From 51c1fc93e36ac90ef1f6273832d3c5ea11f2180e Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 27 Feb 2015 11:23:58 +0000 Subject: [PATCH 1/5] Do not bail out on missing login.defs. For most operations tools have compiled-in defaults, and thus can operate without login.defs present. --- lib/getdef.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/lib/getdef.c b/lib/getdef.c index b5f780ca..c2f2dfb4 100644 --- a/lib/getdef.c +++ b/lib/getdef.c @@ -416,23 +416,26 @@ static void def_load (void) FILE *fp; char buf[1024], *name, *value, *s; + /* + * Set the initialized flag. + * (do it early to prevent recursion in putdef_str()) + */ + def_loaded = true; + /* * Open the configuration definitions file. */ fp = fopen (def_fname, "r"); if (NULL == fp) { + if (errno == ENOENT) + return; + int err = errno; SYSLOG ((LOG_CRIT, "cannot open login definitions %s [%s]", def_fname, strerror (err))); exit (EXIT_FAILURE); } - /* - * Set the initialized flag. - * (do it early to prevent recursion in putdef_str()) - */ - def_loaded = true; - /* * Go through all of the lines in the file. */ From 71c6165dcd6b808fc1bf11e0dfb3692beb06221c Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 27 Feb 2015 12:39:44 +0000 Subject: [PATCH 2/5] Do not report unknown settings, when compiled with PAM. When compiled with PAM certain settings are not used, however they are still defined in the stock login.defs file. Thus every command reports them as "unknown setting contact administrator". Alternative would be to parse stock login.defs and comment out/remove settings that are not applied, when compiled with PAM. --- lib/getdef.c | 64 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/lib/getdef.c b/lib/getdef.c index c2f2dfb4..5f050455 100644 --- a/lib/getdef.c +++ b/lib/getdef.c 
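Review bot: The new `if (errno == ENOENT) return;` makes a missing login.defs completely silent, so a deleted or mis-packaged definitions file (every setting quietly reverting to the compiled-in default) leaves no trace for an operator to notice. SYSLOG is already in use two lines further down, so an informational record costs one line: `if (errno == ENOENT) { SYSLOG ((LOG_WARN, "cannot find login definitions %s, using compiled-in defaults", def_fname)); return; }`. Reading `errno` straight after the failed fopen is fine since nothing intervenes, and moving `def_loaded = true` ahead of the open means later lookups do not retry the file, which looks intended. def_load continues outside the hunk.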
@@ -49,6 +49,32 @@ struct itemdef { /*@null@*/char *value; /* value given, or NULL if no value */ }; +#define PAMDEFS \ + {"CHFN_AUTH", NULL}, \ + {"CHSH_AUTH", NULL}, \ + {"CRACKLIB_DICTPATH", NULL}, \ + {"ENV_HZ", NULL}, \ + {"ENVIRON_FILE", NULL}, \ + {"ENV_TZ", NULL}, \ + {"FAILLOG_ENAB", NULL}, \ + {"FTMP_FILE", NULL}, \ + {"ISSUE_FILE", NULL}, \ + {"LASTLOG_ENAB", NULL}, \ + {"LOGIN_STRING", NULL}, \ + {"MAIL_CHECK_ENAB", NULL}, \ + {"MOTD_FILE", NULL}, \ + {"NOLOGINS_FILE", NULL}, \ + {"OBSCURE_CHECKS_ENAB", NULL}, \ + {"PASS_ALWAYS_WARN", NULL}, \ + {"PASS_CHANGE_TRIES", NULL}, \ + {"PASS_MAX_LEN", NULL}, \ + {"PASS_MIN_LEN", NULL}, \ + {"PORTTIME_CHECKS_ENAB", NULL}, \ + {"QUOTAS_ENAB", NULL}, \ + {"SU_WHEEL_ONLY", NULL}, \ + {"ULIMIT", NULL}, + + #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) static struct itemdef def_table[] = { {"CHFN_RESTRICT", NULL}, @@ -102,29 +128,7 @@ static struct itemdef def_table[] = { {"USERDEL_CMD", NULL}, {"USERGROUPS_ENAB", NULL}, #ifndef USE_PAM - {"CHFN_AUTH", NULL}, - {"CHSH_AUTH", NULL}, - {"CRACKLIB_DICTPATH", NULL}, - {"ENV_HZ", NULL}, - {"ENVIRON_FILE", NULL}, - {"ENV_TZ", NULL}, - {"FAILLOG_ENAB", NULL}, - {"FTMP_FILE", NULL}, - {"ISSUE_FILE", NULL}, - {"LASTLOG_ENAB", NULL}, - {"LOGIN_STRING", NULL}, - {"MAIL_CHECK_ENAB", NULL}, - {"MOTD_FILE", NULL}, - {"NOLOGINS_FILE", NULL}, - {"OBSCURE_CHECKS_ENAB", NULL}, - {"PASS_ALWAYS_WARN", NULL}, - {"PASS_CHANGE_TRIES", NULL}, - {"PASS_MAX_LEN", NULL}, - {"PASS_MIN_LEN", NULL}, - {"PORTTIME_CHECKS_ENAB", NULL}, - {"QUOTAS_ENAB", NULL}, - {"SU_WHEEL_ONLY", NULL}, - {"ULIMIT", NULL}, + PAMDEFS #endif #ifdef USE_SYSLOG {"SYSLOG_SG_ENAB", NULL}, @@ -138,6 +142,13 @@ static struct itemdef def_table[] = { {NULL, NULL} }; +#define NUMKNOWNDEFS (sizeof(knowndef_table)/sizeof(knowndef_table[0])) +static struct itemdef knowndef_table[] = { +#ifdef USE_PAM + PAMDEFS +#endif +}; + #ifndef LOGINDEFS #define LOGINDEFS "/etc/login.defs" #endif 
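Review bot: `knowndef_table` has no `{NULL, NULL}` terminator, yet the lookup added to def_find in the next hunk walks it with `for (ptr = knowndef_table; NULL != ptr->name; ptr++)`; PAMDEFS ends with `{"ULIMIT", NULL},` and nothing follows, so the loop reads past the end of the array, which is undefined behaviour. When USE_PAM is not defined the initializer is empty, which standard C before C23 does not allow (GCC accepts it as a zero-length array), and then the very first `ptr->name` read is already out of bounds. Add the sentinel after the `#endif` so the table mirrors def_table: `	{NULL, NULL}`. A one-line comment above the macro, `/* Every entry, including the last, ends with a comma. */`, would also save the next person appending to PAMDEFS from a silent missing-comma concatenation.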
@@ -397,10 +408,17 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name) * Item was never found. */ + for (ptr = knowndef_table; NULL != ptr->name; ptr++) { + if (strcmp (ptr->name, name) == 0) { + goto out; + } + } fprintf (stderr, _("configuration error - unknown item '%s' (notify administrator)\n"), name); SYSLOG ((LOG_CRIT, "unknown configuration item `%s'", name)); + +out: return (struct itemdef *) NULL; } From ee43f47f4521eda0ee9773f48de85058965653e8 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 27 Feb 2015 13:17:25 +0000 Subject: [PATCH 3/5] Do not fail on missing files in /etc/, create them instead. passwd, shadow, group, gshadow etc. can be managed via nss - e.g. system default accounts can be specified using nss_altfiles, rather than in /etc/. Thus despite having default accounts, these files can be missing on disk and thus should be opened with O_CREATE whenever they are attempted to be opened in O_RDWR modes. --- src/chage.c | 4 ++-- src/chfn.c | 2 +- src/chgpasswd.c | 4 ++-- src/chpasswd.c | 4 ++-- src/chsh.c | 2 +- src/gpasswd.c | 4 ++-- src/groupadd.c | 4 ++-- src/groupdel.c | 4 ++-- src/groupmems.c | 4 ++-- src/groupmod.c | 6 +++--- src/grpck.c | 4 ++-- src/grpconv.c | 2 +- src/grpunconv.c | 2 +- src/newusers.c | 12 ++++++------ src/passwd.c | 4 ++-- src/pwck.c | 6 +++--- src/pwconv.c | 2 +- src/pwunconv.c | 2 +- src/useradd.c | 12 ++++++------ src/userdel.c | 12 ++++++------ src/usermod.c | 12 ++++++------ 21 files changed, 54 insertions(+), 54 deletions(-) diff --git a/src/chage.c b/src/chage.c index 2df65a94..617e90f1 100644 --- a/src/chage.c +++ b/src/chage.c @@ -592,7 +592,7 @@ static void open_files (bool readonly) } pw_locked = true; } - if (pw_open (readonly ? O_RDONLY: O_RDWR) == 0) { + if (pw_open (readonly ? O_RDONLY: O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", pw_dbname ())); fail_exit (E_NOPERM); 
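Review bot: The `goto out` in the new loop jumps to a label whose only statement is the existing `return (struct itemdef *) NULL;`, so a direct `return (struct itemdef *) NULL;` inside the loop would express the early exit without introducing a label and keeps the diagnostic block below it readable as the straight-line path. A known-but-unused setting now resolves to NULL exactly like an unknown one, so callers fall back to their compiled-in default; that is the intent but it deserves a comment above the loop, `/* Settings that are defined but unused in this build (handled by PAM) are accepted silently. */`. def_find starts outside the hunk, so the declaration of `ptr` and the earlier search are not visible here.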
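Review bot: `O_CREAT` is added here without any creation mode, and the same one-token change is repeated in chfn.c, chgpasswd.c, chpasswd.c, chsh.c, gpasswd.c, groupadd.c, groupdel.c, groupmems.c, groupmod.c, grpck.c, grpconv.c, grpunconv.c, newusers.c, passwd.c, pwck.c, pwconv.c, pwunconv.c, useradd.c, userdel.c and usermod.c. Whether the permission bits of a freshly created file are controlled depends on how pw_open/spw_open and the underlying open path forward these flags, which is outside every hunk; if open(2) is called with O_CREAT and no mode argument the mode is indeterminate, and even a umask-derived 0644 would leave an empty /etc/shadow or /etc/gshadow world-readable until it is replaced. Please confirm the open path creates with a mode no wider than the database default and record that at this first call site: `/* O_CREAT: a missing database is created on the spot; its mode comes from the open path, which must keep shadow files 0400-ish. */`. The precedence in `readonly ? O_RDONLY: O_CREAT | O_RDWR` is correct, `|` binds tighter than `?:`, but `(O_CREAT | O_RDWR)` would make that obvious to the next reader.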
@@ -613,7 +613,7 @@ static void open_files (bool readonly) } spw_locked = true; } - if (spw_open (readonly ? O_RDONLY: O_RDWR) == 0) { + if (spw_open (readonly ? O_RDONLY: O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", spw_dbname ())); diff --git a/src/chfn.c b/src/chfn.c index a022c1a3..18aa3de7 100644 --- a/src/chfn.c +++ b/src/chfn.c @@ -463,7 +463,7 @@ static void update_gecos (const char *user, char *gecos) fail_exit (E_NOPERM); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fail_exit (E_NOPERM); diff --git a/src/chgpasswd.c b/src/chgpasswd.c index 4dd5fbab..13203a46 100644 --- a/src/chgpasswd.c +++ b/src/chgpasswd.c @@ -316,7 +316,7 @@ static void open_files (void) fail_exit (1); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (1); @@ -332,7 +332,7 @@ static void open_files (void) fail_exit (1); } sgr_locked = true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); fail_exit (1); diff --git a/src/chpasswd.c b/src/chpasswd.c index 78436d6a..21008f58 100644 --- a/src/chpasswd.c +++ b/src/chpasswd.c @@ -313,7 +313,7 @@ static void open_files (void) fail_exit (1); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fail_exit (1); @@ -328,7 +328,7 @@ static void open_files (void) fail_exit (1); } spw_locked = true; - if (spw_open (O_RDWR) == 0) { + if (spw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); diff --git a/src/chsh.c b/src/chsh.c index 393a79ff..c89708b9 100644 --- a/src/chsh.c +++ b/src/chsh.c 
@@ -373,7 +373,7 @@ static void update_shell (const char *user, char *newshell) fail_exit (1); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", pw_dbname ())); fail_exit (1); diff --git a/src/gpasswd.c b/src/gpasswd.c index 8959a35a..27ad9599 100644 --- a/src/gpasswd.c +++ b/src/gpasswd.c @@ -370,7 +370,7 @@ static void open_files (void) add_cleanup (log_gpasswd_failure_system, NULL); - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); @@ -380,7 +380,7 @@ static void open_files (void) #ifdef SHADOWGRP if (is_shadowgrp) { - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); diff --git a/src/groupadd.c b/src/groupadd.c index 39b4ec02..179438fb 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -346,7 +346,7 @@ static void open_files (void) add_cleanup (cleanup_report_add_group, group_name); /* And now open the databases */ - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_GRP_UPDATE); @@ -354,7 +354,7 @@ static void open_files (void) #ifdef SHADOWGRP if (is_shadow_grp) { - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); diff --git a/src/groupdel.c b/src/groupdel.c index da993475..c64b6a7e 100644 --- a/src/groupdel.c +++ b/src/groupdel.c @@ -246,7 +246,7 @@ static void open_files (void) add_cleanup (cleanup_report_del_group, group_name); /* An now open the databases */ - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); 
@@ -255,7 +255,7 @@ static void open_files (void) } #ifdef SHADOWGRP if (is_shadow_grp) { - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); diff --git a/src/groupmems.c b/src/groupmems.c index e4f107f9..4a49e10b 100644 --- a/src/groupmems.c +++ b/src/groupmems.c @@ -536,14 +536,14 @@ static void open_files (void) #endif } - if (gr_open (list ? O_RDONLY : O_RDWR) == 0) { + if (gr_open (list ? O_RDONLY : O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (EXIT_GROUP_FILE); } #ifdef SHADOWGRP if (is_shadowgrp) { - if (sgr_open (list ? O_RDONLY : O_RDWR) == 0) { + if (sgr_open (list ? O_RDONLY : O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); fail_exit (EXIT_GROUP_FILE); } diff --git a/src/groupmod.c b/src/groupmod.c index d9d38071..757c1a40 100644 --- a/src/groupmod.c +++ b/src/groupmod.c @@ -663,7 +663,7 @@ static void lock_files (void) */ static void open_files (void) { - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_GRP_UPDATE); @@ -672,7 +672,7 @@ static void open_files (void) #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); @@ -683,7 +683,7 @@ static void open_files (void) #endif /* SHADOWGRP */ if (gflg) { - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); diff --git a/src/grpck.c b/src/grpck.c index 9d1ed903..ea5d3b39 100644 --- a/src/grpck.c +++ b/src/grpck.c 
@@ -299,7 +299,7 @@ static void open_files (void) * Open the files. Use O_RDONLY if we are in read_only mode, * O_RDWR otherwise. */ - if (gr_open (read_only ? O_RDONLY : O_RDWR) == 0) { + if (gr_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, grp_file); if (use_system_grp_file) { @@ -308,7 +308,7 @@ static void open_files (void) fail_exit (E_CANT_OPEN); } #ifdef SHADOWGRP - if (is_shadow && (sgr_open (read_only ? O_RDONLY : O_RDWR) == 0)) { + if (is_shadow && (sgr_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_file); if (use_system_sgr_file) { diff --git a/src/grpconv.c b/src/grpconv.c index ece8095d..f681f07f 100644 --- a/src/grpconv.c +++ b/src/grpconv.c @@ -163,7 +163,7 @@ int main (int argc, char **argv) fail_exit (5); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (1); } diff --git a/src/grpunconv.c b/src/grpunconv.c index ea8914cb..253f06f5 100644 --- a/src/grpunconv.c +++ b/src/grpunconv.c @@ -166,7 +166,7 @@ int main (int argc, char **argv) fail_exit (5); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (1); diff --git a/src/newusers.c b/src/newusers.c index a90d04ee..724cbb40 100644 --- a/src/newusers.c +++ b/src/newusers.c 
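Review bot: The comment directly above the changed line still says `* O_RDWR otherwise.` while the call now passes `O_CREAT | O_RDWR`, so a missing group file is created rather than reported; the pwck.c hunk at `@@ -281,7` carries the same stale sentence. Update both to `* O_CREAT | O_RDWR otherwise (a missing file is created).`. For a consistency checker, creating the database as a side effect of a non-read-only run is a behaviour change users would not expect from the tool's name, so it is worth a line in the tool's documentation as well; the rest of open_files, including the lock handling, is outside the hunk.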
@@ -805,27 +805,27 @@ static void open_files (void) } #endif /* ENABLE_SUBIDS */ - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fail_exit (EXIT_FAILURE); } - if (is_shadow && (spw_open (O_RDWR) == 0)) { + if (is_shadow && (spw_open (O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); fail_exit (EXIT_FAILURE); } - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (EXIT_FAILURE); } #ifdef SHADOWGRP - if (is_shadow_grp && (sgr_open (O_RDWR) == 0)) { + if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); fail_exit (EXIT_FAILURE); } #endif #ifdef ENABLE_SUBIDS if (is_sub_uid) { - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); @@ -833,7 +833,7 @@ static void open_files (void) } } if (is_sub_gid) { - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); diff --git a/src/passwd.c b/src/passwd.c index 3424f3bf..1191111d 100644 --- a/src/passwd.c +++ b/src/passwd.c @@ -573,7 +573,7 @@ static void update_noshadow (void) exit (E_PWDBUSY); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); @@ -627,7 +627,7 @@ static void update_shadow (void) exit (E_PWDBUSY); } spw_locked = true; - if (spw_open (O_RDWR) == 0) { + if (spw_open (O_CREAT | O_RDWR) == 0) { (void) fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); diff --git a/src/pwck.c b/src/pwck.c index 05df68ec..523135f6 100644 --- a/src/pwck.c +++ b/src/pwck.c 
@@ -281,7 +281,7 @@ static void open_files (void) * Open the files. Use O_RDONLY if we are in read_only mode, O_RDWR * otherwise. */ - if (pw_open (read_only ? O_RDONLY : O_RDWR) == 0) { + if (pw_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); if (use_system_pw_file) { @@ -290,7 +290,7 @@ static void open_files (void) fail_exit (E_CANTOPEN); } if (is_shadow && !use_tcb) { - if (spw_open (read_only ? O_RDONLY : O_RDWR) == 0) { + if (spw_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); if (use_system_spw_file) { @@ -566,7 +566,7 @@ static void check_pw_file (int *errors, bool *changed) continue; } spw_locked = true; - if (spw_open (read_only ? O_RDONLY : O_RDWR) == 0) { + if (spw_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); diff --git a/src/pwconv.c b/src/pwconv.c index d41d5dd2..e2d61f87 100644 --- a/src/pwconv.c +++ b/src/pwconv.c @@ -200,7 +200,7 @@ int main (int argc, char **argv) fail_exit (E_PWDBUSY); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fail_exit (E_MISSING); diff --git a/src/pwunconv.c b/src/pwunconv.c index 62e2af04..fabf0237 100644 --- a/src/pwunconv.c +++ b/src/pwunconv.c @@ -166,7 +166,7 @@ int main (int argc, char **argv) fail_exit (5); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); diff --git a/src/useradd.c b/src/useradd.c index 1b65bf44..31ea5845 100644 --- a/src/useradd.c +++ b/src/useradd.c 
@@ -1537,7 +1537,7 @@ static void open_files (void) exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fail_exit (E_PW_UPDATE); } @@ -1554,7 +1554,7 @@ static void open_files (void) fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (E_GRP_UPDATE); } @@ -1567,7 +1567,7 @@ static void open_files (void) fail_exit (E_GRP_UPDATE); } sgr_locked = true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); @@ -1584,7 +1584,7 @@ static void open_files (void) fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); @@ -1599,7 +1599,7 @@ static void open_files (void) fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); @@ -1621,7 +1621,7 @@ static void open_shadow (void) fail_exit (E_PW_UPDATE); } spw_locked = true; - if (spw_open (O_RDWR) == 0) { + if (spw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); diff --git a/src/userdel.c b/src/userdel.c index 19b12bc4..9092b5c1 100644 --- a/src/userdel.c +++ b/src/userdel.c @@ -565,7 +565,7 @@ static void open_files (void) fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); #ifdef WITH_AUDIT 
@@ -590,7 +590,7 @@ static void open_files (void) fail_exit (E_PW_UPDATE); } spw_locked = true; - if (spw_open (O_RDWR) == 0) { + if (spw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -616,7 +616,7 @@ static void open_files (void) fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, @@ -641,7 +641,7 @@ static void open_files (void) fail_exit (E_GRP_UPDATE); } sgr_locked= true; - if (sgr_open (O_RDWR) == 0) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); #ifdef WITH_AUDIT @@ -669,7 +669,7 @@ static void open_files (void) fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); #ifdef WITH_AUDIT @@ -695,7 +695,7 @@ static void open_files (void) fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); #ifdef WITH_AUDIT diff --git a/src/usermod.c b/src/usermod.c index aa4c2621..25edd1f2 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -1532,7 +1532,7 @@ static void open_files (void) fail_exit (E_PW_UPDATE); } pw_locked = true; - if (pw_open (O_RDWR) == 0) { + if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); @@ -1545,7 +1545,7 @@ static void open_files (void) fail_exit (E_PW_UPDATE); } spw_locked = true; - if (is_shadow_pwd && (spw_open (O_RDWR) == 0)) { + if (is_shadow_pwd && (spw_open (O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); 
@@ -1564,7 +1564,7 @@ static void open_files (void) fail_exit (E_GRP_UPDATE); } gr_locked = true; - if (gr_open (O_RDWR) == 0) { + if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); @@ -1578,7 +1578,7 @@ static void open_files (void) fail_exit (E_GRP_UPDATE); } sgr_locked = true; - if (is_shadow_grp && (sgr_open (O_RDWR) == 0)) { + if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); @@ -1595,7 +1595,7 @@ static void open_files (void) fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; - if (sub_uid_open (O_RDWR) == 0) { + if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); @@ -1610,7 +1610,7 @@ static void open_files (void) fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; - if (sub_gid_open (O_RDWR) == 0) { + if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); From 46a72bc3420d964af3007f0bf0770cf6db233604 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 27 Feb 2015 14:18:56 +0000 Subject: [PATCH 4/5] Force use shadow, even if missing. --- etc/login.defs | 5 +++++ lib/getdef.c | 1 + lib/sgroupio.c | 2 ++ lib/shadowio.c | 2 ++ 4 files changed, 10 insertions(+) diff --git a/etc/login.defs b/etc/login.defs index 5ac62d63..74312d70 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -393,3 +393,8 @@ USERGROUPS_ENAB yes # #CREATE_HOME yes +# +# Force use shadow, even if shadow passwd & shadow group files are +# missing. +# +#FORCE_SHADOW yes diff --git a/lib/getdef.c b/lib/getdef.c index 5f050455..bea28129 100644 --- a/lib/getdef.c +++ b/lib/getdef.c @@ -139,6 +139,7 @@ static struct itemdef def_table[] = { {"TCB_SYMLINKS", NULL}, {"USE_TCB", NULL}, #endif + {"FORCE_SHADOW", NULL}, {NULL, NULL} }; diff --git a/lib/sgroupio.c b/lib/sgroupio.c index faed0adf..b497cd65 100644 --- a/lib/sgroupio.c 
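Review bot: The new FORCE_SHADOW block in login.defs says what the option forces but not its consequence: with it set, spw_file_present and sgr_file_present answer true even when /etc/shadow or /etc/gshadow is absent, and the tools changed earlier in this series then create the file on their next read-write open. Suggest `# Treat the shadow password and shadow group files as present even if they are missing on disk; tools that write them will create them.`, which also fixes `Force use shadow` to `Force use of shadow`. The matching `{"FORCE_SHADOW", NULL}` entry in getdef.c sits after the USE_TCB block, which is the right place since the option is unconditional.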
+++ b/lib/sgroupio.c @@ -249,6 +249,8 @@ int sgr_setdbname (const char *filename) bool sgr_file_present (void) { + if (getdef_bool ("FORCE_SHADOW")) + return true; return commonio_present (&gshadow_db); } diff --git a/lib/shadowio.c b/lib/shadowio.c index 2930e65d..1fb1bbab 100644 --- a/lib/shadowio.c +++ b/lib/shadowio.c @@ -125,6 +125,8 @@ int spw_setdbname (const char *filename) bool spw_file_present (void) { + if (getdef_bool ("FORCE_SHADOW")) + return true; return commonio_present (&shadow_db); } From bab349b46ef01c68f534f7abe909ccfa2c8463ff Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 27 Feb 2015 16:26:57 +0000 Subject: [PATCH 5/5] Create dbs with correct permissions. --- lib/commonio.c | 7 +++---- lib/commonio.h | 6 ++++++ lib/groupio.c | 3 +++ lib/pwio.c | 3 +++ lib/sgroupio.c | 3 +++ lib/shadowio.c | 3 +++ lib/subordinateio.c | 6 ++++++ 7 files changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/commonio.c b/lib/commonio.c index cc536bf1..b1c2771c 100644 --- a/lib/commonio.c +++ b/lib/commonio.c @@ -968,11 +968,10 @@ int commonio_close (struct commonio_db *db) } else { /* * Default permissions for new [g]shadow files. - * (passwd and group always exist...) */ - sb.st_mode = 0400; - sb.st_uid = 0; - sb.st_gid = 0; + sb.st_mode = db->st_mode; + sb.st_uid = db->st_uid; + sb.st_gid = db->st_gid; } snprintf (buf, sizeof buf, "%s+", db->filename); diff --git a/lib/commonio.h b/lib/commonio.h index 0a316f9c..cb4e9616 100644 --- a/lib/commonio.h +++ b/lib/commonio.h @@ -123,6 +123,12 @@ struct commonio_db { #ifdef WITH_SELINUX /*@null@*/security_context_t scontext; #endif + /* + * Default permissions and owner for newly created data file. + */ + mode_t st_mode; + uid_t st_uid; + gid_t st_gid; /* * Head, tail, current position in linked list. */ diff --git a/lib/groupio.c b/lib/groupio.c index 2a37bfd9..3ad4736b 100644 --- a/lib/groupio.c +++ b/lib/groupio.c 
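Review bot: The new `if (getdef_bool ("FORCE_SHADOW")) return true;` in sgr_file_present, and the identical line in spw_file_present in the shadowio.c hunk, omit the braces that every other control body in these files uses; write them as `if (getdef_bool ("FORCE_SHADOW")) {` / `return true;` / `}`. The larger point is that the function now reports a file as present when it may not exist, so callers that open it read-only afterwards will see that open fail; whether they treat the failure as "no shadow" or as an error is outside this hunk and should be checked before the option is documented as safe. A comment above the check, `/* FORCE_SHADOW: report the file as present so that writers create it; read-only callers must tolerate a missing file. */`, records the contract, and this assumes getdef.h is already included by both files.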
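Review bot: The comment above the three new assignments still reads `Default permissions for new [g]shadow files.` although the branch now applies to every database carrying `st_mode`/`st_uid`/`st_gid`, passwd and group included per the later hunks, so it is stale the moment this lands; replace it with `/* Original file missing: give the new file the database's default owner and mode. */`. This branch is presumably the one taken when the existing file could not be stat'ed, in which case the other members of `sb` hold whatever the failed call left behind; if anything beyond these three members is read later in commonio_close, which is outside the hunk, `sb` should be zeroed before the assignments. The commonio.h hunk places the new members outside the WITH_SELINUX conditional, which keeps the struct layout the same in both builds.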
@@ -130,6 +130,9 @@ static /*@owned@*/struct commonio_db group_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif + 0644, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ NULL, /* head */ NULL, /* tail */ NULL, /* cursor */ diff --git a/lib/pwio.c b/lib/pwio.c index 793c2e5a..7ee85377 100644 --- a/lib/pwio.c +++ b/lib/pwio.c @@ -105,6 +105,9 @@ static struct commonio_db passwd_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif + 0644, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ NULL, /* head */ NULL, /* tail */ NULL, /* cursor */ diff --git a/lib/sgroupio.c b/lib/sgroupio.c index b497cd65..f2685779 100644 --- a/lib/sgroupio.c +++ b/lib/sgroupio.c @@ -228,6 +228,9 @@ static struct commonio_db gshadow_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif + 0400, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ NULL, /* head */ NULL, /* tail */ NULL, /* cursor */ diff --git a/lib/shadowio.c b/lib/shadowio.c index 1fb1bbab..6e44ab24 100644 --- a/lib/shadowio.c +++ b/lib/shadowio.c @@ -104,6 +104,9 @@ static struct commonio_db shadow_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif /* WITH_SELINUX */ + 0400, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ NULL, /* head */ NULL, /* tail */ NULL, /* cursor */ diff --git a/lib/subordinateio.c b/lib/subordinateio.c index 88cc5817..0d64a914 100644 --- a/lib/subordinateio.c +++ b/lib/subordinateio.c @@ -541,6 +541,9 @@ static struct commonio_db subordinate_uid_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif + 0644, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ NULL, /* head */ NULL, /* tail */ NULL, /* cursor */ @@ -619,6 +622,9 @@ static struct commonio_db subordinate_gid_db = { #ifdef WITH_SELINUX NULL, /* scontext */ #endif + 0644, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ NULL, /* head */ NULL, /* tail */ NULL, /* cursor */
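Review bot: The three new members are initialized positionally between `scontext` and `head` here and in the pwio.c, sgroupio.c, shadowio.c and both subordinateio.c tables, so any `struct commonio_db` initializer this patch does not touch would silently have its `head`, `tail` and `cursor` values shifted onto the new members with no compiler diagnostic. The code base already relies on C99 (`bool` appears in the function signatures of this series), so designated initializers, `.st_mode = 0644, .st_uid = 0, .st_gid = 0,`, would make every table robust to member insertion. The chosen values match the old hard-coded defaults (0400 root:root for the two shadow files, 0644 root:root for the public ones), which is the right conservative choice; a short comment on the shadow entries such as `/* st_mode: never wider than 0400 by default; change here if a dedicated shadow group is used */` tells packagers where the policy lives.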