Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids / --disable-subordinate-ids. Enabled by default. * lib/prototypes.h: Include <config.h> before using its macros. * lib/commonio.h, lib/commonio.c: Define commonio_append only when ENABLE_SUBIDS is defined. * lib/prototypes.h, libmisc/find_new_sub_gids.c, libmisc/find_new_sub_uids.c: Likewise. * lib/subordinateio.h, lib/subordinateio.c: Likewise. * libmisc/user_busy.c: Only check if subordinate IDs are in use if ENABLE_SUBIDS is defined. * src/Makefile.am: Create newgidmap and newuidmap only if ENABLE_SUBIDS is defined. * src/newusers.c: Check for ENABLE_SUBIDS to enable support for subordinate IDs. * src/useradd.c: Likewise. * src/userdel.c: Likewise. * src/usermod.c: Likewise. * man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1, man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined. * man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1, man5/subgid.5, and man5/subuid.5 (not translated yet). * man/generate_mans.mak: Add xsltproc conditionals subids/no_subids. * man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids condition. * man/login.defs.d/SUB_UID_COUNT.xml: Likewise. * man/usermod.8.xml: Document options for subordinate IDs and reference subgid(5) / subuid(5) depending on the subids condition.
This commit is contained in:
parent
1fb1486c8a
commit
d611d54ed4
31
ChangeLog
31
ChangeLog
@ -1,3 +1,34 @@
2013-08-11 Nicolas François <nicolas.francois@centraliens.net>
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-09 Nicolas François <nicolas.francois@centraliens.net>
2013-08-09 Nicolas François <nicolas.francois@centraliens.net>
* libmisc/salt.c: Remove unused variable.
* libmisc/salt.c: Remove unused variable.
17
configure.in
17
configure.in
@ -240,6 +240,13 @@ AC_ARG_ENABLE(utmpx,
[enable_utmpx="no"]
[enable_utmpx="no"]
)
)
AC_ARG_ENABLE(subordinate-ids,
[AC_HELP_STRING([--enable-subordinate-ids],
[support subordinate ids @<:@default=yes@:>@])],
[enable_subids="${enableval}"],
[enable_subids="yes"]
)
AC_ARG_WITH(audit,
AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe])
[with_audit=$withval], [with_audit=maybe])
@ -324,6 +331,15 @@ if test "$enable_man" = "yes"; then
fi
fi
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
if test "$enable_subids" = "yes"; then
dnl
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
dnl
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
enable_subids="yes"
fi
AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
AC_SUBST(LIBCRYPT)
AC_SUBST(LIBCRYPT)
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
[AC_MSG_ERROR([crypt() not found])])
[AC_MSG_ERROR([crypt() not found])])
@ -649,4 +665,5 @@ echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
echo " nscd support: $with_nscd"
echo " subordinate IDs support: $enable_subids"
echo
echo
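Review bot: The `AC_DEFINE` guard and the `AM_CONDITIONAL` disagree on what counts as enabled: ENABLE_SUBIDS goes into config.h only when `$enable_subids` is exactly `yes`, whereas the Automake conditional is true for anything other than `no`. A user passing `--enable-subordinate-ids=maybe` (or any other stray value) would therefore get newuidmap/newgidmap and the subid man pages built and installed while subordinateio.c and the find_new_sub_*.c files compile to their empty `#else` stubs. Testing the same condition in both places, e.g. `AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" = "xyes")`, removes the mismatch; the `enable_subids="yes"` assignment inside the `if` body is then also unnecessary, since that branch only runs when the value is already `yes`.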
@ -1113,6 +1113,7 @@ int commonio_update (struct commonio_db *db, const void *eptr)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
int commonio_append (struct commonio_db *db, const void *eptr)
|
int commonio_append (struct commonio_db *db, const void *eptr)
|
||||||
{
|
{
|
||||||
struct commonio_entry *p;
|
struct commonio_entry *p;
|
||||||
@ -1143,6 +1144,7 @@ int commonio_append (struct commonio_db *db, const void *eptr)
|
|||||||
db->changed = true;
|
db->changed = true;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p)
|
void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p)
|
||||||
{
|
{
|
||||||
|
@ -146,7 +146,9 @@ extern int commonio_lock_nowait (struct commonio_db *, bool log);
|
|||||||
extern int commonio_open (struct commonio_db *, int);
|
extern int commonio_open (struct commonio_db *, int);
|
||||||
extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
|
extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
|
||||||
extern int commonio_update (struct commonio_db *, const void *);
|
extern int commonio_update (struct commonio_db *, const void *);
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
extern int commonio_append (struct commonio_db *, const void *);
|
extern int commonio_append (struct commonio_db *, const void *);
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
extern int commonio_remove (struct commonio_db *, const char *);
|
extern int commonio_remove (struct commonio_db *, const char *);
|
||||||
extern int commonio_rewind (struct commonio_db *);
|
extern int commonio_rewind (struct commonio_db *);
|
||||||
extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
|
extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
|
||||||
|
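Review bot: The new `#ifdef ENABLE_SUBIDS` around the commonio_append prototype depends on <config.h> having been included before commonio.h, but unlike prototypes.h and subordinateio.h, which this commit gives an explicit `#include <config.h>`, nothing in this hunk shows commonio.h including it (it may do so above the hunk — not visible here). A translation unit that includes commonio.h without config.h first would see no prototype while commonio.c still defines the function, so a call would compile as an implicit declaration instead of failing cleanly at the prototype. If the include is indeed missing, add `#include <config.h>` near the top of commonio.h so the guard is self-contained, mirroring the other two headers.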
@ -42,6 +42,8 @@
|
|||||||
#ifndef _PROTOTYPES_H
|
#ifndef _PROTOTYPES_H
|
||||||
#define _PROTOTYPES_H
|
#define _PROTOTYPES_H
|
||||||
|
|
||||||
|
#include <config.h>
|
||||||
|
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#ifdef USE_UTMPX
|
#ifdef USE_UTMPX
|
||||||
#include <utmpx.h>
|
#include <utmpx.h>
|
||||||
@ -149,6 +151,7 @@ extern int find_new_uid (bool sys_user,
|
|||||||
uid_t *uid,
|
uid_t *uid,
|
||||||
/*@null@*/uid_t const *preferred_uid);
|
/*@null@*/uid_t const *preferred_uid);
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
/* find_new_sub_gids.c */
|
/* find_new_sub_gids.c */
|
||||||
extern int find_new_sub_gids (const char *owner,
|
extern int find_new_sub_gids (const char *owner,
|
||||||
gid_t *range_start, unsigned long *range_count);
|
gid_t *range_start, unsigned long *range_count);
|
||||||
@ -156,6 +159,7 @@ extern int find_new_sub_gids (const char *owner,
|
|||||||
/* find_new_sub_uids.c */
|
/* find_new_sub_uids.c */
|
||||||
extern int find_new_sub_uids (const char *owner,
|
extern int find_new_sub_uids (const char *owner,
|
||||||
uid_t *range_start, unsigned long *range_count);
|
uid_t *range_start, unsigned long *range_count);
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
|
|
||||||
/* get_gid.c */
|
/* get_gid.c */
|
||||||
|
@ -3,6 +3,9 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
|
||||||
#include "prototypes.h"
|
#include "prototypes.h"
|
||||||
#include "defines.h"
|
#include "defines.h"
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -507,3 +510,7 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
|
|||||||
start = find_free_range (&subordinate_gid_db, min, max, count);
|
start = find_free_range (&subordinate_gid_db, min, max, count);
|
||||||
return start == ULONG_MAX ? (gid_t) -1 : start;
|
return start == ULONG_MAX ? (gid_t) -1 : start;
|
||||||
}
|
}
|
||||||
|
#else /* !ENABLE_SUBIDS */
|
||||||
|
extern int errno; /* warning: ANSI C forbids an empty source file */
|
||||||
|
#endif /* !ENABLE_SUBIDS */
|
||||||
|
|
||||||
|
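Review bot: The `extern int errno;` stub in the `#else` branch is a risky way to keep the translation unit non-empty: C leaves it unspecified whether errno is a macro or an identifier with external linkage, and on glibc it is a macro, so the line either declares a name the program should not be declaring or, if <errno.h> is visible through config.h, expands into an unrelated declaration. A declaration that cannot collide with the C library, e.g. `extern int ISO_C_forbids_an_empty_translation_unit;`, serves the same purpose, and the cleaner option is to leave these sources out of the library under the new ENABLE_SUBIDS Automake conditional so no stub is needed at all. The same construct appears in libmisc/find_new_sub_gids.c and libmisc/find_new_sub_uids.c.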
@ -5,6 +5,10 @@
|
|||||||
#ifndef _SUBORDINATEIO_H
|
#ifndef _SUBORDINATEIO_H
|
||||||
#define _SUBORDINATEIO_H
|
#define _SUBORDINATEIO_H
|
||||||
|
|
||||||
|
#include <config.h>
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
extern int sub_uid_close(void);
|
extern int sub_uid_close(void);
|
||||||
@ -34,5 +38,6 @@ extern int sub_gid_unlock (void);
|
|||||||
extern int sub_gid_add (const char *owner, gid_t start, unsigned long count);
|
extern int sub_gid_add (const char *owner, gid_t start, unsigned long count);
|
||||||
extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count);
|
extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count);
|
||||||
extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);
|
extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
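Review bot: The declaration `extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);` kept as context in this hunk disagrees with the definition, which the hunk header in subordinateio.c shows as `gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)`. It only compiles because uid_t and gid_t share the same underlying type on glibc; since the commit already touches this header, the return type could be corrected to `gid_t` at the same time. Placing the new `#include <config.h>` before the `#ifdef ENABLE_SUBIDS` is the right order and matches what prototypes.h now does.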
@ -28,6 +28,8 @@
|
|||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
@ -86,4 +88,7 @@ int find_new_sub_gids (const char *owner,
|
|||||||
*range_count = count;
|
*range_count = count;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
#else /* !ENABLE_SUBIDS */
|
||||||
|
extern int errno; /* warning: ANSI C forbids an empty source file */
|
||||||
|
#endif /* !ENABLE_SUBIDS */
|
||||||
|
|
||||||
|
@ -28,6 +28,8 @@
|
|||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
@ -86,4 +88,7 @@ int find_new_sub_uids (const char *owner,
|
|||||||
*range_count = count;
|
*range_count = count;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
#else /* !ENABLE_SUBIDS */
|
||||||
|
extern int errno; /* warning: ANSI C forbids an empty source file */
|
||||||
|
#endif /* !ENABLE_SUBIDS */
|
||||||
|
|
||||||
|
@ -41,7 +41,9 @@
|
|||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include "defines.h"
|
#include "defines.h"
|
||||||
#include "prototypes.h"
|
#include "prototypes.h"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#include "subordinateio.h"
|
#include "subordinateio.h"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#ifdef __linux__
|
#ifdef __linux__
|
||||||
static int check_status (const char *name, const char *sname, uid_t uid);
|
static int check_status (const char *name, const char *sname, uid_t uid);
|
||||||
@ -128,9 +130,12 @@ static int check_status (const char *name, const char *sname, uid_t uid)
|
|||||||
if ( (ruid == (unsigned long) uid)
|
if ( (ruid == (unsigned long) uid)
|
||||||
|| (euid == (unsigned long) uid)
|
|| (euid == (unsigned long) uid)
|
||||||
|| (suid == (unsigned long) uid)
|
|| (suid == (unsigned long) uid)
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|| have_sub_uids(name, ruid, 1)
|
|| have_sub_uids(name, ruid, 1)
|
||||||
|| have_sub_uids(name, euid, 1)
|
|| have_sub_uids(name, euid, 1)
|
||||||
|| have_sub_uids(name, suid, 1)) {
|
|| have_sub_uids(name, suid, 1)
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
) {
|
||||||
(void) fclose (sfile);
|
(void) fclose (sfile);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -158,7 +163,9 @@ static int user_busy_processes (const char *name, uid_t uid)
|
|||||||
struct stat sbroot;
|
struct stat sbroot;
|
||||||
struct stat sbroot_process;
|
struct stat sbroot_process;
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
sub_uid_open (O_RDONLY);
|
sub_uid_open (O_RDONLY);
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
proc = opendir ("/proc");
|
proc = opendir ("/proc");
|
||||||
if (proc == NULL) {
|
if (proc == NULL) {
|
||||||
@ -238,7 +245,9 @@ static int user_busy_processes (const char *name, uid_t uid)
|
|||||||
}
|
}
|
||||||
|
|
||||||
(void) closedir (proc);
|
(void) closedir (proc);
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
sub_uid_close();
|
sub_uid_close();
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* __linux__ */
|
#endif /* __linux__ */
|
||||||
|
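Review bot: `sub_uid_open (O_RDONLY);` inside the new `#ifdef ENABLE_SUBIDS` block still discards its return value, so if the subordinate-uid database cannot be opened the have_sub_uids() checks in check_status presumably see no entries (verify against subordinateio.c) and a user whose subordinate UIDs are still in use by running processes is reported as not busy. At minimum the failure should be logged, e.g. `if (sub_uid_open (O_RDONLY) == 0) { /* log; decide whether to fail closed */ }`; whether to treat the user as busy in that case depends on whether a missing subuid file is an expected state on this path, which is not visible here. Separately, `sub_uid_close();` runs only on the `return 0` path shown; if user_busy_processes has an earlier busy-return inside the /proc loop (its body is outside the hunk), the database is left open there.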
@ -30,9 +30,7 @@ man_MANS = \
|
|||||||
man1/login.1 \
|
man1/login.1 \
|
||||||
man5/login.defs.5 \
|
man5/login.defs.5 \
|
||||||
man8/logoutd.8 \
|
man8/logoutd.8 \
|
||||||
man1/newgidmap.1 \
|
|
||||||
man1/newgrp.1 \
|
man1/newgrp.1 \
|
||||||
man1/newuidmap.1 \
|
|
||||||
man8/newusers.8 \
|
man8/newusers.8 \
|
||||||
man8/nologin.8 \
|
man8/nologin.8 \
|
||||||
man1/passwd.1 \
|
man1/passwd.1 \
|
||||||
@ -45,8 +43,6 @@ man_MANS = \
|
|||||||
man5/shadow.5 \
|
man5/shadow.5 \
|
||||||
man1/su.1 \
|
man1/su.1 \
|
||||||
man5/suauth.5 \
|
man5/suauth.5 \
|
||||||
man5/subgid.5 \
|
|
||||||
man5/subuid.5 \
|
|
||||||
man8/useradd.8 \
|
man8/useradd.8 \
|
||||||
man8/userdel.8 \
|
man8/userdel.8 \
|
||||||
man8/usermod.8 \
|
man8/usermod.8 \
|
||||||
@ -62,6 +58,16 @@ if !USE_PAM
|
|||||||
man_MANS += $(man_nopam)
|
man_MANS += $(man_nopam)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
man_subids = \
|
||||||
|
man1/newgidmap.1 \
|
||||||
|
man1/newuidmap.1 \
|
||||||
|
man5/subgid.5 \
|
||||||
|
man5/subuid.5
|
||||||
|
|
||||||
|
if ENABLE_SUBIDS
|
||||||
|
man_MANS += $(man_subids)
|
||||||
|
endif
|
||||||
|
|
||||||
man_XMANS = \
|
man_XMANS = \
|
||||||
chage.1.xml \
|
chage.1.xml \
|
||||||
chfn.1.xml \
|
chfn.1.xml \
|
||||||
@ -187,6 +193,10 @@ if USE_PAM
|
|||||||
EXTRA_DIST += $(man_nopam)
|
EXTRA_DIST += $(man_nopam)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
if !ENABLE_SUBIDS
|
||||||
|
EXTRA_DIST += $(man_subids)
|
||||||
|
endif
|
||||||
|
|
||||||
generate_mans.deps: *.xml
|
generate_mans.deps: *.xml
|
||||||
echo "# This file is generated" > $@
|
echo "# This file is generated" > $@
|
||||||
awk 'BEGIN{FS="\"";} /^<!ENTITY .* * SYSTEM ".*">$$/{ f=FILENAME; sub(/.xml/,"",f); print "man" substr(f, length (f)) "/" f ": " $$2 }' $(man_XMANS) >> $@
|
awk 'BEGIN{FS="\"";} /^<!ENTITY .* * SYSTEM ".*">$$/{ f=FILENAME; sub(/.xml/,"",f); print "man" substr(f, length (f)) "/" f ": " $$2 }' $(man_XMANS) >> $@
|
||||||
|
@ -53,6 +53,16 @@ if !USE_PAM
|
|||||||
man_MANS += $(man_nopam)
|
man_MANS += $(man_nopam)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
man_subids = \
|
||||||
|
man1/newgidmap.1 \
|
||||||
|
man1/newuidmap.1 \
|
||||||
|
man5/subgid.5 \
|
||||||
|
man5/subuid.5
|
||||||
|
|
||||||
|
if ENABLE_SUBIDS
|
||||||
|
man_MANS += $(man_subids)
|
||||||
|
endif
|
||||||
|
|
||||||
EXTRA_DIST = \
|
EXTRA_DIST = \
|
||||||
$(man_MANS) \
|
$(man_MANS) \
|
||||||
man1/id.1 \
|
man1/id.1 \
|
||||||
@ -62,5 +72,9 @@ if USE_PAM
|
|||||||
EXTRA_DIST += $(man_nopam)
|
EXTRA_DIST += $(man_nopam)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
if !ENABLE_SUBIDS
|
||||||
|
EXTRA_DIST += $(man_subids)
|
||||||
|
endif
|
||||||
|
|
||||||
include ../generate_translations.mak
|
include ../generate_translations.mak
|
||||||
|
|
||||||
|
@ -20,6 +20,12 @@ else
|
|||||||
SHA_CRYPT_COND=no_sha_crypt
|
SHA_CRYPT_COND=no_sha_crypt
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
if ENABLE_SUBIDS
|
||||||
|
SUBIDS_COND=subids
|
||||||
|
else
|
||||||
|
SUBIDS_COND=no_subids
|
||||||
|
endif
|
||||||
|
|
||||||
if ENABLE_REGENERATE_MAN
|
if ENABLE_REGENERATE_MAN
|
||||||
%.xml-config: %.xml
|
%.xml-config: %.xml
|
||||||
if grep -q SHADOW-CONFIG-HERE $<; then \
|
if grep -q SHADOW-CONFIG-HERE $<; then \
|
||||||
@ -29,7 +35,7 @@ if ENABLE_REGENERATE_MAN
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
|
man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
|
||||||
$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND)" \
|
$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(SUBIDS_COND)" \
|
||||||
--param "man.authors.section.enabled" "0" \
|
--param "man.authors.section.enabled" "0" \
|
||||||
--stringparam "man.output.base.dir" "" \
|
--stringparam "man.output.base.dir" "" \
|
||||||
--param "man.output.in.separate.dir" "1" \
|
--param "man.output.in.separate.dir" "1" \
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
-->
|
-->
|
||||||
<varlistentry>
|
<varlistentry condition="subids">
|
||||||
<term><option>SUB_GID_MIN</option> (number)</term>
|
<term><option>SUB_GID_MIN</option> (number)</term>
|
||||||
<term><option>SUB_GID_MAX</option> (number)</term>
|
<term><option>SUB_GID_MAX</option> (number)</term>
|
||||||
<term><option>SUB_GID_COUNT</option> (number)</term>
|
<term><option>SUB_GID_COUNT</option> (number)</term>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
-->
|
-->
|
||||||
<varlistentry>
|
<varlistentry condition="subids">
|
||||||
<term><option>SUB_UID_MIN</option> (number)</term>
|
<term><option>SUB_UID_MIN</option> (number)</term>
|
||||||
<term><option>SUB_UID_MAX</option> (number)</term>
|
<term><option>SUB_UID_MAX</option> (number)</term>
|
||||||
<term><option>SUB_UID_COUNT</option> (number)</term>
|
<term><option>SUB_UID_COUNT</option> (number)</term>
|
||||||
|
@ -389,7 +389,7 @@
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry condition="subids">
|
||||||
<term>
|
<term>
|
||||||
<option>-v</option>, <option>--add-sub-uids</option>
|
<option>-v</option>, <option>--add-sub-uids</option>
|
||||||
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
||||||
@ -408,7 +408,7 @@
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry condition="subids">
|
||||||
<term>
|
<term>
|
||||||
<option>-V</option>, <option>--del-sub-uids</option>
|
<option>-V</option>, <option>--del-sub-uids</option>
|
||||||
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
||||||
@ -429,7 +429,7 @@
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry condition="subids">
|
||||||
<term>
|
<term>
|
||||||
<option>-w</option>, <option>--add-sub-gids</option>
|
<option>-w</option>, <option>--add-sub-gids</option>
|
||||||
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
||||||
@ -448,7 +448,7 @@
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry condition="subids">
|
||||||
<term>
|
<term>
|
||||||
<option>-W</option>, <option>--del-sub-gids</option>
|
<option>-W</option>, <option>--del-sub-gids</option>
|
||||||
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
|
||||||
@ -588,12 +588,14 @@
|
|||||||
<citerefentry>
|
<citerefentry>
|
||||||
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
||||||
</citerefentry>,
|
</citerefentry>,
|
||||||
<citerefentry>
|
<phrase condition="subids">
|
||||||
<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
|
<citerefentry>
|
||||||
</citerefentry>,
|
<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
|
||||||
<citerefentry>
|
</citerefentry>,
|
||||||
<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
|
<citerefentry>
|
||||||
</citerefentry>,
|
<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
|
||||||
|
</citerefentry>,
|
||||||
|
</phrase>
|
||||||
<citerefentry>
|
<citerefentry>
|
||||||
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
|
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
|
||||||
</citerefentry>,
|
</citerefentry>,
|
||||||
|
@ -24,8 +24,10 @@ INCLUDES = \
|
|||||||
|
|
||||||
bin_PROGRAMS = groups login su
|
bin_PROGRAMS = groups login su
|
||||||
sbin_PROGRAMS = nologin
|
sbin_PROGRAMS = nologin
|
||||||
ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd \
|
ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
|
||||||
newgidmap newuidmap
|
if ENABLE_SUBIDS
|
||||||
|
ubin_PROGRAMS += newgidmap newuidmap
|
||||||
|
endif
|
||||||
usbin_PROGRAMS = \
|
usbin_PROGRAMS = \
|
||||||
chgpasswd \
|
chgpasswd \
|
||||||
chpasswd \
|
chpasswd \
|
||||||
|
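Review bot: newgidmap and newuidmap are now only added to `ubin_PROGRAMS` under `if ENABLE_SUBIDS`, but any install hook in this Makefile.am that sets the setuid bit on the installed helpers (not visible in this hunk) must carry the same guard, or the list it iterates must be derived from the conditional too; otherwise `make install` with --disable-subordinate-ids acts on binaries that were never built. Keeping a single conditional variable, e.g. `if ENABLE_SUBIDS` / `subids_ubins = newgidmap newuidmap` / `endif`, and referencing it both in `ubin_PROGRAMS` and in the install step prevents the two lists from drifting apart.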
@ -65,7 +65,9 @@
|
|||||||
#include "pwio.h"
|
#include "pwio.h"
|
||||||
#include "sgroupio.h"
|
#include "sgroupio.h"
|
||||||
#include "shadowio.h"
|
#include "shadowio.h"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#include "subordinateio.h"
|
#include "subordinateio.h"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#include "chkname.h"
|
#include "chkname.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -83,8 +85,6 @@ static long sha_rounds = 5000;
|
|||||||
#endif /* USE_SHA_CRYPT */
|
#endif /* USE_SHA_CRYPT */
|
||||||
#endif /* !USE_PAM */
|
#endif /* !USE_PAM */
|
||||||
|
|
||||||
static bool is_sub_uid = false;
|
|
||||||
static bool is_sub_gid = false;
|
|
||||||
static bool is_shadow;
|
static bool is_shadow;
|
||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
static bool is_shadow_grp;
|
static bool is_shadow_grp;
|
||||||
@ -93,8 +93,12 @@ static bool sgr_locked = false;
|
|||||||
static bool pw_locked = false;
|
static bool pw_locked = false;
|
||||||
static bool gr_locked = false;
|
static bool gr_locked = false;
|
||||||
static bool spw_locked = false;
|
static bool spw_locked = false;
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
static bool is_sub_uid = false;
|
||||||
|
static bool is_sub_gid = false;
|
||||||
static bool sub_uid_locked = false;
|
static bool sub_uid_locked = false;
|
||||||
static bool sub_gid_locked = false;
|
static bool sub_gid_locked = false;
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/* local function prototypes */
|
/* local function prototypes */
|
||||||
static void usage (int status);
|
static void usage (int status);
|
||||||
@ -183,6 +187,7 @@ static void fail_exit (int code)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (sub_uid_locked) {
|
if (sub_uid_locked) {
|
||||||
if (sub_uid_unlock () == 0) {
|
if (sub_uid_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -197,6 +202,7 @@ static void fail_exit (int code)
|
|||||||
/* continue */
|
/* continue */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
exit (code);
|
exit (code);
|
||||||
}
|
}
|
||||||
@ -778,6 +784,7 @@ static void open_files (void)
|
|||||||
sgr_locked = true;
|
sgr_locked = true;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_lock () == 0) {
|
if (sub_uid_lock () == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -796,6 +803,7 @@ static void open_files (void)
|
|||||||
}
|
}
|
||||||
sub_gid_locked = true;
|
sub_gid_locked = true;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
if (pw_open (O_RDWR) == 0) {
|
if (pw_open (O_RDWR) == 0) {
|
||||||
fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
|
fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
|
||||||
@ -815,6 +823,7 @@ static void open_files (void)
|
|||||||
fail_exit (EXIT_FAILURE);
|
fail_exit (EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_open (O_RDWR) == 0) {
|
if (sub_uid_open (O_RDWR) == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -831,6 +840,7 @@ static void open_files (void)
|
|||||||
fail_exit (EXIT_FAILURE);
|
fail_exit (EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -875,6 +885,7 @@ static void close_files (void)
|
|||||||
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
|
||||||
fail_exit (EXIT_FAILURE);
|
fail_exit (EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid && (sub_uid_close () == 0)) {
|
if (is_sub_uid && (sub_uid_close () == 0)) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -887,6 +898,7 @@ static void close_files (void)
|
|||||||
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
|
||||||
fail_exit (EXIT_FAILURE);
|
fail_exit (EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
if (gr_unlock () == 0) {
|
if (gr_unlock () == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -916,6 +928,7 @@ static void close_files (void)
|
|||||||
sgr_locked = false;
|
sgr_locked = false;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_unlock () == 0) {
|
if (sub_uid_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -932,6 +945,7 @@ static void close_files (void)
|
|||||||
}
|
}
|
||||||
sub_gid_locked = false;
|
sub_gid_locked = false;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
int main (int argc, char **argv)
|
int main (int argc, char **argv)
|
||||||
@ -973,8 +987,10 @@ int main (int argc, char **argv)
|
|||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
is_shadow_grp = sgr_file_present ();
|
is_shadow_grp = sgr_file_present ();
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
is_sub_uid = sub_uid_file_present ();
|
is_sub_uid = sub_uid_file_present ();
|
||||||
is_sub_gid = sub_gid_file_present ();
|
is_sub_gid = sub_gid_file_present ();
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
open_files ();
|
open_files ();
|
||||||
|
|
||||||
@ -1156,6 +1172,7 @@ int main (int argc, char **argv)
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
/*
|
/*
|
||||||
* Add subordinate uids if the user does not have them.
|
* Add subordinate uids if the user does not have them.
|
||||||
*/
|
*/
|
||||||
@ -1195,6 +1212,7 @@ int main (int argc, char **argv)
|
|||||||
errors++;
|
errors++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -65,7 +65,9 @@
|
|||||||
#include "sgroupio.h"
|
#include "sgroupio.h"
|
||||||
#endif
|
#endif
|
||||||
#include "shadowio.h"
|
#include "shadowio.h"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#include "subordinateio.h"
|
#include "subordinateio.h"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_TCB
|
#ifdef WITH_TCB
|
||||||
#include "tcbfuncs.h"
|
#include "tcbfuncs.h"
|
||||||
#endif
|
#endif
|
||||||
@ -122,20 +124,22 @@ static bool is_shadow_pwd;
|
|||||||
static bool is_shadow_grp;
|
static bool is_shadow_grp;
|
||||||
static bool sgr_locked = false;
|
static bool sgr_locked = false;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
static bool is_sub_uid = false;
|
static bool is_sub_uid = false;
|
||||||
static bool is_sub_gid = false;
|
static bool is_sub_gid = false;
|
||||||
static bool pw_locked = false;
|
|
||||||
static bool gr_locked = false;
|
|
||||||
static bool spw_locked = false;
|
|
||||||
static bool sub_uid_locked = false;
|
static bool sub_uid_locked = false;
|
||||||
static bool sub_gid_locked = false;
|
static bool sub_gid_locked = false;
|
||||||
static char **user_groups; /* NULL-terminated list */
|
|
||||||
static long sys_ngroups;
|
|
||||||
static bool do_grp_update = false; /* group files need to be updated */
|
|
||||||
static uid_t sub_uid_start; /* New subordinate uid range */
|
static uid_t sub_uid_start; /* New subordinate uid range */
|
||||||
static unsigned long sub_uid_count;
|
static unsigned long sub_uid_count;
|
||||||
static gid_t sub_gid_start; /* New subordinate gid range */
|
static gid_t sub_gid_start; /* New subordinate gid range */
|
||||||
static unsigned long sub_gid_count;
|
static unsigned long sub_gid_count;
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
static bool pw_locked = false;
|
||||||
|
static bool gr_locked = false;
|
||||||
|
static bool spw_locked = false;
|
||||||
|
static char **user_groups; /* NULL-terminated list */
|
||||||
|
static long sys_ngroups;
|
||||||
|
static bool do_grp_update = false; /* group files need to be updated */
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
bflg = false, /* new default root of home directory */
|
bflg = false, /* new default root of home directory */
|
||||||
@ -177,8 +181,10 @@ static bool home_added = false;
|
|||||||
#define E_GRP_UPDATE 10 /* can't update group file */
|
#define E_GRP_UPDATE 10 /* can't update group file */
|
||||||
#define E_HOMEDIR 12 /* can't create home directory */
|
#define E_HOMEDIR 12 /* can't create home directory */
|
||||||
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
|
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
||||||
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
|
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#define DGROUP "GROUP="
|
#define DGROUP "GROUP="
|
||||||
#define DHOME "HOME="
|
#define DHOME "HOME="
|
||||||
@ -279,6 +285,7 @@ static void fail_exit (int code)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (sub_uid_locked) {
|
if (sub_uid_locked) {
|
||||||
if (sub_uid_unlock () == 0) {
|
if (sub_uid_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -305,6 +312,7 @@ static void fail_exit (int code)
|
|||||||
/* continue */
|
/* continue */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_ADD_USER, Prog,
|
audit_logger (AUDIT_ADD_USER, Prog,
|
||||||
@ -1415,6 +1423,7 @@ static void close_files (void)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid && (sub_uid_close () == 0)) {
|
if (is_sub_uid && (sub_uid_close () == 0)) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -1427,6 +1436,7 @@ static void close_files (void)
|
|||||||
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
|
||||||
fail_exit (E_SUB_GID_UPDATE);
|
fail_exit (E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
if (is_shadow_pwd) {
|
if (is_shadow_pwd) {
|
||||||
if (spw_unlock () == 0) {
|
if (spw_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
|
||||||
@ -1481,6 +1491,7 @@ static void close_files (void)
|
|||||||
sgr_locked = false;
|
sgr_locked = false;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_unlock () == 0) {
|
if (sub_uid_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -1509,6 +1520,7 @@ static void close_files (void)
|
|||||||
}
|
}
|
||||||
sub_gid_locked = false;
|
sub_gid_locked = false;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1563,6 +1575,7 @@ static void open_files (void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_lock () == 0) {
|
if (sub_uid_lock () == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -1593,6 +1606,7 @@ static void open_files (void)
|
|||||||
fail_exit (E_SUB_GID_UPDATE);
|
fail_exit (E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
static void open_shadow (void)
|
static void open_shadow (void)
|
||||||
@ -1839,6 +1853,7 @@ static void usr_update (void)
|
|||||||
#endif
|
#endif
|
||||||
fail_exit (E_PW_UPDATE);
|
fail_exit (E_PW_UPDATE);
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid &&
|
if (is_sub_uid &&
|
||||||
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
|
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -1853,6 +1868,7 @@ static void usr_update (void)
|
|||||||
Prog, sub_uid_dbname ());
|
Prog, sub_uid_dbname ());
|
||||||
fail_exit (E_SUB_GID_UPDATE);
|
fail_exit (E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_ADD_USER, Prog,
|
audit_logger (AUDIT_ADD_USER, Prog,
|
||||||
@ -2005,8 +2021,10 @@ int main (int argc, char **argv)
|
|||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
is_shadow_grp = sgr_file_present ();
|
is_shadow_grp = sgr_file_present ();
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
is_sub_uid = sub_uid_file_present ();
|
is_sub_uid = sub_uid_file_present ();
|
||||||
is_sub_gid = sub_gid_file_present ();
|
is_sub_gid = sub_gid_file_present ();
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
get_defaults ();
|
get_defaults ();
|
||||||
|
|
||||||
@ -2157,6 +2175,7 @@ int main (int argc, char **argv)
|
|||||||
grp_add ();
|
grp_add ();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
|
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -2173,6 +2192,8 @@ int main (int argc, char **argv)
|
|||||||
fail_exit(E_SUB_GID_UPDATE);
|
fail_exit(E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
usr_update ();
|
usr_update ();
|
||||||
|
|
||||||
if (mflg) {
|
if (mflg) {
|
||||||
|
@ -65,7 +65,9 @@
|
|||||||
#endif /* WITH_TCB */
|
#endif /* WITH_TCB */
|
||||||
/*@-exitarg@*/
|
/*@-exitarg@*/
|
||||||
#include "exitcodes.h"
|
#include "exitcodes.h"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#include "subordinateio.h"
|
#include "subordinateio.h"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* exit status values
|
* exit status values
|
||||||
@ -76,8 +78,10 @@
|
|||||||
#define E_GRP_UPDATE 10 /* can't update group file */
|
#define E_GRP_UPDATE 10 /* can't update group file */
|
||||||
#define E_HOMEDIR 12 /* can't remove home directory */
|
#define E_HOMEDIR 12 /* can't remove home directory */
|
||||||
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
|
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
||||||
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
|
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Global variables
|
* Global variables
|
||||||
@ -99,13 +103,15 @@ static bool is_shadow_pwd;
|
|||||||
static bool is_shadow_grp;
|
static bool is_shadow_grp;
|
||||||
static bool sgr_locked = false;
|
static bool sgr_locked = false;
|
||||||
#endif /* SHADOWGRP */
|
#endif /* SHADOWGRP */
|
||||||
static bool is_sub_uid;
|
|
||||||
static bool is_sub_gid;
|
|
||||||
static bool pw_locked = false;
|
static bool pw_locked = false;
|
||||||
static bool gr_locked = false;
|
static bool gr_locked = false;
|
||||||
static bool spw_locked = false;
|
static bool spw_locked = false;
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
static bool is_sub_uid;
|
||||||
|
static bool is_sub_gid;
|
||||||
static bool sub_uid_locked = false;
|
static bool sub_uid_locked = false;
|
||||||
static bool sub_gid_locked = false;
|
static bool sub_gid_locked = false;
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/* local function prototypes */
|
/* local function prototypes */
|
||||||
static void usage (int status);
|
static void usage (int status);
|
||||||
@ -445,6 +451,7 @@ static void close_files (void)
|
|||||||
}
|
}
|
||||||
#endif /* SHADOWGRP */
|
#endif /* SHADOWGRP */
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_close () == 0) {
|
if (sub_uid_close () == 0) {
|
||||||
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -472,6 +479,7 @@ static void close_files (void)
|
|||||||
}
|
}
|
||||||
sub_gid_locked = false;
|
sub_gid_locked = false;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -509,6 +517,7 @@ static void fail_exit (int code)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* SHADOWGRP */
|
#endif /* SHADOWGRP */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (sub_uid_locked) {
|
if (sub_uid_locked) {
|
||||||
if (sub_uid_unlock () == 0) {
|
if (sub_uid_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -523,6 +532,7 @@ static void fail_exit (int code)
|
|||||||
/* continue */
|
/* continue */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_DEL_USER, Prog,
|
audit_logger (AUDIT_DEL_USER, Prog,
|
||||||
@ -644,6 +654,7 @@ static void open_files (void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* SHADOWGRP */
|
#endif /* SHADOWGRP */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid) {
|
if (is_sub_uid) {
|
||||||
if (sub_uid_lock () == 0) {
|
if (sub_uid_lock () == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -696,6 +707,7 @@ static void open_files (void)
|
|||||||
fail_exit (E_SUB_GID_UPDATE);
|
fail_exit (E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -720,6 +732,7 @@ static void update_user (void)
|
|||||||
Prog, user_name, spw_dbname ());
|
Prog, user_name, spw_dbname ());
|
||||||
fail_exit (E_PW_UPDATE);
|
fail_exit (E_PW_UPDATE);
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) {
|
if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
_("%s: cannot remove entry %lu from %s\n"),
|
_("%s: cannot remove entry %lu from %s\n"),
|
||||||
@ -732,6 +745,7 @@ static void update_user (void)
|
|||||||
Prog, (unsigned long)user_id, sub_gid_dbname ());
|
Prog, (unsigned long)user_id, sub_gid_dbname ());
|
||||||
fail_exit (E_SUB_GID_UPDATE);
|
fail_exit (E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_DEL_USER, Prog,
|
audit_logger (AUDIT_DEL_USER, Prog,
|
||||||
"deleting user entries",
|
"deleting user entries",
|
||||||
@ -1079,8 +1093,10 @@ int main (int argc, char **argv)
|
|||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
is_shadow_grp = sgr_file_present ();
|
is_shadow_grp = sgr_file_present ();
|
||||||
#endif /* SHADOWGRP */
|
#endif /* SHADOWGRP */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
is_sub_uid = sub_uid_file_present ();
|
is_sub_uid = sub_uid_file_present ();
|
||||||
is_sub_gid = sub_gid_file_present ();
|
is_sub_gid = sub_gid_file_present ();
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Start with a quick check to see if the user exists.
|
* Start with a quick check to see if the user exists.
|
||||||
|
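Review bot: With the new `#ifdef ENABLE_SUBIDS` guard around the `sub_uid_remove` and `sub_gid_remove` calls in `update_user` (hunk `-720,6 +732,7`), a build configured without subordinate IDs deletes the account but leaves any existing entries for that login name in the subordinate ID files untouched; since those entries are keyed by name, they would presumably apply to a later account created with the same name. That is an accepted consequence of the configure option, but nothing in this file says so, so I would add a comment after the new `#endif /* ENABLE_SUBIDS */` in `update_user`: `/* Without ENABLE_SUBIDS, existing subordinate ID entries for this user are left in place. */`. The body of `update_user` starts and ends outside the hunk. The file name is not in the visible section; it appears to be userdel.c from the `AUDIT_DEL_USER` calls.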
@ -63,7 +63,9 @@
|
|||||||
#include "sgroupio.h"
|
#include "sgroupio.h"
|
||||||
#endif
|
#endif
|
||||||
#include "shadowio.h"
|
#include "shadowio.h"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#include "subordinateio.h"
|
#include "subordinateio.h"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_TCB
|
#ifdef WITH_TCB
|
||||||
#include "tcbfuncs.h"
|
#include "tcbfuncs.h"
|
||||||
#endif
|
#endif
|
||||||
@ -87,9 +89,13 @@
|
|||||||
/* #define E_NOSPACE 11 insufficient space to move home dir */
|
/* #define E_NOSPACE 11 insufficient space to move home dir */
|
||||||
#define E_HOMEDIR 12 /* unable to complete home dir move */
|
#define E_HOMEDIR 12 /* unable to complete home dir move */
|
||||||
#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
|
#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
|
||||||
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
|
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Global variables
|
* Global variables
|
||||||
*/
|
*/
|
||||||
@ -135,12 +141,14 @@ static bool
|
|||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
Zflg = false, /* new selinux user */
|
Zflg = false, /* new selinux user */
|
||||||
#endif
|
#endif
|
||||||
uflg = false, /* specify new user ID */
|
#ifdef ENABLE_SUBIDS
|
||||||
Uflg = false, /* unlock the password */
|
|
||||||
vflg = false, /* add subordinate uids */
|
vflg = false, /* add subordinate uids */
|
||||||
Vflg = false, /* delete subordinate uids */
|
Vflg = false, /* delete subordinate uids */
|
||||||
wflg = false, /* add subordinate gids */
|
wflg = false, /* add subordinate gids */
|
||||||
Wflg = false; /* delete subordinate gids */
|
Wflg = false, /* delete subordinate gids */
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
uflg = false, /* specify new user ID */
|
||||||
|
Uflg = false; /* unlock the password */
|
||||||
|
|
||||||
static bool is_shadow_pwd;
|
static bool is_shadow_pwd;
|
||||||
|
|
||||||
@ -148,8 +156,10 @@ static bool is_shadow_pwd;
|
|||||||
static bool is_shadow_grp;
|
static bool is_shadow_grp;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
static bool is_sub_uid = false;
|
static bool is_sub_uid = false;
|
||||||
static bool is_sub_gid = false;
|
static bool is_sub_gid = false;
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
static bool pw_locked = false;
|
static bool pw_locked = false;
|
||||||
static bool spw_locked = false;
|
static bool spw_locked = false;
|
||||||
@ -157,8 +167,10 @@ static bool gr_locked = false;
|
|||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
static bool sgr_locked = false;
|
static bool sgr_locked = false;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
static bool sub_uid_locked = false;
|
static bool sub_uid_locked = false;
|
||||||
static bool sub_gid_locked = false;
|
static bool sub_gid_locked = false;
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
|
|
||||||
/* local function prototypes */
|
/* local function prototypes */
|
||||||
@ -314,6 +326,7 @@ static int get_groups (char *list)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
struct ulong_range
|
struct ulong_range
|
||||||
{
|
{
|
||||||
unsigned long first;
|
unsigned long first;
|
||||||
@ -376,6 +389,7 @@ static int prepend_range(const char *str, struct ulong_range_list_entry **head)
|
|||||||
*head = entry;
|
*head = entry;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* usage - display usage message and exit
|
* usage - display usage message and exit
|
||||||
@ -409,10 +423,12 @@ static /*@noreturn@*/void usage (int status)
|
|||||||
(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
|
(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
|
||||||
(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
|
(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
|
||||||
(void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
|
(void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
(void) fputs (_(" -v, --add-subuids FIRST-LAST add range of subordinate uids\n"), usageout);
|
(void) fputs (_(" -v, --add-subuids FIRST-LAST add range of subordinate uids\n"), usageout);
|
||||||
(void) fputs (_(" -V, --del-subuids FIRST-LAST remove range of subordinate uids\n"), usageout);
|
(void) fputs (_(" -V, --del-subuids FIRST-LAST remove range of subordinate uids\n"), usageout);
|
||||||
(void) fputs (_(" -w, --add-subgids FIRST-LAST add range of subordinate gids\n"), usageout);
|
(void) fputs (_(" -w, --add-subgids FIRST-LAST add range of subordinate gids\n"), usageout);
|
||||||
(void) fputs (_(" -W, --del-subgids FIRST-LAST remove range of subordinate gids\n"), usageout);
|
(void) fputs (_(" -W, --del-subgids FIRST-LAST remove range of subordinate gids\n"), usageout);
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
(void) fputs (_(" -Z, --selinux-user SEUSER new SELinux user mapping for the user account\n"), usageout);
|
(void) fputs (_(" -Z, --selinux-user SEUSER new SELinux user mapping for the user account\n"), usageout);
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
@ -669,6 +685,7 @@ static /*@noreturn@*/void fail_exit (int code)
|
|||||||
/* continue */
|
/* continue */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (sub_uid_locked) {
|
if (sub_uid_locked) {
|
||||||
if (sub_uid_unlock () == 0) {
|
if (sub_uid_unlock () == 0) {
|
||||||
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -683,6 +700,7 @@ static /*@noreturn@*/void fail_exit (int code)
|
|||||||
/* continue */
|
/* continue */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||||
@ -982,22 +1000,26 @@ static void process_flags (int argc, char **argv)
|
|||||||
{"shell", required_argument, NULL, 's'},
|
{"shell", required_argument, NULL, 's'},
|
||||||
{"uid", required_argument, NULL, 'u'},
|
{"uid", required_argument, NULL, 'u'},
|
||||||
{"unlock", no_argument, NULL, 'U'},
|
{"unlock", no_argument, NULL, 'U'},
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
{"add-subuids", required_argument, NULL, 'v'},
|
{"add-subuids", required_argument, NULL, 'v'},
|
||||||
{"del-subuids", required_argument, NULL, 'V'},
|
{"del-subuids", required_argument, NULL, 'V'},
|
||||||
{"add-subgids", required_argument, NULL, 'w'},
|
{"add-subgids", required_argument, NULL, 'w'},
|
||||||
{"del-subgids", required_argument, NULL, 'W'},
|
{"del-subgids", required_argument, NULL, 'W'},
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
{"selinux-user", required_argument, NULL, 'Z'},
|
{"selinux-user", required_argument, NULL, 'Z'},
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
{NULL, 0, NULL, '\0'}
|
{NULL, 0, NULL, '\0'}
|
||||||
};
|
};
|
||||||
while ((c = getopt_long (argc, argv,
|
while ((c = getopt_long (argc, argv,
|
||||||
|
"ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
"v:w:V:W:"
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
"ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:v:w:V:W:",
|
"Z:"
|
||||||
#else /* !WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
"ac:d:e:f:g:G:hl:Lmop:R:s:u:Uv:w:V:W:",
|
, long_options, NULL)) != -1) {
|
||||||
#endif /* !WITH_SELINUX */
|
|
||||||
long_options, NULL)) != -1) {
|
|
||||||
switch (c) {
|
switch (c) {
|
||||||
case 'a':
|
case 'a':
|
||||||
aflg = true;
|
aflg = true;
|
||||||
@ -1115,6 +1137,7 @@ static void process_flags (int argc, char **argv)
|
|||||||
case 'U':
|
case 'U':
|
||||||
Uflg = true;
|
Uflg = true;
|
||||||
break;
|
break;
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
case 'v':
|
case 'v':
|
||||||
if (prepend_range (optarg, &add_sub_uids) == 0) {
|
if (prepend_range (optarg, &add_sub_uids) == 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -1151,6 +1174,7 @@ static void process_flags (int argc, char **argv)
|
|||||||
}
|
}
|
||||||
Wflg = true;
|
Wflg = true;
|
||||||
break;
|
break;
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
case 'Z':
|
case 'Z':
|
||||||
if (is_selinux_enabled () > 0) {
|
if (is_selinux_enabled () > 0) {
|
||||||
@ -1303,7 +1327,9 @@ static void process_flags (int argc, char **argv)
|
|||||||
|
|
||||||
if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
|
if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
|
||||||
lflg || Gflg || gflg || fflg || eflg || dflg || cflg
|
lflg || Gflg || gflg || fflg || eflg || dflg || cflg
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|| vflg || Vflg || wflg || Wflg
|
|| vflg || Vflg || wflg || Wflg
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
|| Zflg
|
|| Zflg
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
@ -1435,6 +1461,7 @@ static void close_files (void)
|
|||||||
sgr_locked = false;
|
sgr_locked = false;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (vflg || Vflg) {
|
if (vflg || Vflg) {
|
||||||
if (!is_sub_uid || (sub_uid_close () == 0)) {
|
if (!is_sub_uid || (sub_uid_close () == 0)) {
|
||||||
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
||||||
@ -1461,6 +1488,7 @@ static void close_files (void)
|
|||||||
}
|
}
|
||||||
sub_gid_locked = false;
|
sub_gid_locked = false;
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Close the DBM and/or flat files
|
* Close the DBM and/or flat files
|
||||||
@ -1541,6 +1569,7 @@ static void open_files (void)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (vflg || Vflg) {
|
if (vflg || Vflg) {
|
||||||
if (!is_sub_uid || (sub_uid_lock () == 0)) {
|
if (!is_sub_uid || (sub_uid_lock () == 0)) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
@ -1571,6 +1600,7 @@ static void open_files (void)
|
|||||||
fail_exit (E_SUB_GID_UPDATE);
|
fail_exit (E_SUB_GID_UPDATE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1672,6 +1702,7 @@ static void usr_update (void)
|
|||||||
fail_exit (E_PW_UPDATE);
|
fail_exit (E_PW_UPDATE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
if (Vflg) {
|
if (Vflg) {
|
||||||
struct ulong_range_list_entry *ptr;
|
struct ulong_range_list_entry *ptr;
|
||||||
for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
|
for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
|
||||||
@ -1724,6 +1755,7 @@ static void usr_update (void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -2059,8 +2091,10 @@ int main (int argc, char **argv)
|
|||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
is_shadow_grp = sgr_file_present ();
|
is_shadow_grp = sgr_file_present ();
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
is_sub_uid = sub_uid_file_present ();
|
is_sub_uid = sub_uid_file_present ();
|
||||||
is_sub_gid = sub_gid_file_present ();
|
is_sub_gid = sub_gid_file_present ();
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
|
||||||
process_flags (argc, argv);
|
process_flags (argc, argv);
|
||||||
|
|
||||||
@ -2068,7 +2102,11 @@ int main (int argc, char **argv)
|
|||||||
* The home directory, the username and the user's UID should not
|
* The home directory, the username and the user's UID should not
|
||||||
* be changed while the user is logged in.
|
* be changed while the user is logged in.
|
||||||
*/
|
*/
|
||||||
if ( (uflg || lflg || dflg || Vflg || Wflg)
|
if ( (uflg || lflg || dflg
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
|| Vflg || Wflg
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
)
|
||||||
&& (user_busy (user_name, user_id) != 0)) {
|
&& (user_busy (user_name, user_id) != 0)) {
|
||||||
exit (E_USER_BUSY);
|
exit (E_USER_BUSY);
|
||||||
}
|
}
|
||||||
@ -2121,7 +2159,11 @@ int main (int argc, char **argv)
|
|||||||
*/
|
*/
|
||||||
open_files ();
|
open_files ();
|
||||||
if ( cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
|
if ( cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
|
||||||
|| sflg || uflg || Uflg || vflg || Vflg || wflg || Wflg) {
|
|| sflg || uflg || Uflg
|
||||||
|
#ifdef ENABLE_SUBIDS
|
||||||
|
|| vflg || Vflg || wflg || Wflg
|
||||||
|
#endif /* ENABLE_SUBIDS */
|
||||||
|
) {
|
||||||
usr_update ();
|
usr_update ();
|
||||||
}
|
}
|
||||||
if (Gflg || lflg) {
|
if (Gflg || lflg) {
|
||||||
|
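Review bot: The option string passed to `getopt_long` in `process_flags` (hunk `-982,22 +1000,26`) is now assembled from up to three adjacent string literals separated by `#ifdef` lines, with `, long_options, NULL` moved to a line of its own; that is valid C, but the pieces must stay in sync with the `long_options` table above and the `case` labels below, which the code does not say. I would put a one-line comment before the first literal: `/* adjacent literals concatenate; keep the optional pieces in sync with long_options and the switch below */`. The same `#ifdef` split of a single expression appears again in the `if` conditions of `main` (hunks `-2068,7 +2102,11` and `-2121,7 +2159,11`), where the closing `)` now sits alone on its own line; that is a matter of style only. `process_flags` starts and ends outside the hunk. The file name is not in the visible section; it appears to be usermod.c from the `--add-subuids` options.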