Commit Graph

1173 Commits

Author SHA1 Message Date
Wolfgang Bumiller
258944e331 Makefile: bail out on error in for-loops
`make` runs each line in a shell and bails out on error,
however, the shell is not started with `-e`, so commands in
`for` loops can fail without the error actually causing
`make` to bail out with a failure status.

For instance, the following make snippet will end
successfully, printing 'SUCCESS', despite the first `chmod`
failing:

    all:
        touch a b
        for i in a-missing-file a b; do \
            chmod 666 $$i; \
        done
        @echo SUCCESS

To prevent wrong paths in install scripts from remaining
unnoticed, let's activate `set -e` in the `for` loop
subshells.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-12-19 18:54:30 +01:00
Patrick McLean
3cc3948d71 Revert "Honor --sbindir and --bindir for binary installation"
This reverts commit e293aa9cfc.

See https://github.com/shadow-maint/shadow/issues/196

Some distros still care about `/bin` vs `/usr/bin`. This commit makes
it so all binaries are always installed to `/bin`/`/sbin`. The only way to
restore the previous behaviour of installing some binaries to
`/usr/bin`/`/usr/sbin` is to revert the patch.
2019-12-01 13:59:52 -08:00
prez
2958bd050b Initial bcrypt support 2019-12-01 11:00:57 -06:00
Lars Wendler
19bac44dde
build: Make build/installation of su and its support files optional
Enabled by default
This is necessary because coreutils and util-linux can also provide su

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
2019-11-19 11:28:45 +01:00
Michael Vetter
115a4e89e2 Fix typo in access of shell command
Fix typo in 88fa0651bf.
For some reason my git push -f seems not to have worked.
2019-11-12 08:38:08 +01:00
Todd C. Miller
7eca1112fb Fix vipw not resuming correctly when suspended
Closes #185

If vipw is suspended (e.g. via control-Z) and then resumed, it often gets
immediately suspended. This is easier to reproduce on a multi-core system.

root@buster:~# /usr/sbin/vipw

[1]+  Stopped                 /usr/sbin/vipw
root@buster:~# fg
/usr/sbin/vipw

[1]+  Stopped                 /usr/sbin/vipw

root@buster:~# fg
[vipw resumes on the second fg]

The problem is that vipw forks a child process and calls waitpid() with the
WUNTRACED flag. When the child process (running the editor) is suspended, the
parent sends itself SIGSTOP to suspend the main vipw process. However, because
the main vipw is in the same process group as the editor which received the ^Z,
the kernel already sent the main vipw SIGTSTP.

If the main vipw receives SIGTSTP before the child, it will be suspended and
then, once resumed, will proceed to suspend itself again.

To fix this, run the child process in its own process group as the foreground
process group. That way, control-Z will only affect the child process and the
parent can use the existing logic to suspend the parent.
2019-11-11 20:19:57 -06:00
Serge Hallyn
e97df9b1ec
Merge pull request #187 from jubalh/useradd-s
useradd: check for valid shell argument
2019-11-11 18:10:56 -06:00
Michael Vetter
88fa0651bf useradd: check for valid shell argument
Check whether shell argument given with `-s` is actually present and executable.
And is not a directory.

Fix https://github.com/shadow-maint/shadow/issues/186
2019-11-11 13:46:25 +01:00
Christian Göttsche
cbd2472b7c migrate to new SELinux api
Using hard-coded access vector ids is deprecated and can lead to issues with custom SELinux policies.
Switch to `selinux_check_access()`.

Also use the libselinux log callback and log if available to audit.
This makes it easier for users to catch SELinux denials.

Drop legacy shortcut logic for passwd, which avoided a SELinux check if uid 0 changes a password of a user which username equals the current SELinux user identifier.
Nowadays usernames rarely match SELinux user identifiers and the benefit of skipping a SELinux check is negligible.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2019-10-22 14:56:31 +02:00
Serge Hallyn
4e1da34601 compile warnings: Zflg unused when !selinux
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-12 20:03:51 -05:00
Serge Hallyn
b03df41906 remove unused variables
parent, user_id, and group_id are unused.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-12 20:03:32 -05:00
Serge Hallyn
991fee82df
Merge pull request #180 from thkukuk/libeconf
Add support for a vendor directory and libeconf
2019-10-05 22:34:29 -05:00
Thorsten Kukuk
b52ce71c27 Add support for a vendor directory and libeconf
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where the shadow suite should additional
look for login.defs if this file is not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
2019-10-05 22:17:49 -05:00
Serge Hallyn
e78d22469f
Merge pull request #177 from edneville/conflicts_between_system_users_useradd_and_pwck
pwck.c: only check home dirs if set and not a system user
2019-10-05 22:08:08 -05:00
ed
c4e8b411d4 pwck.c: only check home dirs if set and not a system user
Closes #126

Changelog: pwck, better to look at array than to use strnlen.
2019-10-05 22:04:37 -05:00
Serge Hallyn
3a51b90145
Merge pull request #176 from edneville/force_bad_name
chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that…
2019-10-04 16:41:39 -07:00
ed
a2cd3e9ef0 chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that do not conform to standards
Closes #121.

Changelog: squashed commits fixing tab style
Changelog: update 'return true' to match file's style (no parens).
2019-10-04 18:40:41 -05:00
Serge Hallyn
a74587a4ea
Merge pull request #173 from edneville/issue_105_106
useradd.c: including directory name in directory existence error message
2019-08-07 22:44:51 -05:00
Serge Hallyn
1e13749483
Merge pull request #172 from edneville/master
chage.c: add support for YYYY-MM-DD date printing
2019-08-07 22:42:03 -05:00
ed
23262b249c src/useradd.c: including directory name in dir existence error. Prefixing output lines with program name. 2019-08-07 19:41:12 +01:00
ed
5687be5f31 chage.c: add support for YYYY-MM-DD date printing 2019-08-06 19:40:36 +01:00
Dave Reisner
e293aa9cfc Honor --sbindir and --bindir for binary installation
Some distros don't care about the split between /bin, /sbin, /usr/bin,
and /usr/sbin, so let them easily stuff binaries wherever they want.
2019-08-02 18:45:19 -04:00
Dave Reisner
edf7547ad5 Fix failing chmod calls on installation for suidubins
suidubins should be suidusbins, since these binaries are installed
${prefix}/sbin. This historically hasn't broken the build because
chmod of newgidmap/newuidmap succeeds, causing make to think the command
succeeded. Configuring shadow with --with-fcaps removes these final two
entries and exposes the chmod failure to make.
2019-08-02 18:42:34 -04:00
Stanislav Brabec
fc0ed79e5d usermod.c: Fix invalid variable name
Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
2019-07-26 21:39:42 +02:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Serge Hallyn
5837240451 usermod: print "no changes" to stdout, not stderr
Closes #113

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-04-21 17:28:12 -05:00
Serge Hallyn
2c8171f8c8
Merge pull request #146 from lamby/reproducible-shadow-files
Make the sp_lstchg shadow field reproducible (re. #71)
2019-04-21 17:13:58 -05:00
Serge Hallyn
fbb59823c5
Merge pull request #143 from t8m/fedora
usermod: Guard against unsafe change of ownership of home contents
2019-04-21 16:56:36 -05:00
Serge Hallyn
fe87a1ad96
Merge pull request #158 from nathanruiz/master
Fix chpasswd long line handling
2019-04-21 16:50:07 -05:00
Nathan Ruiz
a8f7132113 Fix chpasswd long line handling 2019-04-10 07:56:59 +10:00
Chris Lamb
fe34a2a0e4 Make the sp_lstchg shadow field reproducible (re. #71)
From <https://github.com/shadow-maint/shadow/pull/71>:

```
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

username:17238:0:99999:7:::
whilst creating the same user tomorrow will result in:

username:17239:0:99999:7:::
This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.
```

This updated PR adds some missing calls to gettime (). This was originally
filed by Johannes Schauer in Debian as #917773 [2].

[0] https://reproducible-builds.org/
[1] https://reproducible-builds.org/specs/source-date-epoch/
[2] https://bugs.debian.org/917773
2019-03-31 16:00:01 +01:00
Charlie Vuillemez
dd2033c40c Do not flush nscd and sssd cache in read-only mode
Fix #155

signed-off-by: Charlie Vuillemez <cvuillemez@users.noreply.github.com>
2019-02-27 17:40:04 +01:00
Tomas Mraz
5b41b7d1b1 usermod: Guard against unsafe change of ownership of home directory content
In case the home directory is not a real home directory
(owned by the user) but things like / or /var or similar,
it is unsafe to change ownership of home directory content.

The test checks whether the home directory is owned by the
user him/herself, if not no ownership modification of contents
is performed.
2018-12-18 16:32:13 +01:00
Tomas Mraz
4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
Serge Hallyn
bb3f810611
Merge pull request #136 from giuseppe/fcap-newuidmap-newgidmap
newuidmap/newgidmap: install with file capabilities
2018-10-27 11:26:31 -05:00
Serge Hallyn
d5255da20b
Merge pull request #132 from giuseppe/no-cap-sys-admin
newuidmap/newgidmap: do not require CAP_SYS_ADMIN in the parent user namespace
2018-10-27 11:22:37 -05:00
Giuseppe Scrivano
70971457b7
newuidmap/newgidmap: install with file capabilities
do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-24 23:10:59 +02:00
Serge Hallyn
ff8b1ebafa
Merge pull request #118 from AdelieLinux/utmpx-only-support
[WIP] Support systems that only have utmpx
2018-10-23 22:35:19 -05:00
Serge Hallyn
83f1380600
Merge pull request #133 from t8m/trivial
Fix some issues found in Coverity scan.
2018-10-23 22:21:12 -05:00
Giuseppe Scrivano
1ecca8439d
new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS
if the euid!=owner of the userns, the kernel returns EPERM when trying
to write the uidmap and there is no CAP_SYS_ADMIN in the parent
namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-22 16:57:50 +02:00
Tomas Mraz
10e388efc2 useradd: fix segfault trying to overwrite const data with mkstemp
Also fix memory leaks in error paths.
2018-10-12 10:14:02 +02:00
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00
Serge Hallyn
6bf2d74dfc
Merge pull request #122 from ivladdalvi/nologin-uid
Log UID in nologin
2018-08-13 18:37:02 -05:00
Vladimir Ivanov
4be18d3299 Log UID in nologin
Sometimes getlogin() may fail, e.g., in a chroot() environment or due to NSS
misconfiguration. Loggin UID allows for investigation and troubleshooting in
such situation.
2018-08-13 16:46:04 +08:00
Michael Vogt
89b96cb85c su.c: run pam_getenvlist() after setup_env
When "su -l" is used the behaviour is described as similar to
a direct login. However login.c is doing a setup_env(pw) and then a
pam_getenvlist() in this scenario. But su.c is doing it the other
way around. Which means that the value of PATH from /etc/environment
is overriden. I think this is a bug because:

The man-page claims that "-l": "provides an environment similar
to what the user would expect had the user logged in directly."

And login.c is using the PATH from /etc/environment.

This will fix:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/984390
2018-06-25 16:00:21 +02:00
A. Wilcox
99dbd4b9ee
Support systems that only have utmpx
This allows shadow-utils to build on systems like Adélie, which have no
<utmp.h> header or `struct utmp`.  We use a <utmpx.h>-based daemon,
utmps[1], which uses `struct utmpx` only.

Tested both `login` and `logoutd` with utmps and both work correctly.

[1]: http://skarnet.org/software/utmps/
2018-06-24 00:13:12 -05:00
Michael Vetter
b3b6d9d77c Create parent dirs for useradd -m
Equivalent of `mkdir -p`. It will create all parent directories.
Example: `useradd -d /home2/testu1 -m testu1`

Based on https://github.com/shadow-maint/shadow/pull/2 by Thorsten Kukuk
and Thorsten Behrens which was Code from pwdutils 3.2.2 with slight adaptations.

Adapted to so it applies to current code.
2018-05-15 17:30:34 +02:00
fariouche
73a876a056 Fix usermod crash
Return newly allocated pointers when the caller will free them.

Closes #110
2018-05-08 21:17:46 -05:00
Serge Hallyn
164dcfe65b
Merge pull request #103 from HarmtH/be-predictable
su.c: be more predictable
2018-03-29 23:10:51 -07:00
Serge Hallyn
fb356b1344
Merge pull request #21 from fariouche/master
Add --prefix argument
2018-03-29 22:36:28 -07:00
fariouche
65b4f58703 add --prefix option: some fixes + fixed pwd.lock file location 2018-03-28 21:14:12 +02:00
fariouche
54551c7d6e Merge remote-tracking branch 'upstream/master' 2018-03-28 21:11:36 +02:00
Harm te Hennepe
d877e3fcac su.c: be more predictable
Always parse first non-option as username.
2018-03-27 00:57:21 +02:00
Harm te Hennepe
dbfe7dd42e su.c: fix '--' slurping
All arguments are already reordered and parsed by getopt_long since e663c69, so manual '--' slurping is wrong.

Closes #101
2018-03-26 22:37:56 +02:00
Serge Hallyn
45b4187596 pwconv and grpconv: rewind after deleting an entry
Otherwise our spw_next() will cause us to skip an entry.
Ideally we'd be able to do an swp_rewind(1), but I don't
see a helper for this.

Closes #60

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-25 09:18:22 -05:00
Serge Hallyn
44c63795a7 userdel: fix wrong variable name in tcb case
Found in mandriva distro patch, and with a test build.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 23:44:09 -05:00
Serge Hallyn
36244ac1ff src/Makefile.am: tcb fixes from mandriva
1. suidubins -= was breaking build with WITH_TCB.
2. stick libtcb at end of ldlibs list.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 23:41:23 -05:00
Serge Hallyn
d3790feac0 pwck.c: do not pass O_CREAT
It causes a crash later when we try to close files.

Closes #96

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 20:29:48 -05:00
Serge Hallyn
b63aca9a2c src/Makefile.am: drop duplicate inclusion of chage
Closes #80

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-24 16:27:20 -05:00
Serge Hallyn
8f2f2a0d9d
Merge pull request #98 from jsoref/spelling
Spelling
2018-03-24 15:54:51 -05:00
Serge Hallyn
5f3e3c2c62
Merge pull request #93 from rahul1809/master
Double freeing up pointers , Causing Segmentation fault
2018-02-19 14:45:13 -06:00
Aleksa Sarai
fb28c99b8a
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:35 +11:00
fariouche
acaed3deab upstream merge 2018-01-23 23:10:19 +01:00
rahul
bb47fdf25e indentation fix 2018-01-22 17:07:27 +05:30
rahul
97bb5b2b6d added a check to avoid freeing null pointer 2018-01-22 17:05:52 +05:30
Alex Kretzschmar
e91b0f0517 Fixes mispelling of MAX_DAYS help text 2018-01-17 12:21:48 +00:00
Tomas Mraz
2c57c399bf Make userdel to work with -R.
The userdel checks for users with getpwnam() which might not work
properly in chroot. Check for the user's presence in local files only.
2017-12-21 09:12:58 +01:00
Josh Soref
34669aa651 spelling: unrecognized 2017-10-22 21:30:30 +00:00
Josh Soref
6671b44434 spelling: remove 2017-10-22 21:12:29 +00:00
Josh Soref
60891cd197 spelling: logout 2017-10-22 20:28:57 +00:00
Josh Soref
74fcf6f28d spelling: interactive 2017-10-22 20:24:32 +00:00
Josh Soref
62ace035c6 spelling: getxxyyy 2017-10-22 19:16:30 +00:00
Josh Soref
4be6d423e4 spelling: changed 2017-10-22 08:24:23 +00:00
Josh Soref
d0c05b0143 spelling: cannot 2017-10-22 08:05:45 +00:00
Serge Hallyn
056f7352ef Merge pull request #86 from WheresAlice/master
Make language more inclusive
2017-10-06 17:47:31 -05:00
WheresAlice
1e98b3b559 Make language less binary 2017-09-20 17:00:29 +01:00
Tomas Mraz
33f1f69e9c newgrp: avoid unnecessary group lookups
In case a system uses remote identity server (LDAP) the group lookup
can be very slow. We avoid it when we already know the user has the
group membership.
2017-08-14 11:38:46 +02:00
sbts
59fa2c0763 implement and document additional error codes for groupmod add E_CLEANUP_SERVICE, E_PAM_USERNAME, E_PAM_ERROR to groupmod.c and groupmod.8.xml 2017-07-10 21:50:49 -05:00
Adam Majer
992fab50ee support dynamically added users via pam_group
Dynamically added users via pam_group are not listed in groups
databases but are still valid.
2017-05-22 13:42:35 +02:00
Tobias Stoeckmann
7d82f203ee Reset pid_child only if waitpid was successful.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.

This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.

Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2017-05-14 17:58:10 +02:00
Chris Lamb
cb610d54b4 Make the sp_lstchg shadow field reproducible.
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

   username:17238:0:99999:7:::

whilst creating the same user tomorrow will result in:

    username:17239:0:99999:7:::

This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.

 [0] https://reproducible-builds.org/
 [1] https://reproducible-builds.org/specs/source-date-epoch/

Signed-off-by: Chris Lamb <lamby@debian.org>
2017-04-10 22:29:21 +01:00
fariouche
b6b2c756c9 add --prefix option 2017-03-01 22:51:09 +01:00
Tobias Stoeckmann
08fd4b69e8 su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
2017-02-23 09:47:29 -06:00
Adam Majer
759f94e17a Remove extra parenthesis 2017-02-20 14:50:30 +01:00
Adam Majer
90c0525c7e Remove unnecessary static variable usage 2017-02-20 14:48:55 +01:00
Josef Möllers
5ac4918bdd Add error handling in case exec fails
We should print error message if exec fails, for some reason.
2017-02-20 14:32:37 +01:00
David Michael
c6b0664f52 useradd: Read defaults after changing root directories
This reverts the behavior of "useradd --root" to using the settings
from login.defs in the target root directory, not the root of the
executed useradd command.
2017-02-11 08:59:49 -06:00
Josef Moellers
e36c0a418a Deleted a misplaced semicolon. 2017-02-11 08:55:07 -06:00
Micah Anderson
578d495f91 Last bits of enabling subuids
This patch has been carried by Debian, originally
submitted to BTS in #739981
2017-01-18 18:06:05 +01:00
Serge Hallyn
5fc99f02cf Merge pull request #58 from juiceme/master
shadow: Add auditing support to su
2016-12-21 12:41:39 -06:00
Serge Hallyn
411f540590 Fix s/from/to/ in usermod.c error message
Closes #49

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2016-12-21 12:40:08 -06:00
Michael Vetter
b2bd56a012 Reset user in tallylog
The useradd application resets the user data in /var/log/faillog, if it
exists and a new user is created.

pam_tally2 is used in many distributions.

Check for /var/log/tallylog and reset the user there.

Patch was written by Josef Moellers <jmoellers@suse.de>.

https://bugzilla.suse.com/show_bug.cgi?id=980486
2016-12-21 12:36:11 -06:00
Jussi Ohenoja
a3bf32fe87 shadow: Add auditing support to su
This patch extends the auditing feature used in login to su.

Signed-off-by: Jussi Ohenoja <jussi.ohenoja@nokia.com>
2016-12-13 18:44:19 +02:00
Serge Hallyn
9e93c984f7 Merge pull request #17 from wking/includes-to-am-cppflags
*/Makefile.am: Replace INCLUDES with AM_CPPFLAGS
2016-12-07 00:01:54 -06:00
Serge Hallyn
d886cf40ef Merge pull request #48 from t8m/fedora
Four simple patches from the Fedora package to merge
2016-12-02 16:14:24 -06:00
Tomas Mraz
2b820c534d Audit the home directory ownership change. 2016-11-15 16:03:40 +01:00
Tomas Mraz
765993846d Print error message if SELinux file context manipulation fails. 2016-11-15 16:00:51 +01:00
Wolfgang Bumiller
61abb4645c buildsys: fix suidubins assignments
These assignments were pasted as is into the Makefile and
ended up as part of a rule. (Usually the .PRECIOUS rule
which is why the build system never attempted to execute it
as commands, hiding the problem.)

Signed-off-by: Wolfgang Bumiller <wry.git@bumiller.com>
Reported-by: Rahel A <ra00177@surrey.ac.uk>
2016-11-05 16:09:07 +01:00
Matias A. Fonzo
b7fffe8f7e Remove non-POSIX option in chmod(1) used for src/Makefile.am 2016-10-18 15:46:27 -03:00
Serge Hallyn
6564241674 Merge pull request #33 from t8m/master
Fix regression in useradd not loading defaults properly.
2016-09-21 09:12:15 -05:00
Adam Sampson
924cc34647 Use sizeof rather than hardcoding snprintf's size argument. 2016-09-20 08:04:14 +01:00
Serge Hallyn
67d2bb6e0a su.c: fix missing length argument to snprintf 2016-09-18 21:31:18 -05:00
Tomas Mraz
507f96cdeb Fix regression in useradd not loading defaults properly.
The get_defaults() has to be called before processing the flags.

Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
2016-08-25 11:20:34 +02:00
Serge Hallyn
5b017af90d Merge pull request #29 from hemio-ev/lower-su-syslog-priority
Reduces syslog priority of common usage events
2016-08-05 11:59:15 -05:00
Serge Hallyn
ca0ccaba27 Merge pull request #24 from stoeckmann/typos
Fixed typos in new{g,u}idmap tools.
2016-08-04 23:39:25 -05:00
Michael Herold
61fc90b268 Reduces syslog priority of common usage events
- Log INFO instead of ERR on `su missing-user`
- Log NOTICE/WARN instead of ERR on pam_authenticate failure (wrong password for example)
2016-08-04 22:17:31 +02:00
Tobias Stoeckmann
dd50014055 Fixed signal races in shadow tools.
Some of the supplied tools use functions which are not signal-safe.

Most of the times it's exit() vs. _exit().

In other times it's how the standard output or standard error is
handled. FILE-related functions shall be avoided, therefore I replaced
them with write().

Also there is no need to call closelog(). At worst, it allows to
trigger a deadlock by issuing different signal types at bad timings.
But as these fixes are about race conditions, expect bad timings in
general for these bugs to be triggered. :)
2016-07-02 18:11:09 +02:00
Tobias Stoeckmann
a84b0cafdd Fixed typos in new{g,u}idmap tools.
Fixed small typos in manual pages and code comments.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2016-07-02 16:39:18 +02:00
W. Trevor King
c07397695a */Makefile.am: Replace INCLUDES with AM_CPPFLAGS
Catch up with Automake's [1], which was part of v1.6b, cut 2002-07-28
[2].  Avoids:

  $ autoreconf -v -f --install
  ...
  libmisc/Makefile.am:4: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
  ...
  src/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
  ...

Consolidating with the earlier AM_CPPFLAGS avoids:

  $ autoreconf -v -f --install
  src/Makefile.am:72: warning: AM_CPPFLAGS multiply defined in condition TRUE ...
  src/Makefile.am:10: ... 'AM_CPPFLAGS' previously defined here
  autoreconf-2.69: Leaving directory `.'

[1]: http://git.savannah.gnu.org/cgit/automake.git/commit/?id=1415d22f6203206bc393fc4ea233123ba579222d
     Summary: automake.in (generate_makefile): Suggest using AM_CPPFLAGS instead of INCLUDES
     Date: 2002-07-09
[2]: http://git.savannah.gnu.org/cgit/automake.git/tag/?id=Release-1-6b
2016-04-29 17:30:18 -07:00
Tomas Mraz
66897b6f6d Add ability to clear or set lastlog record for user via lastlog command
This functionality is useful because there is now a feature
of Linux-PAM's pam_lastlog module to block expired users (users
which did not login recently enough) from login. This commit
complements it so the sysadmin is able to unblock such expired user.

Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
2016-03-03 15:37:01 +01:00
Serge Hallyn
af064545bf useradd: respect -r flag when allocating subuids
We intend to not create subuids for system users. However we are
checking for command line flags after we check whether -r flag
was set, so it was never found to be true.  Fix that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-18 09:20:43 -08:00
Stéphane Graber
65c2617140
Tweak uid/gid map default configuration
- Use an allocation of 65536 uids and gids to allow for POSIX-compliant
   user owned namespaces.
 - Don't allocate a uid/gid map to system users.
   Unfortunately checking for --system isn't quite enough as some
   distribution wrappers always call useradd without --system and take care
   of choosing a uid and gid themselves, so also check whether the
   requested uid/gid is in the user range.

This is taken from a patch I wrote for Ubuntu a couple years ago and
which somehow didn't make it upstream.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2016-02-15 18:11:10 -05:00
Serge Hallyn
e01bad7d3c Merge pull request #4 from xnox/master
Make shadow more robust in hostile environments
2015-11-12 23:07:29 -06:00
Serge Hallyn
f68f813073 Fix a resource leak in syslog_sg
Reported at https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=315135&group_id=30580
by Alejandro Joya (afjoyacr-guest)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-08-06 00:25:01 -05:00
Serge Hallyn
a887847ca2 Don't limit subuid/subgid support to local users
The current implementation of subuid/subgid support in usermod requires the
user to be a local user present in /etc/passwd.  There doesn't seem to be a
good reason for this; subuids should work equally well for users whose
records are in other NSS databases.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1475749

Author: Steve Langasek <steve.langasek@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-07-20 12:14:26 -05:00
Jesse W. Hathaway
3c32fd4a29 Allow deleting the group even if it is the primary group of a user
This is helpful when using configuration management tools such as
Puppet, where you are managing the groups in a central location and you
don't need this safeguard.

Signed-off-by: "Jesse W. Hathaway" <jesse@mbuki-mvuki.org>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-06-16 14:18:44 -05:00
Hank Leininger
884895ae25 Expand the error message when newuidmap / newgidmap do not like the user/group ownership of their target process.
Currently the error is just:

newuidmap: Target [pid] is owned by a different user

With this patch it will be like:

newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99

Why is this useful?  Well, in my case...

The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid.  This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.

This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.

Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.

Some graceful way of handling this and not failing, will be next ;)  But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.

Thanks!

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 08:23:36 -05:00
Dimitri John Ledkov
ee43f47f45
Do not fail on missing files in /etc/, create them instead.
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
2015-02-27 17:01:29 +00:00
Duncan Eastoe
17887b216d Suppress pwconv passwd- chmod failure message
Prevent chmod failure message from displaying if the failure
was due to the backup file not existing.

If there is no backup file present and if no changes have been
made, then this error would always appear since the backup
file isn't created in this situation.

Signed-off-by: Duncan Eastoe <deastoe@Brocade.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-02-17 10:15:02 -06:00
James Le Cuirot
420943657c Fix building without subordinate IDs support
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-09-04 17:29:23 -05:00
Serge Hallyn
4911773b77 From: Svante Signell <svante.signell@gmail.com>
Currently shadow fails to build from source and is flagged as
out-of-date. This is due to a usage of PATH_MAX, which is not defined
on GNU/Hurd. The attached patch solves this problem by allocating a
fixed number of 32 bytes for the string proc_dir_name in files
src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are
needed)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-26 16:48:56 -05:00
Nicolas François
5e87ff0615 Improve vipw error report when editor fails
* src/vipw.c: After waitpid(), use errno only if waitpid returned
	-1. Debian#688260
	* src/vipw.c: Likewise for system().
2013-08-25 16:27:58 +02:00
Nicolas François
6f8dd000f6 Improve diagnostic.
* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
	when option -v/-V (-w/-W) are provided.
2013-08-15 17:30:19 +02:00
Nicolas François
2e46882a9b Fix parse of ranges.
* src/usermod.c: Fix parse of ranges. The hyphen might be followed
	by a negative integer.
2013-08-15 17:30:19 +02:00
Nicolas François
00f573fce2 Fix copyright dates. 2013-08-13 23:13:26 +02:00
Nicolas François
9951b1f569 Fail in case arguments are provided after options.
* src/vipw.c: Fail in case arguments are provided after options.
	Debian#677812
2013-08-13 23:13:09 +02:00
Nicolas François
8781aff637 Terminate the child before closing the PAM session.
* src/su.c: Terminate the child (if needed) before closing the PAM
	session. This is probably more correct, and avoid reporting
	termination from signals possibly sent by PAM modules (e.g. former
	versions of pam_systemd). Debian#670132
2013-08-13 19:48:53 +02:00
Nicolas François
a5e3dbb0e3 Reset caught variable when signal is handled by su.
* src/su.c: When a SIGTSTP is caught, reset caught to 0. There is
	no need to kill the child in such case after su is resumed. This
	remove the "Session terminated, terminating shell...
	...terminated." messages in such case.
2013-08-13 19:42:50 +02:00
Nicolas François
9126425a21 Improve error reporting.
* src/useradd.c: Change message in case of find_new_sub_uids /
	find_new_sub_gids failure. This complements the messages already
	provided by these APIs.
2013-08-13 00:13:12 +02:00
Nicolas François
d611d54ed4 Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
	--disable-subordinate-ids. Enabled by default.
	* lib/prototypes.h: Include <config.h> before using its macros.
	* lib/commonio.h, lib/commonio.c: Define commonio_append only when
	ENABLE_SUBIDS is defined.
	* lib/prototypes.h, libmisc/find_new_sub_gids.c,
	libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Likewise.
	* libmisc/user_busy.c: Only check if subordinate IDs are in use if
	ENABLE_SUBIDS is defined.
	* src/Makefile.am: Create newgidmap and newuidmap only if
	ENABLE_SUBIDS is defined.
	* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
	subordinate IDs.
	* src/useradd.c: Likewise.
	* src/userdel.c: Likewise.
	* src/usermod.c: Likewise.
	* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
	* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 (not translated yet).
	* man/generate_mans.mak: Add xsltproc conditionals
	subids/no_subids.
	* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
	condition.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/usermod.8.xml: Document options for subordinate IDs and
	reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 15:46:59 +02:00
Nicolas François
1fb1486c8a Ignore generated newgidmap and newuidmap 2013-08-11 14:48:39 +02:00
Nicolas François
94c52130be Fix typos.
* src/usermod.c: Fix typos.
2013-08-06 22:29:40 +02:00
Nicolas François
95d1e146b2 Fix typos.
* man/login.defs.d/SUB_GID_COUNT.xml: Fix typo.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/login.defs.d/SUB_UID_COUNT.xml: Fix copy-paste issue from
	SUB_GID_COUNT.
	* man/newgidmap.1.xml: Fix Typo.
	* src/useradd.c: Fix typos.
	* lib/subordinateio.c: Fix typos.
2013-08-06 20:59:13 +02:00
Eric W. Biederman
673c2a6f9a newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:46 -05:00
Serge Hallyn
c485cfabd8 usermod: add v:w:V:W: to getopt
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Serge Hallyn
5f2e4b18f8 Add LIBSELINUX to newuidmap and newgidmap LDADD
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
2cc8c2c0dc newusers: Add support for assiging subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
d5b3092331 usermod: Add support for subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
87253ca906 useradd: Add support for subordinate user identifiers
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
7296cbdbfe userdel: Add support for removing subordinate user and group ids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Nicolas François
e8ab31d009 Review 52a38d5509
* Changelog: Update documentation of 2013-07-28  mancha entry.
	* lib/prototypes.h, lib/encrypt.c: Update splint marker,
	pw_encrypt can return NULL.
	* lib/encrypt.c: Fix outdated statement on GNU crypt.
	* src/chgpasswd.c: Improve diagnostic to user when pw_encrypt
	fails and use fail_exit() instead of exit().
	* src/chpasswd.c: Likewise.
	* src/newusers.c: Likewise.
	* src/passwd.c: Likewise when new password is encrypted.
	* src/newgrp.c: Improve diagnostic to user and syslog when
	pw_encrypt fails.  Do not apply 1s penalty as this is not an
	invalid password issue.
	* src/passwd.c: Likewise when password is checked.
2013-08-04 00:27:53 +02:00
mancha
52a38d5509 crypt() in glibc/eglibc 2.17 now fails if passed
a salt that violates specs. On Linux, crypt() also fails with
DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
we send them back to the caller for appropriate handling.
2013-07-28 18:41:11 +02:00
Colin Watson
d172cccd07 Kill the child process group, rather than just the immediate child;
this is needed now that su no longer starts a controlling terminal
when not running an interactive shell (closes: Debian#713979)
2013-07-28 14:38:12 +02:00
nekral-guest
9151e673e4 * NEWS: Set release date. 2012-05-25 11:51:53 +00:00
nekral-guest
f100b5ea7e * src/su.c: non PAM enabled versions: do not fail if su is called
without a controlling terminal. Ignore ENXIO errors when opening
	/dev/tty.
2012-05-20 16:15:14 +00:00
nekral-guest
8690c74d6a * src/useradd.c: Cleanup, return code 13 no more used.
* man/useradd.8.xml: Document return code 14, and remove return
	code 13.
2012-05-20 12:26:54 +00:00
nekral-guest
1a7960421e * src/useradd.c: Keep the default file as much as possible to
avoid issue in case of crash. Use link instead of rename.
2012-05-18 20:28:16 +00:00
nekral-guest
1e0450dfb1 * src/pwunconv.c: Do not check spw_close() return value (file is
opened readonly).
	* src/grpunconv.c: Do not check sgr_close() return value (file is
	opened readonly).
2012-05-18 19:32:32 +00:00
nekral-guest
17deaa39f5 * NEWS, src/userdel.c: Fix segfault when userdel removes the
user's group.
2012-05-18 18:56:24 +00:00
nekral-guest
f243d4077d * NEWS, src/login.c: Log in utmp / utmpx / wtmp also when PAM is
enabled. This is not done by pam_lastlog. This was broken on
	2011-07-23.
	* NEWS, libmisc/utmp.c: Do not log in wtmp when PAM is enabled.
	This is done by pam_lastlog.
2012-05-18 17:57:52 +00:00
nekral-guest
0c1cbaede8 2012-02-13 Mike Frysinger <vapier@gentoo.org>
* src/passwd.c: (non PAM flavour) Report permission denied when
	access to /etc/shadow fails with EACCES.
2012-02-13 20:32:00 +00:00
nekral-guest
cc8be680ca * src/vipw.c: Do not use a hardcoded program name in the usage
message.
2011-12-09 21:35:57 +00:00
nekral-guest
a92f55b609 * src/newusers.c, src/chpasswd.c, src/chgpasswd.c: Harmonize
usage messages.
2011-12-09 21:31:39 +00:00
nekral-guest
360f12cd44 * src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
SELinux user mapping for the modified user.
	* src/useradd.c: Zflg is #defined as user_selinux non empty.
2011-11-21 22:02:15 +00:00
nekral-guest
bd4a6c9966 * src/passwd.c: Add missing cast.
* lib/commonio.c: Avoid multiple statements per line.
	* lib/commonio.c: Ignore fclose return value when the file was
	open read only or was not changed, or if an error is already
	reported.
2011-11-19 22:00:00 +00:00
nekral-guest
4049c0e69e * src/chage.c: Cast 3rd date_to_str parameter to a time_t 2011-11-19 21:56:10 +00:00
nekral-guest
82d767d121 * libmisc/root_flag.c, src/gpasswd.c, src/chsh.c: Add splint
annotations.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Ignore return value of spw_rewind, pw_rewind, sgr_rewind, and
	gr_rewind.
	* lib/commonio.h: Both head and tail cannot be owned. Set tail as
	dependent.
	* src/expiry.c: Ignore return value of expire ().
	* src/expiry.c: The catch_signals function does not use its sig
	parameter.
	* src/userdel.c: Last audit_logger parameter is a
	shadow_audit_result, use SHADOW_AUDIT_FAILURE instead of 0.
2011-11-19 21:51:52 +00:00
nekral-guest
6e2c6ffdf7 * src/faillog.c: The fail_max field is a short, use a short also
for the max argument of setmax / setmax_one.
	* src/faillog.c: Fail with an error message when faillog fails to
	write to the faillog database.
2011-11-19 21:44:34 +00:00
nekral-guest
653d22c3e9 * src/gpasswd.c: Change of group password enforces gshadow
password. Set /etc/group password to "x".
2011-11-19 14:27:48 +00:00
nekral-guest
29050eadb5 * NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
	safe_system().
	* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
	lib/Makefile.am: Added helper functions for semanage.
	* README, src/useradd.c, src/usermod.c, src/userdel.c,
	configure.in: Use libsemanage instead of semanage.
2011-11-17 21:51:07 +00:00
nekral-guest
ae0229549d 2011-11-16 Peter Vrabec <pvrabec@redhat.com>
* src/Makefile.am: useradd may need the LIBATTR library.
2011-11-16 21:17:43 +00:00
nekral-guest
d2a516a75d * src/useradd.c: Compil fix when SHADOWGRP is not enabled. 2011-11-16 19:33:51 +00:00
nekral-guest
57f9d5ae9c * src/chage.c, src/chfn.c, src/chgpasswd.c, src/chpasswd.c,
src/chsh.c, src/groupadd.c, src/groupdel.c, src/groupmems.c,
	src/groupmod.c, src/newusers.c, src/useradd.c, src/userdel.c,
	src/usermod.c: Provide the PAM error
	message instead of our own, and log error to syslog.
	* src/groupmems.c: Exit with exit rather than fail_exit in usage().
	* src/newusers.c: Check the number of arguments.
	* src/newusers.c: Do not create the home directory when it is not
	changed.
	* src/useradd.c: Set the group password to "!" rather "x" if there
	are no gshadow file.
2011-11-13 16:24:57 +00:00
nekral-guest
f64c88d629 * src/pwck.c: Removed pw_opened.
* src/pwck.c: optind cannot be greater than argc.
	* src/pwck.c: If spw_opened, then is_shadow is implicitly set.
	* src/pwck.c: Do not report passwd entry without x password and a
	shadow entry in --quiet mode (no interaction with the caller)
	* src/pwck.c: Do not check if the last password change is in the
	future if the time is set to 0.
2011-11-13 16:24:39 +00:00
nekral-guest
f54a68ac76 * src/pwck.c: Compile fix for TCB. 2011-11-11 12:00:05 +00:00
nekral-guest
f3afeb9c04 * NEWS, src/newusers.c, man/newusers.8.xml: Add --root option. 2011-11-06 18:40:22 +00:00
nekral-guest
2a2c8190ec * src/vipw.c: Remove unused variable a. 2011-11-06 18:40:17 +00:00
nekral-guest
f0a63185c9 * src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
	src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
	src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
	src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
	src/usermod.c, src/vipw.c: Align and sort options.
2011-11-06 18:39:59 +00:00
nekral-guest
7d8ca29bea * NEWS, src/pwck.c, man/pwck.8.xm, src/grpck.c, man/grpck.8.xml:
Add --root option.
2011-11-06 18:39:53 +00:00
nekral-guest
f4d95eecc0 Re-indent. 2011-11-06 18:39:42 +00:00
nekral-guest
900943192f * src/pwck.c, man/pwck.8.xml: Add support for long options.
* src/pwck.c, man/pwck.8.xml: Add -h/--help option
	* src/grpck.c, man/grpck.8.xml: Add support for long options.
	* src/grpck.c, man/grpck.8.xml: Add -h/--help option
2011-11-06 18:39:36 +00:00
nekral-guest
b9163f6348 * src/expiry.c, man/expiry.1.xml: Add support for long options.
* src/expiry.c, man/expiry.1.xml: Add -h/--help option
2011-11-06 18:39:30 +00:00
nekral-guest
0530588266 * NEWS, src/chfn.c, man/chfn.1.xml: Add --root option. 2011-11-06 18:39:24 +00:00
nekral-guest
b26f73f427 * src/chfn.c, man/chfn.1.xml: Add support for long options.
* src/chfn.c, man/chfn.1.xml: Add -u/--help option
2011-11-06 18:39:19 +00:00
nekral-guest
e2068416c9 * NEWS, src/vipw.c, man/vipw.8.xml: Add --root option. 2011-11-06 18:39:09 +00:00
nekral-guest
a2d23700e4 * NEWS, src/faillog.c, man/faillog.8.xml: Add --root option.
* NEWS, src/lastlog.c, man/lastlog.8.xml: Likewise.
	* src/faillog.c: Add Prog variable, and prefix error messages with
	Prog rather than "faillog".
	* src/lastlog.c: Likewise.
	* src/lastlog.c: Split usage in smaller messages.
2011-11-06 18:39:03 +00:00
nekral-guest
0857837e64 * NEWS, src/chage.c, man/chage.1.xml: Add --root option. Open
audit and syslog after the potential chroot. chage's usage split
	in smaller messages.
2011-11-06 18:38:57 +00:00
nekral-guest
d15f2c6214 * src/login.c: re-indent.
* src/login.c: Fix support for sub-logins.
2011-11-06 18:38:51 +00:00
nekral-guest
6eb0500d3d * src/faillog.c, src/chage.c, src/newusers.c, src/su.c: The getopt
index of long options is not used.
2011-11-06 18:38:45 +00:00
nekral-guest
7b8c4952a8 * NEWS, src/gpasswd.c, man/gpasswd.1.xml: Add --root option.
* src/gpasswd.c: The getopt index of long options is not used.
2011-11-06 18:38:39 +00:00
nekral-guest
4beca611fb * NEWS, src/chsh.c, man/chsh.1.xml: Add --root option.
chsh's usage split in smaller messages.
	* src/chsh.c: The getopt index of long options is not used.
2011-11-06 18:38:32 +00:00
nekral-guest
1aa30ba551 * NEWS, src/groupmems.c, man/groupmems.8.xml: Add --root option.
Open syslog after the potential chroot.
	* src/groupmems.c: The getopt index of long options is not used.
2011-11-06 18:38:26 +00:00
nekral-guest
ec2b9f59f7 * NEWS, src/passwd.c, man/passwd.1.xml: Add --root option.
passwd's usage split in smaller messages.
	* src/passwd.c: Call sanitize_env() before setting the locales.
2011-11-06 18:38:16 +00:00
nekral-guest
799f30b08d * NEWS, src/chpasswd.c, man/chpasswd.8.xml, src/chgpasswd.c,
man/chgpasswd.8.xml: Add --root option.
	* src/chpasswd.c, src/chgpasswd.c: The getopt index of long
	options is not used.
2011-11-06 18:38:10 +00:00
nekral-guest
bf90350fe7 * NEWS, src/pwconv.c, src/pwunconv.c, src/grpconv.c,
src/grpunconv.c, man/pwconv.8.xml: Add --root option.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Add --help option.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Add process_flags() and usage().
2011-11-06 18:38:04 +00:00
nekral-guest
c017dd73aa * src/groupdel.c: Add process_flags().
* src/groupdel.c, man/groupdel.8.xml: Add --help option.
	* NEWS, src/groupdel.c, man/groupdel.8.xml: Add --root option. Open
	audit and syslog after the potential chroot.
	* src/groupdel.c: Check atexit failures.
2011-11-06 18:37:57 +00:00
nekral-guest
9195f6085d * NEWS, src/groupadd.c, man/groupadd.8.xml: Add --root option. Open
audit and syslog after the potential chroot.
	* src/groupmod.c: The index of long options is not used.
2011-11-06 18:37:51 +00:00
nekral-guest
057cbaa4ae * NEWS, src/groupadd.c, man/groupadd.8.xml: Add --root option. Open
audit after the potential chroot.
	* src/groupadd.c: Check atexit failures.
	* src/groupadd.c: Return E_SUCCESS instead of exit'ing at the end
	of main().
2011-11-06 18:37:45 +00:00
nekral-guest
aa2957e62a * NEWS, src/usermod.c, man/usermod.8.xml: Add --root option. Open
audit and syslog after the potential chroot. userdel's usage split
	in smaller messages.
2011-11-06 18:37:39 +00:00
nekral-guest
50eafd769b * NEWS, src/userdel.c, man/userdel.8.xml: Add --root option. Open
audit and syslog after the potential chroot. userdel's usage split
	in smaller messages.
2011-11-06 18:37:32 +00:00
nekral-guest
cecae46ccf * NEWS, src/useradd.c, man/useradd.8.xml: Add --root option. Open
audit after the potential chroot.
2011-11-06 18:37:25 +00:00
nekral-guest
2afa955401 * src/sulogin.c (main): env is only used when USE_PAM is not set. 2011-10-18 20:28:01 +00:00
nekral-guest
704f28df98 * lib/prototypes.h, libmisc/cleanup.c, lib/spawn.c, src/chage.c:
Add splint annotations.
2011-10-18 20:23:33 +00:00
nekral-guest
d3195c6b5f * src/newusers.c: Fix typo.
* src/useradd.c: Likewise.
2011-10-18 20:13:37 +00:00
nekral-guest
f870cc7eab Miscellaneous:
* lib/prototypes, libmisc/basename.c (Basename): Input is a
	constant string.
	* lib/prototypes.h, lib/spawn.h, lib/spawn.c, src/userdel.c,
	lib/nscd.c, lib/Makefile.am: Delete spawn.h. Move from spawn.h to
	prototypes.h.
	* src/userdel.c: Remove unused variables.
	* lib/nscd.c: Remove unused header files.
	* lib/nscd.c: Add the program name to error messages.
	* lib/nscd.c: Indicate when nscd does not terminate normally (signal).
	* lib/spawn.c: Updated header.
	* lib/spawn.c: Flush stdout and stderr to avoid inheriting from
	ongoing buffers.
	* lib/spawn.c: Avoid implicit conversion of pointer to boolean.
	* lib/spawn.c: Replace perror by a complete message.
	* lib/spawn.c: Continue to wait for the child if another child
	terminates.
	* lib/prototypes.h: The name field from cleanup_info_mod is a
	constant string. (username).
2011-09-18 21:02:43 +00:00
nekral-guest
2b5ba27ff8 * src/grpconv.c: Fail if not called correctly.
* src/grpconv.c: At the end of main, the passwd and shadow files
	are locked. No need to check before unlocking. No need to set the
	lock as false neither since there cannot be anymore failures.
2011-09-18 20:26:27 +00:00
nekral-guest
fa96d1bb78 * src/chage.c: EPOCH is not needed, it's converted to -1 by
strtoday(). But we need to support "-1" specifically.
	* src/chage.c: Fix usage: LOGIN is mandatory.
	* src/chage.c: Display disabled expiry or last change as "-1"
	instead of 1969-12-31. 1969-12-31 is still supported as input from
	the user.
	* src/chage.c: Exit cleanly with fail_exit() (lock files were not
	removed).
2011-09-18 20:24:36 +00:00
nekral-guest
23afb3fd07 * src/useradd.c: Remove def_file. It was always set to
USER_DEFAULTS_FILE.
	* src/useradd.c: Fix cut&paste issue causing bad warning when
	the useradd.default file contains an invalid INACTIVE= value.
	* src/useradd.c: Added missing end of line for rename errors.
	* src/useradd.c: Added -D synopsis to the usage message.
	* src/useradd.c: Do not scale_age(-1), just use -1.
	* src/useradd.c: Added FIXME to be fixed later.
	* src/useradd.c: Allow -e -1 when there is no shadow file.
	* src/useradd.c: Fail, but do not print the usage message when the
	-e argument is not valid.
	* src/useradd.c: No need to check for oflg since uflg is
	already checked.
2011-09-18 18:00:06 +00:00
nekral-guest
6f05b866bc * src/su.c: Too much const were added on 2011-08-15. pw in
save_caller_context() is allocated and freed.
	* src/su.c: Added missing #endif indication
	* src/su.c save_caller_context(): password only needed if
	SU_ACCESS and !USE_PAM.
2011-09-18 17:47:03 +00:00
nekral-guest
603d949ed5 * src/usermod.c: date_to_str() is always called with negativ set
to "never", remove this argument.
	* src/usermod.c: Added missing cast for gr_free argument.
2011-09-18 17:34:21 +00:00
nekral-guest
4ce849a5ed * src/pwconv.c: Fail if not called correctly.
* src/pwconv.c: At the end of main, the passwd and shadow files
	are locked. No need to check before unlocking.
2011-09-18 17:32:04 +00:00
nekral-guest
7b0116c5b4 * src/newusers.c: Initially set the passwd's password to '*'
instead of 'x'. Only when it is confirmed that a shadow entry is
	(will be) added, set the passwd's password to 'x'.
	* src/newusers.c: An invalid line is an error. A failure needs to
	be reported.
2011-09-18 17:29:52 +00:00
nekral-guest
a52a8d8a5d * src/gpasswd.c: Remove log_gpasswd_success_gshadow(). Writing in
gshadowis the last sub-task.
2011-09-18 17:27:18 +00:00
nekral-guest
75936bf9f7 * src/chsh.c: No needto remove lines tarting with '#' from
/etc/shells. This is already done by getusershell() and these
	shell would fail the access(X_OK) test.
2011-09-18 17:24:15 +00:00
nekral-guest
fc0057ff35 2011-08-20 Jonathan Nieder <jrnieder@gmail.com>
* lib/Makefile.am: Added lib/spawn.c and lib/spawn.h.
	* lib/nscd.c, lib/spawn.c, lib/spawn.h: It is not possible to
	differentiate between an nscd failure, and a failure to execute
	due to no nscd with posix_spawn. Use our own run_command routine.
	* src/userdel.c: Use run_command()
2011-08-20 13:33:38 +00:00
nekral-guest
ec309dcac8 re-indent. 2011-08-15 14:40:42 +00:00
nekral-guest
ee0e0f9943 * src/groupmod.c: Check atexit failures. 2011-08-15 14:38:49 +00:00
nekral-guest
7f842bdf4f * src/groupmod.c: Ignore return value from snprintf.
* src/groupmod.c: Add static qualifier to the cleanup structures.
2011-08-15 14:22:33 +00:00
nekral-guest
7c96d6cbcc * src/usermod.c: Do not assign static to NULL.
* src/usermod.c (date_to_str): buf needs to be unique (e.g.
	independent from negativ), and is an out buffer.
	* src/usermod.c: Ignore return value from snprintf, and force
	nul-termination of buffer.
	* src/usermod.c: Improve memory management.
	* src/usermod.c: An audit bloc was not reachable, moved above on
	success to move the home directory.
	* src/usermod.c: Ignore close() return value for the mailbox
	(opened read only).
2011-08-15 09:56:43 +00:00
nekral-guest
5eb9ed0aaf * src/su.c: Added const modifiers.
* lib/prototypes: Synchronize splint annotations.
2011-08-15 09:25:58 +00:00
nekral-guest
94c1763f71 * src/su.c: Add splint annotations.
* src/su.c: Set caller_on_console as boolean.
	* src/su.c: Ignore retunr value from fputs (usage) / puts (prompt).
	* src/su.c: Improved memory management.
2011-08-14 21:44:46 +00:00
nekral-guest
1304a3106b * src/chgpasswd.c, src/chpasswd.c, src/newusers.c: Replace cflg by
a test on crypt_method.
2011-08-14 14:44:35 +00:00
nekral-guest
a9c38f4902 * src/chgpasswd.c: Add splint annotations.
* src/chpasswd.c: Likewise.
	* src/newusers.c: Likewise.
	* libmisc/salt.c, lib/prototypes.h (crypt_make_salt): Likewise.
2011-08-14 14:37:17 +00:00
nekral-guest
745bcb5406 * src/su.c: Add annotations to indicate that su_failure() does
not return.
2011-08-14 13:15:20 +00:00
nekral-guest
905e14ee83 * src/useradd.c: Remove unused Zflg. 2011-07-30 01:47:52 +00:00
nekral-guest
f8d47df43b * src/chgpasswd.c: Fix typo sp -> sg. sg_namp -> sg_name
* src/chgpasswd.c: Always update the group file when SHADOWGRP is
	not enabled.
2011-07-30 01:46:23 +00:00
nekral-guest
934bfa5969 * src/newgrp.c: Fix typo in notreached annotation. 2011-07-30 01:41:56 +00:00
nekral-guest
00d1ab6454 * src/usermod.c: Add annotations to indicate that fail_exit() does
not return.
	* src/usermod.c: Fix typo in notreached annotation.
2011-07-30 01:41:03 +00:00
nekral-guest
75fa697526 * NEWS, src/chpasswd.c: Create a shadow entry if the password is
set to 'x' in passwd and there are no entry in shadow for the
	user.
	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is 
	set to 'x' in group and there are no entry in gshadow for the 
	group.
2011-07-28 15:17:28 +00:00
nekral-guest
771a3624f5 * src/pwunconv.c: Exit after printing usage when arguments or
options are provided.
	* src/pwunconv.c: Re-indent.
	* src/pwunconv.c: Open the shadow file read only.
	* src/grpunconv.c: Exit after printing usage when arguments or
	options are provided.
	* src/grpunconv.c: Open the gshadow file read only.
2011-07-28 14:40:56 +00:00
nekral-guest
7fed07f1e9 * src/chgpasswd.c: Fix typo. 2011-07-28 14:36:24 +00:00
nekral-guest
2aefca0f2e * NEWS, src/login.c: Do not log in utmp / utmpx / wtmp when PAM is
enabled. This is already done by pam_lastlog.
2011-07-23 11:03:50 +00:00
nekral-guest
7e8aa5429a * src/chpasswd.c: Add annotations to indicate that usage() does
not return.
	* src/chpasswd.c: Reindent.
	* src/chpasswd.c: Remove dead code. No need to set crypt_method
	to NULL when it is already NULL. sflg is only set if crypt_method
	is not NULL.
2011-07-23 08:14:15 +00:00
nekral-guest
2be8650d2c * src/lastlog.c: Add annotations to indicate that usage() does not
return.
2011-07-23 08:10:27 +00:00
nekral-guest
495125415b * src/faillog.c: Add annotations to indicate that usage() does not
return.
	* src/faillog.c: Fix message: this is faillog, not lastlog.
	* src/faillog.c: Check that there are no extra arguments after
	parsing the options.
2011-07-22 23:59:57 +00:00
nekral-guest
1def4ef49d * src/chgpasswd.c: Add annotations to indicate that usage() does
not return.
	* src/chgpasswd.c: Split usage in smaller parts. Those parts are
	already translated for chpasswd. Usage is now closer to
	chpasswd's.
	* src/chgpasswd.c: Remove dead code. No need to set crypt_method
	to NULL when it is already NULL. sflg is only set if crypt_method
	is not NULL.
2011-07-22 23:52:08 +00:00
nekral-guest
bb67476209 * src/expiry.c: Remove dead code.
* src/expiry.c: Improve comments.
2011-07-22 22:39:30 +00:00
nekral-guest
e8373305b4 * src/grpck.c: Added comments.
* src/grpck.c: Avoid implicit conversion of pointer to boolean.
	* src/grpck.c: Remove dead code. argc cannot be lower than optind.
	Avoid checking twice in a row for NULL != list[i].
2011-07-22 22:07:23 +00:00
nekral-guest
8bce7fc016 * src/passwd.c: Overflow when computing the number of days based
on the scaling. Use of long long needed.
2011-07-14 14:03:19 +00:00
nekral-guest
a7fee9db00 * NEWS, src/groupmod.c: When the gshadow file exists but there are
no gshadow entries, an entry is created if the password is changed
	and group requires a shadow entry.
2011-07-14 13:30:05 +00:00
nekral-guest
d4e630b8cc * src/usermod.c (process_flags): Indicate that the user name is
invalid, instead of just a 'field'.
2011-07-14 13:29:59 +00:00
nekral-guest
82b92af086 * src/usermod.c (process_flags): Do not display the usage in case
of an invalid -f value (similar to -e).
2011-07-14 13:29:54 +00:00
nekral-guest
c23e851074 * src/usermod.c (new_pwent): Document that pw_locate will not fail
because getpwnam returned successfully.
2011-07-14 13:29:48 +00:00
nekral-guest
2c6782b501 * NEWS, src/usermod.c; man/usermod.8.xml: When the shadow file
exists but there are no shadow entries, an entry has to be created
	if the password is changed and passwd requires a shadow entry, or
	if aging features are used (-e or -f). Document this and also that
	-e and -f require a shadow file.
2011-07-14 13:29:37 +00:00
nekral-guest
c2f5088067 * src/usermod.c (update_group, update_gshadow): Reduce complexity
and document checks. Some checks were always true/false within
	their call context.
2011-07-14 13:29:32 +00:00
nekral-guest
8195a2b5d8 * src/usermod.c (update_gshadow): is_member was computed twice. 2011-07-14 13:29:27 +00:00
nekral-guest
2798e35d86 * src/usermod.c: usage() does not return. Add annotations. 2011-07-14 13:29:22 +00:00
nekral-guest
d1753cc25d * src/usermod.c (process_flags): Check for oflg is not needed to
check if changes are needed.
2011-07-14 13:29:16 +00:00
nekral-guest
a5ded26850 * src/usermod.c (process_flags): Report usage if no options are
provided. Update the error message.
	* src/usermod.c (process_flags): Check option compatibility and
	dependency before options are discarded when no changes are
	requested.
2011-07-14 13:29:10 +00:00
nekral-guest
d51420bb01 * src/usermod.c (move_home): It is always an error to use -m if
the new home directory already exist (independently from the
	existence of the old home directory did not exist)
2011-07-14 13:29:05 +00:00
nekral-guest
aec025dbf6 * src/usermod.c: Fix typo in comment. 2011-07-14 13:28:59 +00:00
nekral-guest
95257d63a1 * src/groupmod.c: Avoid implicit conversion of pointer to boolean.
* src/groupmod.c: osgrp can be set only if pflg || nflg. No need
	to check for pflg || nflg again
2011-07-08 19:58:40 +00:00
nekral-guest
13873a8799 * lib/fields.c: Fixed typo from 2010-02-15. field insteadof cp
ought to be checked.
	* src/vipw.c: Use Prog instead of progname. This is needed since
	Prog is used in the library.
2011-07-08 19:56:18 +00:00
nekral-guest
cc6eaf9584 Fix typo in comment. 2011-07-08 19:51:32 +00:00
nekral-guest
1a164919f1 Fixed typo. user_home -> mailfile. 2011-07-08 19:50:42 +00:00
nekral-guest
907025eb40 * src/su.c: environ is provided by <unistd.h>.
* src/su.c: Added function prototypes.
	* src/su.c: Rename shellstr parameter to shellname to avoid
	collision with static variable.
	* NEWS, src/su.c: Added support for PAM modules which change
	PAM_USER.
2011-06-16 21:21:29 +00:00
nekral-guest
66d71aafb7 Cleanup. 2011-06-13 18:27:51 +00:00
nekral-guest
317939e821 * src/su.c: After prepare_pam_close_session() there is no need to
close the session in the child. Added pam_setcred to
	prepare_pam_close_session().
2011-06-13 18:27:46 +00:00
nekral-guest
1340beed16 * src/su.c: Also drop the controlling terminal when PAM is not
used.
	* src/su.c: Remove run_shell().
2011-06-13 18:27:40 +00:00