Commit Graph

154 Commits

Author SHA1 Message Date
Serge Hallyn
0f31dc5c2c
Merge pull request #458 from edneville/434_usermod_home_dir_trailing_slash
Remove tailing slash on home dir
2021-12-17 08:41:26 -06:00
Serge Hallyn
2a6164cc4a
Merge pull request #455 from alejandro-colomar/master
usermod: Remove special case for ""
2021-12-17 08:33:47 -06:00
ed neville
53763ae6ee Remove tailing slash on home dir
Closes #434

Signed-off-by: ed neville <ed@s5h.net>
2021-12-17 12:23:52 +00:00
Alejandro Colomar
e2f1fcca0e usermod: Remove special case for ""
That special case is already handled by the called function: strtoday()
so we can simplify the calling code.

Link: <https://github.com/shadow-maint/shadow/issues/454>
Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-14 12:40:09 +01:00
Andy Zaugg
aaaaf21b6f Adding new option -rG to usermod
Adding a new switch -rG, which provides a similar feature set to
-aG, allowing a person to list exactly what groups to remove a
user from.

https://github.com/shadow-maint/shadow/issues/337
2021-12-13 21:42:48 -08:00
a1346054
7687ae4dbd fix spelling and unify whitespace 2021-08-18 18:06:02 +00:00
Iker Pedrosa
e481437ab9 usermod: allow all group types with -G option
The only way of removing a group from the supplementary list is to use
-G option, and list all groups that the user is a member of except for
the one that wants to be removed. The problem lies when there's a user
that contains both local and remote groups, and the group to be removed
is a local one. As we need to include the remote group with -G option
the command will fail.

This reverts commit 140510de9d. This way,
it would be possible to remove the remote groups from the supplementary
list.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
Resolves: https://github.com/shadow-maint/shadow/issues/338

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2021-08-03 11:14:09 +02:00
Iker Pedrosa
8281c82e32 usermod.c: fix covscan RESOURCE_LEAK
Error: RESOURCE_LEAK (CWE-772): [#def31]
shadow-4.8.1/src/usermod.c:813: alloc_fn: Storage is returned from allocation function "__gr_dup".
shadow-4.8.1/src/usermod.c:813: var_assign: Assigning: "ngrp" = storage returned from "__gr_dup(grp)".
shadow-4.8.1/src/usermod.c:892: leaked_storage: Variable "ngrp" going out of scope leaks the storage it points to.
  890|   		}
  891|   	}
  892|-> }
  893|
  894|   #ifdef SHADOWGRP

Error: RESOURCE_LEAK (CWE-772): [#def32]
shadow-4.8.1/src/usermod.c:933: alloc_fn: Storage is returned from allocation function "__sgr_dup".
shadow-4.8.1/src/usermod.c:933: var_assign: Assigning: "nsgrp" = storage returned from "__sgr_dup(sgrp)".
shadow-4.8.1/src/usermod.c:1031: leaked_storage: Variable "nsgrp" going out of scope leaks the storage it points to.
 1029|   		}
 1030|   	}
 1031|-> }
 1032|   #endif				/* SHADOWGRP */
 1033|

Error: RESOURCE_LEAK (CWE-772): [#def34]
shadow-4.8.1/src/usermod.c:1161: alloc_fn: Storage is returned from allocation function "getgr_nam_gid".
shadow-4.8.1/src/usermod.c:1161: var_assign: Assigning: "grp" = storage returned from "getgr_nam_gid(optarg)".
shadow-4.8.1/src/usermod.c:1495: leaked_storage: Variable "grp" going out of scope leaks the storage it points to.
 1493|   	}
 1494|   #endif				/* ENABLE_SUBIDS */
 1495|-> }
 1496|
 1497|   /*

Error: RESOURCE_LEAK (CWE-772): [#def35]
shadow-4.8.1/src/usermod.c:1991: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/src/usermod.c:1991: var_assign: Assigning: "fd" = handle returned from "open("/var/log/lastlog", 2)".
shadow-4.8.1/src/usermod.c:2000: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2000: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/src/usermod.c:2003: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2032: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
 2030|   		}
 2031|   	}
 2032|-> }
 2033|
 2034|   /*

Error: RESOURCE_LEAK (CWE-772): [#def36]
shadow-4.8.1/src/usermod.c:2052: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
shadow-4.8.1/src/usermod.c:2052: var_assign: Assigning: "fd" = handle returned from "open("/var/log/faillog", 2)".
shadow-4.8.1/src/usermod.c:2061: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2061: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
shadow-4.8.1/src/usermod.c:2064: noescape: Resource "fd" is not freed or pointed-to in "lseek".
shadow-4.8.1/src/usermod.c:2092: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
 2090|   		}
 2091|   	}
 2092|-> }
 2093|
 2094|   #ifndef NO_MOVE_MAILBOX
2021-06-11 11:50:49 +02:00
Serge Hallyn
9d37173b24 usermod, newusers, prefix: enforce absolute paths for homedir
useradd already was enforcing this, but these were not.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-06-01 22:12:24 -05:00
Serge Hallyn
2b22a6909d libsubid: don't print error messages on stderr by default
Closes #325

Add a new subid_init() function which can be used to specify the
stream on which error messages should be printed.  (If you want to
get fancy you can redirect that to memory :)  If subid_init() is
not called, use stderr.  If NULL is passed, then /dev/null will
be used.

This patch also fixes up the 'Prog', which previously had to be
defined by any program linking against libsubid.  Now, by default
in libsubid it will show (subid).  Once subid_init() is called,
it will use the first variable passed to subid_init().

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-15 12:38:55 -05:00
Christian Göttsche
6e4b2fe25d struct commonio_db[selinux]: do not use deprecated type security_context_t
The typedef security_context_t is deprecated, see
9eb9c93275

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-05-06 16:58:10 +02:00
Geert Ijewski
fe159b7668 usermod: check if shell exists & is executable 2021-02-07 19:26:55 +01:00
ikerexxe
140510de9d usermod: check only local groups with -G option
Check only local groups when adding new supplementary groups to a user

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
2020-03-30 13:07:32 +02:00
ed
a2cd3e9ef0 chkname.c, pwck.c, useradd.c, usermod.c, newusers.c: Allow names that do not conform to standards
Closes #121.

Changelog: squashed commits fixing tab style
Changelog: update 'return true' to match file's style (no parens).
2019-10-04 18:40:41 -05:00
Stanislav Brabec
fc0ed79e5d usermod.c: Fix invalid variable name
Fix invalid LASTLOG_MAX_UID variable name to correct LASTLOG_UID_MAX.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
2019-07-26 21:39:42 +02:00
Adam Majer
50b23584d7 Add autotools support for BtrFS option
Feature is enabled by default, if headers are available. It can be
turned off explictly.
2019-05-03 22:38:23 -07:00
Adam Majer
c1d36a8acb Add support for btrfs subvolumes for user homes
new switch added to useradd command, --btrfs-subvolume-home. When
specified *and* the filesystem is detected as btrfs, it will create a
subvolume for user's home instead of a plain directory. This is done via
`btrfs subvolume` command.  Specifying the new switch while trying to
create home on non-btrfs will result in an error.

userdel -r will handle and remove this subvolume transparently via
`btrfs subvolume` command. Previosuly this failed as you can't rmdir a
subvolume.

usermod, when moving user's home across devices, will detect if the home
is a subvolume and issue an error messages instead of copying it. Moving
user's home (as subvolume) on same btrfs works transparently.
2019-05-03 22:38:23 -07:00
Serge Hallyn
5837240451 usermod: print "no changes" to stdout, not stderr
Closes #113

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2019-04-21 17:28:12 -05:00
Tomas Mraz
5b41b7d1b1 usermod: Guard against unsafe change of ownership of home directory content
In case the home directory is not a real home directory
(owned by the user) but things like / or /var or similar,
it is unsafe to change ownership of home directory content.

The test checks whether the home directory is owned by the
user him/herself, if not no ownership modification of contents
is performed.
2018-12-18 16:32:13 +01:00
Tomas Mraz
4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00
fariouche
73a876a056 Fix usermod crash
Return newly allocated pointers when the caller will free them.

Closes #110
2018-05-08 21:17:46 -05:00
fariouche
acaed3deab upstream merge 2018-01-23 23:10:19 +01:00
WheresAlice
1e98b3b559 Make language less binary 2017-09-20 17:00:29 +01:00
Chris Lamb
cb610d54b4 Make the sp_lstchg shadow field reproducible.
The third field in the /etc/shadow file (sp_lstchg) contains the date of
the last password change expressed as the number of days since Jan 1, 1970.
As this is a relative time, creating a user today will result in:

   username:17238:0:99999:7:::

whilst creating the same user tomorrow will result in:

    username:17239:0:99999:7:::

This has an impact for the Reproducible Builds[0] project where we aim to
be independent of as many elements the build environment as possible,
including the current date.

This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
environment variable (instead of Jan 1, 1970) if valid.

 [0] https://reproducible-builds.org/
 [1] https://reproducible-builds.org/specs/source-date-epoch/

Signed-off-by: Chris Lamb <lamby@debian.org>
2017-04-10 22:29:21 +01:00
fariouche
b6b2c756c9 add --prefix option 2017-03-01 22:51:09 +01:00
Serge Hallyn
411f540590 Fix s/from/to/ in usermod.c error message
Closes #49

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2016-12-21 12:40:08 -06:00
Tomas Mraz
2b820c534d Audit the home directory ownership change. 2016-11-15 16:03:40 +01:00
Serge Hallyn
e01bad7d3c Merge pull request #4 from xnox/master
Make shadow more robust in hostile environments
2015-11-12 23:07:29 -06:00
Serge Hallyn
a887847ca2 Don't limit subuid/subgid support to local users
The current implementation of subuid/subgid support in usermod requires the
user to be a local user present in /etc/passwd.  There doesn't seem to be a
good reason for this; subuids should work equally well for users whose
records are in other NSS databases.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1475749

Author: Steve Langasek <steve.langasek@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-07-20 12:14:26 -05:00
Dimitri John Ledkov
ee43f47f45
Do not fail on missing files in /etc/, create them instead.
passwd, shadow, group, gshadow etc. can be managed via nss -
e.g. system default accounts can be specified using nss_altfiles,
rather than in /etc/. Thus despite having default accounts, these
files can be missing on disk and thus should be opened with O_CREATE
whenever they are attempted to be opened in O_RDWR modes.
2015-02-27 17:01:29 +00:00
James Le Cuirot
420943657c Fix building without subordinate IDs support
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-09-04 17:29:23 -05:00
Nicolas François
6f8dd000f6 Improve diagnostic.
* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
	when option -v/-V (-w/-W) are provided.
2013-08-15 17:30:19 +02:00
Nicolas François
2e46882a9b Fix parse of ranges.
* src/usermod.c: Fix parse of ranges. The hyphen might be followed
	by a negative integer.
2013-08-15 17:30:19 +02:00
Nicolas François
d611d54ed4 Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
	--disable-subordinate-ids. Enabled by default.
	* lib/prototypes.h: Include <config.h> before using its macros.
	* lib/commonio.h, lib/commonio.c: Define commonio_append only when
	ENABLE_SUBIDS is defined.
	* lib/prototypes.h, libmisc/find_new_sub_gids.c,
	libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Likewise.
	* libmisc/user_busy.c: Only check if subordinate IDs are in use if
	ENABLE_SUBIDS is defined.
	* src/Makefile.am: Create newgidmap and newuidmap only if
	ENABLE_SUBIDS is defined.
	* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
	subordinate IDs.
	* src/useradd.c: Likewise.
	* src/userdel.c: Likewise.
	* src/usermod.c: Likewise.
	* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
	* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 (not translated yet).
	* man/generate_mans.mak: Add xsltproc conditionals
	subids/no_subids.
	* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
	condition.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/usermod.8.xml: Document options for subordinate IDs and
	reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 15:46:59 +02:00
Nicolas François
94c52130be Fix typos.
* src/usermod.c: Fix typos.
2013-08-06 22:29:40 +02:00
Serge Hallyn
c485cfabd8 usermod: add v:w:V:W: to getopt
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
d5b3092331 usermod: Add support for subordinate uids and gids.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
nekral-guest
360f12cd44 * src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
SELinux user mapping for the modified user.
	* src/useradd.c: Zflg is #defined as user_selinux non empty.
2011-11-21 22:02:15 +00:00
nekral-guest
29050eadb5 * NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
	safe_system().
	* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
	lib/Makefile.am: Added helper functions for semanage.
	* README, src/useradd.c, src/usermod.c, src/userdel.c,
	configure.in: Use libsemanage instead of semanage.
2011-11-17 21:51:07 +00:00
nekral-guest
57f9d5ae9c * src/chage.c, src/chfn.c, src/chgpasswd.c, src/chpasswd.c,
src/chsh.c, src/groupadd.c, src/groupdel.c, src/groupmems.c,
	src/groupmod.c, src/newusers.c, src/useradd.c, src/userdel.c,
	src/usermod.c: Provide the PAM error
	message instead of our own, and log error to syslog.
	* src/groupmems.c: Exit with exit rather than fail_exit in usage().
	* src/newusers.c: Check the number of arguments.
	* src/newusers.c: Do not create the home directory when it is not
	changed.
	* src/useradd.c: Set the group password to "!" rather "x" if there
	are no gshadow file.
2011-11-13 16:24:57 +00:00
nekral-guest
f0a63185c9 * src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
	src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
	src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
	src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
	src/usermod.c, src/vipw.c: Align and sort options.
2011-11-06 18:39:59 +00:00
nekral-guest
aa2957e62a * NEWS, src/usermod.c, man/usermod.8.xml: Add --root option. Open
audit and syslog after the potential chroot. userdel's usage split
	in smaller messages.
2011-11-06 18:37:39 +00:00
nekral-guest
603d949ed5 * src/usermod.c: date_to_str() is always called with negativ set
to "never", remove this argument.
	* src/usermod.c: Added missing cast for gr_free argument.
2011-09-18 17:34:21 +00:00
nekral-guest
7c96d6cbcc * src/usermod.c: Do not assign static to NULL.
* src/usermod.c (date_to_str): buf needs to be unique (e.g.
	independent from negativ), and is an out buffer.
	* src/usermod.c: Ignore return value from snprintf, and force
	nul-termination of buffer.
	* src/usermod.c: Improve memory management.
	* src/usermod.c: An audit bloc was not reachable, moved above on
	success to move the home directory.
	* src/usermod.c: Ignore close() return value for the mailbox
	(opened read only).
2011-08-15 09:56:43 +00:00
nekral-guest
00d1ab6454 * src/usermod.c: Add annotations to indicate that fail_exit() does
not return.
	* src/usermod.c: Fix typo in notreached annotation.
2011-07-30 01:41:03 +00:00
nekral-guest
d4e630b8cc * src/usermod.c (process_flags): Indicate that the user name is
invalid, instead of just a 'field'.
2011-07-14 13:29:59 +00:00
nekral-guest
82b92af086 * src/usermod.c (process_flags): Do not display the usage in case
of an invalid -f value (similar to -e).
2011-07-14 13:29:54 +00:00
nekral-guest
c23e851074 * src/usermod.c (new_pwent): Document that pw_locate will not fail
because getpwnam returned successfully.
2011-07-14 13:29:48 +00:00
nekral-guest
2c6782b501 * NEWS, src/usermod.c; man/usermod.8.xml: When the shadow file
exists but there are no shadow entries, an entry has to be created
	if the password is changed and passwd requires a shadow entry, or
	if aging features are used (-e or -f). Document this and also that
	-e and -f require a shadow file.
2011-07-14 13:29:37 +00:00