Allow disabling of subordinate IDs.

* configure.in: Add configure options --enable-subordinate-ids /
	--disable-subordinate-ids. Enabled by default.
	* lib/prototypes.h: Include <config.h> before using its macros.
	* lib/commonio.h, lib/commonio.c: Define commonio_append only when
	ENABLE_SUBIDS is defined.
	* lib/prototypes.h, libmisc/find_new_sub_gids.c,
	libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Likewise.
	* libmisc/user_busy.c: Only check whether subordinate IDs are in use
	when ENABLE_SUBIDS is defined.
	* src/Makefile.am: Create newgidmap and newuidmap only if
	ENABLE_SUBIDS is defined.
	* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
	subordinate IDs.
	* src/useradd.c: Likewise.
	* src/userdel.c: Likewise.
	* src/usermod.c: Likewise.
	* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
	* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 (not translated yet).
	* man/generate_mans.mak: Add xsltproc conditionals
	subids/no_subids.
	* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
	condition.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/usermod.8.xml: Document options for subordinate IDs and
	reference subgid(5) / subuid(5) depending on the subids condition.
This commit is contained in:
Nicolas François 2013-08-11 14:54:22 +02:00
parent 1fb1486c8a
commit d611d54ed4
21 changed files with 259 additions and 41 deletions


@ -1,3 +1,34 @@
2013-08-11 Nicolas François <nicolas.francois@centraliens.net>
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-09 Nicolas François <nicolas.francois@centraliens.net> 2013-08-09 Nicolas François <nicolas.francois@centraliens.net>
* libmisc/salt.c: Remove unused variable. * libmisc/salt.c: Remove unused variable.


@ -240,6 +240,13 @@ AC_ARG_ENABLE(utmpx,
[enable_utmpx="no"] [enable_utmpx="no"]
) )
AC_ARG_ENABLE(subordinate-ids,
[AC_HELP_STRING([--enable-subordinate-ids],
[support subordinate ids @<:@default=yes@:>@])],
[enable_subids="${enableval}"],
[enable_subids="yes"]
)
AC_ARG_WITH(audit, AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe]) [with_audit=$withval], [with_audit=maybe])
@ -324,6 +331,15 @@ if test "$enable_man" = "yes"; then
fi fi
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno") AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
if test "$enable_subids" = "yes"; then
dnl
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
dnl
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
enable_subids="yes"
fi
AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
AC_SUBST(LIBCRYPT) AC_SUBST(LIBCRYPT)
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt], AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
[AC_MSG_ERROR([crypt() not found])]) [AC_MSG_ERROR([crypt() not found])])
@ -649,4 +665,5 @@ echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey" echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt" echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd" echo " nscd support: $with_nscd"
echo " subordinate IDs support: $enable_subids"
echo echo
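Review bot: The C define and the Automake conditional disagree on what counts as "enabled": `AC_DEFINE(ENABLE_SUBIDS, ...)` fires only when `$enable_subids` is exactly `yes`, while `AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")` fires for any value other than `no`. A stray `--enable-subordinate-ids=foo` would therefore build and install newuidmap/newgidmap and their man pages against a tree in which ENABLE_SUBIDS is undefined and subordinateio.h declares nothing. Aligning the two with `AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" = "xyes")` closes that gap, unless the surrounding options deliberately use the `!= "xno"` form as a convention. The `enable_subids="yes"` inside the `if test "$enable_subids" = "yes"` branch is a no-op and can be dropped.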


@ -1113,6 +1113,7 @@ int commonio_update (struct commonio_db *db, const void *eptr)
return 1; return 1;
} }
#ifdef ENABLE_SUBIDS
int commonio_append (struct commonio_db *db, const void *eptr) int commonio_append (struct commonio_db *db, const void *eptr)
{ {
struct commonio_entry *p; struct commonio_entry *p;
@ -1143,6 +1144,7 @@ int commonio_append (struct commonio_db *db, const void *eptr)
db->changed = true; db->changed = true;
return 1; return 1;
} }
#endif /* ENABLE_SUBIDS */
void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p) void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p)
{ {


@ -146,7 +146,9 @@ extern int commonio_lock_nowait (struct commonio_db *, bool log);
extern int commonio_open (struct commonio_db *, int); extern int commonio_open (struct commonio_db *, int);
extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *); extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
extern int commonio_update (struct commonio_db *, const void *); extern int commonio_update (struct commonio_db *, const void *);
#ifdef ENABLE_SUBIDS
extern int commonio_append (struct commonio_db *, const void *); extern int commonio_append (struct commonio_db *, const void *);
#endif /* ENABLE_SUBIDS */
extern int commonio_remove (struct commonio_db *, const char *); extern int commonio_remove (struct commonio_db *, const char *);
extern int commonio_rewind (struct commonio_db *); extern int commonio_rewind (struct commonio_db *);
extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *); extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
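Review bot: The new `#ifdef ENABLE_SUBIDS` around `commonio_append` relies on config.h having been included before commonio.h, but unlike prototypes.h and subordinateio.h this commit does not visibly add `#include <config.h>` here. If any translation unit includes commonio.h ahead of config.h, the prototype silently disappears for that unit and a caller gets an implicit declaration rather than a link-time error. Unless commonio.h already includes config.h above this hunk, adding `#include <config.h>` near its top, as the commit does for the other two headers, keeps the guard reliable.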


@ -42,6 +42,8 @@
#ifndef _PROTOTYPES_H #ifndef _PROTOTYPES_H
#define _PROTOTYPES_H #define _PROTOTYPES_H
#include <config.h>
#include <sys/stat.h> #include <sys/stat.h>
#ifdef USE_UTMPX #ifdef USE_UTMPX
#include <utmpx.h> #include <utmpx.h>
@ -149,6 +151,7 @@ extern int find_new_uid (bool sys_user,
uid_t *uid, uid_t *uid,
/*@null@*/uid_t const *preferred_uid); /*@null@*/uid_t const *preferred_uid);
#ifdef ENABLE_SUBIDS
/* find_new_sub_gids.c */ /* find_new_sub_gids.c */
extern int find_new_sub_gids (const char *owner, extern int find_new_sub_gids (const char *owner,
gid_t *range_start, unsigned long *range_count); gid_t *range_start, unsigned long *range_count);
@ -156,6 +159,7 @@ extern int find_new_sub_gids (const char *owner,
/* find_new_sub_uids.c */ /* find_new_sub_uids.c */
extern int find_new_sub_uids (const char *owner, extern int find_new_sub_uids (const char *owner,
uid_t *range_start, unsigned long *range_count); uid_t *range_start, unsigned long *range_count);
#endif /* ENABLE_SUBIDS */
/* get_gid.c */ /* get_gid.c */


@ -3,6 +3,9 @@
*/ */
#include <config.h> #include <config.h>
#ifdef ENABLE_SUBIDS
#include "prototypes.h" #include "prototypes.h"
#include "defines.h" #include "defines.h"
#include <stdio.h> #include <stdio.h>
@ -507,3 +510,7 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
start = find_free_range (&subordinate_gid_db, min, max, count); start = find_free_range (&subordinate_gid_db, min, max, count);
return start == ULONG_MAX ? (gid_t) -1 : start; return start == ULONG_MAX ? (gid_t) -1 : start;
} }
#else /* !ENABLE_SUBIDS */
extern int errno; /* warning: ANSI C forbids an empty source file */
#endif /* !ENABLE_SUBIDS */
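Review bot: `extern int errno;` is a risky choice of placeholder for the empty translation unit: the C standard reserves `errno` and a program that declares an identifier with that name has undefined behaviour, and it only compiles here because `<errno.h>` is not included in this branch. On glibc `errno` expands to `(*__errno_location ())`, so the moment anyone adds an include above the `#ifdef` (or config.h starts pulling in errno.h) this line becomes a hard compile error. A neutral declaration such as `typedef int subordinateio_not_empty_t;` (name is only an example) avoids the reserved identifier and gives the same warning suppression. The same placeholder appears in the `#else` branches of libmisc/find_new_sub_gids.c and libmisc/find_new_sub_uids.c in this commit.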


@ -5,6 +5,10 @@
#ifndef _SUBORDINATEIO_H #ifndef _SUBORDINATEIO_H
#define _SUBORDINATEIO_H #define _SUBORDINATEIO_H
#include <config.h>
#ifdef ENABLE_SUBIDS
#include <sys/types.h> #include <sys/types.h>
extern int sub_uid_close(void); extern int sub_uid_close(void);
@ -34,5 +38,6 @@ extern int sub_gid_unlock (void);
extern int sub_gid_add (const char *owner, gid_t start, unsigned long count); extern int sub_gid_add (const char *owner, gid_t start, unsigned long count);
extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count); extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count);
extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count); extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);
#endif /* ENABLE_SUBIDS */
#endif #endif
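Review bot: The prototype on the last context line declares `sub_gid_find_free_range` as returning `uid_t`, while the definition shown in lib/subordinateio.c in this same commit returns `gid_t`. On glibc both typedefs are `unsigned int`, so this does not fail today, but it is a declaration/definition mismatch waiting for a libc where the types differ or for a stricter compiler, and since the commit already touches this declaration block it is the natural place to fix it. The line should read `extern gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);`.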


@ -28,6 +28,8 @@
#include <config.h> #include <config.h>
#ifdef ENABLE_SUBIDS
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
@ -86,4 +88,7 @@ int find_new_sub_gids (const char *owner,
*range_count = count; *range_count = count;
return 0; return 0;
} }
#else /* !ENABLE_SUBIDS */
extern int errno; /* warning: ANSI C forbids an empty source file */
#endif /* !ENABLE_SUBIDS */


@ -28,6 +28,8 @@
#include <config.h> #include <config.h>
#ifdef ENABLE_SUBIDS
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
@ -86,4 +88,7 @@ int find_new_sub_uids (const char *owner,
*range_count = count; *range_count = count;
return 0; return 0;
} }
#else /* !ENABLE_SUBIDS */
extern int errno; /* warning: ANSI C forbids an empty source file */
#endif /* !ENABLE_SUBIDS */


@ -41,7 +41,9 @@
#include <fcntl.h> #include <fcntl.h>
#include "defines.h" #include "defines.h"
#include "prototypes.h" #include "prototypes.h"
#ifdef ENABLE_SUBIDS
#include "subordinateio.h" #include "subordinateio.h"
#endif /* ENABLE_SUBIDS */
#ifdef __linux__ #ifdef __linux__
static int check_status (const char *name, const char *sname, uid_t uid); static int check_status (const char *name, const char *sname, uid_t uid);
@ -128,9 +130,12 @@ static int check_status (const char *name, const char *sname, uid_t uid)
if ( (ruid == (unsigned long) uid) if ( (ruid == (unsigned long) uid)
|| (euid == (unsigned long) uid) || (euid == (unsigned long) uid)
|| (suid == (unsigned long) uid) || (suid == (unsigned long) uid)
#ifdef ENABLE_SUBIDS
|| have_sub_uids(name, ruid, 1) || have_sub_uids(name, ruid, 1)
|| have_sub_uids(name, euid, 1) || have_sub_uids(name, euid, 1)
|| have_sub_uids(name, suid, 1)) { || have_sub_uids(name, suid, 1)
#endif /* ENABLE_SUBIDS */
) {
(void) fclose (sfile); (void) fclose (sfile);
return 1; return 1;
} }
@ -158,7 +163,9 @@ static int user_busy_processes (const char *name, uid_t uid)
struct stat sbroot; struct stat sbroot;
struct stat sbroot_process; struct stat sbroot_process;
#ifdef ENABLE_SUBIDS
sub_uid_open (O_RDONLY); sub_uid_open (O_RDONLY);
#endif /* ENABLE_SUBIDS */
proc = opendir ("/proc"); proc = opendir ("/proc");
if (proc == NULL) { if (proc == NULL) {
@ -238,7 +245,9 @@ static int user_busy_processes (const char *name, uid_t uid)
} }
(void) closedir (proc); (void) closedir (proc);
#ifdef ENABLE_SUBIDS
sub_uid_close(); sub_uid_close();
#endif /* ENABLE_SUBIDS */
return 0; return 0;
} }
#endif /* __linux__ */ #endif /* __linux__ */
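Review bot: `sub_uid_open (O_RDONLY);` at the top of user_busy_processes discards its return value, so when the subordinate uid file cannot be opened the later `have_sub_uids()` checks in check_status run against an unopened database and the busy check presumably degrades to "no subordinate-uid conflict" with no diagnostic; how have_sub_uids behaves on an unopened db is not visible here, so confirm. The `if (proc == NULL)` branch immediately after the open also appears to leave the function without the matching `sub_uid_close()`; the rest of that body is outside the hunk. At minimum the failure should be diagnosed, e.g. `if (sub_uid_open (O_RDONLY) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); }` if Prog is in scope in this file, and the early return should close what was opened. As a separate style point, subordinateio.h now includes <config.h> and guards its own body, so the `#ifdef ENABLE_SUBIDS` around `#include "subordinateio.h"` here (and in src/newusers.c, src/useradd.c and src/userdel.c) is redundant, though harmless.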


@ -30,9 +30,7 @@ man_MANS = \
man1/login.1 \ man1/login.1 \
man5/login.defs.5 \ man5/login.defs.5 \
man8/logoutd.8 \ man8/logoutd.8 \
man1/newgidmap.1 \
man1/newgrp.1 \ man1/newgrp.1 \
man1/newuidmap.1 \
man8/newusers.8 \ man8/newusers.8 \
man8/nologin.8 \ man8/nologin.8 \
man1/passwd.1 \ man1/passwd.1 \
@ -45,8 +43,6 @@ man_MANS = \
man5/shadow.5 \ man5/shadow.5 \
man1/su.1 \ man1/su.1 \
man5/suauth.5 \ man5/suauth.5 \
man5/subgid.5 \
man5/subuid.5 \
man8/useradd.8 \ man8/useradd.8 \
man8/userdel.8 \ man8/userdel.8 \
man8/usermod.8 \ man8/usermod.8 \
@ -62,6 +58,16 @@ if !USE_PAM
man_MANS += $(man_nopam) man_MANS += $(man_nopam)
endif endif
man_subids = \
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
man5/subuid.5
if ENABLE_SUBIDS
man_MANS += $(man_subids)
endif
man_XMANS = \ man_XMANS = \
chage.1.xml \ chage.1.xml \
chfn.1.xml \ chfn.1.xml \
@ -187,6 +193,10 @@ if USE_PAM
EXTRA_DIST += $(man_nopam) EXTRA_DIST += $(man_nopam)
endif endif
if !ENABLE_SUBIDS
EXTRA_DIST += $(man_subids)
endif
generate_mans.deps: *.xml generate_mans.deps: *.xml
echo "# This file is generated" > $@ echo "# This file is generated" > $@
awk 'BEGIN{FS="\"";} /^<!ENTITY .* * SYSTEM ".*">$$/{ f=FILENAME; sub(/.xml/,"",f); print "man" substr(f, length (f)) "/" f ": " $$2 }' $(man_XMANS) >> $@ awk 'BEGIN{FS="\"";} /^<!ENTITY .* * SYSTEM ".*">$$/{ f=FILENAME; sub(/.xml/,"",f); print "man" substr(f, length (f)) "/" f ": " $$2 }' $(man_XMANS) >> $@


@ -53,6 +53,16 @@ if !USE_PAM
man_MANS += $(man_nopam) man_MANS += $(man_nopam)
endif endif
man_subids = \
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
man5/subuid.5
if ENABLE_SUBIDS
man_MANS += $(man_subids)
endif
EXTRA_DIST = \ EXTRA_DIST = \
$(man_MANS) \ $(man_MANS) \
man1/id.1 \ man1/id.1 \
@ -62,5 +72,9 @@ if USE_PAM
EXTRA_DIST += $(man_nopam) EXTRA_DIST += $(man_nopam)
endif endif
if !ENABLE_SUBIDS
EXTRA_DIST += $(man_subids)
endif
include ../generate_translations.mak include ../generate_translations.mak


@ -20,6 +20,12 @@ else
SHA_CRYPT_COND=no_sha_crypt SHA_CRYPT_COND=no_sha_crypt
endif endif
if ENABLE_SUBIDS
SUBIDS_COND=subids
else
SUBIDS_COND=no_subids
endif
if ENABLE_REGENERATE_MAN if ENABLE_REGENERATE_MAN
%.xml-config: %.xml %.xml-config: %.xml
if grep -q SHADOW-CONFIG-HERE $<; then \ if grep -q SHADOW-CONFIG-HERE $<; then \
@ -29,7 +35,7 @@ if ENABLE_REGENERATE_MAN
fi fi
man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND)" \ $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(SUBIDS_COND)" \
--param "man.authors.section.enabled" "0" \ --param "man.authors.section.enabled" "0" \
--stringparam "man.output.base.dir" "" \ --stringparam "man.output.base.dir" "" \
--param "man.output.in.separate.dir" "1" \ --param "man.output.in.separate.dir" "1" \


@ -26,7 +26,7 @@
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--> -->
<varlistentry> <varlistentry condition="subids">
<term><option>SUB_GID_MIN</option> (number)</term> <term><option>SUB_GID_MIN</option> (number)</term>
<term><option>SUB_GID_MAX</option> (number)</term> <term><option>SUB_GID_MAX</option> (number)</term>
<term><option>SUB_GID_COUNT</option> (number)</term> <term><option>SUB_GID_COUNT</option> (number)</term>


@ -26,7 +26,7 @@
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--> -->
<varlistentry> <varlistentry condition="subids">
<term><option>SUB_UID_MIN</option> (number)</term> <term><option>SUB_UID_MIN</option> (number)</term>
<term><option>SUB_UID_MAX</option> (number)</term> <term><option>SUB_UID_MAX</option> (number)</term>
<term><option>SUB_UID_COUNT</option> (number)</term> <term><option>SUB_UID_COUNT</option> (number)</term>


@ -389,7 +389,7 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry condition="subids">
<term> <term>
<option>-v</option>, <option>--add-sub-uids</option> <option>-v</option>, <option>--add-sub-uids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable> <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
@ -408,7 +408,7 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry condition="subids">
<term> <term>
<option>-V</option>, <option>--del-sub-uids</option> <option>-V</option>, <option>--del-sub-uids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable> <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
@ -429,7 +429,7 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry condition="subids">
<term> <term>
<option>-w</option>, <option>--add-sub-gids</option> <option>-w</option>, <option>--add-sub-gids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable> <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
@ -448,7 +448,7 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry condition="subids">
<term> <term>
<option>-W</option>, <option>--del-sub-gids</option> <option>-W</option>, <option>--del-sub-gids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable> <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
@ -588,12 +588,14 @@
<citerefentry> <citerefentry>
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>, </citerefentry>,
<phrase condition="subids">
<citerefentry> <citerefentry>
<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>, </citerefentry>,
<citerefentry> <citerefentry>
<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>, </citerefentry>,
</phrase>
<citerefentry> <citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum> <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>, </citerefentry>,


@ -24,8 +24,10 @@ INCLUDES = \
bin_PROGRAMS = groups login su bin_PROGRAMS = groups login su
sbin_PROGRAMS = nologin sbin_PROGRAMS = nologin
ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd \ ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
newgidmap newuidmap if ENABLE_SUBIDS
ubin_PROGRAMS += newgidmap newuidmap
endif
usbin_PROGRAMS = \ usbin_PROGRAMS = \
chgpasswd \ chgpasswd \
chpasswd \ chpasswd \
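Review bot: Making newgidmap and newuidmap conditional in `ubin_PROGRAMS` is only half of the change if the list that the install hook marks setuid-root (the `suidubins` variable in shadow's src/Makefile.am, if this Makefile still uses that name; it is outside the hunk) still names the two binaries unconditionally. With `--disable-subordinate-ids` that hook would then run chmod on files that were never built, failing the install or, depending on how the hook is written, silently skipping them. The same `if ENABLE_SUBIDS ... += newgidmap newuidmap endif` pattern should be applied to that list, so that the set of installed setuid binaries matches the build configuration.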


@ -65,7 +65,9 @@
#include "pwio.h" #include "pwio.h"
#include "sgroupio.h" #include "sgroupio.h"
#include "shadowio.h" #include "shadowio.h"
#ifdef ENABLE_SUBIDS
#include "subordinateio.h" #include "subordinateio.h"
#endif /* ENABLE_SUBIDS */
#include "chkname.h" #include "chkname.h"
/* /*
@ -83,8 +85,6 @@ static long sha_rounds = 5000;
#endif /* USE_SHA_CRYPT */ #endif /* USE_SHA_CRYPT */
#endif /* !USE_PAM */ #endif /* !USE_PAM */
static bool is_sub_uid = false;
static bool is_sub_gid = false;
static bool is_shadow; static bool is_shadow;
#ifdef SHADOWGRP #ifdef SHADOWGRP
static bool is_shadow_grp; static bool is_shadow_grp;
@ -93,8 +93,12 @@ static bool sgr_locked = false;
static bool pw_locked = false; static bool pw_locked = false;
static bool gr_locked = false; static bool gr_locked = false;
static bool spw_locked = false; static bool spw_locked = false;
#ifdef ENABLE_SUBIDS
static bool is_sub_uid = false;
static bool is_sub_gid = false;
static bool sub_uid_locked = false; static bool sub_uid_locked = false;
static bool sub_gid_locked = false; static bool sub_gid_locked = false;
#endif /* ENABLE_SUBIDS */
/* local function prototypes */ /* local function prototypes */
static void usage (int status); static void usage (int status);
@ -183,6 +187,7 @@ static void fail_exit (int code)
} }
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (sub_uid_locked) { if (sub_uid_locked) {
if (sub_uid_unlock () == 0) { if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
@ -197,6 +202,7 @@ static void fail_exit (int code)
/* continue */ /* continue */
} }
} }
#endif /* ENABLE_SUBIDS */
exit (code); exit (code);
} }
@ -778,6 +784,7 @@ static void open_files (void)
sgr_locked = true; sgr_locked = true;
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_lock () == 0) { if (sub_uid_lock () == 0) {
fprintf (stderr, fprintf (stderr,
@ -796,6 +803,7 @@ static void open_files (void)
} }
sub_gid_locked = true; sub_gid_locked = true;
} }
#endif /* ENABLE_SUBIDS */
if (pw_open (O_RDWR) == 0) { if (pw_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
@ -815,6 +823,7 @@ static void open_files (void)
fail_exit (EXIT_FAILURE); fail_exit (EXIT_FAILURE);
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_open (O_RDWR) == 0) { if (sub_uid_open (O_RDWR) == 0) {
fprintf (stderr, fprintf (stderr,
@ -831,6 +840,7 @@ static void open_files (void)
fail_exit (EXIT_FAILURE); fail_exit (EXIT_FAILURE);
} }
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*
@ -875,6 +885,7 @@ static void close_files (void)
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (EXIT_FAILURE); fail_exit (EXIT_FAILURE);
} }
#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) { if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr, fprintf (stderr,
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ()); _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
@ -887,6 +898,7 @@ static void close_files (void)
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ())); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
fail_exit (EXIT_FAILURE); fail_exit (EXIT_FAILURE);
} }
#endif /* ENABLE_SUBIDS */
if (gr_unlock () == 0) { if (gr_unlock () == 0) {
fprintf (stderr, fprintf (stderr,
@ -916,6 +928,7 @@ static void close_files (void)
sgr_locked = false; sgr_locked = false;
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_unlock () == 0) { if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
@ -932,6 +945,7 @@ static void close_files (void)
} }
sub_gid_locked = false; sub_gid_locked = false;
} }
#endif /* ENABLE_SUBIDS */
} }
int main (int argc, char **argv) int main (int argc, char **argv)
@ -973,8 +987,10 @@ int main (int argc, char **argv)
#ifdef SHADOWGRP #ifdef SHADOWGRP
is_shadow_grp = sgr_file_present (); is_shadow_grp = sgr_file_present ();
#endif #endif
#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present (); is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present (); is_sub_gid = sub_gid_file_present ();
#endif /* ENABLE_SUBIDS */
open_files (); open_files ();
@ -1156,6 +1172,7 @@ int main (int argc, char **argv)
continue; continue;
} }
#ifdef ENABLE_SUBIDS
/* /*
* Add subordinate uids if the user does not have them. * Add subordinate uids if the user does not have them.
*/ */
@ -1195,6 +1212,7 @@ int main (int argc, char **argv)
errors++; errors++;
} }
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*


@ -65,7 +65,9 @@
#include "sgroupio.h" #include "sgroupio.h"
#endif #endif
#include "shadowio.h" #include "shadowio.h"
#ifdef ENABLE_SUBIDS
#include "subordinateio.h" #include "subordinateio.h"
#endif /* ENABLE_SUBIDS */
#ifdef WITH_TCB #ifdef WITH_TCB
#include "tcbfuncs.h" #include "tcbfuncs.h"
#endif #endif
@ -122,20 +124,22 @@ static bool is_shadow_pwd;
static bool is_shadow_grp; static bool is_shadow_grp;
static bool sgr_locked = false; static bool sgr_locked = false;
#endif #endif
#ifdef ENABLE_SUBIDS
static bool is_sub_uid = false; static bool is_sub_uid = false;
static bool is_sub_gid = false; static bool is_sub_gid = false;
static bool pw_locked = false;
static bool gr_locked = false;
static bool spw_locked = false;
static bool sub_uid_locked = false; static bool sub_uid_locked = false;
static bool sub_gid_locked = false; static bool sub_gid_locked = false;
static char **user_groups; /* NULL-terminated list */
static long sys_ngroups;
static bool do_grp_update = false; /* group files need to be updated */
static uid_t sub_uid_start; /* New subordinate uid range */ static uid_t sub_uid_start; /* New subordinate uid range */
static unsigned long sub_uid_count; static unsigned long sub_uid_count;
static gid_t sub_gid_start; /* New subordinate gid range */ static gid_t sub_gid_start; /* New subordinate gid range */
static unsigned long sub_gid_count; static unsigned long sub_gid_count;
#endif /* ENABLE_SUBIDS */
static bool pw_locked = false;
static bool gr_locked = false;
static bool spw_locked = false;
static char **user_groups; /* NULL-terminated list */
static long sys_ngroups;
static bool do_grp_update = false; /* group files need to be updated */
static bool static bool
bflg = false, /* new default root of home directory */ bflg = false, /* new default root of home directory */
@ -177,8 +181,10 @@ static bool home_added = false;
#define E_GRP_UPDATE 10 /* can't update group file */ #define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */ #define E_HOMEDIR 12 /* can't create home directory */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ #define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */ #define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */ #define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
#endif /* ENABLE_SUBIDS */
#define DGROUP "GROUP=" #define DGROUP "GROUP="
#define DHOME "HOME=" #define DHOME "HOME="
@ -279,6 +285,7 @@ static void fail_exit (int code)
} }
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (sub_uid_locked) { if (sub_uid_locked) {
if (sub_uid_unlock () == 0) { if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
@ -305,6 +312,7 @@ static void fail_exit (int code)
/* continue */ /* continue */
} }
} }
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog, audit_logger (AUDIT_ADD_USER, Prog,
@ -1415,6 +1423,7 @@ static void close_files (void)
} }
#endif #endif
} }
#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) { if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr, fprintf (stderr,
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ()); _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
@ -1427,6 +1436,7 @@ static void close_files (void)
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ())); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
fail_exit (E_SUB_GID_UPDATE); fail_exit (E_SUB_GID_UPDATE);
} }
#endif /* ENABLE_SUBIDS */
if (is_shadow_pwd) { if (is_shadow_pwd) {
if (spw_unlock () == 0) { if (spw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
@ -1481,6 +1491,7 @@ static void close_files (void)
sgr_locked = false; sgr_locked = false;
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_unlock () == 0) { if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
@ -1509,6 +1520,7 @@ static void close_files (void)
} }
sub_gid_locked = false; sub_gid_locked = false;
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*
@ -1563,6 +1575,7 @@ static void open_files (void)
} }
} }
#endif #endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_lock () == 0) { if (sub_uid_lock () == 0) {
fprintf (stderr, fprintf (stderr,
@ -1593,6 +1606,7 @@ static void open_files (void)
fail_exit (E_SUB_GID_UPDATE); fail_exit (E_SUB_GID_UPDATE);
} }
} }
#endif /* ENABLE_SUBIDS */
} }
static void open_shadow (void) static void open_shadow (void)
@ -1839,6 +1853,7 @@ static void usr_update (void)
#endif #endif
fail_exit (E_PW_UPDATE); fail_exit (E_PW_UPDATE);
} }
#ifdef ENABLE_SUBIDS
if (is_sub_uid && if (is_sub_uid &&
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) { (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
fprintf (stderr, fprintf (stderr,
@ -1853,6 +1868,7 @@ static void usr_update (void)
Prog, sub_uid_dbname ()); Prog, sub_uid_dbname ());
fail_exit (E_SUB_GID_UPDATE); fail_exit (E_SUB_GID_UPDATE);
} }
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog, audit_logger (AUDIT_ADD_USER, Prog,
@ -2005,8 +2021,10 @@ int main (int argc, char **argv)
#ifdef SHADOWGRP #ifdef SHADOWGRP
is_shadow_grp = sgr_file_present (); is_shadow_grp = sgr_file_present ();
#endif #endif
#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present (); is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present (); is_sub_gid = sub_gid_file_present ();
#endif /* ENABLE_SUBIDS */
get_defaults (); get_defaults ();
@ -2157,6 +2175,7 @@ int main (int argc, char **argv)
grp_add (); grp_add ();
} }
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) { if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
fprintf (stderr, fprintf (stderr,
@ -2173,6 +2192,8 @@ int main (int argc, char **argv)
fail_exit(E_SUB_GID_UPDATE); fail_exit(E_SUB_GID_UPDATE);
} }
} }
#endif /* ENABLE_SUBIDS */
usr_update (); usr_update ();
if (mflg) { if (mflg) {
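Review bot: The `@ -122,20 +124,22 @@` hunk moves six unrelated declarations (`pw_locked`, `gr_locked`, `spw_locked`, `user_groups`, `sys_ngroups`, `do_grp_update`) below the new `#ifdef ENABLE_SUBIDS` block purely to keep the subordinate-ID statics contiguous, which turns a guard-only change into a reshuffle that reviewers have to diff by hand. Placing the guarded block after the existing declarations, as the corresponding userdel.c hunk does, would leave those lines untouched. A one-line comment on the block, `/* subordinate uid/gid state; only compiled with ENABLE_SUBIDS */`, would also make the grouping self-explanatory.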


@ -65,7 +65,9 @@
#endif /* WITH_TCB */ #endif /* WITH_TCB */
/*@-exitarg@*/ /*@-exitarg@*/
#include "exitcodes.h" #include "exitcodes.h"
#ifdef ENABLE_SUBIDS
#include "subordinateio.h" #include "subordinateio.h"
#endif /* ENABLE_SUBIDS */
/* /*
* exit status values * exit status values
@ -76,8 +78,10 @@
#define E_GRP_UPDATE 10 /* can't update group file */ #define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't remove home directory */ #define E_HOMEDIR 12 /* can't remove home directory */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ #define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */ #define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */ #define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
#endif /* ENABLE_SUBIDS */
/* /*
* Global variables * Global variables
@ -99,13 +103,15 @@ static bool is_shadow_pwd;
static bool is_shadow_grp; static bool is_shadow_grp;
static bool sgr_locked = false; static bool sgr_locked = false;
#endif /* SHADOWGRP */ #endif /* SHADOWGRP */
static bool is_sub_uid;
static bool is_sub_gid;
static bool pw_locked = false; static bool pw_locked = false;
static bool gr_locked = false; static bool gr_locked = false;
static bool spw_locked = false; static bool spw_locked = false;
#ifdef ENABLE_SUBIDS
static bool is_sub_uid;
static bool is_sub_gid;
static bool sub_uid_locked = false; static bool sub_uid_locked = false;
static bool sub_gid_locked = false; static bool sub_gid_locked = false;
#endif /* ENABLE_SUBIDS */
/* local function prototypes */ /* local function prototypes */
static void usage (int status); static void usage (int status);
@ -445,6 +451,7 @@ static void close_files (void)
} }
#endif /* SHADOWGRP */ #endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_close () == 0) { if (sub_uid_close () == 0) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
@ -472,6 +479,7 @@ static void close_files (void)
} }
sub_gid_locked = false; sub_gid_locked = false;
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*
@ -509,6 +517,7 @@ static void fail_exit (int code)
} }
} }
#endif /* SHADOWGRP */ #endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
if (sub_uid_locked) { if (sub_uid_locked) {
if (sub_uid_unlock () == 0) { if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
@ -523,6 +532,7 @@ static void fail_exit (int code)
/* continue */ /* continue */
} }
} }
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog, audit_logger (AUDIT_DEL_USER, Prog,
@ -644,6 +654,7 @@ static void open_files (void)
} }
} }
#endif /* SHADOWGRP */ #endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
if (is_sub_uid) { if (is_sub_uid) {
if (sub_uid_lock () == 0) { if (sub_uid_lock () == 0) {
fprintf (stderr, fprintf (stderr,
@ -696,6 +707,7 @@ static void open_files (void)
fail_exit (E_SUB_GID_UPDATE); fail_exit (E_SUB_GID_UPDATE);
} }
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*
@ -720,6 +732,7 @@ static void update_user (void)
Prog, user_name, spw_dbname ()); Prog, user_name, spw_dbname ());
fail_exit (E_PW_UPDATE); fail_exit (E_PW_UPDATE);
} }
#ifdef ENABLE_SUBIDS
if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) { if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) {
fprintf (stderr, fprintf (stderr,
_("%s: cannot remove entry %lu from %s\n"), _("%s: cannot remove entry %lu from %s\n"),
@ -732,6 +745,7 @@ static void update_user (void)
Prog, (unsigned long)user_id, sub_gid_dbname ()); Prog, (unsigned long)user_id, sub_gid_dbname ());
fail_exit (E_SUB_GID_UPDATE); fail_exit (E_SUB_GID_UPDATE);
} }
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog, audit_logger (AUDIT_DEL_USER, Prog,
"deleting user entries", "deleting user entries",
@ -1079,8 +1093,10 @@ int main (int argc, char **argv)
#ifdef SHADOWGRP #ifdef SHADOWGRP
is_shadow_grp = sgr_file_present (); is_shadow_grp = sgr_file_present ();
#endif /* SHADOWGRP */ #endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present (); is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present (); is_sub_gid = sub_gid_file_present ();
#endif /* ENABLE_SUBIDS */
/* /*
* Start with a quick check to see if the user exists. * Start with a quick check to see if the user exists.
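Review bot: With ENABLE_SUBIDS undefined, the `sub_uid_remove`/`sub_gid_remove` calls in update_user (hunk at @ -720,6 +732,7) are compiled out, so a build configured with --disable-subordinate-ids leaves any range registered under the deleted name in the subuid/subgid files if those files exist on the host, and a later account created with the same name would presumably inherit it, since removal here is keyed on `user_name`. That consequence is not stated anywhere visible in this file. I would add a comment on the `#endif /* ENABLE_SUBIDS */` closing that block, `/* Without ENABLE_SUBIDS the user's subordinate ID ranges are not removed; stale subuid/subgid entries must be cleaned up by other means. */`, and repeat the caveat in the help text of the new configure option. This file is inferred to be src/userdel.c from the AUDIT_DEL_USER calls; each enclosing function starts and ends outside its hunk.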


@ -63,7 +63,9 @@
#include "sgroupio.h" #include "sgroupio.h"
#endif #endif
#include "shadowio.h" #include "shadowio.h"
#ifdef ENABLE_SUBIDS
#include "subordinateio.h" #include "subordinateio.h"
#endif /* ENABLE_SUBIDS */
#ifdef WITH_TCB #ifdef WITH_TCB
#include "tcbfuncs.h" #include "tcbfuncs.h"
#endif #endif
@ -87,9 +89,13 @@
/* #define E_NOSPACE 11 insufficient space to move home dir */ /* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */ #define E_HOMEDIR 12 /* unable to complete home dir move */
#define E_SE_UPDATE 13 /* can't update SELinux user mapping */ #define E_SE_UPDATE 13 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */ #define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */ #define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
#endif /* ENABLE_SUBIDS */
#define VALID(s) (strcspn (s, ":\n") == strlen (s)) #define VALID(s) (strcspn (s, ":\n") == strlen (s))
/* /*
* Global variables * Global variables
*/ */
@ -135,12 +141,14 @@ static bool
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
Zflg = false, /* new selinux user */ Zflg = false, /* new selinux user */
#endif #endif
uflg = false, /* specify new user ID */ #ifdef ENABLE_SUBIDS
Uflg = false, /* unlock the password */
vflg = false, /* add subordinate uids */ vflg = false, /* add subordinate uids */
Vflg = false, /* delete subordinate uids */ Vflg = false, /* delete subordinate uids */
wflg = false, /* add subordinate gids */ wflg = false, /* add subordinate gids */
Wflg = false; /* delete subordinate gids */ Wflg = false, /* delete subordinate gids */
#endif /* ENABLE_SUBIDS */
uflg = false, /* specify new user ID */
Uflg = false; /* unlock the password */
static bool is_shadow_pwd; static bool is_shadow_pwd;
@ -148,8 +156,10 @@ static bool is_shadow_pwd;
static bool is_shadow_grp; static bool is_shadow_grp;
#endif #endif
#ifdef ENABLE_SUBIDS
static bool is_sub_uid = false; static bool is_sub_uid = false;
static bool is_sub_gid = false; static bool is_sub_gid = false;
#endif /* ENABLE_SUBIDS */
static bool pw_locked = false; static bool pw_locked = false;
static bool spw_locked = false; static bool spw_locked = false;
@ -157,8 +167,10 @@ static bool gr_locked = false;
#ifdef SHADOWGRP #ifdef SHADOWGRP
static bool sgr_locked = false; static bool sgr_locked = false;
#endif #endif
#ifdef ENABLE_SUBIDS
static bool sub_uid_locked = false; static bool sub_uid_locked = false;
static bool sub_gid_locked = false; static bool sub_gid_locked = false;
#endif /* ENABLE_SUBIDS */
/* local function prototypes */ /* local function prototypes */
@ -314,6 +326,7 @@ static int get_groups (char *list)
return 0; return 0;
} }
#ifdef ENABLE_SUBIDS
struct ulong_range struct ulong_range
{ {
unsigned long first; unsigned long first;
@ -376,6 +389,7 @@ static int prepend_range(const char *str, struct ulong_range_list_entry **head)
*head = entry; *head = entry;
return 1; return 1;
} }
#endif /* ENABLE_SUBIDS */
/* /*
* usage - display usage message and exit * usage - display usage message and exit
@ -409,10 +423,12 @@ static /*@noreturn@*/void usage (int status)
(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
(void) fputs (_(" -U, --unlock unlock the user account\n"), usageout); (void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
#ifdef ENABLE_SUBIDS
(void) fputs (_(" -v, --add-subuids FIRST-LAST add range of subordinate uids\n"), usageout); (void) fputs (_(" -v, --add-subuids FIRST-LAST add range of subordinate uids\n"), usageout);
(void) fputs (_(" -V, --del-subuids FIRST-LAST remove range of subordinate uids\n"), usageout); (void) fputs (_(" -V, --del-subuids FIRST-LAST remove range of subordinate uids\n"), usageout);
(void) fputs (_(" -w, --add-subgids FIRST-LAST add range of subordinate gids\n"), usageout); (void) fputs (_(" -w, --add-subgids FIRST-LAST add range of subordinate gids\n"), usageout);
(void) fputs (_(" -W, --del-subgids FIRST-LAST remove range of subordinate gids\n"), usageout); (void) fputs (_(" -W, --del-subgids FIRST-LAST remove range of subordinate gids\n"), usageout);
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
(void) fputs (_(" -Z, --selinux-user SEUSER new SELinux user mapping for the user account\n"), usageout); (void) fputs (_(" -Z, --selinux-user SEUSER new SELinux user mapping for the user account\n"), usageout);
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
@ -669,6 +685,7 @@ static /*@noreturn@*/void fail_exit (int code)
/* continue */ /* continue */
} }
} }
#ifdef ENABLE_SUBIDS
if (sub_uid_locked) { if (sub_uid_locked) {
if (sub_uid_unlock () == 0) { if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
@ -683,6 +700,7 @@ static /*@noreturn@*/void fail_exit (int code)
/* continue */ /* continue */
} }
} }
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog, audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
@ -982,22 +1000,26 @@ static void process_flags (int argc, char **argv)
{"shell", required_argument, NULL, 's'}, {"shell", required_argument, NULL, 's'},
{"uid", required_argument, NULL, 'u'}, {"uid", required_argument, NULL, 'u'},
{"unlock", no_argument, NULL, 'U'}, {"unlock", no_argument, NULL, 'U'},
#ifdef ENABLE_SUBIDS
{"add-subuids", required_argument, NULL, 'v'}, {"add-subuids", required_argument, NULL, 'v'},
{"del-subuids", required_argument, NULL, 'V'}, {"del-subuids", required_argument, NULL, 'V'},
{"add-subgids", required_argument, NULL, 'w'}, {"add-subgids", required_argument, NULL, 'w'},
{"del-subgids", required_argument, NULL, 'W'}, {"del-subgids", required_argument, NULL, 'W'},
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
{"selinux-user", required_argument, NULL, 'Z'}, {"selinux-user", required_argument, NULL, 'Z'},
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
{NULL, 0, NULL, '\0'} {NULL, 0, NULL, '\0'}
}; };
while ((c = getopt_long (argc, argv, while ((c = getopt_long (argc, argv,
"ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
#ifdef ENABLE_SUBIDS
"v:w:V:W:"
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
"ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:v:w:V:W:", "Z:"
#else /* !WITH_SELINUX */ #endif /* WITH_SELINUX */
"ac:d:e:f:g:G:hl:Lmop:R:s:u:Uv:w:V:W:", , long_options, NULL)) != -1) {
#endif /* !WITH_SELINUX */
long_options, NULL)) != -1) {
switch (c) { switch (c) {
case 'a': case 'a':
aflg = true; aflg = true;
@ -1115,6 +1137,7 @@ static void process_flags (int argc, char **argv)
case 'U': case 'U':
Uflg = true; Uflg = true;
break; break;
#ifdef ENABLE_SUBIDS
case 'v': case 'v':
if (prepend_range (optarg, &add_sub_uids) == 0) { if (prepend_range (optarg, &add_sub_uids) == 0) {
fprintf (stderr, fprintf (stderr,
@ -1151,6 +1174,7 @@ static void process_flags (int argc, char **argv)
} }
Wflg = true; Wflg = true;
break; break;
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
case 'Z': case 'Z':
if (is_selinux_enabled () > 0) { if (is_selinux_enabled () > 0) {
@ -1303,7 +1327,9 @@ static void process_flags (int argc, char **argv)
if (!(Uflg || uflg || sflg || pflg || mflg || Lflg || if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
lflg || Gflg || gflg || fflg || eflg || dflg || cflg lflg || Gflg || gflg || fflg || eflg || dflg || cflg
#ifdef ENABLE_SUBIDS
|| vflg || Vflg || wflg || Wflg || vflg || Vflg || wflg || Wflg
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
|| Zflg || Zflg
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
@ -1435,6 +1461,7 @@ static void close_files (void)
sgr_locked = false; sgr_locked = false;
#endif #endif
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) { if (vflg || Vflg) {
if (!is_sub_uid || (sub_uid_close () == 0)) { if (!is_sub_uid || (sub_uid_close () == 0)) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ()); fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
@ -1461,6 +1488,7 @@ static void close_files (void)
} }
sub_gid_locked = false; sub_gid_locked = false;
} }
#endif /* ENABLE_SUBIDS */
/* /*
* Close the DBM and/or flat files * Close the DBM and/or flat files
@ -1541,6 +1569,7 @@ static void open_files (void)
} }
#endif #endif
} }
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) { if (vflg || Vflg) {
if (!is_sub_uid || (sub_uid_lock () == 0)) { if (!is_sub_uid || (sub_uid_lock () == 0)) {
fprintf (stderr, fprintf (stderr,
@ -1571,6 +1600,7 @@ static void open_files (void)
fail_exit (E_SUB_GID_UPDATE); fail_exit (E_SUB_GID_UPDATE);
} }
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*
@ -1672,6 +1702,7 @@ static void usr_update (void)
fail_exit (E_PW_UPDATE); fail_exit (E_PW_UPDATE);
} }
} }
#ifdef ENABLE_SUBIDS
if (Vflg) { if (Vflg) {
struct ulong_range_list_entry *ptr; struct ulong_range_list_entry *ptr;
for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) { for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
@ -1724,6 +1755,7 @@ static void usr_update (void)
} }
} }
} }
#endif /* ENABLE_SUBIDS */
} }
/* /*
@ -2059,8 +2091,10 @@ int main (int argc, char **argv)
#ifdef SHADOWGRP #ifdef SHADOWGRP
is_shadow_grp = sgr_file_present (); is_shadow_grp = sgr_file_present ();
#endif #endif
#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present (); is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present (); is_sub_gid = sub_gid_file_present ();
#endif /* ENABLE_SUBIDS */
process_flags (argc, argv); process_flags (argc, argv);
@ -2068,7 +2102,11 @@ int main (int argc, char **argv)
* The home directory, the username and the user's UID should not * The home directory, the username and the user's UID should not
* be changed while the user is logged in. * be changed while the user is logged in.
*/ */
if ( (uflg || lflg || dflg || Vflg || Wflg) if ( (uflg || lflg || dflg
#ifdef ENABLE_SUBIDS
|| Vflg || Wflg
#endif /* ENABLE_SUBIDS */
)
&& (user_busy (user_name, user_id) != 0)) { && (user_busy (user_name, user_id) != 0)) {
exit (E_USER_BUSY); exit (E_USER_BUSY);
} }
@ -2121,7 +2159,11 @@ int main (int argc, char **argv)
*/ */
open_files (); open_files ();
if ( cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg if ( cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
|| sflg || uflg || Uflg || vflg || Vflg || wflg || Wflg) { || sflg || uflg || Uflg
#ifdef ENABLE_SUBIDS
|| vflg || Vflg || wflg || Wflg
#endif /* ENABLE_SUBIDS */
) {
usr_update (); usr_update ();
} }
if (Gflg || lflg) { if (Gflg || lflg) {
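Review bot: The option string in the getopt_long call (hunk at @ -982,22 +1000,26) is now assembled from three adjacent string literals split by preprocessor conditionals, with `, long_options, NULL` starting a line of its own after the last `#endif`; that reads oddly and is easy to break when the next conditional option is added. Declaring the string once next to long_options and passing it by name keeps the conditionals while restoring a normal call. Dropping `v:w:V:W:` from the short string together with the four long_options entries means a build without subordinate IDs rejects those options at parse time instead of silently accepting them, which is the right failure mode; a comment on the `#ifdef ENABLE_SUBIDS` inside the string, `/* subordinate-ID options are unknown to getopt when disabled */`, would make that intent explicit. This file is inferred to be src/usermod.c; process_flags starts and ends outside the hunk.
```c
	static const char optstring[] =
		"ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
#ifdef ENABLE_SUBIDS
		"v:w:V:W:"	/* subordinate-ID options are unknown to getopt when disabled */
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
		"Z:"
#endif /* WITH_SELINUX */
		;
	/* … unchanged: long_options table … */
	while ((c = getopt_long (argc, argv, optstring, long_options, NULL)) != -1) {
```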