Commit Graph

28 Commits

Author SHA1 Message Date
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00
Serge Hallyn
45b4187596 pwconv and grpconv: rewind after deleting an entry
Otherwise our spw_next() will cause us to skip an entry.
Ideally we'd be able to do an swp_rewind(1), but I don't
see a helper for this.

Closes #60

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2018-03-25 09:18:22 -05:00
Dimitri John Ledkov
ee43f47f45
Do not fail on missing files in /etc/, create them instead.
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
2015-02-27 17:01:29 +00:00
nekral-guest
82d767d121 * libmisc/root_flag.c, src/gpasswd.c, src/chsh.c: Add splint
annotations.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Ignore return value of spw_rewind, pw_rewind, sgr_rewind, and
	gr_rewind.
	* lib/commonio.h: Both head and tail cannot be owned. Set tail as
	dependent.
	* src/expiry.c: Ignore return value of expire ().
	* src/expiry.c: The catch_signals function does not use its sig
	parameter.
	* src/userdel.c: Last audit_logger parameter is a
	shadow_audit_result, use SHADOW_AUDIT_FAILURE instead of 0.
2011-11-19 21:51:52 +00:00
nekral-guest
f0a63185c9 * src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
	src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
	src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
	src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
	src/usermod.c, src/vipw.c: Align and sort options.
2011-11-06 18:39:59 +00:00
nekral-guest
bf90350fe7 * NEWS, src/pwconv.c, src/pwunconv.c, src/grpconv.c,
src/grpunconv.c, man/pwconv.8.xml: Add --root option.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Add --help option.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Add process_flags() and usage().
2011-11-06 18:38:04 +00:00
nekral-guest
2b5ba27ff8 * src/grpconv.c: Fail if not called correctly.
* src/grpconv.c: At the end of main, the passwd and shadow files
	are locked. No need to check before unlocking. No need to set the
	lock as false neither since there cannot be anymore failures.
2011-09-18 20:26:27 +00:00
nekral-guest
ab9427420e * src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/pwconv.c, src/chpasswd.c, src/logoutd.c,
	src/chfn.c, src/groupmems.c, src/usermod.c, src/pwunconv.c,
	src/expiry.c, src/groupdel.c, src/chgpasswd.c, src/useradd.c,
	src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c, src/chage.c,
	src/groupadd.c, src/login.c, src/grpconv.c, src/groups.c,
	src/grpunconv.c, src/chsh.c: Prog changed to a constant string.
2010-08-22 19:36:09 +00:00
nekral-guest
ee4e367ea8 * src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/pwconv.c, src/chpasswd.c, src/logoutd.c,
	src/chfn.c, src/groupmems.c, src/usermod.c, src/pwunconv.c,
	src/expiry.c, src/groupdel.c, src/chgpasswd.c, src/useradd.c,
	src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c,
	src/groupadd.c, src/chage.c, src/login.c, src/grpconv.c,
	src/groups.c, src/grpunconv.c, src/chsh.c: Prog is now global (not
	static to the file) so that it can be used by the helper functions
	of libmisc.
	* lib/prototypes.h: Added extern char *Prog.
	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Indicate the
	program name with the warning.
2008-09-06 12:51:53 +00:00
nekral-guest
bf3e8f290c * src/grpconv.c, src/groups.c: Name the parameters in the
prototypes of the static functions.
	* src/grpconv.c: Fail if unexpected parameters are provided.
	* src/grpconv.c: Indicate that argc is not used in the no
	SHADOWGRP version.
2008-08-31 17:28:12 +00:00
nekral-guest
d7b55ce2bb * src/groupmems.c: Check the return value of gr_update().
* src/chage.c, src/chfn.c, src/chgpasswd.c, src/chpasswd.c,
	src/chsh.c, src/gpasswd.c, src/groupadd.c, src/groupmems.c,
	src/groupmod.c, src/grpck.c, src/grpconv.c, src/grpunconv.c,
	src/passwd.c, src/pwck.c, src/pwconv.c, src/pwunconv.c,
	src/useradd.c, src/userdel.c, src/usermod.c: Harmonize the error
	message sent to stderr in case of *_update () failure.
	* src/chage.c, src/chsh.c, src/groupadd.c, src/passwd.c: Do not
	log to syslog when pw_update() or spw_update() fail.
	* src/newusers.c: Do not log specific error message to stderr when
	sgr_update() fails.
	* src/pwconv.c: Remove duplicated definition of Prog.
2008-08-30 18:27:34 +00:00
nekral-guest
306f19b805 * src/grpconv.c: Use Basename for the definition of Prog. Prog
needs a file visibility.
	* src/grpunconv.c: Likewise.
2008-08-22 02:33:08 +00:00
nekral-guest
a3be8ff055 * src/chfn.c: Do not exit on pw_unlock failures.
* src/grpconv.c, src/grpunconv.c, src/pwconv.c, src/pwunconv.c,
	src/vipw.c: Open syslog with the right identification name.
	* src/vipw.c: Log unlock errors to syslog.
	* src/vipw.c: Log edits to syslog.
	* src/chage.c, src/chfn.c, src/chsh.c, src/gpasswd.c,
	src/groupadd.c, src/groupdel.c, src/groupmod.c, src/grpconv.c,
	src/grpunconv.c, src/passwd.c, src/pwck.c, src/pwunconv.c,
	src/useradd.c, src/usermod.c: Harmonize the syslog levels. Failure
	to close or unlock are errors. Failure to open files are warnings.
2008-08-22 02:30:33 +00:00
nekral-guest
2bdcb9c33d * src/grpck.c: Added function fail_exit(). Check failure to unlock
files. Report errors to stderr and syslog, but continue.
	* src/grpconv.c: Check failure to unlock files. Report errors to
	stderr and syslog, but continue.
2008-08-22 02:26:46 +00:00
nekral-guest
82779cd336 * src/chfn.c, src/chgpasswd.c, src/chpasswd.c, src/gpasswd.c,
src/groupadd.c, src/groupdel.c, src/groupmems.c, src/groupmod.c,
	src/grpconv.c, src/grpunconv.c, src/newusers.c, src/pwconv.c,
	src/pwunconv.c, src/useradd.c, src/userdel.c: Harmonize the name
	of the variables keeping the lock status, to match the shadow
	library prefixes.
2008-08-22 02:22:34 +00:00
nekral-guest
82ed690817 * src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/gpasswd.c, src/groupadd.c, src/groupdel.c, src/groupmems.c,
	src/groupmod.c, src/grpck.c, src/grpconv.c, src/grpunconv.c,
	src/newusers.c, src/passwd.c, src/pwck.c, src/pwconv.c,
	src/pwunconv.c, src/useradd.c, src/userdel.c, src/usermod.c: In
	case of a lock failure, indicate to the user that she can try
	again later. Do not log to syslog.
2008-08-22 02:20:53 +00:00
nekral-guest
7fc596fb8a * lib/groupio.c, lib/groupio.h, lib/pwio.c, lib/pwio.h,
lib/sgroupio.c, lib/sgroupio.h, lib/shadowio.c, lib/shadowio.h:
	Added *_dbname() functions to retrieve the name of the databases.
	* lib/groupio.c, lib/groupio.h, lib/pwio.c, lib/pwio.h,
	lib/sgroupio.c, lib/sgroupio.h, lib/shadowio.c, lib/shadowio.h:
	*_name() functions renamed *setname().
	* src/grpck.c, src/pwck.c: Likewise.
	* lib/groupio.h, lib/pwio.h, lib/sgroupio.h, lib/shadowio.h: Added
	the name of the arguments to the prototypes.
	* src/chage, src/chfn.c, src/chgpasswd.c, src/chpasswd.c,
	src/chsh.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
	src/groupmod.c, src/grpck.c, src/grpconv.c, src/grpunconv.c,
	src/newusers.c, src/passwd.c, src/pwck.c, src/pwconv.c,
	src/pwunconv.c, src/useradd.c, src/userdel.c, src/usermod.c:
	Harmonize the erro & syslog messages in case of failure of the
	*_lock(), *_open(), *_close(), *_unlock(), *_remove() functions.
	* src/chgpasswd.c, src/chpasswd.c, src/usermod.c: Avoid
	capitalized messages.
	* src/chpasswd.c, src/useradd.c, src/usermod.c: Harmonize messages
	in case of inexistent entries.
	* src/usermod.c:  Harmonize messages in case of already existing
	entries.
	* src/newusers.c, src/useradd.c: Simplify PAM error handling.
	* src/useradd.c: Report failures to unlock files (stderr, syslog,
	and audit). But do not fail (continue).
	* src/useradd.c (open_files): Do not report to syslog & audit
	failures to lock or open the databases. This might be harmless,
	and the logs were not already informed that a change was
	requested.
	* src/usermod.c: It's not the account which is unlocked, but its
	password.
2008-08-06 15:57:31 +00:00
nekral-guest
cd9e4d1b2b * src/grpconv.c: Use a bool when possible instead of int integers.
* src/grpconv.c: Add brackets and parenthesis.
	* src/grpconv.c: Ignore return value of setlocale(),
	bindtextdomain(), and textdomain().
	* src/grpconv.c: Avoid implicit conversion of pointers / integers
	to booleans.
2008-06-10 19:18:34 +00:00
nekral-guest
c7302b61ef Make sure every source files are distributed with a copyright and license.
Files with no license use the default 3-clauses BSD license. The copyright
were mostly not recorded; they were updated according to the Changelog.
"Julianne Frances Haugh and contributors" changed to "copyright holders
and contributors".
2008-04-27 00:40:09 +00:00
nekral-guest
b2120265fd Added the subversion svn:keywords property (Id) for proper identification. 2007-11-10 23:46:11 +00:00
nekral-guest
591830e43b [svn-upgrade] Integrating new upstream version, shadow (4.0.15) 2007-10-07 11:47:22 +00:00
nekral-guest
8451bed8b0 [svn-upgrade] Integrating new upstream version, shadow (4.0.13) 2007-10-07 11:47:01 +00:00
nekral-guest
e89f3546f2 [svn-upgrade] Integrating new upstream version, shadow (4.0.12) 2007-10-07 11:46:52 +00:00
nekral-guest
8e167d28af [svn-upgrade] Integrating new upstream version, shadow (4.0.8) 2007-10-07 11:46:07 +00:00
nekral-guest
effd479bff [svn-upgrade] Integrating new upstream version, shadow (4.0.4) 2007-10-07 11:45:23 +00:00
nekral-guest
9db6abfa42 [svn-upgrade] Integrating new upstream version, shadow (4.0.1) 2007-10-07 11:44:59 +00:00
nekral-guest
efd7efa9f1 [svn-upgrade] Integrating new upstream version, shadow (20000826) 2007-10-07 11:44:14 +00:00
nekral-guest
45c6603cc8 [svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 11:44:02 +00:00