Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4c944d236c | |||
| 46cc41933b | |||
| 388cb97893 | |||
| 81c4e06c3b | |||
| 4fcb8d510b | |||
| 2ff61e3c80 | |||
| 61472718df | |||
| b63aced4b3 | |||
| b532614a3b | |||
| 02f8995749 | |||
| cb56b9d10e | |||
| bdb2aa7202 | |||
| 7a3935ef98 | |||
| 9d0f797494 | |||
| 862809e6de | |||
| 0e71b4600c | |||
| fcee2d4028 | |||
| 3ee8ec58bb | |||
| d20c220441 | |||
| 451264e2b2 | |||
| d2ea0055d4 | |||
| d48226e507 | |||
| 1a19ece5ee | |||
| a70f9f8694 | |||
| 02ea908972 |
@@ -1,34 +0,0 @@
|
||||
image: alpine/latest
|
||||
# apk add --update alpine-sdk
|
||||
packages:
|
||||
- cmd:setcap
|
||||
- autoconf
|
||||
- automake
|
||||
- byacc
|
||||
- expect
|
||||
- gettext
|
||||
- gettext-dev
|
||||
- gettext-lang
|
||||
- libbsd-dev
|
||||
- libcap-dev
|
||||
- libtool
|
||||
- linux-pam-dev
|
||||
- pkgconf
|
||||
- sed
|
||||
sources:
|
||||
- https://github.com/shadow-maint/shadow
|
||||
tasks:
|
||||
- build: |
|
||||
cd shadow
|
||||
./autogen.sh --without-selinux --disable-man --disable-nls
|
||||
grep ENABLE_ config.status
|
||||
- tasks: |
|
||||
cd shadow
|
||||
cat /proc/self/uid_map
|
||||
cat /proc/self/status
|
||||
make
|
||||
make DESTDIR=/tmp/shadow-inst install
|
||||
sudo make install
|
||||
#TODO - fix up the tests. Let's merge what's here now as it
|
||||
#at least tests build.
|
||||
#(cd tests; sudo ./run_some || { cat testsuite.log; false; })
|
||||
@@ -1,33 +0,0 @@
|
||||
image: fedora/latest
|
||||
packages:
|
||||
- autoconf
|
||||
- automake
|
||||
- byacc
|
||||
- expect
|
||||
- findutils
|
||||
- gettext
|
||||
- gettext-devel
|
||||
- git
|
||||
- libbsd-devel
|
||||
- libselinux-devel
|
||||
- libsemanage-devel
|
||||
- libtool
|
||||
- libxslt
|
||||
- pkgconf
|
||||
sources:
|
||||
- https://github.com/shadow-maint/shadow
|
||||
tasks:
|
||||
- build: |
|
||||
cd shadow
|
||||
./autogen.sh --with-selinux --enable-man
|
||||
grep ENABLE_ config.status
|
||||
- tasks: |
|
||||
cd shadow
|
||||
cat /proc/self/uid_map
|
||||
cat /proc/self/status
|
||||
make
|
||||
make DESTDIR=/tmp/shadow-inst install
|
||||
sudo make install
|
||||
#TODO - fix up the tests. Let's merge what's here now as it
|
||||
#at least tests build.
|
||||
#(cd tests; sudo ./run_some || { cat testsuite.log; false; })
|
||||
@@ -1,28 +0,0 @@
|
||||
image: ubuntu/focal
|
||||
packages:
|
||||
- automake
|
||||
- autopoint
|
||||
- xsltproc
|
||||
- libbsd-dev
|
||||
- libselinux1-dev
|
||||
- gettext
|
||||
- expect
|
||||
- byacc
|
||||
- libtool
|
||||
- pkgconf
|
||||
sources:
|
||||
- https://github.com/shadow-maint/shadow
|
||||
tasks:
|
||||
- build: |
|
||||
cd shadow
|
||||
./autogen.sh --without-selinux --disable-man
|
||||
grep ENABLE_ config.status
|
||||
- tasks: |
|
||||
cd shadow
|
||||
cat /proc/self/uid_map
|
||||
cat /proc/self/status
|
||||
systemd-detect-virt
|
||||
make
|
||||
make DESTDIR=/tmp/shadow-inst install
|
||||
sudo make install
|
||||
(cd tests; sudo ./run_some || { cat testsuite.log; false; })
|
||||
@@ -1,28 +0,0 @@
|
||||
image: ubuntu/22.04
|
||||
packages:
|
||||
- automake
|
||||
- autopoint
|
||||
- xsltproc
|
||||
- libbsd-dev
|
||||
- libselinux1-dev
|
||||
- gettext
|
||||
- expect
|
||||
- byacc
|
||||
- libtool
|
||||
- pkgconf
|
||||
sources:
|
||||
- https://github.com/shadow-maint/shadow
|
||||
tasks:
|
||||
- build: |
|
||||
cd shadow
|
||||
./autogen.sh --without-selinux --enable-man
|
||||
grep ENABLE_ config.status
|
||||
- tasks: |
|
||||
cat /proc/self/uid_map
|
||||
cat /proc/self/status
|
||||
systemd-detect-virt
|
||||
cd shadow
|
||||
make
|
||||
make DESTDIR=/tmp/shadow-inst install
|
||||
sudo make install
|
||||
(cd tests; sudo ./run_some || { cat testsuite.log; false; })
|
||||
@@ -1,4 +0,0 @@
|
||||
root = true
|
||||
|
||||
[*.{c,h}]
|
||||
indent_style = tab
|
||||
@@ -1,12 +0,0 @@
|
||||
name: 'Install dependencies'
|
||||
description: 'Install dependencies to build shadow-utils'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- shell: bash
|
||||
run: |
|
||||
sudo apt-get update -y
|
||||
sudo apt-get install -y ubuntu-dev-tools libbsd-dev
|
||||
sudo sed -Ei 's/^# deb-src /deb-src /' /etc/apt/sources.list
|
||||
sudo apt-get update -y
|
||||
sudo apt-get -y build-dep shadow
|
||||
@@ -1,108 +0,0 @@
|
||||
name: CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
branches: [ master ]
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: debug
|
||||
run: |
|
||||
id
|
||||
which bash
|
||||
whoami
|
||||
env
|
||||
ps -ef
|
||||
pwd
|
||||
cat /proc/self/uid_map
|
||||
cat /proc/self/status
|
||||
systemd-detect-virt
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
sudo cat /etc/apt/sources.list
|
||||
sudo sed -i '/deb-src/d' /etc/apt/sources.list
|
||||
sudo sed -i '/^deb /p;s/ /-src /' /etc/apt/sources.list
|
||||
export DEBIAN_PRIORITY=critical
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
# let's try to work around upgrade breakage in a pkg we don't care about
|
||||
sudo apt-mark hold grub-efi-amd64-bin grub-efi-amd64-signed
|
||||
sudo apt-get update
|
||||
sudo apt-get -y dist-upgrade
|
||||
sudo apt-get -y install ubuntu-dev-tools automake autopoint xsltproc gettext expect byacc libtool libbsd-dev pkgconf
|
||||
sudo apt-get -y build-dep shadow
|
||||
- name: configure
|
||||
run: |
|
||||
autoreconf -v -f --install
|
||||
./autogen.sh --without-selinux --disable-man --with-yescrypt
|
||||
- run: make
|
||||
- run: make install DESTDIR=${HOME}/rootfs
|
||||
- run: sudo make install
|
||||
- name: run tests in shell with tty
|
||||
shell: 'script -q -e -c "bash {0}"'
|
||||
run: |
|
||||
set -e
|
||||
cd tests
|
||||
sudo ./run_some
|
||||
cat testsuite.log
|
||||
|
||||
# Make sure that 'make dist' makes a usable tarball with no missing files
|
||||
dist-build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
sudo cat /etc/apt/sources.list
|
||||
sudo sed -i '/deb-src/d' /etc/apt/sources.list
|
||||
sudo sed -i '/^deb /p;s/ /-src /' /etc/apt/sources.list
|
||||
export DEBIAN_PRIORITY=critical
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
# let's try to work around upgrade breakage in a pkg we don't care about
|
||||
sudo apt-mark hold grub-efi-amd64-bin grub-efi-amd64-signed
|
||||
sudo apt-get update
|
||||
sudo apt-get -y dist-upgrade
|
||||
sudo apt-get -y install ubuntu-dev-tools automake autopoint xsltproc gettext expect byacc libtool libbsd-dev pkgconf
|
||||
sudo apt-get -y build-dep shadow
|
||||
|
||||
- name: Test make dist
|
||||
run: |
|
||||
./autogen.sh
|
||||
make dist
|
||||
f=shadow-*.tar.gz
|
||||
tar -zxf $f
|
||||
d=$(basename $f .tar.gz)
|
||||
cd $d
|
||||
./configure
|
||||
make -j5
|
||||
|
||||
container-build:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
os: [alpine, debian, fedora]
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Build container
|
||||
run: |
|
||||
docker buildx build -f ./share/containers/${{ matrix.os }}.dockerfile . --output build-out
|
||||
|
||||
- name: Store artifacts
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: ${{ matrix.os }}-build
|
||||
path: |
|
||||
./build-out/config.log
|
||||
./build-out/config.h
|
||||
if-no-files-found: ignore
|
||||
@@ -1,61 +0,0 @@
|
||||
name: "Static code analysis"
|
||||
on:
|
||||
push:
|
||||
branches: [master]
|
||||
pull_request:
|
||||
branches: [master]
|
||||
schedule:
|
||||
# Everyday at midnight
|
||||
- cron: '0 0 * * *'
|
||||
jobs:
|
||||
codeql:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Install dependencies
|
||||
id: dependencies
|
||||
uses: ./.github/actions/install-dependencies
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
with:
|
||||
languages: cpp
|
||||
queries: +security-and-quality
|
||||
|
||||
- name: Configure shadow-utils
|
||||
run: ./autogen.sh --without-selinux --disable-man
|
||||
|
||||
- name: Build shadow-utils
|
||||
run: |
|
||||
PROCESSORS=$(/usr/bin/getconf _NPROCESSORS_ONLN)
|
||||
make -kj$PROCESSORS || true
|
||||
|
||||
- name: Check build errors
|
||||
run: make
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
|
||||
differential-shellcheck:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
# Doc: https://github.com/redhat-plumbers-in-action/differential-shellcheck#usage
|
||||
- name: Differential ShellCheck
|
||||
uses: redhat-plumbers-in-action/differential-shellcheck@v3
|
||||
with:
|
||||
severity: warning
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
-51
@@ -1,51 +0,0 @@
|
||||
*~
|
||||
lib*.a
|
||||
*.o
|
||||
*.lo
|
||||
*.la
|
||||
*.gmo
|
||||
.deps
|
||||
.libs
|
||||
|
||||
*.patch
|
||||
*.rej
|
||||
*.orig
|
||||
|
||||
Makefile
|
||||
Makefile.in
|
||||
|
||||
/ABOUT-NLS
|
||||
/aclocal.m4
|
||||
/autom4te.cache
|
||||
/compile
|
||||
/config.cache
|
||||
/config.guess
|
||||
/config.h
|
||||
/config.h.in
|
||||
/config.log
|
||||
/config.rpath
|
||||
/config.status
|
||||
/config.sub
|
||||
/configure
|
||||
/depcomp
|
||||
/install-sh
|
||||
/libtool
|
||||
/ltmain.sh
|
||||
/m4
|
||||
/missing
|
||||
/stamp-h1
|
||||
/ylwrap
|
||||
|
||||
/po/*.header
|
||||
/po/*.sed
|
||||
/po/*.sin
|
||||
/po/Makefile.in.in
|
||||
/po/Makevars.template
|
||||
/po/POTFILES
|
||||
/po/Rules-quot
|
||||
/po/stamp-po
|
||||
|
||||
/shadow.spec
|
||||
/shadow-*.tar.*
|
||||
/lib/getdate.c
|
||||
/libsubid/subid.h
|
||||
-52
@@ -1,52 +0,0 @@
|
||||
dist: bionic
|
||||
sudo: false
|
||||
|
||||
language: c
|
||||
|
||||
compiler:
|
||||
- gcc
|
||||
- clang
|
||||
|
||||
arch:
|
||||
- amd64
|
||||
- arm64
|
||||
- ppc64le
|
||||
- s390x
|
||||
|
||||
before_install:
|
||||
- sudo apt-get update -qq
|
||||
- sudo apt-get -y install -qq automake autopoint xsltproc libselinux1-dev gettext expect
|
||||
- sudo apt-get -y install -qq byacc libtool
|
||||
script:
|
||||
- ./autogen.sh --without-selinux --disable-man
|
||||
- grep ENABLE_ config.status
|
||||
- make
|
||||
|
||||
env:
|
||||
global:
|
||||
- secure: "G47VYFrtzqalrVjixTqBG9Qsa8EZRcaqsh1k6fq5JgEyHmMQActpvTUDs9FXf1MEqiY5XX3VDVfBsZgKPHgmHsMzD1bX11xpnpGByB8g7gr8I3u2ZkCREqgi77a5l3LeBh+seWiambe/DYOgvPCNa6pCynLgR9advqtgKhpCruU="
|
||||
|
||||
addons:
|
||||
coverity_scan:
|
||||
|
||||
project:
|
||||
name: "shadow-maint/shadow"
|
||||
description: "Upstream shadow utils tree"
|
||||
|
||||
notification_email: christian.brauner@ubuntu.com,serge@hallyn.com
|
||||
|
||||
build_command_prepend: "./autogen.sh --without-selinux --disable-man"
|
||||
build_command: "make -kj4 || make"
|
||||
branch_pattern: master
|
||||
|
||||
script:
|
||||
- cat /proc/self/uid_map
|
||||
- cat /proc/self/status
|
||||
- systemd-detect-virt
|
||||
- ./autogen.sh --without-selinux --disable-man
|
||||
- grep ENABLE_ config.status
|
||||
- make
|
||||
- sudo make install
|
||||
- (cd tests; sudo ./run_some; cat testsuite.log)
|
||||
|
||||
# vim:et:ts=2:sw=2
|
||||
-90
@@ -1,90 +0,0 @@
|
||||
Thanks to at least the following people for sending patches, bug
|
||||
reports and various comments. This list may be incomplete, I received
|
||||
a lot of mail...
|
||||
|
||||
# Maintainers
|
||||
* Marek Michałkiewicz <marekm72@gmail.com> (1995-2000)
|
||||
* Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
|
||||
* Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
|
||||
* Serge E. Hallyn <serge@hallyn.com> (2014-now)
|
||||
* Christian Brauner <christian@brauner.io> (2019-now)
|
||||
* Iker Pedrosa <ipedrosa@redhat.com> (2022-now)
|
||||
|
||||
# Authors and contributors
|
||||
* Adam Rudnicki <adam@v-lo.krakow.pl>
|
||||
* Alan Curry <pacman@tardis.mars.net>
|
||||
* Aleksa Sarai <cyphar@cyphar.com>
|
||||
* Alexander O. Yuriev <alex@bach.cis.temple.edu>
|
||||
* Algis Rudys <arudys@rice.edu>
|
||||
* Andreas Jaeger <aj@arthur.rhein-neckar.de>
|
||||
* Andy Zaugg <andy.zaugg@gmail.com>
|
||||
* Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
|
||||
* Anton Gluck <gluc@midway.uchicago.edu>
|
||||
* Arkadiusz Miskiewicz <misiek@pld.org.pl>
|
||||
* Ben Collins <bcollins@debian.org>
|
||||
* Brian R. Gaeke <brg@dgate.org>
|
||||
* Calle Karlsson <ckn@kash.se>
|
||||
* Chip Rosenthal <chip@unicom.com>
|
||||
* Chris Evans <lady0110@sable.ox.ac.uk>
|
||||
* Chris Lamb <chris@chris-lamb.co.uk>
|
||||
* Cristian Gafton <gafton@sorosis.ro>
|
||||
* Dan Walsh <dwalsh@redhat.com>
|
||||
* Darcy Boese <possum@chardonnay.niagara.com>
|
||||
* Dave Hagewood <admin@arrowweb.com>
|
||||
* David A. Holland <dholland@hcs.harvard.edu>
|
||||
* David Frey <David.Frey@lugs.ch>
|
||||
* Ed Carp <ecarp@netcom.com>
|
||||
* Ed Neville <ed@s5h.net>
|
||||
* Eric W. Biederman" <ebiederm@xmission.com>
|
||||
* Floody <flood@evcom.net>
|
||||
* Frank Denis <j@4u.net>
|
||||
* George Kraft IV <gk4@us.ibm.com>
|
||||
* Greg Mortensen <loki@world.std.com>
|
||||
* Guido van Rooij
|
||||
* Guy Maor <maor@debian.org>
|
||||
* Hrvoje Dogan <hdogan@bjesomar.srce.hr>
|
||||
* Jakub Hrozek <jhrozek@redhat.com>
|
||||
* Janos Farkas <chexum@bankinf.banki.hu>
|
||||
* Jason Franklin <jason.franklin@quoininc.com>
|
||||
* Jay Soffian <jay@lw.net>
|
||||
* Jesse Thilo <Jesse.Thilo@pobox.com>
|
||||
* Joey Hess <joey@kite.ml.org>
|
||||
* John Adelsberger <jja@umr.edu>
|
||||
* Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
|
||||
* Jon Lewis <jlewis@lewis.org>
|
||||
* Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
|
||||
* Judd Bourgeois <shagboy@bluesky.net>
|
||||
* Juergen Heinzl <unicorn@noris.net>
|
||||
* Juha Virtanen <jiivee@iki.fi>
|
||||
* Julian Pidancet <julian.pidancet@gmail.com>
|
||||
* Julianne Frances Haugh <julie78787@gmail.com>
|
||||
* Leonard N. Zubkoff <lnz@dandelion.com>
|
||||
* Luca Berra <bluca@www.polimi.it>
|
||||
* Lukáš Kuklínek <lkukline@redhat.com>
|
||||
* Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
|
||||
* Marc Ewing <marc@redhat.com>
|
||||
* Martin Bene <mb@sime.com>
|
||||
* Martin Mares <mj@gts.cz>
|
||||
* Michael Meskes <meskes@topsystem.de>
|
||||
* Michael Talbot-Wilson <mike@calypso.bns.com.au>
|
||||
* Michael Vetter <jubalh@iodoru.org>
|
||||
* Mike Frysinger <vapier@gentoo.org>
|
||||
* Mike Pakovic <mpakovic@users.southeast.net>
|
||||
* Nicolas François <nicolas.francois@centraliens.net>
|
||||
* Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
|
||||
* Pavel Machek <pavel@bug.ucw.cz>
|
||||
* Peter Vrabec <pvrabec@redhat.com>
|
||||
* Phillip Street
|
||||
* Rafał Maszkowski <rzm@icm.edu.pl>
|
||||
* Rani Chouha <ranibey@smartec.com>
|
||||
* Sami Kerola <kerolasa@rocketmail.com>
|
||||
* Scott Garman <scott.a.garman@intel.com>
|
||||
* Sebastian Rick Rijkers <srrijkers@gmail.com>
|
||||
* Seraphim Mellos <mellos@ceid.upatras.gr>
|
||||
* Shane Watts <shane@nexus.mlckew.edu.au>
|
||||
* Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
|
||||
* Thorsten Kukuk <kukuk@suse.de>
|
||||
* Tim Hockin <thockin@eagle.ais.net>
|
||||
* Timo Karjalainen <timok@iki.fi>
|
||||
* Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
|
||||
* Werner Fink <werner@suse.de>
|
||||
@@ -1,41 +0,0 @@
|
||||
SPDX-License-Identifier: BSD-3-Clause
|
||||
|
||||
All files under this project either
|
||||
|
||||
1. fall under the BSD 3 clause license (by default).
|
||||
|
||||
2. carry an SPDX header declaring what license applies.
|
||||
|
||||
or
|
||||
|
||||
3. list a full custom license
|
||||
|
||||
This software is originally
|
||||
|
||||
* Copyright (c) 1989 - 1994, Julianne Frances Haugh
|
||||
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the copyright holders or contributors may not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
-15
@@ -1,15 +0,0 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
EXTRA_DIST = NEWS README TODO shadow.spec.in
|
||||
|
||||
SUBDIRS = lib
|
||||
|
||||
if ENABLE_SUBIDS
|
||||
SUBDIRS += libsubid
|
||||
endif
|
||||
|
||||
SUBDIRS += src po contrib doc etc
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
||||
SUBDIRS += man
|
||||
endif
|
||||
@@ -1,41 +0,0 @@
|
||||
# shadow-utils
|
||||
|
||||
## Introduction
|
||||
The shadow-utils package includes the necessary programs for
|
||||
converting UNIX password files to the shadow password format, plus
|
||||
programs for managing user and group accounts. The pwconv command
|
||||
converts passwords to the shadow password format. The pwunconv command
|
||||
unconverts shadow passwords and generates a passwd file (a standard
|
||||
UNIX password file). The pwck command checks the integrity of password
|
||||
and shadow files. The lastlog command prints out the last login times
|
||||
for all users. The useradd, userdel, and usermod commands are used for
|
||||
managing user accounts. The groupadd, groupdel, and groupmod commands
|
||||
are used for managing group accounts.
|
||||
|
||||
## Sites
|
||||
* [Homepage](https://github.com/shadow-maint/shadow)
|
||||
* [Issue tracker](https://github.com/shadow-maint/shadow/issues)
|
||||
* [Releases](https://github.com/shadow-maint/shadow/releases)
|
||||
|
||||
## Contacts
|
||||
There are several ways to contact us:
|
||||
* [the general discussion mailing list](
|
||||
https://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel)
|
||||
* the #shadow IRC channel on libera.chat:
|
||||
* irc://irc.libera.chat/shadow
|
||||
|
||||
### Mailing archives
|
||||
* [the general discussion mailing list archive](
|
||||
https://alioth-lists.debian.net/pipermail/pkg-shadow-devel/)
|
||||
* [the commit mailing list archive](
|
||||
https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
|
||||
only used for historical purposes
|
||||
|
||||
## Contributions
|
||||
|
||||
Contributions are welcome. Follow the
|
||||
[guidelines](doc/contributions/introduction.md) before posting any patches.
|
||||
|
||||
## Authors and maintainers
|
||||
Authors and maintainers are listed in [AUTHORS.md](
|
||||
https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).
|
||||
-12
@@ -1,12 +0,0 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
At the moment only the latest release is supported.
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Security vulnerabilities may be reported to
|
||||
* Serge Hallyn <serge@hallyn.com> (B175CFA98F192AF2)
|
||||
* Christian Brauner <christian@brauner.io> (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)
|
||||
* Iker Pedrosa <ipedrosa@redhat.com> (4E80EF49C7987B6DE2F81F5005079C6C3A653E57)
|
||||
@@ -1,127 +0,0 @@
|
||||
* Create a common usage function that'd take the array of
|
||||
long options and an array of descriptions and output that so things would
|
||||
be standardized across the utils.
|
||||
Usage strings should be normalized and split first.
|
||||
Investigate optparse.
|
||||
|
||||
|
||||
/etc/default/useradd
|
||||
* GROUP=1000 should accept a group name.
|
||||
|
||||
Check when RLOGIN is enabled if ruserok() exists
|
||||
|
||||
Move selinux_file_context out of lib/copydir.c
|
||||
|
||||
Review hardcoded root account?
|
||||
|
||||
review all call to strto
|
||||
|
||||
lib/cleanup_user.c
|
||||
cleanup needed (cleanup_report_add_user* not used)
|
||||
|
||||
|
||||
libxcrypt support
|
||||
* http://wiki.linuxfromscratch.org/patches/browser/trunk/shadow/shadow-4.0.18.1-owl_blowfish-1.patch
|
||||
|
||||
implement getlong, getulong.
|
||||
avoid atoi, atol, atoul, strtol, strtoul, ...
|
||||
|
||||
manpages: comment the RLOGIN parts
|
||||
|
||||
Replace build_list (in lib/gshadow.c) and list (in lib/sgetgrent.c) by
|
||||
comma_to_list()
|
||||
|
||||
Revert the modified files if all files could not be changed.
|
||||
* or warn and indicate which files were modified and which were not.
|
||||
* check the order the files are modified.
|
||||
|
||||
report nscd_flush_cache failures?
|
||||
call nscd from the programs or from lib (commonio?)
|
||||
|
||||
PAM: check if a non-interactive conversation function could be used to set
|
||||
the password in chpasswd and newusers
|
||||
|
||||
WITH_SELINUX
|
||||
- review all tools to check that the strategies are consistent
|
||||
|
||||
chage, chfn, chsh: same change needed as in passwd.
|
||||
- probably need moving check_selinux_access to a separate file.
|
||||
|
||||
testsuite
|
||||
- newgrp
|
||||
- test with unknown user's GID
|
||||
|
||||
newusers
|
||||
- add logging to SYSLOG & AUDIT
|
||||
- use CREATE_HOME
|
||||
- Add a -Z option (see useradd / usermod)
|
||||
|
||||
Document when/where option appeared, document whether an option is standard
|
||||
or not.
|
||||
|
||||
Check all the expiry semantics
|
||||
|
||||
ALL:
|
||||
- move base passwd/shadow/group/gshadow operation to module for allow write
|
||||
different backend modules for db, NIS, LDAP and others. Default backend it
|
||||
will be goot if will be chosen depending on /etc/nsswitch.conf and allow
|
||||
override this by -r <repository> options (where the <repository> can be
|
||||
file, db, nis nisplus, ldap .. like on /etc/nsswitch.conf in service column).
|
||||
passwd have old piece of code with handling -r option and it will be good
|
||||
finish this and propagate on other shadow tools for allow operate on other
|
||||
user databases by well known tools.
|
||||
- Protect against signals. Register do_cleanups in a signal handler.
|
||||
|
||||
- login.defs
|
||||
- generate depending on configuration
|
||||
|
||||
- useradd:
|
||||
- add handle create user mail spool in maildir format.
|
||||
- Add support for -k in -D mode
|
||||
- Add support for -K in -D mode
|
||||
- Add option to create or not the mail spool (and set the default in -D
|
||||
mode)
|
||||
- Change -l to reset the entry if an entry was already there
|
||||
- set the mask in mkdir?
|
||||
|
||||
- userdel:
|
||||
- add backup option for the removal of user resources,
|
||||
- user_busy: check that the user is not running any processes.
|
||||
- missing "deleting group" FAILED
|
||||
- home dir removed, but userdel may fail and may leave the user
|
||||
=> warning needed
|
||||
|
||||
- usermod
|
||||
- add an option equivalent to useradd's -l (only when uid is changed)
|
||||
- the mode of new home directories should be set according to the
|
||||
original mode. Does copy_tree does this?
|
||||
- user renamed, order is not kept in /etc/group (see
|
||||
47_usermod-l_no_shadow_file). This is a problem when the first user is
|
||||
considered as the admin.
|
||||
- see mail "user ID change" on April, 15
|
||||
+ fix call to chown (combination of -m and -u/-g)
|
||||
+ add tests
|
||||
|
||||
- passwd:
|
||||
- check combination of options (e.g. -u/-l)
|
||||
- when -u refuse to unlock because it would create an empty password, it
|
||||
should not display "Password changed."
|
||||
exit instead?
|
||||
|
||||
- newgrp: check the USE_PAM section.
|
||||
|
||||
- pwck
|
||||
- Add check to move passwd passwords to shadow if there is a shadow
|
||||
entry (with a password).
|
||||
- Add check to move passwd passwords to shadow if there is a shadow
|
||||
file.
|
||||
- Support an alternative /etc/tcb directory as second parameter.
|
||||
- add options -g / -G to specify alternative group / gshadow files
|
||||
|
||||
- su
|
||||
- add a login.defs configuration parameter to add variables to keep in
|
||||
the environment with "su -l" (TERM/TERMCOLOR/...)
|
||||
|
||||
- vipw
|
||||
- set ACLs and XATTRs on the temporary file (and backups?)
|
||||
- vipw + selinux -> use lib/selinux.c
|
||||
@@ -1,54 +0,0 @@
|
||||
# Checks the location of the XML Catalog
|
||||
# Usage:
|
||||
# JH_PATH_XML_CATALOG([ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||
# Defines XMLCATALOG and XML_CATALOG_FILE substitutions
|
||||
AC_DEFUN([JH_PATH_XML_CATALOG],
|
||||
[
|
||||
# check for the presence of the XML catalog
|
||||
AC_ARG_WITH([xml-catalog],
|
||||
AS_HELP_STRING([--with-xml-catalog=CATALOG],
|
||||
[path to xml catalog to use]),,
|
||||
[with_xml_catalog=/etc/xml/catalog])
|
||||
jh_found_xmlcatalog=true
|
||||
XML_CATALOG_FILE="$with_xml_catalog"
|
||||
AC_SUBST([XML_CATALOG_FILE])
|
||||
AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
|
||||
if test -f "$XML_CATALOG_FILE"; then
|
||||
AC_MSG_RESULT([found])
|
||||
else
|
||||
jh_found_xmlcatalog=false
|
||||
AC_MSG_RESULT([not found])
|
||||
fi
|
||||
|
||||
# check for the xmlcatalog program
|
||||
AC_PATH_PROG(XMLCATALOG, xmlcatalog, no)
|
||||
if test "x$XMLCATALOG" = xno; then
|
||||
jh_found_xmlcatalog=false
|
||||
fi
|
||||
|
||||
if $jh_found_xmlcatalog; then
|
||||
ifelse([$1],,[:],[$1])
|
||||
else
|
||||
ifelse([$2],,[AC_MSG_ERROR([could not find XML catalog])],[$2])
|
||||
fi
|
||||
])
|
||||
|
||||
# Checks if a particular URI appears in the XML catalog
|
||||
# Usage:
|
||||
# JH_CHECK_XML_CATALOG(URI, [FRIENDLY-NAME], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||
AC_DEFUN([JH_CHECK_XML_CATALOG],
|
||||
[
|
||||
AC_REQUIRE([JH_PATH_XML_CATALOG],[JH_PATH_XML_CATALOG(,[:])])dnl
|
||||
AC_MSG_CHECKING([for ifelse([$2],,[$1],[$2]) in XML catalog])
|
||||
if $jh_found_xmlcatalog && \
|
||||
AC_RUN_LOG([$XMLCATALOG --noout "$XML_CATALOG_FILE" "$1" >&2]); then
|
||||
AC_MSG_RESULT([found])
|
||||
ifelse([$3],,,[$3
|
||||
])dnl
|
||||
else
|
||||
AC_MSG_RESULT([not found])
|
||||
ifelse([$4],,
|
||||
[AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],
|
||||
[$4])
|
||||
fi
|
||||
])
|
||||
-13
@@ -1,13 +0,0 @@
|
||||
#! /bin/sh
|
||||
|
||||
autoreconf -v -f --install || exit 1
|
||||
|
||||
./configure \
|
||||
CFLAGS="-O2 -Wall" \
|
||||
--enable-lastlog \
|
||||
--enable-man \
|
||||
--enable-maintainer-mode \
|
||||
--enable-shared \
|
||||
--without-libpam \
|
||||
--with-selinux \
|
||||
"$@"
|
||||
-796
@@ -1,796 +0,0 @@
|
||||
dnl Process this file with autoconf to produce a configure script.
|
||||
AC_PREREQ([2.69])
|
||||
m4_define([libsubid_abi_major], 4)
|
||||
m4_define([libsubid_abi_minor], 0)
|
||||
m4_define([libsubid_abi_micro], 0)
|
||||
m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
|
||||
AC_INIT([shadow], [4.14.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
|
||||
[https://github.com/shadow-maint/shadow])
|
||||
AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
|
||||
AC_CONFIG_MACRO_DIRS([m4])
|
||||
AM_SILENT_RULES([yes])
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
|
||||
AC_SUBST([LIBSUBID_ABI_MAJOR], [libsubid_abi_major])
|
||||
AC_SUBST([LIBSUBID_ABI_MINOR], [libsubid_abi_minor])
|
||||
AC_SUBST([LIBSUBID_ABI_MICRO], [libsubid_abi_micro])
|
||||
AC_SUBST([LIBSUBID_ABI], [libsubid_abi])
|
||||
|
||||
dnl Some hacks...
|
||||
test "$prefix" = "NONE" && prefix="/usr"
|
||||
test "$prefix" = "/usr" && exec_prefix=""
|
||||
|
||||
AC_USE_SYSTEM_EXTENSIONS
|
||||
|
||||
AC_ENABLE_STATIC
|
||||
AC_ENABLE_SHARED
|
||||
|
||||
AM_MAINTAINER_MODE
|
||||
|
||||
dnl Checks for programs.
|
||||
AC_PROG_CC
|
||||
AC_PROG_LN_S
|
||||
AC_PROG_YACC
|
||||
LT_INIT
|
||||
LT_LIB_DLLOAD
|
||||
|
||||
dnl Checks for libraries.
|
||||
|
||||
dnl Checks for header files.
|
||||
AC_CHECK_HEADERS(crypt.h utmp.h \
|
||||
termio.h sgtty.h sys/ioctl.h paths.h \
|
||||
sys/capability.h sys/random.h \
|
||||
gshadow.h lastlog.h rpc/key_prot.h acl/libacl.h \
|
||||
attr/libattr.h attr/error_context.h)
|
||||
|
||||
dnl shadow now uses the libc's shadow implementation
|
||||
AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
|
||||
|
||||
AC_CHECK_FUNCS(arc4random_buf futimes \
|
||||
getentropy getrandom getspnam getusershell \
|
||||
initgroups lckpwdf lutimes mempcpy \
|
||||
setgroups updwtmp updwtmpx innetgr \
|
||||
getspnam_r \
|
||||
rpmatch \
|
||||
memset_explicit explicit_bzero stpecpy stpeprintf)
|
||||
AC_SYS_LARGEFILE
|
||||
|
||||
dnl Checks for typedefs, structures, and compiler characteristics.
|
||||
|
||||
AC_CHECK_MEMBERS([struct utmp.ut_type,
|
||||
struct utmp.ut_id,
|
||||
struct utmp.ut_name,
|
||||
struct utmp.ut_user,
|
||||
struct utmp.ut_host,
|
||||
struct utmp.ut_syslen,
|
||||
struct utmp.ut_addr,
|
||||
struct utmp.ut_addr_v6,
|
||||
struct utmp.ut_time,
|
||||
struct utmp.ut_xtime,
|
||||
struct utmp.ut_tv],,,[[#include <utmp.h>]])
|
||||
|
||||
dnl Checks for library functions.
|
||||
AC_TYPE_GETGROUPS
|
||||
AC_FUNC_UTIME_NULL
|
||||
AC_REPLACE_FUNCS(putgrent putpwent putspent)
|
||||
AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
|
||||
|
||||
AC_CHECK_FUNC(setpgrp)
|
||||
AC_CHECK_FUNC(secure_getenv, [AC_DEFINE(HAS_SECURE_GETENV,
|
||||
1,
|
||||
[Defined to 1 if you have the declaration of 'secure_getenv'])])
|
||||
|
||||
if test "$ac_cv_header_shadow_h" = "yes"; then
|
||||
AC_CACHE_CHECK(for working shadow group support,
|
||||
ac_cv_libc_shadowgrp,
|
||||
AC_RUN_IFELSE([AC_LANG_SOURCE([
|
||||
#include <shadow.h>
|
||||
#ifdef HAVE_GSHADOW_H
|
||||
#include <gshadow.h>
|
||||
#endif
|
||||
int
|
||||
main()
|
||||
{
|
||||
struct sgrp *sg = sgetsgent("test:x::");
|
||||
/* NYS libc on Red Hat 3.0.3 has broken shadow group support */
|
||||
return !sg || !sg->sg_adm || !sg->sg_mem;
|
||||
}]
|
||||
)],
|
||||
[ac_cv_libc_shadowgrp=yes],
|
||||
[ac_cv_libc_shadowgrp=no],
|
||||
[ac_cv_libc_shadowgrp=no]
|
||||
)
|
||||
)
|
||||
|
||||
if test "$ac_cv_libc_shadowgrp" = "yes"; then
|
||||
AC_DEFINE(HAVE_SHADOWGRP, 1, [Have working shadow group support in libc])
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([location of shared mail directory], shadow_cv_maildir,
|
||||
[for shadow_cv_maildir in /var/mail /var/spool/mail /usr/spool/mail /usr/mail none; do
|
||||
if test -d $shadow_cv_maildir; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
if test $shadow_cv_maildir != none; then
|
||||
AC_DEFINE_UNQUOTED(MAIL_SPOOL_DIR, "$shadow_cv_maildir",
|
||||
[Location of system mail spool directory.])
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([location of user mail file], shadow_cv_mailfile,
|
||||
[for shadow_cv_mailfile in Mailbox mailbox Mail mail .mail none; do
|
||||
if test -f $HOME/$shadow_cv_mailfile; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
if test $shadow_cv_mailfile != none; then
|
||||
AC_DEFINE_UNQUOTED(MAIL_SPOOL_FILE, "$shadow_cv_mailfile",
|
||||
[Name of user's mail spool file if stored in user's home directory.])
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([location of utmp], shadow_cv_utmpdir,
|
||||
[for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
|
||||
if test -f $shadow_cv_utmpdir/utmp; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
if test "$shadow_cv_utmpdir" = "none"; then
|
||||
AC_MSG_WARN(utmp file not found)
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(_UTMP_FILE, "$shadow_cv_utmpdir/utmp",
|
||||
[Path for utmp file.])
|
||||
|
||||
AC_CACHE_CHECK([location of faillog/lastlog/wtmp], shadow_cv_logdir,
|
||||
[for shadow_cv_logdir in /var/log /var/adm /usr/adm /etc; do
|
||||
if test -d $shadow_cv_logdir; then
|
||||
break
|
||||
fi
|
||||
done])
|
||||
AC_DEFINE_UNQUOTED(_WTMP_FILE, "$shadow_cv_logdir/wtmp",
|
||||
[Path for wtmp file.])
|
||||
AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
|
||||
[Path for lastlog file.])
|
||||
AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
|
||||
[Path for faillog file.])
|
||||
|
||||
AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
|
||||
[if test -f /usr/bin/passwd; then
|
||||
shadow_cv_passwd_dir=/usr/bin
|
||||
else
|
||||
shadow_cv_passwd_dir=/bin
|
||||
fi])
|
||||
AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
|
||||
[Path to passwd program.])
|
||||
|
||||
dnl XXX - quick hack, should disappear before anyone notices :).
|
||||
dnl XXX - I just read the above message :).
|
||||
if test "$ac_cv_func_ruserok" = "yes"; then
|
||||
AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.])
|
||||
AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).])
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE(shadowgrp,
|
||||
[AS_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
|
||||
[case "${enableval}" in
|
||||
yes) enable_shadowgrp="yes" ;;
|
||||
no) enable_shadowgrp="no" ;;
|
||||
*) AC_MSG_ERROR(bad value ${enableval} for --enable-shadowgrp) ;;
|
||||
esac],
|
||||
[enable_shadowgrp="yes"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(man,
|
||||
[AS_HELP_STRING([--enable-man],
|
||||
[regenerate roff man pages from Docbook @<:@default=no@:>@])],
|
||||
[enable_man="${enableval}"],
|
||||
[enable_man="no"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(account-tools-setuid,
|
||||
[AS_HELP_STRING([--enable-account-tools-setuid],
|
||||
[Install the user and group management tools setuid and authenticate the callers. This requires --with-libpam.])],
|
||||
[case "${enableval}" in
|
||||
yes) enable_acct_tools_setuid="yes" ;;
|
||||
no) enable_acct_tools_setuid="no" ;;
|
||||
*) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
|
||||
;;
|
||||
esac],
|
||||
[enable_acct_tools_setuid="no"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(subordinate-ids,
|
||||
[AS_HELP_STRING([--enable-subordinate-ids],
|
||||
[support subordinate ids @<:@default=yes@:>@])],
|
||||
[enable_subids="${enableval}"],
|
||||
[enable_subids="maybe"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(lastlog,
|
||||
[AS_HELP_STRING([--enable-lastlog],
|
||||
[enable lastlog @<:@default=no@:>@])],
|
||||
[enable_lastlog="${enableval}"],
|
||||
[enable_lastlog="no"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(logind,
|
||||
[AS_HELP_STRING([--enable-logind],
|
||||
[enable logind @<:@default=yes@:>@])],
|
||||
[enable_logind="${enableval}"],
|
||||
[enable_logind="yes"]
|
||||
)
|
||||
|
||||
AC_ARG_WITH(audit,
|
||||
[AS_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
|
||||
[with_audit=$withval], [with_audit=maybe])
|
||||
AC_ARG_WITH(libpam,
|
||||
[AS_HELP_STRING([--with-libpam], [use libpam for PAM support @<:@default=yes if found@:>@])],
|
||||
[with_libpam=$withval], [with_libpam=maybe])
|
||||
AC_ARG_WITH(btrfs,
|
||||
[AS_HELP_STRING([--with-btrfs], [add BtrFS support @<:@default=yes if found@:>@])],
|
||||
[with_btrfs=$withval], [with_btrfs=maybe])
|
||||
AC_ARG_WITH(selinux,
|
||||
[AS_HELP_STRING([--with-selinux], [use SELinux support @<:@default=yes if found@:>@])],
|
||||
[with_selinux=$withval], [with_selinux=maybe])
|
||||
AC_ARG_WITH(acl,
|
||||
[AS_HELP_STRING([--with-acl], [use ACL support @<:@default=yes if found@:>@])],
|
||||
[with_acl=$withval], [with_acl=maybe])
|
||||
AC_ARG_WITH(attr,
|
||||
[AS_HELP_STRING([--with-attr], [use Extended Attribute support @<:@default=yes if found@:>@])],
|
||||
[with_attr=$withval], [with_attr=maybe])
|
||||
AC_ARG_WITH(skey,
|
||||
[AS_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
|
||||
[with_skey=$withval], [with_skey=no])
|
||||
AC_ARG_WITH(tcb,
|
||||
[AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
|
||||
[with_tcb=$withval], [with_tcb=maybe])
|
||||
AC_ARG_WITH(libcrack,
|
||||
[AS_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
|
||||
[with_libcrack=$withval], [with_libcrack=no])
|
||||
AC_ARG_WITH(sha-crypt,
|
||||
[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
|
||||
[with_sha_crypt=$withval], [with_sha_crypt=yes])
|
||||
AC_ARG_WITH(bcrypt,
|
||||
[AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
|
||||
[with_bcrypt=$withval], [with_bcrypt=no])
|
||||
AC_ARG_WITH(yescrypt,
|
||||
[AS_HELP_STRING([--with-yescrypt], [allow the yescrypt password encryption algorithm @<:@default=no@:>@])],
|
||||
[with_yescrypt=$withval], [with_yescrypt=no])
|
||||
AC_ARG_WITH(nscd,
|
||||
[AS_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
|
||||
[with_nscd=$withval], [with_nscd=yes])
|
||||
AC_ARG_WITH(sssd,
|
||||
[AS_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
|
||||
[with_sssd=$withval], [with_sssd=yes])
|
||||
AC_ARG_WITH(group-name-max-length,
|
||||
[AS_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=32@:>@])],
|
||||
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
|
||||
AC_ARG_WITH(su,
|
||||
[AS_HELP_STRING([--with-su], [build and install su program and man page @<:@default=yes@:>@])],
|
||||
[with_su=$withval], [with_su=yes])
|
||||
AC_ARG_WITH(libbsd,
|
||||
[AS_HELP_STRING([--with-libbsd], [use libbsd support @<:@default=yes if found@:>@])],
|
||||
[with_libbsd=$withval], [with_libbsd=yes])
|
||||
|
||||
if test "$with_group_name_max_length" = "no" ; then
|
||||
with_group_name_max_length=0
|
||||
elif test "$with_group_name_max_length" = "yes" ; then
|
||||
with_group_name_max_length=32
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(GROUP_NAME_MAX_LENGTH, $with_group_name_max_length, [max group name length])
|
||||
AC_SUBST(GROUP_NAME_MAX_LENGTH)
|
||||
GROUP_NAME_MAX_LENGTH="$with_group_name_max_length"
|
||||
|
||||
AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
|
||||
if test "$with_sha_crypt" = "yes"; then
|
||||
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
|
||||
fi
|
||||
|
||||
AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
|
||||
if test "$with_bcrypt" = "yes"; then
|
||||
AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
|
||||
fi
|
||||
|
||||
AM_CONDITIONAL(USE_YESCRYPT, test "x$with_yescrypt" = "xyes")
|
||||
if test "$with_yescrypt" = "yes"; then
|
||||
AC_DEFINE(USE_YESCRYPT, 1, [Define to allow the yescrypt password encryption algorithm])
|
||||
fi
|
||||
|
||||
if test "$with_nscd" = "yes"; then
|
||||
AC_CHECK_FUNC(posix_spawn,
|
||||
[AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
|
||||
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
|
||||
fi
|
||||
|
||||
if test "$with_sssd" = "yes"; then
|
||||
AC_CHECK_FUNC(posix_spawn,
|
||||
[AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
|
||||
[AC_MSG_ERROR([posix_spawn is needed for sssd support])])
|
||||
fi
|
||||
|
||||
AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su]))
|
||||
AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
|
||||
|
||||
dnl Check for some functions in libc first, only if not found check for
|
||||
dnl other libraries. This should prevent linking libnsl if not really
|
||||
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
|
||||
|
||||
AC_SEARCH_LIBS(gethostbyname, nsl)
|
||||
|
||||
AC_CHECK_LIB([econf],[econf_readDirs],[LIBECONF="-leconf"],[LIBECONF=""])
|
||||
if test -n "$LIBECONF"; then
|
||||
AC_DEFINE_UNQUOTED([VENDORDIR], ["$enable_vendordir"],
|
||||
[Directory for distribution provided configuration files])
|
||||
ECONF_CPPFLAGS="-DUSE_ECONF=1"
|
||||
AC_ARG_ENABLE([vendordir],
|
||||
AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[])
|
||||
fi
|
||||
AC_SUBST(ECONF_CPPFLAGS)
|
||||
AC_SUBST(LIBECONF)
|
||||
AC_SUBST([VENDORDIR], [$enable_vendordir])
|
||||
if test "x$enable_vendordir" != x; then
|
||||
AC_DEFINE(HAVE_VENDORDIR, 1, [Define to support vendor settings.])
|
||||
fi
|
||||
AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x])
|
||||
|
||||
if test "$enable_shadowgrp" = "yes"; then
|
||||
AC_DEFINE(SHADOWGRP, 1, [Define to support the shadow group file.])
|
||||
fi
|
||||
AM_CONDITIONAL(SHADOWGRP, test "x$enable_shadowgrp" = "xyes")
|
||||
|
||||
if test "$enable_man" = "yes"; then
|
||||
dnl
|
||||
dnl Check for xsltproc
|
||||
dnl
|
||||
AC_PATH_PROG([XSLTPROC], [xsltproc])
|
||||
if test -z "$XSLTPROC"; then
|
||||
enable_man=no
|
||||
AC_MSG_ERROR([xsltproc is missing.])
|
||||
fi
|
||||
|
||||
dnl check for DocBook DTD and stylesheets in the local catalog.
|
||||
JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.5//EN],
|
||||
[DocBook XML DTD V4.5], [], enable_man=no)
|
||||
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
|
||||
[DocBook XSL Stylesheets >= 1.70.1], [], enable_man=no)
|
||||
fi
|
||||
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
|
||||
|
||||
if test "$enable_subids" != "no"; then
|
||||
dnl
|
||||
dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
|
||||
dnl
|
||||
AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
|
||||
AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
|
||||
|
||||
if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
|
||||
AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
|
||||
enable_subids="yes"
|
||||
else
|
||||
if test "x$enable_subids" = "xyes"; then
|
||||
AC_MSG_ERROR([Cannot enable support the subordinate IDs on systems where gid_t or uid_t has less than 32 bits])
|
||||
fi
|
||||
enable_subids="no"
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
|
||||
|
||||
if test "$enable_lastlog" = "yes" && test "$ac_cv_header_lastlog_h" = "yes"; then
|
||||
AC_CACHE_CHECK(for ll_host in struct lastlog,
|
||||
ac_cv_struct_lastlog_ll_host,
|
||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <lastlog.h>],
|
||||
[struct lastlog ll; char *cp = ll.ll_host;]
|
||||
)],
|
||||
[ac_cv_struct_lastlog_ll_host=yes],
|
||||
[ac_cv_struct_lastlog_ll_host=no]
|
||||
)
|
||||
)
|
||||
|
||||
if test "$ac_cv_struct_lastlog_ll_host" = "yes"; then
|
||||
AC_DEFINE(HAVE_LL_HOST, 1,
|
||||
[Define if struct lastlog has ll_host])
|
||||
AC_DEFINE(ENABLE_LASTLOG, 1, [Define to support lastlog.])
|
||||
enable_lastlog="yes"
|
||||
else
|
||||
AC_MSG_ERROR([Cannot enable support for lastlog on systems where the data structures aren't available])
|
||||
enable_subids="no"
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(ENABLE_LASTLOG, test "x$enable_lastlog" != "xno")
|
||||
|
||||
AC_SUBST(LIBSYSTEMD)
|
||||
if test "$enable_logind" = "yes"; then
|
||||
AC_CHECK_LIB(systemd, sd_session_get_remote_host,
|
||||
[enable_logind="yes"; [LIBSYSTEMD=-lsystemd];
|
||||
AC_DEFINE(ENABLE_LOGIND, 1,
|
||||
[Define to manage session support with logind.])],
|
||||
[enable_logind="no"])
|
||||
fi
|
||||
AM_CONDITIONAL(ENABLE_LOGIND, test "x$enable_logind" != "xno")
|
||||
|
||||
AC_SUBST(LIBCRYPT)
|
||||
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
|
||||
[AC_MSG_ERROR([crypt() not found])])
|
||||
|
||||
AC_SUBST(LIYESCRYPT)
|
||||
AC_CHECK_LIB(crypt, crypt, [LIYESCRYPT=-lcrypt],
|
||||
[AC_MSG_ERROR([crypt() not found])])
|
||||
|
||||
AC_SUBST(LIBBSD)
|
||||
if test "$with_libbsd" != "no"; then
|
||||
AC_SEARCH_LIBS([readpassphrase], [bsd], [], [
|
||||
AC_MSG_ERROR([readpassphrase() is missing, either from libc or libbsd])
|
||||
])
|
||||
AS_IF([test "$ac_cv_search_readpassphrase" = "-lbsd"], [
|
||||
PKG_CHECK_MODULES([LIBBSD], [libbsd-overlay])
|
||||
])
|
||||
dnl Make sure either the libc or libbsd provide the header.
|
||||
save_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS $LIBBSD_CFLAGS"
|
||||
AC_CHECK_HEADERS([readpassphrase.h])
|
||||
AS_IF([test "$ac_cv_header_readpassphrase_h" != "yes"], [
|
||||
AC_MSG_ERROR([readpassphrase.h is missing])
|
||||
])
|
||||
CFLAGS="$save_CFLAGS"
|
||||
AC_DEFINE(WITH_LIBBSD, 1, [Build shadow with libbsd support])
|
||||
else
|
||||
AC_DEFINE(WITH_LIBBSD, 0, [Build shadow without libbsd support])
|
||||
AC_CHECK_FUNC(strlcpy, [], [AC_MSG_ERROR([strlcpy is required from glibc >= 2.38 or libbsd])])
|
||||
fi
|
||||
AM_CONDITIONAL(WITH_LIBBSD, test x$with_libbsd = xyes)
|
||||
|
||||
AC_SUBST(LIBACL)
|
||||
if test "$with_acl" != "no"; then
|
||||
AC_CHECK_HEADERS(acl/libacl.h attr/error_context.h, [acl_header="yes"], [acl_header="no"])
|
||||
if test "$acl_header$with_acl" = "noyes" ; then
|
||||
AC_MSG_ERROR([acl/libacl.h or attr/error_context.h is missing])
|
||||
elif test "$acl_header" = "yes" ; then
|
||||
AC_CHECK_LIB(acl, perm_copy_file,
|
||||
[AC_CHECK_LIB(acl, perm_copy_fd,
|
||||
[acl_lib="yes"],
|
||||
[acl_lib="no"])],
|
||||
[acl_lib="no"])
|
||||
if test "$acl_lib$with_acl" = "noyes" ; then
|
||||
AC_MSG_ERROR([libacl not found])
|
||||
elif test "$acl_lib" = "no" ; then
|
||||
with_acl="no"
|
||||
else
|
||||
AC_DEFINE(WITH_ACL, 1,
|
||||
[Build shadow with ACL support])
|
||||
LIBACL="-lacl"
|
||||
with_acl="yes"
|
||||
fi
|
||||
else
|
||||
with_acl="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBATTR)
|
||||
if test "$with_attr" != "no"; then
|
||||
AC_CHECK_HEADERS(attr/libattr.h attr/error_context.h, [attr_header="yes"], [attr_header="no"])
|
||||
if test "$attr_header$with_attr" = "noyes" ; then
|
||||
AC_MSG_ERROR([attr/libattr.h or attr/error_context.h is missing])
|
||||
elif test "$attr_header" = "yes" ; then
|
||||
AC_CHECK_LIB(attr, attr_copy_file,
|
||||
[AC_CHECK_LIB(attr, attr_copy_fd,
|
||||
[attr_lib="yes"],
|
||||
[attr_lib="no"])],
|
||||
[attr_lib="no"])
|
||||
if test "$attr_lib$with_attr" = "noyes" ; then
|
||||
AC_MSG_ERROR([libattr not found])
|
||||
elif test "$attr_lib" = "no" ; then
|
||||
with_attr="no"
|
||||
else
|
||||
AC_DEFINE(WITH_ATTR, 1,
|
||||
[Build shadow with Extended Attributes support])
|
||||
LIBATTR="-lattr"
|
||||
with_attr="yes"
|
||||
fi
|
||||
else
|
||||
with_attr="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBAUDIT)
|
||||
if test "$with_audit" != "no"; then
|
||||
AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
|
||||
if test "$audit_header$with_audit" = "noyes" ; then
|
||||
AC_MSG_ERROR([libaudit.h is missing])
|
||||
elif test "$audit_header" = "yes"; then
|
||||
AC_CHECK_DECL(AUDIT_ADD_USER,,[audit_header="no"],[#include <libaudit.h>])
|
||||
AC_CHECK_DECL(AUDIT_DEL_USER,,[audit_header="no"],[#include <libaudit.h>])
|
||||
AC_CHECK_DECL(AUDIT_ADD_GROUP,,[audit_header="no"],[#include <libaudit.h>])
|
||||
AC_CHECK_DECL(AUDIT_DEL_GROUP,,[audit_header="no"],[#include <libaudit.h>])
|
||||
if test "$audit_header$with_audit" = "noyes" ; then
|
||||
AC_MSG_ERROR([AUDIT_ADD_USER AUDIT_DEL_USER AUDIT_ADD_GROUP or AUDIT_DEL_GROUP missing from libaudit.h])
|
||||
fi
|
||||
fi
|
||||
if test "$audit_header" = "yes"; then
|
||||
AC_CHECK_LIB(audit, audit_log_acct_message,
|
||||
[audit_lib="yes"], [audit_lib="no"])
|
||||
if test "$audit_lib$with_audit" = "noyes" ; then
|
||||
AC_MSG_ERROR([libaudit not found])
|
||||
elif test "$audit_lib" = "no" ; then
|
||||
with_audit="no"
|
||||
else
|
||||
AC_DEFINE(WITH_AUDIT, 1,
|
||||
[Define if you want to enable Audit messages])
|
||||
LIBAUDIT="-laudit"
|
||||
with_audit="yes"
|
||||
fi
|
||||
else
|
||||
with_audit="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBCRACK)
|
||||
if test "$with_libcrack" = "yes"; then
|
||||
echo "checking cracklib flavour, don't be surprised by the results"
|
||||
AC_CHECK_LIB(crack, FascistCheck,
|
||||
[LIBCRACK=-lcrack AC_DEFINE(HAVE_LIBCRACK, 1, [Defined if you have libcrack.])])
|
||||
AC_CHECK_LIB(crack, FascistHistory,
|
||||
AC_DEFINE(HAVE_LIBCRACK_HIST, 1, [Defined if you have the ts&szs cracklib.]))
|
||||
AC_CHECK_LIB(crack, FascistHistoryPw,
|
||||
AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
|
||||
fi
|
||||
|
||||
if test "$with_btrfs" != "no"; then
|
||||
AC_CHECK_HEADERS([sys/statfs.h linux/magic.h linux/btrfs_tree.h], \
|
||||
[btrfs_headers="yes"], [btrfs_headers="no"])
|
||||
if test "$btrfs_headers$with_btrfs" = "noyes" ; then
|
||||
AC_MSG_ERROR([One of sys/statfs.h linux/magic.h linux/btrfs_tree.h is missing])
|
||||
fi
|
||||
|
||||
if test "$btrfs_headers" = "yes" ; then
|
||||
AC_DEFINE(WITH_BTRFS, 1, [Build shadow with BtrFS support])
|
||||
with_btrfs="yes"
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(WITH_BTRFS, test x$with_btrfs = xyes)
|
||||
|
||||
AC_SUBST(LIBSELINUX)
|
||||
AC_SUBST(LIBSEMANAGE)
|
||||
if test "$with_selinux" != "no"; then
|
||||
AC_CHECK_HEADERS(selinux/selinux.h, [selinux_header="yes"], [selinux_header="no"])
|
||||
if test "$selinux_header$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([selinux/selinux.h is missing])
|
||||
fi
|
||||
|
||||
AC_CHECK_HEADERS(semanage/semanage.h, [semanage_header="yes"], [semanage_header="no"])
|
||||
if test "$semanage_header$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([semanage/semanage.h is missing])
|
||||
fi
|
||||
|
||||
if test "$selinux_header$semanage_header" = "yesyes" ; then
|
||||
AC_CHECK_LIB(selinux, is_selinux_enabled, [selinux_lib="yes"], [selinux_lib="no"])
|
||||
if test "$selinux_lib$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([libselinux not found])
|
||||
fi
|
||||
|
||||
AC_CHECK_LIB(semanage, semanage_connect, [semanage_lib="yes"], [semanage_lib="no"])
|
||||
if test "$semanage_lib$with_selinux" = "noyes" ; then
|
||||
AC_MSG_ERROR([libsemanage not found])
|
||||
fi
|
||||
|
||||
if test "$selinux_lib$semanage_lib" = "yesyes" ; then
|
||||
AC_DEFINE(WITH_SELINUX, 1,
|
||||
[Build shadow with SELinux support])
|
||||
LIBSELINUX="-lselinux"
|
||||
LIBSEMANAGE="-lsemanage"
|
||||
with_selinux="yes"
|
||||
else
|
||||
with_selinux="no"
|
||||
fi
|
||||
else
|
||||
with_selinux="no"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBTCB)
|
||||
if test "$with_tcb" != "no"; then
|
||||
AC_CHECK_HEADERS(tcb.h, [tcb_header="yes"], [tcb_header="no"])
|
||||
if test "$tcb_header$with_tcb" = "noyes" ; then
|
||||
AC_MSG_ERROR([tcb.h is missing])
|
||||
elif test "$tcb_header" = "yes" ; then
|
||||
AC_CHECK_LIB(tcb, tcb_is_suspect, [tcb_lib="yes"], [tcb_lib="no"])
|
||||
if test "$tcb_lib$with_tcb" = "noyes" ; then
|
||||
AC_MSG_ERROR([libtcb not found])
|
||||
elif test "$tcb_lib" = "no" ; then
|
||||
with_tcb="no"
|
||||
else
|
||||
AC_DEFINE(WITH_TCB, 1, [Build shadow with tcb support (incomplete)])
|
||||
LIBTCB="-ltcb"
|
||||
with_tcb="yes"
|
||||
fi
|
||||
else
|
||||
with_tcb="no"
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(WITH_TCB, test x$with_tcb = xyes)
|
||||
|
||||
AC_SUBST(LIBPAM)
|
||||
if test "$with_libpam" != "no"; then
|
||||
AC_CHECK_LIB(pam, pam_start,
|
||||
[pam_lib="yes"], [pam_lib="no"])
|
||||
if test "$pam_lib$with_libpam" = "noyes" ; then
|
||||
AC_MSG_ERROR(libpam not found)
|
||||
fi
|
||||
|
||||
LIBPAM="-lpam"
|
||||
pam_conv_function="no"
|
||||
|
||||
AC_CHECK_LIB(pam, openpam_ttyconv,
|
||||
[pam_conv_function="openpam_ttyconv"],
|
||||
AC_CHECK_LIB(pam_misc, misc_conv,
|
||||
[pam_conv_function="misc_conv"; LIBPAM="$LIBPAM -lpam_misc"])
|
||||
)
|
||||
|
||||
if test "$pam_conv_function$with_libpam" = "noyes" ; then
|
||||
AC_MSG_ERROR(PAM conversation function not found)
|
||||
fi
|
||||
|
||||
pam_headers_found=no
|
||||
AC_CHECK_HEADERS( [security/openpam.h security/pam_misc.h],
|
||||
[ pam_headers_found=yes ; break ], [],
|
||||
[ #include <security/pam_appl.h> ] )
|
||||
if test "$pam_headers_found$with_libpam" = "noyes" ; then
|
||||
AC_MSG_ERROR(PAM headers not found)
|
||||
fi
|
||||
|
||||
|
||||
if test "$pam_lib$pam_headers_found" = "yesyes" -a "$pam_conv_function" != "no" ; then
|
||||
with_libpam="yes"
|
||||
else
|
||||
with_libpam="no"
|
||||
unset LIBPAM
|
||||
fi
|
||||
fi
|
||||
dnl Now with_libpam is either yes or no
|
||||
if test "$with_libpam" = "yes"; then
|
||||
AC_CHECK_DECLS([PAM_ESTABLISH_CRED,
|
||||
PAM_DELETE_CRED,
|
||||
PAM_NEW_AUTHTOK_REQD,
|
||||
PAM_DATA_SILENT],
|
||||
[], [], [#include <security/pam_appl.h>])
|
||||
|
||||
|
||||
save_libs=$LIBS
|
||||
LIBS="$LIBS $LIBPAM"
|
||||
# We do not use AC_CHECK_FUNCS to avoid duplicated definition with
|
||||
# Linux PAM.
|
||||
AC_CHECK_FUNC(pam_fail_delay, [AC_DEFINE(HAS_PAM_FAIL_DELAY, 1, [Define to 1 if you have the declaration of 'pam_fail_delay'])])
|
||||
LIBS=$save_libs
|
||||
|
||||
AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
|
||||
AC_DEFINE_UNQUOTED(SHADOW_PAM_CONVERSATION, [$pam_conv_function],[PAM conversation to use])
|
||||
AM_CONDITIONAL(USE_PAM, [true])
|
||||
|
||||
AC_MSG_CHECKING(use login and su access checking if PAM not used)
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
AC_DEFINE(SU_ACCESS, 1, [Define to support /etc/suauth su access control.])
|
||||
AM_CONDITIONAL(USE_PAM, [false])
|
||||
AC_MSG_CHECKING(use login and su access checking if PAM not used)
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
|
||||
if test "$enable_acct_tools_setuid" != "no"; then
|
||||
if test "$with_libpam" != "yes"; then
|
||||
if test "$enable_acct_tools_setuid" = "yes"; then
|
||||
AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
|
||||
else
|
||||
enable_acct_tools_setuid="no"
|
||||
fi
|
||||
else
|
||||
enable_acct_tools_setuid="yes"
|
||||
fi
|
||||
if test "$enable_acct_tools_setuid" = "yes"; then
|
||||
AC_DEFINE(ACCT_TOOLS_SETUID,
|
||||
1,
|
||||
[Define if account management tools should be installed setuid and authenticate the callers])
|
||||
fi
|
||||
fi
|
||||
AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
|
||||
|
||||
|
||||
AC_ARG_WITH(fcaps,
|
||||
[AS_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
|
||||
[with_fcaps=$withval], [with_fcaps=no])
|
||||
AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
|
||||
|
||||
if test "x$with_fcaps" = "xyes"; then
|
||||
AC_CHECK_PROGS(capcmd, "setcap")
|
||||
if test "x$capcmd" = "x" ; then
|
||||
AC_MSG_ERROR([setcap command not available])
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBSKEY)
|
||||
AC_SUBST(LIBMD)
|
||||
if test "$with_skey" = "yes"; then
|
||||
AC_CHECK_LIB(md, MD5Init, [LIBMD=-lmd])
|
||||
AC_CHECK_LIB(skey, skeychallenge, [LIBSKEY=-lskey],
|
||||
[AC_MSG_ERROR([liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
|
||||
AC_DEFINE(SKEY, 1, [Define to support S/Key logins.])
|
||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||
#include <stdio.h>
|
||||
#include <skey.h>
|
||||
]], [[
|
||||
skeychallenge((void*)0, (void*)0, (void*)0, 0);
|
||||
]])],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])],[])
|
||||
fi
|
||||
|
||||
AC_CHECK_FUNC(fgetpwent_r, [AC_DEFINE(HAVE_FGETPWENT_R, 1, [Defined to 1 if you have the declaration of 'fgetpwent_r'])])
|
||||
|
||||
AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
|
||||
|
||||
AM_GNU_GETTEXT_VERSION([0.19])
|
||||
AM_GNU_GETTEXT([external], [need-ngettext])
|
||||
AM_CONDITIONAL(USE_NLS, test "x$USE_NLS" = "xyes")
|
||||
|
||||
AC_CONFIG_FILES([
|
||||
Makefile
|
||||
po/Makefile.in
|
||||
doc/Makefile
|
||||
man/Makefile
|
||||
man/config.xml
|
||||
man/po/Makefile
|
||||
man/cs/Makefile
|
||||
man/da/Makefile
|
||||
man/de/Makefile
|
||||
man/es/Makefile
|
||||
man/fi/Makefile
|
||||
man/fr/Makefile
|
||||
man/hu/Makefile
|
||||
man/id/Makefile
|
||||
man/it/Makefile
|
||||
man/ja/Makefile
|
||||
man/ko/Makefile
|
||||
man/pl/Makefile
|
||||
man/pt_BR/Makefile
|
||||
man/ru/Makefile
|
||||
man/sv/Makefile
|
||||
man/tr/Makefile
|
||||
man/uk/Makefile
|
||||
man/zh_CN/Makefile
|
||||
man/zh_TW/Makefile
|
||||
lib/Makefile
|
||||
libsubid/Makefile
|
||||
libsubid/subid.h
|
||||
src/Makefile
|
||||
contrib/Makefile
|
||||
etc/Makefile
|
||||
etc/pam.d/Makefile
|
||||
etc/shadow-maint/Makefile
|
||||
shadow.spec
|
||||
])
|
||||
AC_OUTPUT
|
||||
|
||||
echo
|
||||
echo "shadow will be compiled with the following features:"
|
||||
echo
|
||||
echo " auditing support: $with_audit"
|
||||
echo " CrackLib support: $with_libcrack"
|
||||
echo " PAM support: $with_libpam"
|
||||
if test "$with_libpam" = "yes"; then
|
||||
echo " suid account management tools: $enable_acct_tools_setuid"
|
||||
fi
|
||||
echo " SELinux support: $with_selinux"
|
||||
echo " BtrFS support: $with_btrfs"
|
||||
echo " ACL support: $with_acl"
|
||||
echo " Extended Attributes support: $with_attr"
|
||||
echo " tcb support (incomplete): $with_tcb"
|
||||
echo " shadow group support: $enable_shadowgrp"
|
||||
echo " S/Key support: $with_skey"
|
||||
echo " SHA passwords encryption: $with_sha_crypt"
|
||||
echo " bcrypt passwords encryption: $with_bcrypt"
|
||||
echo " yescrypt passwords encryption: $with_yescrypt"
|
||||
echo " nscd support: $with_nscd"
|
||||
echo " sssd support: $with_sssd"
|
||||
echo " subordinate IDs support: $enable_subids"
|
||||
echo " enable lastlog: $enable_lastlog"
|
||||
echo " enable logind: $enable_logind"
|
||||
echo " use file caps: $with_fcaps"
|
||||
echo " install su: $with_su"
|
||||
echo " enabled vendor dir: $enable_vendordir"
|
||||
echo
|
||||
@@ -1,6 +0,0 @@
|
||||
# This is a dummy Makefile.am to get automake work flawlessly,
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
|
||||
atudel groupmems.shar shadow-anonftp.patch \
|
||||
udbachk.tgz
|
||||
@@ -1,10 +0,0 @@
|
||||
People keep sending various adduser programs and scripts... They are
|
||||
all in this directory. I haven't tested them, use at your own risk.
|
||||
Anyway, the best one I've seen so far is adduser-3.x from Debian.
|
||||
|
||||
atudel is a perl script to remove at jobs owned by the specified user
|
||||
(atrm in at-2.9 for Linux can't do that).
|
||||
|
||||
udbachk.tgz is a passwd/group/shadow file integrity checker.
|
||||
|
||||
--marekm
|
||||
@@ -1,502 +0,0 @@
|
||||
/****
|
||||
** 04/21/96
|
||||
** hacked even more, replaced gets() with something slightly harder to buffer
|
||||
** overflow. Added support for setting a default quota on new account, with
|
||||
** edquota -p. Other cleanups for security, I let some users run adduser suid
|
||||
** root to add new accounts. (overflow checks, clobber environment, valid
|
||||
** shell checks, restrictions on gid + home dir settings).
|
||||
|
||||
** Added max. username length. Used syslog() a bit for important events.
|
||||
** Support to immediately expire account with passwd -e.
|
||||
|
||||
** Called it version 2.0! Because I felt like it!
|
||||
|
||||
** -- Chris, chris@ferret.lmh.ox.ac.uk
|
||||
|
||||
** 03/17/96
|
||||
** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
|
||||
** --marekm
|
||||
**
|
||||
** 02/26/96
|
||||
** modified to call shadow utils (useradd,chage,passwd) on shadowed
|
||||
** systems - Cristian Gafton, gafton@sorosis.ro
|
||||
**
|
||||
** 6/27/95
|
||||
** shadow-adduser 1.4:
|
||||
**
|
||||
** now it copies the /etc/skel dir into the person's dir,
|
||||
** makes the mail folders, changed some defaults and made a 'make
|
||||
** install' just for the hell of it.
|
||||
**
|
||||
** Greg Gallagher
|
||||
** CIN.Net
|
||||
**
|
||||
** 1/28/95
|
||||
** shadow-adduser 1.3:
|
||||
**
|
||||
** Basically a bug-fix on my additions in 1.2. Thanks to Terry Stewart
|
||||
** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
|
||||
** It was such a stupid bug that I would have never seen it myself.
|
||||
**
|
||||
** Brandon
|
||||
*****
|
||||
** 01/27/95
|
||||
**
|
||||
** shadow-adduser 1.2:
|
||||
** I took the C source from adduser-shadow (credits are below) and made
|
||||
** it a little more worthwhile. Many small changes... Here's
|
||||
** the ones I can remember:
|
||||
**
|
||||
** Removed support for non-shadowed systems (if you don't have shadow,
|
||||
** use the original adduser, don't get this shadow version!)
|
||||
** Added support for the correct /etc/shadow fields (Min days before
|
||||
** password change, max days before password change, Warning days,
|
||||
** and how many days from expiry date does the account go invalid)
|
||||
** The previous version just left all of those fields blank.
|
||||
** There is still one field left (expiry date for the account, period)
|
||||
** which I have left blank because I do not use it and didn't want to
|
||||
** spend any more time on this. I'm sure someone will put it in and
|
||||
** tack another plethora of credits on here. :)
|
||||
** Added in the password date field, which should always reflect the last
|
||||
** date the password was changed, for expiry purposes. "passwd" always
|
||||
** updates this field, so the adduser program should set it up right
|
||||
** initially (or a user could keep their initial password forever ;)
|
||||
** The number is in days since Jan 1st, 1970.
|
||||
**
|
||||
** Have fun with it, and someone please make
|
||||
** a real version(this is still just a hack)
|
||||
** for us all to use (and Email it to me???)
|
||||
**
|
||||
** Brandon
|
||||
** photon@usis.com
|
||||
**
|
||||
*****
|
||||
** adduser 1.0: add a new user account (For systems not using shadow)
|
||||
** With a nice little interface and a will to do all the work for you.
|
||||
**
|
||||
** Craig Hagan
|
||||
** hagan@opine.cs.umass.edu
|
||||
**
|
||||
** Modified to really work, look clean, and find unused uid by Chris Cappuccio
|
||||
** chris@slinky.cs.umass.edu
|
||||
**
|
||||
*****
|
||||
**
|
||||
** 01/19/95
|
||||
**
|
||||
** FURTHER modifications to enable shadow passwd support (kludged, but
|
||||
** no more so than the original) by Dan Crowson - dcrowson@mo.net
|
||||
**
|
||||
** Search on DAN for all changes...
|
||||
**
|
||||
*****
|
||||
**
|
||||
** cc -O -o adduser adduser.c
|
||||
** Use gcc if you have it... (political reasons beyond my control) (chris)
|
||||
**
|
||||
** I've gotten this program to work with success under Linux (without
|
||||
** shadow) and SunOS 4.1.3. I would assume it should work pretty well
|
||||
** on any system that uses no shadow. (chris)
|
||||
**
|
||||
** If you have no crypt() then try
|
||||
** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
|
||||
** I'm not sure how login operates with no crypt()... I guess
|
||||
** the same way we're doing it here.
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/stat.h>
|
||||
#include <syslog.h>
|
||||
|
||||
#define IMMEDIATE_CHANGE /* Expire newly created password, must be changed
|
||||
* immediately upon next login */
|
||||
#define HAVE_QUOTAS /* Obvious */
|
||||
#define EXPIRE_VALS_SET /* If defined, 'normal' users can't change
|
||||
* password expiry values (if running suid root) */
|
||||
|
||||
#define HAVE_GETUSERSHELL /* FIXME: Isn't this defined in config.h too? */
|
||||
#define LOGGING /* If we want to log various things to syslog */
|
||||
#define MAX_USRNAME 8 /* Longer usernames seem to work on my system....
|
||||
* But they're probably a poor idea */
|
||||
|
||||
|
||||
#define DEFAULT_SHELL "/bin/bash" /* because BASH is your friend */
|
||||
#define DEFAULT_HOME "/home"
|
||||
#define USERADD_PATH "/usr/sbin/useradd"
|
||||
#define CHAGE_PATH "/usr/bin/chage"
|
||||
#define PASSWD_PATH "/usr/bin/passwd"
|
||||
#define EDQUOTA_PATH "/usr/sbin/edquota"
|
||||
#define QUOTA_DEFAULT "defuser"
|
||||
#define DEFAULT_GROUP 100
|
||||
|
||||
#define DEFAULT_MIN_PASS 0
|
||||
#define DEFAULT_MAX_PASS 100
|
||||
#define DEFAULT_WARN_PASS 14
|
||||
#define DEFAULT_USER_DIE 366
|
||||
|
||||
void safeget (char *, int);
|
||||
|
||||
void
|
||||
main (void)
|
||||
{
|
||||
char foo[32];
|
||||
char usrname[32], person[32], dir[32], shell[32];
|
||||
unsigned int group, min_pass, max_pass, warn_pass, user_die;
|
||||
/* the group and uid of the new user */
|
||||
int bad = 0, done = 0, correct = 0, olduid;
|
||||
char cmd[255];
|
||||
struct group *grp;
|
||||
|
||||
/* flags, in order:
|
||||
* bad to see if the username is in /etc/passwd, or if strange stuff has
|
||||
* been typed if the user might be put in group 0
|
||||
* done allows the program to exit when a user has been added
|
||||
* correct loops until a username is found that isn't in /etc/passwd
|
||||
*/
|
||||
|
||||
/* The real program starts HERE! */
|
||||
|
||||
if (geteuid () != 0)
|
||||
{
|
||||
printf ("It seems you don't have access to add a new user. Try\n");
|
||||
printf ("logging in as root or su root to gain superuser access.\n");
|
||||
exit (1);
|
||||
}
|
||||
|
||||
/* Sanity checks
|
||||
*/
|
||||
|
||||
#ifdef LOGGING
|
||||
openlog ("adduser", LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
|
||||
syslog (LOG_INFO, "invoked by user %s\n", getpwuid (getuid ())->pw_name);
|
||||
#endif
|
||||
|
||||
if (!(grp = getgrgid (DEFAULT_GROUP)))
|
||||
{
|
||||
printf ("Error: the default group %d does not exist on this system!\n",
|
||||
DEFAULT_GROUP);
|
||||
printf ("adduser must be recompiled.\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: failed. no such default group\n");
|
||||
closelog ();
|
||||
#endif
|
||||
exit (1);
|
||||
};
|
||||
|
||||
while (!correct)
|
||||
{ /* loop until a "good" usrname is chosen */
|
||||
while (!done)
|
||||
{
|
||||
printf ("\nLogin to add (^C to quit): ");
|
||||
fflush (stdout);
|
||||
|
||||
safeget (usrname, sizeof (usrname));
|
||||
|
||||
if (!strlen (usrname))
|
||||
{
|
||||
printf ("Empty input.\n");
|
||||
done = 0;
|
||||
continue;
|
||||
};
|
||||
|
||||
/* what I saw here before made me think maybe I was running DOS */
|
||||
/* might this be a solution? (chris) */
|
||||
if (strlen (usrname) > MAX_USRNAME)
|
||||
{
|
||||
printf ("That name is longer than the maximum of %d characters. Choose another.\n", MAX_USRNAME);
|
||||
done = 0;
|
||||
}
|
||||
else if (getpwnam (usrname) != NULL)
|
||||
{
|
||||
printf ("That name is in use, choose another.\n");
|
||||
done = 0;
|
||||
}
|
||||
else if (strchr (usrname, ' ') != NULL)
|
||||
{
|
||||
printf ("No spaces in username!!\n");
|
||||
done = 0;
|
||||
}
|
||||
else
|
||||
done = 1;
|
||||
}; /* done, we have a valid new user name */
|
||||
|
||||
/* all set, get the rest of the stuff */
|
||||
printf ("\nEditing information for new user [%s]\n", usrname);
|
||||
|
||||
printf ("\nFull Name [%s]: ", usrname);
|
||||
fflush (stdout);
|
||||
safeget (person, sizeof (person));
|
||||
if (!strlen (person))
|
||||
{
|
||||
bzero (person, sizeof (person));
|
||||
strcpy (person, usrname);
|
||||
};
|
||||
|
||||
if (getuid () == 0)
|
||||
{
|
||||
do
|
||||
{
|
||||
bad = 0;
|
||||
printf ("GID [%d]: ", DEFAULT_GROUP);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
if (!strlen (foo))
|
||||
group = DEFAULT_GROUP;
|
||||
else if (isdigit (*foo))
|
||||
{
|
||||
group = atoi (foo);
|
||||
if (!(grp = getgrgid (group)))
|
||||
{
|
||||
printf ("unknown gid %s\n", foo);
|
||||
group = DEFAULT_GROUP;
|
||||
bad = 1;
|
||||
};
|
||||
}
|
||||
else if ((grp = getgrnam (foo)))
|
||||
group = grp->gr_gid;
|
||||
else
|
||||
{
|
||||
printf ("unknown group %s\n", foo);
|
||||
group = DEFAULT_GROUP;
|
||||
bad = 1;
|
||||
}
|
||||
if (group == 0)
|
||||
{ /* You're not allowed to make root group users! */
|
||||
printf ("Creation of root group users not allowed (must be done by hand)\n");
|
||||
group = DEFAULT_GROUP;
|
||||
bad = 1;
|
||||
};
|
||||
}
|
||||
while (bad);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("Group will be default of: %d\n", DEFAULT_GROUP);
|
||||
group = DEFAULT_GROUP;
|
||||
}
|
||||
|
||||
if (getuid () == 0)
|
||||
{
|
||||
printf ("\nIf home dir ends with a / then '%s' will be appended to it\n", usrname);
|
||||
printf ("Home Directory [%s/%s]: ", DEFAULT_HOME, usrname);
|
||||
fflush (stdout);
|
||||
safeget (dir, sizeof (dir));
|
||||
if (!strlen (dir))
|
||||
{ /* hit return */
|
||||
sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
|
||||
}
|
||||
else if (dir[strlen (dir) - 1] == '/')
|
||||
sprintf (dir+strlen(dir), "%s", usrname);
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("\nHome directory will be %s/%s\n", DEFAULT_HOME, usrname);
|
||||
sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
|
||||
}
|
||||
|
||||
printf ("\nShell [%s]: ", DEFAULT_SHELL);
|
||||
fflush (stdout);
|
||||
safeget (shell, sizeof (shell));
|
||||
if (!strlen (shell))
|
||||
sprintf (shell, "%s", DEFAULT_SHELL);
|
||||
else
|
||||
{
|
||||
char *sh;
|
||||
int ok = 0;
|
||||
#ifdef HAVE_GETUSERSHELL
|
||||
setusershell ();
|
||||
while ((sh = getusershell ()) != NULL)
|
||||
if (!strcmp (shell, sh))
|
||||
ok = 1;
|
||||
endusershell ();
|
||||
#endif
|
||||
if (!ok)
|
||||
{
|
||||
if (getuid () == 0)
|
||||
printf ("Warning: root allowed non standard shell\n");
|
||||
else
|
||||
{
|
||||
printf ("Shell NOT in /etc/shells, DEFAULT used\n");
|
||||
sprintf (shell, "%s", DEFAULT_SHELL);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef EXPIRE_VALS_SET
|
||||
if (getuid () == 0)
|
||||
{
|
||||
#endif
|
||||
printf ("\nMin. Password Change Days [%d]: ", DEFAULT_MIN_PASS);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
if (strlen (foo) > 1)
|
||||
min_pass = DEFAULT_MIN_PASS;
|
||||
else
|
||||
min_pass = atoi (foo);
|
||||
|
||||
printf ("Max. Password Change Days [%d]: ", DEFAULT_MAX_PASS);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
if (strlen (foo) > 1)
|
||||
max_pass = atoi (foo);
|
||||
else
|
||||
max_pass = DEFAULT_MAX_PASS;
|
||||
|
||||
printf ("Password Warning Days [%d]: ", DEFAULT_WARN_PASS);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
warn_pass = atoi (foo);
|
||||
if (warn_pass == 0)
|
||||
|
||||
warn_pass = DEFAULT_WARN_PASS;
|
||||
|
||||
printf ("Days after Password Expiry for Account Locking [%d]: ", DEFAULT_USER_DIE);
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
user_die = atoi (foo);
|
||||
if (user_die == 0)
|
||||
user_die = DEFAULT_USER_DIE;
|
||||
|
||||
#ifdef EXPIRE_VALS_SET
|
||||
}
|
||||
else
|
||||
{
|
||||
printf ("\nSorry, account expiry values are set.\n");
|
||||
user_die = DEFAULT_USER_DIE;
|
||||
warn_pass = DEFAULT_WARN_PASS;
|
||||
max_pass = DEFAULT_MAX_PASS;
|
||||
min_pass = DEFAULT_MIN_PASS;
|
||||
}
|
||||
#endif
|
||||
|
||||
printf ("\nInformation for new user [%s] [%s]:\n", usrname, person);
|
||||
printf ("Home directory: [%s] Shell: [%s]\n", dir, shell);
|
||||
printf ("GID: [%d]\n", group);
|
||||
printf ("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
|
||||
min_pass, max_pass, warn_pass, user_die);
|
||||
printf ("\nIs this correct? [y/N]: ");
|
||||
fflush (stdout);
|
||||
safeget (foo, sizeof (foo));
|
||||
|
||||
done = bad = correct = (foo[0] == 'y' || foo[0] == 'Y');
|
||||
|
||||
if (bad != 1)
|
||||
printf ("\nUser [%s] not added\n", usrname);
|
||||
}
|
||||
|
||||
/* Clobber the environment, I run this suid root sometimes to let
|
||||
* non root privileged accounts add users --chris */
|
||||
|
||||
*environ = NULL;
|
||||
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
|
||||
USERADD_PATH, group, dir, shell, person, usrname);
|
||||
printf ("Calling useradd to add new user:\n%s\n", cmd);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("User add failed!\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "could not add new user\n");
|
||||
closelog ();
|
||||
#endif
|
||||
exit (errno);
|
||||
};
|
||||
|
||||
olduid = getuid (); /* chage, passwd, edquota etc. require ruid = root
|
||||
*/
|
||||
setuid (0);
|
||||
|
||||
bzero (cmd, sizeof (cmd));
|
||||
|
||||
/* Chage runs suid root. => we need ruid root to run it with
|
||||
* anything other than chage -l
|
||||
*/
|
||||
|
||||
sprintf (cmd, "%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
|
||||
min_pass, max_pass, warn_pass, user_die, usrname);
|
||||
printf ("%s\n", cmd);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("There was an error setting password expire values\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "password expire values could not be set\n");
|
||||
#endif
|
||||
};
|
||||
|
||||
/* I want to add a user completely with one easy command --chris */
|
||||
|
||||
#ifdef HAVE_QUOTAS
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s -p %s -u %s", EDQUOTA_PATH, QUOTA_DEFAULT, usrname);
|
||||
printf ("%s\n", cmd);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("\nWarning: error setting quota\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: account created but NO quotas set!\n");
|
||||
#endif /* LOGGING */
|
||||
}
|
||||
else
|
||||
printf ("\nDefault quota set.\n");
|
||||
#endif /* HAVE_QUOTAS */
|
||||
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s %s", PASSWD_PATH, usrname);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("\nWarning: error setting password\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: password set failed!\n");
|
||||
#endif
|
||||
}
|
||||
#ifdef IMMEDIATE_CHANGE
|
||||
bzero (cmd, sizeof (cmd));
|
||||
sprintf (cmd, "%s -e %s", PASSWD_PATH, usrname);
|
||||
if (system (cmd))
|
||||
{
|
||||
printf ("\nWarning: error expiring password\n");
|
||||
#ifdef LOGGING
|
||||
syslog (LOG_ERR, "warning: password expire failed!\n");
|
||||
#endif /* LOGGING */
|
||||
}
|
||||
#endif /* IMMEDIATE_CHANGE */
|
||||
|
||||
setuid (olduid);
|
||||
|
||||
#ifdef LOGGING
|
||||
closelog ();
|
||||
#endif
|
||||
|
||||
printf ("\nDone.\n");
|
||||
}
|
||||
|
||||
void
|
||||
safeget (char *buf, int maxlen)
|
||||
{
|
||||
int c, i = 0, bad = 0;
|
||||
char *bstart = buf;
|
||||
while ((c = getc (stdin)) != EOF && (c != '\n') && (++i < maxlen))
|
||||
{
|
||||
bad = (!isalnum (c) && (c != '_') && (c != ' '));
|
||||
*(buf++) = c;
|
||||
}
|
||||
*buf = '\0';
|
||||
|
||||
if (bad)
|
||||
{
|
||||
printf ("\nString contained banned character. Please stick to alphanumerics.\n");
|
||||
*bstart = '\0';
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,90 +0,0 @@
|
||||
#!/bin/sh
|
||||
# adduser script for use with shadow passwords and useradd command.
|
||||
# by Hrvoje Dogan <hdogan@student.math.hr>, Dec 1995.
|
||||
|
||||
echo -n "Login name for new user []:"
|
||||
read LOGIN
|
||||
if [ -z $LOGIN ]
|
||||
then echo "Come on, man, you can't leave the login field empty...";exit
|
||||
fi
|
||||
echo
|
||||
echo -n "User id for $LOGIN [ defaults to next available]:"
|
||||
read ID
|
||||
GUID="-u $ID"
|
||||
if [ -z $ID ]
|
||||
then GUID=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "Initial group for $LOGIN [users]:"
|
||||
read GID
|
||||
GGID="-g $GID"
|
||||
if [ -z $GID ]
|
||||
then GGID=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "Additional groups for $LOGIN []:"
|
||||
read AGID
|
||||
GAGID="-G $AGID"
|
||||
if [ -z $AGID ]
|
||||
then GAGID=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "$LOGIN's home directory [/home/$LOGIN]:"
|
||||
read HME
|
||||
GHME="-d $HME"
|
||||
if [ -z $HME ]
|
||||
then GHME=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "$LOGIN's shell [/bin/bash]:"
|
||||
read SHL
|
||||
GSHL="-s $SHL"
|
||||
if [ -z $SHL ]
|
||||
then GSHL=""
|
||||
fi
|
||||
|
||||
echo
|
||||
echo -n "$LOGIN's account expiry date (MM/DD/YY) []:"
|
||||
read EXP
|
||||
GEXP="-e $EXP"
|
||||
if [ -z $EXP ]
|
||||
then GEXP=""
|
||||
fi
|
||||
echo
|
||||
echo OK, I'm about to make a new account. Here's what you entered so far:
|
||||
echo New login name: $LOGIN
|
||||
if [ -z $GUID ]
|
||||
then echo New UID: [Next available]
|
||||
else echo New UID: $UID
|
||||
fi
|
||||
if [ -z $GGID ]
|
||||
then echo Initial group: users
|
||||
else echo Initial group: $GID
|
||||
fi
|
||||
if [ -z $GAGID ]
|
||||
then echo Additional groups: [none]
|
||||
else echo Additional groups: $AGID
|
||||
fi
|
||||
if [ -z $GHME ]
|
||||
then echo Home directory: /home/$LOGIN
|
||||
else echo Home directory: $HME
|
||||
fi
|
||||
if [ -z $GSHL ]
|
||||
then echo Shell: /bin/bash
|
||||
else echo Shell: $SHL
|
||||
fi
|
||||
if [ -z $GEXP ]
|
||||
then echo Expiry date: [no expiration]
|
||||
else echo Expiry date: $EXP
|
||||
fi
|
||||
echo "This is it... if you want to bail out, you'd better do it now."
|
||||
read FOO
|
||||
echo Making new account...
|
||||
/usr/sbin/useradd $GHME -m $GEXP $GGID $GAGID $GSHL $GUID $LOGIN
|
||||
/usr/bin/chfn $LOGIN
|
||||
/usr/bin/passwd $LOGIN
|
||||
echo "Done..."
|
||||
@@ -1,743 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# adduser Interactive user adding program.
|
||||
#
|
||||
# Copyright (C) 1996 Petri Mattila, Prihateam Networks
|
||||
# petri@prihateam.fi
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2, or (at your option)
|
||||
# any later version.
|
||||
#
|
||||
# Changes:
|
||||
# 220496 v0.01 Initial version
|
||||
# 230496 v0.02 More checks, embolden summary
|
||||
# 240496 Even more checks
|
||||
# 250496 Help with ?
|
||||
# 040596 v0.03 Cleanups
|
||||
# 050596 v0.04 Bug fixes, expire date checks
|
||||
# 070596 v0.05 Iso-latin-1 names
|
||||
#
|
||||
|
||||
## Defaults
|
||||
|
||||
# default groups
|
||||
def_group="users"
|
||||
def_other_groups=""
|
||||
|
||||
# default home directory
|
||||
def_home_dir=/home/users
|
||||
|
||||
# default shell
|
||||
def_shell=/bin/tcsh
|
||||
|
||||
# Default expiration date (mm/dd/yy)
|
||||
def_expire=""
|
||||
|
||||
# default dates
|
||||
def_pwd_min=0
|
||||
def_pwd_max=90
|
||||
def_pwd_warn=14
|
||||
def_pwd_iact=14
|
||||
|
||||
|
||||
# possible UIDs
|
||||
uid_low=1000
|
||||
uid_high=64000
|
||||
|
||||
# skel directory
|
||||
skel=/etc/skel
|
||||
|
||||
# default mode for home directory
|
||||
def_mode=711
|
||||
|
||||
# Regex, that the login name must meet, only ANSI characters
|
||||
login_regex='^[0-9a-zA-Z_-]*$'
|
||||
|
||||
# Regex, that the user name must meet
|
||||
# ANSI version
|
||||
##name_regex='^[0-9a-zA-Z_-\ ]*$'
|
||||
# ISO-LATIN-1 version
|
||||
name_regex='^[0-9a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõöùúûüýþÿ_-\ ]*$'
|
||||
|
||||
# set PATH
|
||||
export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
|
||||
|
||||
# Some special characters
|
||||
case "$TERM" in
|
||||
vt*|ansi*|con*|xterm*|linux*)
|
||||
S='[1m' # start embolden
|
||||
E='[m' # end embolden
|
||||
;;
|
||||
*)
|
||||
S=''
|
||||
E=''
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
## Functions
|
||||
|
||||
check_root() {
|
||||
if test "$EUID" -ne 0
|
||||
then
|
||||
echo "You must be root to run this program."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_user() {
|
||||
local usr pwd uid gid name home sh
|
||||
|
||||
cat /etc/passwd | (
|
||||
while IFS=":" read usr pwd uid gid name home sh
|
||||
do
|
||||
if test "$1" = "${usr}"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
)
|
||||
}
|
||||
|
||||
check_group() {
|
||||
local read grp pwd gid members
|
||||
|
||||
cat /etc/group | (
|
||||
while IFS=":" read grp pwd gid members
|
||||
do
|
||||
if test "$1" = "${grp}"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
)
|
||||
}
|
||||
|
||||
check_other_groups() {
|
||||
local grp check IFS
|
||||
|
||||
check="$1"
|
||||
IFS=","
|
||||
|
||||
set ${check}
|
||||
for grp
|
||||
do
|
||||
if check_group "${grp}"
|
||||
then
|
||||
echo "Group ${grp} does not exist."
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
check_uid() {
|
||||
local usr pwd uid gid name home sh
|
||||
|
||||
cat /etc/passwd | (
|
||||
while IFS=":" read usr pwd uid gid name home sh
|
||||
do
|
||||
if test "$1" = "${uid}"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
)
|
||||
}
|
||||
|
||||
read_yn() {
|
||||
local ans ynd
|
||||
|
||||
ynd="$1"
|
||||
|
||||
while :
|
||||
do
|
||||
read ans
|
||||
case "${ans}" in
|
||||
"") return ${ynd} ;;
|
||||
[nN]) return 1 ;;
|
||||
[yY]) return 0 ;;
|
||||
*) echo -n "Y or N, please ? " ;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
read_login() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Login: ${def_login:+[${def_login}] }"
|
||||
read login
|
||||
|
||||
if test "${login}" = '?'
|
||||
then
|
||||
less /etc/passwd
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -z "${login}" -a -n "${def_login}"
|
||||
then
|
||||
login="${def_login}"
|
||||
echo "Using ${login}"
|
||||
return
|
||||
fi
|
||||
|
||||
if test "${#login}" -gt 8
|
||||
then
|
||||
echo "Login must be at most 8 characters long"
|
||||
continue
|
||||
fi
|
||||
|
||||
if test "${#login}" -lt 2
|
||||
then
|
||||
echo "Login must be at least 2 characters long"
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expr "${login}" : "${login_regex}" &> /dev/null
|
||||
then
|
||||
echo "Please use letters, numbers and special characters _-,."
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! check_user "${login}"
|
||||
then
|
||||
echo "Username ${login} is already in use"
|
||||
continue
|
||||
fi
|
||||
|
||||
def_login="${login}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_name () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Real name: ${def_name:+[${def_name}] }"
|
||||
read name
|
||||
|
||||
if test "${name}" = '?'
|
||||
then
|
||||
less /etc/passwd
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -z "${name}" -a -n "${def_name}"
|
||||
then
|
||||
name="${def_name}"
|
||||
echo "Using ${name}"
|
||||
fi
|
||||
|
||||
if test "${#name}" -gt 32
|
||||
then
|
||||
echo "Name should be at most 32 characters long"
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expr "${name}" : "${name_regex}" &> /dev/null
|
||||
then
|
||||
echo "Please use letters, numbers, spaces and special characters ,._-"
|
||||
continue
|
||||
fi
|
||||
|
||||
def_name="${name}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_home() {
|
||||
local x
|
||||
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Home Directory: [${def_home_dir}/${login}] "
|
||||
read home
|
||||
|
||||
if test -z "${home}"
|
||||
then
|
||||
home="${def_home_dir}/${login}"
|
||||
echo "Using ${home}"
|
||||
fi
|
||||
|
||||
if ! expr "${home}" : '^[0-9a-zA-Z,._-\/]*$' &> /dev/null
|
||||
then
|
||||
echo "Please use letters, numbers, spaces and special characters ,._-/"
|
||||
continue
|
||||
fi
|
||||
|
||||
x="$(basename ${home})"
|
||||
if test "${x}" != "${login}"
|
||||
then
|
||||
echo "Warning: you are about to use different login name and home directory."
|
||||
fi
|
||||
|
||||
x="$(dirname ${home})"
|
||||
if ! test -d "${x}"
|
||||
then
|
||||
echo "Directory ${x} does not exist."
|
||||
echo "If you still want to use it, please make it manually."
|
||||
continue
|
||||
fi
|
||||
|
||||
def_home_dir="${x}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_shell () {
|
||||
local x
|
||||
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Shell: [${def_shell}] "
|
||||
read shell
|
||||
|
||||
if test -z "${shell}"
|
||||
then
|
||||
shell="${def_shell}"
|
||||
echo "Using ${shell}"
|
||||
fi
|
||||
|
||||
for x in $(cat /etc/shells)
|
||||
do
|
||||
if test "${x}" = "${shell}"
|
||||
then
|
||||
def_shell="${shell}"
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Possible shells are:"
|
||||
cat /etc/shells
|
||||
done
|
||||
}
|
||||
|
||||
read_group () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Group: [${def_group}] "
|
||||
read group
|
||||
|
||||
if test -z "${group}"
|
||||
then
|
||||
group="${def_group}"
|
||||
echo "Using ${group}"
|
||||
fi
|
||||
|
||||
if test "${group}" = '?'
|
||||
then
|
||||
less /etc/group
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if check_group "${group}"
|
||||
then
|
||||
echo "Group ${group} does not exist."
|
||||
continue
|
||||
fi
|
||||
|
||||
def_group="${group}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_other_groups () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "Other groups: [${def_og:-none}] "
|
||||
read other_groups
|
||||
|
||||
if test "${other_groups}" = '?'
|
||||
then
|
||||
less /etc/group
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -z "${other_groups}"
|
||||
then
|
||||
if test -n "${def_og}"
|
||||
then
|
||||
other_groups="${def_og}"
|
||||
echo "Using ${other_groups}"
|
||||
else
|
||||
echo "No other groups"
|
||||
return
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if ! check_other_groups "${other_groups}"
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
def_og="${other_groups}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_uid () {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -n "uid: [first free] "
|
||||
read uid
|
||||
|
||||
if test -z "${uid}"
|
||||
then
|
||||
echo "Using first free UID."
|
||||
return
|
||||
fi
|
||||
|
||||
if test "${uid}" = '?'
|
||||
then
|
||||
less /etc/passwd
|
||||
echo
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expr "${uid}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${uid}" -lt "${uid_low}"
|
||||
then
|
||||
echo "UID must be greater than ${uid_low}"
|
||||
continue
|
||||
fi
|
||||
if test "${uid}" -gt "${uid_high}"
|
||||
then
|
||||
echo "UID must be smaller than ${uid_high}"
|
||||
continue
|
||||
fi
|
||||
if ! check_uid "${uid}"
|
||||
then
|
||||
echo "UID ${uid} is already in use"
|
||||
continue
|
||||
fi
|
||||
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_max_valid_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Maximum days between password changes: [${def_pwd_max}] "
|
||||
read max_days
|
||||
|
||||
if test -z "${max_days}"
|
||||
then
|
||||
max_days="${def_pwd_max}"
|
||||
echo "Using ${max_days}"
|
||||
return
|
||||
fi
|
||||
|
||||
if ! expr "${max_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${max_days}" -lt 7
|
||||
then
|
||||
echo "Warning: you are using a value shorter than a week."
|
||||
fi
|
||||
|
||||
def_pwd_max="${max_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_min_valid_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Minimum days between password changes: [${def_pwd_min}] "
|
||||
read min_days
|
||||
|
||||
if test -z "${min_days}"
|
||||
then
|
||||
min_days="${def_pwd_min}"
|
||||
echo "Using ${min_days}"
|
||||
return
|
||||
fi
|
||||
|
||||
if ! expr "${min_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${min_days}" -gt 7
|
||||
then
|
||||
echo "Warning: you are using a value longer than a week."
|
||||
fi
|
||||
|
||||
def_pwd_min="${min_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_warning_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Number of warning days before password expires: [${def_pwd_warn}] "
|
||||
read warn_days
|
||||
|
||||
if test -z "${warn_days}"
|
||||
then
|
||||
warn_days="${def_pwd_warn}"
|
||||
echo "Using ${warn_days}"
|
||||
fi
|
||||
|
||||
if ! expr "${warn_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${warn_days}" -gt 14
|
||||
then
|
||||
echo "Warning: you are using a value longer than two week."
|
||||
fi
|
||||
|
||||
def_pwd_warn="${warn_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
read_inactive_days() {
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Number of usable days after expiration: [${def_pwd_iact}] "
|
||||
read iact_days
|
||||
|
||||
if test -z "${iact_days}"
|
||||
then
|
||||
iact_days="${def_pwd_iact}"
|
||||
echo "Using ${iact_days}"
|
||||
return
|
||||
fi
|
||||
if ! expr "${iact_days}" : '^[0-9]+$' &> /dev/null
|
||||
then
|
||||
echo "Please use numbers only."
|
||||
continue
|
||||
fi
|
||||
if test "${iact_days}" -gt 14
|
||||
then
|
||||
echo "Warning: you are using a value that is more than two weeks."
|
||||
fi
|
||||
|
||||
def_pwd_iact="${iact_days}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_expire_date() {
|
||||
local ans
|
||||
|
||||
echo
|
||||
while :
|
||||
do
|
||||
echo -en "Expire date of this account (mm/dd/yy): [${def_expire:-never}] "
|
||||
read ans
|
||||
|
||||
if test -z "${ans}"
|
||||
then
|
||||
if test -z "${def_expire}"
|
||||
then
|
||||
ans="never"
|
||||
else
|
||||
ans="${def_expire}"
|
||||
echo "Using ${def_expire}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "${ans}" = "never"
|
||||
then
|
||||
echo "Account will never expire."
|
||||
def_expire=""
|
||||
expire=""
|
||||
return
|
||||
fi
|
||||
|
||||
if ! expr "${ans}" : '^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$' &> /dev/null
|
||||
then
|
||||
echo "Please use format mm/dd/yy"
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! expire_date="$(date -d ${ans} '+%A, %B %d %Y')"
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
def_expire="${expire}"
|
||||
return
|
||||
done
|
||||
}
|
||||
|
||||
read_passwd_yn() {
|
||||
echo -en "\nDo you want to set password [Y/n] ? "
|
||||
if read_yn 0
|
||||
then
|
||||
set_pwd="YES"
|
||||
else
|
||||
set_pwd=""
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
print_values() {
|
||||
|
||||
clear
|
||||
cat << EOM
|
||||
|
||||
Login: ${S}${login}${E}
|
||||
Group: ${S}${group}${E}
|
||||
Other groups: ${S}${other_groups:-[none]}${E}
|
||||
|
||||
Real Name: ${S}${name}${E}
|
||||
|
||||
uid: ${S}${uid:-[first free]}${E}
|
||||
home: ${S}${home}${E}
|
||||
shell: ${S}${shell}${E}
|
||||
|
||||
Account expiration date: ${S}${expire_date:-never}${E}
|
||||
Minimum days between password changes: ${S}${min_days}${E}
|
||||
Maximum days between password changes: ${S}${max_days}${E}
|
||||
Number of usable days after expiration: ${S}${iact_days}${E}
|
||||
Number of warning days before expiration: ${S}${warn_days}${E}
|
||||
|
||||
${S}${set_pwd:+Set password for this account.}${E}
|
||||
|
||||
EOM
|
||||
}
|
||||
|
||||
set_user() {
|
||||
if ! useradd \
|
||||
-c "${name}" \
|
||||
-d "${home}" \
|
||||
-g "${group}" \
|
||||
-s "${shell}" \
|
||||
${expire:+-e ${expire}} \
|
||||
${uid:+-u ${uid}} \
|
||||
${other_groups:+-G ${other_groups}} \
|
||||
${login}
|
||||
then
|
||||
echo "Error ($?) in useradd...exiting..."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
set_aging() {
|
||||
if ! passwd \
|
||||
-x ${max_days} \
|
||||
-n ${min_days} \
|
||||
-w ${warn_days} \
|
||||
-i ${iact_days} \
|
||||
${login}
|
||||
then
|
||||
echo "Error ($?) in setting password aging...exiting..."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
set_password() {
|
||||
if test -n "${set_pwd}"
|
||||
then
|
||||
echo
|
||||
passwd ${login}
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
set_system() {
|
||||
if test -d "${home}"
|
||||
then
|
||||
echo "Directory ${home} already exists."
|
||||
echo "Skeleton files not copied."
|
||||
return
|
||||
fi
|
||||
|
||||
echo -n "Copying skeleton files..."
|
||||
(
|
||||
mkdir ${home}
|
||||
cd ${skel} && cp -af . ${home}
|
||||
chmod ${def_mode} ${home}
|
||||
chown -R ${login}:${group} ${home}
|
||||
)
|
||||
echo "done."
|
||||
|
||||
## Add your own stuff here:
|
||||
echo -n "Setting up other files..."
|
||||
(
|
||||
mailbox="/var/spool/mail/${login}"
|
||||
touch ${mailbox}
|
||||
chown "${login}:mail" ${mailbox}
|
||||
chmod 600 ${mailbox}
|
||||
)
|
||||
echo "done."
|
||||
}
|
||||
|
||||
|
||||
read_values() {
|
||||
clear
|
||||
echo -e "\nPlease answer the following questions about the new user to be added."
|
||||
|
||||
while :
|
||||
do
|
||||
read_login
|
||||
read_name
|
||||
read_group
|
||||
read_other_groups
|
||||
read_home
|
||||
read_shell
|
||||
read_uid
|
||||
read_expire_date
|
||||
read_max_valid_days
|
||||
read_min_valid_days
|
||||
read_warning_days
|
||||
read_inactive_days
|
||||
read_passwd_yn
|
||||
|
||||
print_values
|
||||
|
||||
echo -n "Is this correct [N/y] ? "
|
||||
read_yn 1 && return
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
main() {
|
||||
check_root
|
||||
read_values
|
||||
set_user
|
||||
set_aging
|
||||
set_system
|
||||
set_password
|
||||
}
|
||||
|
||||
|
||||
## Run it 8-)
|
||||
main
|
||||
|
||||
# End.
|
||||
@@ -1,58 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# SPDX-FileCopyrightText: 1996 Brian R. Gaeke
|
||||
# SPDX-License-Identifier: BSD-4-Clause
|
||||
#
|
||||
# Additionally:
|
||||
#
|
||||
# This software is provided without support and without any obligation
|
||||
# on the part of Brian R. Gaeke to assist in its use, correction,
|
||||
# modification or enhancement.
|
||||
#
|
||||
#######################################################################
|
||||
#
|
||||
# this is atudel, version 2, by Brian R. Gaeke <brg@dgate.org>
|
||||
#
|
||||
|
||||
require "getopts.pl";
|
||||
&Getopts('v');
|
||||
$username = shift(@ARGV);
|
||||
&usage unless $username;
|
||||
|
||||
sub usage
|
||||
{
|
||||
print STDERR "atudel - remove all at jobs owned by a user\n";
|
||||
print STDERR "usage: $0 [-v] username\n";
|
||||
exit(1);
|
||||
}
|
||||
|
||||
# odd. unless getpwnam($uname) doesn't seem to work for $uname eq "root" on
|
||||
# my linux system. but this does.
|
||||
die "user $username does not exist; stopping"
|
||||
unless defined(getpwnam($username));
|
||||
|
||||
print "searching for at jobs owned by user $username ..." if $opt_v;
|
||||
|
||||
chdir "/var/spool/atjobs" ||
|
||||
die "can't chdir to /var/spool/atjobs: $!\nstopping";
|
||||
opendir(DIR,".") || die "can't opendir(/var/spool/atjobs): $!\nstopping";
|
||||
@files = grep(!/^\./,grep(-f,readdir(DIR)));
|
||||
closedir DIR;
|
||||
|
||||
foreach $x (@files)
|
||||
{
|
||||
$owner = (getpwuid((stat($x))[4]))[0];
|
||||
push(@nuke_bait,$x) if $owner eq $username;
|
||||
}
|
||||
|
||||
if (@nuke_bait)
|
||||
{
|
||||
print "removed jobIDs: @{nuke_bait}.\n" if $opt_v;
|
||||
unlink @nuke_bait;
|
||||
}
|
||||
elsif ($opt_v)
|
||||
{
|
||||
print "\n";
|
||||
}
|
||||
|
||||
exit 0;
|
||||
@@ -1,465 +0,0 @@
|
||||
#!/bin/sh
|
||||
# This is a shell archive (produced by GNU sharutils 4.2.1).
|
||||
# To extract the files from this archive, save it to some FILE, remove
|
||||
# everything before the `!/bin/sh' line above, then type `sh FILE'.
|
||||
#
|
||||
# Made on 2000-05-25 14:41 CDT by <gk4@gnu.austin.ibm.com>.
|
||||
# Source directory was `/home/gk4/src/groupmem'.
|
||||
#
|
||||
# Existing files will *not* be overwritten unless `-c' is specified.
|
||||
#
|
||||
# This shar contains:
|
||||
# length mode name
|
||||
# ------ ---------- ------------------------------------------
|
||||
# 1960 -rw-r--r-- Makefile
|
||||
# 6348 -rw-r--r-- groupmems.c
|
||||
# 3372 -rw------- groupmems.8
|
||||
#
|
||||
save_IFS="${IFS}"
|
||||
IFS="${IFS}:"
|
||||
gettext_dir=FAILED
|
||||
locale_dir=FAILED
|
||||
first_param="$1"
|
||||
for dir in $PATH
|
||||
do
|
||||
if test "$gettext_dir" = FAILED && test -f $dir/gettext \
|
||||
&& ($dir/gettext --version >/dev/null 2>&1)
|
||||
then
|
||||
set `$dir/gettext --version 2>&1`
|
||||
if test "$3" = GNU
|
||||
then
|
||||
gettext_dir=$dir
|
||||
fi
|
||||
fi
|
||||
if test "$locale_dir" = FAILED && test -f $dir/shar \
|
||||
&& ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
|
||||
then
|
||||
locale_dir=`$dir/shar --print-text-domain-dir`
|
||||
fi
|
||||
done
|
||||
IFS="$save_IFS"
|
||||
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
|
||||
then
|
||||
echo=echo
|
||||
else
|
||||
TEXTDOMAINDIR=$locale_dir
|
||||
export TEXTDOMAINDIR
|
||||
TEXTDOMAIN=sharutils
|
||||
export TEXTDOMAIN
|
||||
echo="$gettext_dir/gettext -s"
|
||||
fi
|
||||
if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 -a -f $$.touch; then
|
||||
shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
|
||||
elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 -a ! -f 123123592001.5 -a -f $$.touch; then
|
||||
shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
|
||||
elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 -a -f $$.touch; then
|
||||
shar_touch='touch -am $3$4$5$6$2 "$8"'
|
||||
else
|
||||
shar_touch=:
|
||||
echo
|
||||
$echo 'WARNING: not restoring timestamps. Consider getting and'
|
||||
$echo "installing GNU \`touch', distributed in GNU File Utilities..."
|
||||
echo
|
||||
fi
|
||||
rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
|
||||
#
|
||||
if mkdir _sh10937; then
|
||||
$echo 'x -' 'creating lock directory'
|
||||
else
|
||||
$echo 'failed to create lock directory'
|
||||
exit 1
|
||||
fi
|
||||
# ============= Makefile ==============
|
||||
if test -f 'Makefile' && test "$first_param" != -c; then
|
||||
$echo 'x -' SKIPPING 'Makefile' '(file already exists)'
|
||||
else
|
||||
$echo 'x -' extracting 'Makefile' '(text)'
|
||||
sed 's/^X//' << 'SHAR_EOF' > 'Makefile' &&
|
||||
/*
|
||||
# SPDX-FileCopyrightText: 2000, International Business Machines, Inc.
|
||||
# SPDX-FileCopyrightText: 2000, George Kraft IV, gk4@us.ibm.com
|
||||
# SPDX-License-Identifier: BSD-3-Clause
|
||||
#
|
||||
X
|
||||
all: groupmems
|
||||
X
|
||||
groupmems: groupmems.c
|
||||
X cc -g -o groupmems groupmems.c -L. -lshadow
|
||||
X
|
||||
install: groupmems
|
||||
X -/usr/sbin/groupadd groups
|
||||
X install -o root -g groups -m 4770 groupmems /usr/bin
|
||||
X
|
||||
install.man: groupmems.8
|
||||
X install -o root -g root -m 644 groupmems.8 /usr/man/man8
|
||||
X
|
||||
SHAR_EOF
|
||||
(set 20 00 05 25 14 40 28 'Makefile'; eval "$shar_touch") &&
|
||||
chmod 0644 'Makefile' ||
|
||||
$echo 'restore of' 'Makefile' 'failed'
|
||||
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
|
||||
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
|
||||
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|
||||
|| $echo 'Makefile:' 'MD5 check failed'
|
||||
b46cf7ef8d59149093c011ced3f3103c Makefile
|
||||
SHAR_EOF
|
||||
else
|
||||
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'Makefile'`"
|
||||
test 1960 -eq "$shar_count" ||
|
||||
$echo 'Makefile:' 'original size' '1960,' 'current size' "$shar_count!"
|
||||
fi
|
||||
fi
|
||||
# ============= groupmems.c ==============
|
||||
if test -f 'groupmems.c' && test "$first_param" != -c; then
|
||||
$echo 'x -' SKIPPING 'groupmems.c' '(file already exists)'
|
||||
else
|
||||
$echo 'x -' extracting 'groupmems.c' '(text)'
|
||||
sed 's/^X//' << 'SHAR_EOF' > 'groupmems.c' &&
|
||||
/*
|
||||
X * SPDX-FileCopyrightText: 2000, International Business Machines, Inc.
|
||||
X * SPDX-FileCopyrightText: 2000, George Kraft IV, gk4@us.ibm.com
|
||||
X * SPDX-License-Identifier: BSD-3-Clause
|
||||
X */
|
||||
/*
|
||||
**
|
||||
** Utility "groupmem" adds and deletes members from a user's group.
|
||||
**
|
||||
** Setup (as "root"):
|
||||
**
|
||||
** groupadd -r groups
|
||||
** chmod 2770 groupmems
|
||||
** chown root.groups groupmems
|
||||
** groupmems -g groups -a gk4
|
||||
**
|
||||
** Usage (as "gk4"):
|
||||
**
|
||||
** groupmems -a olive
|
||||
** groupmems -a jordan
|
||||
** groupmems -a meghan
|
||||
** groupmems -a morgan
|
||||
** groupmems -a jake
|
||||
** groupmems -l
|
||||
** groupmems -d jake
|
||||
** groupmems -l
|
||||
*/
|
||||
X
|
||||
#include <stdio.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
X
|
||||
/* Exit Status Values */
|
||||
X
|
||||
#define EXIT_SUCCESS 0 /* success */
|
||||
#define EXIT_USAGE 1 /* invalid command syntax */
|
||||
#define EXIT_GROUP_FILE 2 /* group file access problems */
|
||||
#define EXIT_NOT_ROOT 3 /* not superuser */
|
||||
#define EXIT_NOT_EROOT 4 /* not effective superuser */
|
||||
#define EXIT_NOT_PRIMARY 5 /* not primary owner of group */
|
||||
#define EXIT_NOT_MEMBER 6 /* member of group does not exist */
|
||||
#define EXIT_MEMBER_EXISTS 7 /* member of group already exists */
|
||||
X
|
||||
#define TRUE 1
|
||||
#define FALSE 0
|
||||
X
|
||||
/* Globals */
|
||||
X
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
static char *adduser = NULL;
|
||||
static char *deluser = NULL;
|
||||
static char *thisgroup = NULL;
|
||||
static int purge = FALSE;
|
||||
static int list = FALSE;
|
||||
static int exclusive = 0;
|
||||
X
|
||||
static int isroot(void) {
|
||||
X return getuid() ? FALSE : TRUE;
|
||||
}
|
||||
X
|
||||
static int isgroup(void) {
|
||||
X gid_t g = getgid();
|
||||
X struct group *grp = getgrgid(g);
|
||||
X
|
||||
X return TRUE;
|
||||
}
|
||||
X
|
||||
static char *whoami(void) {
|
||||
X struct group *grp = getgrgid(getgid());
|
||||
X struct passwd *usr = getpwuid(getuid());
|
||||
X
|
||||
X if (0 == strcmp(usr->pw_name, grp->gr_name)) {
|
||||
X return (char *)strdup(usr->pw_name);
|
||||
X } else {
|
||||
X return NULL;
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void
|
||||
addtogroup(char *user, char **members) {
|
||||
X int i;
|
||||
X char **pmembers;
|
||||
X
|
||||
X for (i = 0; NULL != members[i]; i++ ) {
|
||||
X if (0 == strcmp(user, members[i])) {
|
||||
X fprintf(stderr, "Member already exists\n");
|
||||
X exit(EXIT_MEMBER_EXISTS);
|
||||
X }
|
||||
X }
|
||||
X
|
||||
X if (0 == i) {
|
||||
X pmembers = (char **)calloc(2, sizeof(char *));
|
||||
X } else {
|
||||
X pmembers = (char **)realloc(members, sizeof(char *)*(i+1));
|
||||
X }
|
||||
X
|
||||
X *members = *pmembers;
|
||||
X members[i] = user;
|
||||
X members[i+1] = NULL;
|
||||
}
|
||||
X
|
||||
static void
|
||||
rmfromgroup(char *user, char **members) {
|
||||
X int i;
|
||||
X int found = FALSE;
|
||||
X
|
||||
X i = 0;
|
||||
X while (!found && NULL != members[i]) {
|
||||
X if (0 == strcmp(user, members[i])) {
|
||||
X found = TRUE;
|
||||
X } else {
|
||||
X i++;
|
||||
X }
|
||||
X }
|
||||
X
|
||||
X while (found && NULL != members[i]) {
|
||||
X members[i] = members[++i];
|
||||
X }
|
||||
X
|
||||
X if (!found) {
|
||||
X fprintf(stderr, "Member to remove could not be found\n");
|
||||
X exit(EXIT_NOT_MEMBER);
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void
|
||||
nomembers(char **members) {
|
||||
X int i;
|
||||
X
|
||||
X for (i = 0; NULL != members[i]; i++ ) {
|
||||
X members[i] = NULL;
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void
|
||||
members(char **members) {
|
||||
X int i;
|
||||
X
|
||||
X for (i = 0; NULL != members[i]; i++ ) {
|
||||
X printf("%s ", members[i]);
|
||||
X
|
||||
X if (NULL == members[i+1]) {
|
||||
X printf("\n");
|
||||
X } else {
|
||||
X printf(" ");
|
||||
X }
|
||||
X }
|
||||
}
|
||||
X
|
||||
static void usage(void) {
|
||||
X fprintf(stderr, "usage: groupmems -a username | -d username | -D | -l [-g groupname]\n");
|
||||
X exit(EXIT_USAGE);
|
||||
}
|
||||
X
|
||||
main(int argc, char **argv) {
|
||||
X int arg, i;
|
||||
X char *name;
|
||||
X struct group *grp;
|
||||
X
|
||||
X while ((arg = getopt(argc, argv, "a:d:g:Dl")) != EOF) {
|
||||
X switch (arg) {
|
||||
X case 'a':
|
||||
X adduser = strdup(optarg);
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X case 'd':
|
||||
X deluser = strdup(optarg);
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X case 'g':
|
||||
X thisgroup = strdup(optarg);
|
||||
X break;
|
||||
X case 'D':
|
||||
X purge = TRUE;
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X case 'l':
|
||||
X list = TRUE;
|
||||
X ++exclusive;
|
||||
X break;
|
||||
X default:
|
||||
X usage();
|
||||
X }
|
||||
X }
|
||||
X
|
||||
X if (exclusive > 1 || optind < argc) {
|
||||
X usage();
|
||||
X }
|
||||
X
|
||||
X if (!isroot() && NULL != thisgroup) {
|
||||
X fprintf(stderr, "Only root can add members to different groups\n");
|
||||
X exit(EXIT_NOT_ROOT);
|
||||
X } else if (isroot() && NULL != thisgroup) {
|
||||
X name = thisgroup;
|
||||
X } else if (!isgroup()) {
|
||||
X fprintf(stderr, "Group access is required\n");
|
||||
X exit(EXIT_NOT_EROOT);
|
||||
X } else if (NULL == (name = whoami())) {
|
||||
X fprintf(stderr, "Not primary owner of current group\n");
|
||||
X exit(EXIT_NOT_PRIMARY);
|
||||
X }
|
||||
X
|
||||
X if (!gr_lock()) {
|
||||
X fprintf(stderr, "Unable to lock group file\n");
|
||||
X exit(EXIT_GROUP_FILE);
|
||||
X }
|
||||
X
|
||||
X if (!gr_open(O_RDWR)) {
|
||||
X fprintf(stderr, "Unable to open group file\n");
|
||||
X exit(EXIT_GROUP_FILE);
|
||||
X }
|
||||
X
|
||||
X grp = (struct group *)gr_locate(name);
|
||||
X
|
||||
X if (NULL != adduser) {
|
||||
X addtogroup(adduser, grp->gr_mem);
|
||||
X gr_update(grp);
|
||||
X } else if (NULL != deluser) {
|
||||
X rmfromgroup(deluser, grp->gr_mem);
|
||||
X gr_update(grp);
|
||||
X } else if (purge) {
|
||||
X nomembers(grp->gr_mem);
|
||||
X gr_update(grp);
|
||||
X } else if (list) {
|
||||
X members(grp->gr_mem);
|
||||
X }
|
||||
X
|
||||
X if (!gr_close()) {
|
||||
X fprintf(stderr, "Cannot close group file\n");
|
||||
X exit(EXIT_GROUP_FILE);
|
||||
X }
|
||||
X
|
||||
X gr_unlock();
|
||||
X
|
||||
X exit(EXIT_SUCCESS);
|
||||
}
|
||||
X
|
||||
/* EOF */
|
||||
SHAR_EOF
|
||||
(set 20 00 05 25 14 36 38 'groupmems.c'; eval "$shar_touch") &&
|
||||
chmod 0644 'groupmems.c' ||
|
||||
$echo 'restore of' 'groupmems.c' 'failed'
|
||||
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
|
||||
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
|
||||
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|
||||
|| $echo 'groupmems.c:' 'MD5 check failed'
|
||||
f0dd68f8d762d89d24d3ce1f4141f981 groupmems.c
|
||||
SHAR_EOF
|
||||
else
|
||||
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.c'`"
|
||||
test 6348 -eq "$shar_count" ||
|
||||
$echo 'groupmems.c:' 'original size' '6348,' 'current size' "$shar_count!"
|
||||
fi
|
||||
fi
|
||||
# ============= groupmems.8 ==============
|
||||
if test -f 'groupmems.8' && test "$first_param" != -c; then
|
||||
$echo 'x -' SKIPPING 'groupmems.8' '(file already exists)'
|
||||
else
|
||||
$echo 'x -' extracting 'groupmems.8' '(text)'
|
||||
sed 's/^X//' << 'SHAR_EOF' > 'groupmems.8' &&
|
||||
X.\"
|
||||
X.\" SPDX-FileCopyrightText: 2000, International Business Machines, Inc.
|
||||
X.\" SPDX-FileCopyrightText: 2000, George Kraft IV, gk4@us.ibm.com
|
||||
X.\" SPDX-License-Identifier: BSD-3-Clause
|
||||
X.\"
|
||||
X.\" $Id$
|
||||
X.\"
|
||||
X.TH GROUPMEMS 8
|
||||
X.SH NAME
|
||||
groupmems \- Administer members of a user's primary group
|
||||
X.SH SYNOPSIS
|
||||
X.B groupmems
|
||||
\fB-a\fI user_name \fR |
|
||||
\fB-d\fI user_name \fR |
|
||||
\fB-l\fR |
|
||||
\fB-D\fR |
|
||||
[\fB-g\fI group_name \fR]
|
||||
X.SH DESCRIPTION
|
||||
The \fBgroupmems\fR utility allows a user to administer their own
|
||||
group membership list without the requirement of superuser privileges.
|
||||
The \fBgroupmems\fR utility is for systems that configure its users to
|
||||
be in their own name sake primary group (i.e., guest / guest).
|
||||
X.P
|
||||
Only the superuser, as administrator, can use \fBgroupmems\fR to alter
|
||||
the memberships of other groups.
|
||||
X.IP "\fB-a \fIuser_name\fR"
|
||||
Add a new user to the group membership list.
|
||||
X.IP "\fB-d \fIuser_name\fR"
|
||||
Delete a user from the group membership list.
|
||||
X.IP "\fB-l\fR"
|
||||
List the group membership list.
|
||||
X.IP "\fB-D\fR"
|
||||
Delete all users from the group membership list.
|
||||
X.IP "\fB-g \fIgroup_name\fR"
|
||||
The superuser can specify which group membership list to modify.
|
||||
X.SH SETUP
|
||||
The \fBgroupmems\fR executable should be in mode \fB2770\fR as user \fBroot\fR
|
||||
and in group \fBgroups\fR. The system administrator can add users to
|
||||
group groups to allow or disallow them using the \fBgroupmems\fR utility
|
||||
to manager their own group membership list.
|
||||
X.P
|
||||
X $ groupadd -r groups
|
||||
X.br
|
||||
X $ chmod 2770 groupmems
|
||||
X.br
|
||||
X $ chown root.groups groupmems
|
||||
X.br
|
||||
X $ groupmems -g groups -a gk4
|
||||
X.SH FILES
|
||||
/etc/group
|
||||
X.br
|
||||
/etc/gshadow
|
||||
X.SH SEE ALSO
|
||||
X.BR chfn (1),
|
||||
X.BR chsh (1),
|
||||
X.BR useradd (8),
|
||||
X.BR userdel (8),
|
||||
X.BR usermod (8),
|
||||
X.BR passwd (1),
|
||||
X.BR groupadd (8),
|
||||
X.BR groupdel (8)
|
||||
X.SH AUTHOR
|
||||
George Kraft IV (gk4@us.ibm.com)
|
||||
X.\" EOF
|
||||
SHAR_EOF
|
||||
(set 20 00 05 25 14 38 23 'groupmems.8'; eval "$shar_touch") &&
|
||||
chmod 0600 'groupmems.8' ||
|
||||
$echo 'restore of' 'groupmems.8' 'failed'
|
||||
if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
|
||||
&& ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
|
||||
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|
||||
|| $echo 'groupmems.8:' 'MD5 check failed'
|
||||
181e6cd3a3c9d3df320197fa2cde2b4a groupmems.8
|
||||
SHAR_EOF
|
||||
else
|
||||
shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.8'`"
|
||||
test 3372 -eq "$shar_count" ||
|
||||
$echo 'groupmems.8:' 'original size' '3372,' 'current size' "$shar_count!"
|
||||
fi
|
||||
fi
|
||||
rm -fr _sh10937
|
||||
exit 0
|
||||
@@ -1,147 +0,0 @@
|
||||
Hello Marek,
|
||||
|
||||
I have created a diffile against the 980403 release that adds
|
||||
functionality to newusers for automatic handling of users with only
|
||||
anonymous ftp login (using the guestgroup feature in ftpaccess, which
|
||||
means that the users home directory looks like '/home/user/./'). It also
|
||||
adds a commandline argument to specify an initial directory structure
|
||||
for such users, with a tarball normally containing the bin,lib,etc
|
||||
directories used in the chrooted environment.
|
||||
|
||||
I am using it to automatically create chunks of users with only ftp
|
||||
access for a webserver.
|
||||
|
||||
I have tried to follow your coding standards and I believe it is bug
|
||||
free but.. well, who knows. :) It's not much code however.
|
||||
|
||||
I hope you find it useful. Do what you like with it, feel free to ask if
|
||||
anything is unclear.
|
||||
|
||||
Best rgds,
|
||||
Calle Karlsson
|
||||
ckn@kash.se
|
||||
|
||||
diff -uNr shadow-980403.orig/src/newusers.c shadow-980403/src/newusers.c
|
||||
--- shadow-980403.orig/src/newusers.c Fri Jan 30 00:22:43 1998
|
||||
+++ shadow-980403/src/newusers.c Fri Apr 17 16:55:33 1998
|
||||
@@ -76,11 +76,35 @@
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
- fprintf(stderr, "Usage: %s [ input ]\n", Prog);
|
||||
+ fprintf (stderr, "Usage: %s [-p prototype tarfile] [ input ]\n", Prog);
|
||||
+ fprintf (stderr, "The prototype tarfile is only used for users\n");
|
||||
+ fprintf (stderr, "marked as anonymous ftp users. It must be a full pathname.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/*
|
||||
+ * createuserdir - create a directory and chmod it
|
||||
+ */
|
||||
+
|
||||
+static int
|
||||
+createuserdir (char * dir, int uid, int gid, int line)
|
||||
+{
|
||||
+ if (mkdir (dir, 0777 & ~getdef_num("UMASK", 077))) {
|
||||
+ fprintf (stderr, "%s: line %d: mkdir %s failed\n",
|
||||
+ Prog, line, dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (chown (dir, uid, gid)) {
|
||||
+ fprintf (stderr, "%s: line %d: chown %s failed\n",
|
||||
+ Prog, line, dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* add_group - create a new group or add a user to an existing group
|
||||
*/
|
||||
|
||||
@@ -328,6 +352,8 @@
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char buf[BUFSIZ];
|
||||
+ char anonproto[BUFSIZ];
|
||||
+ int flag;
|
||||
char *fields[8];
|
||||
int nfields;
|
||||
char *cp;
|
||||
@@ -340,12 +366,23 @@
|
||||
|
||||
Prog = Basename(argv[0]);
|
||||
|
||||
- if (argc > 1 && argv[1][0] == '-')
|
||||
- usage ();
|
||||
+ * anonproto = '\0';
|
||||
+
|
||||
+ while ((flag = getopt (argc, argv, "p:h")) != EOF) {
|
||||
+ switch (flag) {
|
||||
+ case 'p':
|
||||
+ STRFCPY(anonproto, optarg);
|
||||
+ break;
|
||||
+ case 'h':
|
||||
+ default:
|
||||
+ usage ();
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (argc == 2) {
|
||||
- if (! freopen (argv[1], "r", stdin)) {
|
||||
- snprintf(buf, sizeof buf, "%s: %s", Prog, argv[1]);
|
||||
+ if (optind < argc) {
|
||||
+ if (! freopen (argv[optind], "r", stdin)) {
|
||||
+ snprintf(buf, sizeof buf, "%s: %s", Prog, argv[optind]);
|
||||
perror (buf);
|
||||
exit (1);
|
||||
}
|
||||
@@ -499,15 +536,36 @@
|
||||
if (fields[6][0])
|
||||
newpw.pw_shell = fields[6];
|
||||
|
||||
- if (newpw.pw_dir[0] && access(newpw.pw_dir, F_OK)) {
|
||||
- if (mkdir (newpw.pw_dir,
|
||||
- 0777 & ~getdef_num("UMASK", 077)))
|
||||
- fprintf (stderr, "%s: line %d: mkdir failed\n",
|
||||
- Prog, line);
|
||||
- else if (chown (newpw.pw_dir,
|
||||
- newpw.pw_uid, newpw.pw_gid))
|
||||
- fprintf (stderr, "%s: line %d: chown failed\n",
|
||||
- Prog, line);
|
||||
+ if (newpw.pw_dir[0]) {
|
||||
+ char * userdir = strdup (newpw.pw_dir);
|
||||
+ char * anonpart;
|
||||
+ int rc;
|
||||
+
|
||||
+ if ((anonpart = strstr (userdir, "/./"))) {
|
||||
+ * anonpart = '\0';
|
||||
+ anonpart += 2;
|
||||
+ }
|
||||
+
|
||||
+ if (access(userdir, F_OK))
|
||||
+ rc = createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
|
||||
+ else
|
||||
+ rc = 0;
|
||||
+
|
||||
+ if (rc == 0 && anonpart) {
|
||||
+ if (* anonproto) {
|
||||
+ char cmdbuf [BUFSIZ];
|
||||
+ snprintf(cmdbuf, sizeof cmdbuf,
|
||||
+ "cd %s; tar xf %s",
|
||||
+ userdir, anonproto);
|
||||
+ system (cmdbuf);
|
||||
+ }
|
||||
+ if (strlen (anonpart) > 1) {
|
||||
+ strcat (userdir, anonpart);
|
||||
+ if (access (userdir, F_OK))
|
||||
+ createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
|
||||
+ }
|
||||
+ }
|
||||
+ free (userdir);
|
||||
}
|
||||
|
||||
/*
|
||||
Binary file not shown.
@@ -1,5 +0,0 @@
|
||||
# This is a dummy Makefile.am to get automake work flawlessly,
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
EXTRA_DIST = HOWTO README.limits \
|
||||
README.platforms WISHLIST console.c.spec.txt cracklib26.diff
|
||||
@@ -1,65 +0,0 @@
|
||||
|
||||
ABOUT shadow-login limits:
|
||||
|
||||
This code is merged into shadow login program from the original LShell 2.01
|
||||
written by Joel Katz. The port and some additional features have been added
|
||||
by Cristian Gafton (gafton@sorosis.ro).
|
||||
|
||||
|
||||
Changes:
|
||||
- 96/04/16
|
||||
- {spaces,tabs} allowed within limits string
|
||||
- Warn via syslog multiple default limits
|
||||
- added few paragraphs to the login man page
|
||||
- 96/04/14
|
||||
- code merged into lmain.c --cristiang
|
||||
|
||||
TODO: - support groups in the limits file
|
||||
(only usernames are supported at this moment :-( )
|
||||
|
||||
Setting user limits for shadow login program
|
||||
|
||||
First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE
|
||||
defined config.h) that describes the resource limits you wish to impose. By
|
||||
default no quotas are imposed on 'root'. In fact, there is no way to impose
|
||||
limits via this procedure to root-equiv accounts (accounts with UID 0).
|
||||
|
||||
Each line describes a limit for a user in the form:
|
||||
|
||||
user LIMITS_STRING
|
||||
|
||||
The LIMITS_STRING is a string of a concatenated list of resource limits.
|
||||
Each limit consists of a letter identifier followed by a numerical limit.
|
||||
The valid identifiers are:
|
||||
|
||||
A: max address space (KB)
|
||||
C: max core file size (KB)
|
||||
D: max data size (KB)
|
||||
F: maximum filesize (KB)
|
||||
M: max locked-in-memory address space (KB)
|
||||
N: max number of open files
|
||||
R: max resident set size (KB)
|
||||
S: max stack size (KB)
|
||||
T: max CPU time (MIN)
|
||||
U: max number of processes
|
||||
L: max number of logins for this user
|
||||
|
||||
For example, L2D2048N5 is a valid LIMITS_STRING. For reading convenience,
|
||||
the following entries are equivalent:
|
||||
|
||||
username L2D2048N5
|
||||
username L2 D2048 N5
|
||||
|
||||
Be aware that after <username> the rest of the line is considered a limit
|
||||
string, thus comments are not allowed. A invalid limits string will be
|
||||
rejected (not considered) by the login program.
|
||||
|
||||
The default entry is denoted by username '*'. If you have multiple 'default'
|
||||
entries in your LIMITS_FILE, then the last one will be used as the default
|
||||
entry.
|
||||
|
||||
To completely disable limits for a user, a single dash (-) will do.
|
||||
|
||||
Also, please note that all limit settings are set PER LOGIN. They are
|
||||
not global, nor are they permanent. Perhaps global limits will come, but
|
||||
for now this will have to do ;)
|
||||
@@ -1,33 +0,0 @@
|
||||
# $Id$
|
||||
#
|
||||
# This is the current (still incomplete) list of platforms this
|
||||
# package has been verified to work on. Additions (preferably
|
||||
# in the format as described below) are welcome. Thanks!
|
||||
#
|
||||
# V: last version reported to work
|
||||
# H: host type
|
||||
# L: Linux libc version
|
||||
# D: Linux distribution, or other OS name and version
|
||||
# C: changes (if any)
|
||||
# R: reported by
|
||||
|
||||
V: 980529
|
||||
H: sparc-unknown-linux-gnu
|
||||
L: glibc-2.0.7
|
||||
D: Ultrapenguin-1.0.9
|
||||
C: had to explicitly disable desrpc.
|
||||
R: Bjorn Christianson <bjorn@cascade.psychology.mcmaster.ca>
|
||||
|
||||
V: 980724
|
||||
H: i486-pc-linux-gnulibc1
|
||||
L: libc-5.4.33
|
||||
D: Debian-1.3.1.r6
|
||||
C: none (use dpkg-buildpackage)
|
||||
R: Marek Michalkiewicz <marekm@linux.org.pl>
|
||||
|
||||
V: current
|
||||
H: i686-pc-linux-gnu
|
||||
L: glibc-2.0.7.19981211
|
||||
D: Debian-2.1
|
||||
C: none (use dpkg-buildpackage)
|
||||
R: Marek Michalkiewicz <marekm@linux.org.pl>
|
||||
@@ -1,4 +0,0 @@
|
||||
# S/Key support
|
||||
shadow-utils can be built with S/Key support using the S/Key package from:
|
||||
* http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/ or
|
||||
* https://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2
|
||||
@@ -1,38 +0,0 @@
|
||||
$Id$
|
||||
|
||||
This is my wishlist for the shadow suite, in no particular order. Feel
|
||||
free to do anything from this list and mail me the diffs :-).
|
||||
|
||||
Patches in diff -u format, against the latest version (sometimes in the
|
||||
"beta" directory) are preferred and make my job easier. Please, no
|
||||
MIME, base64, quoted-printable, or HTML. For very big patches, or if
|
||||
your mailer can corrupt them, please use gzip and uuencode. Thanks!
|
||||
|
||||
New ideas to add to this list are welcome, too. --marekm
|
||||
|
||||
- fix all the bugs, of course
|
||||
- implement "su only" accounts (no logins, only su from other account)
|
||||
- rewrite getdef.c to be more general? (no hardcoded names)
|
||||
- patch for rlogind/telnetd to create utmp entry and fill in ut_addr
|
||||
- option to specify encrypted password in passwd (for yppasswdd, so it
|
||||
doesn't need to know about shadow/non-shadow); should probably use a pipe
|
||||
(less insecure than command line arguments)
|
||||
- add support for changing NIS passwords
|
||||
- add option to check passwords by piping them to external programs
|
||||
- add functionality of the contrib/rpasswd.c wrapper to passwd
|
||||
- option to generate pronounceable passwords (like on SCO), external program?
|
||||
- poppassd (remote password change for eudora etc.)
|
||||
- add support for passwd/shadow db files (glibc)
|
||||
- vipw: check password files for errors after editing
|
||||
- add "maximum time users allowed to stay logged in" limit option to logoutd
|
||||
- handle quotes in /etc/environment like the shell does (but sshd doesn't...)
|
||||
- better OPIE support (report number of logins left, etc.)
|
||||
- new option for /etc/suauth: don't load user's environment (force "su -")
|
||||
suggested by Ulisses Alonso Camaro
|
||||
- find out why recent releases won't compile on Solaris
|
||||
- newusers should be able to copy /etc/skel to the new home directory
|
||||
(like useradd)
|
||||
- add directories where other packages can add hooks for package-specific
|
||||
per-user configuration, to be executed with run-parts. Some hooks should
|
||||
be executed at package install time for existing users, likewise for
|
||||
package removal and possibly modification. (Debian Bug#36019)
|
||||
@@ -1,36 +0,0 @@
|
||||
$Id$
|
||||
|
||||
Specification for console.c source file --
|
||||
|
||||
input values --
|
||||
tty -- character pointer to device name with leading "/dev/"
|
||||
removed.
|
||||
|
||||
return values --
|
||||
0 -- false
|
||||
1 -- true
|
||||
|
||||
int console (char * tty)
|
||||
if "CONSOLE" string value is not present in login.defs
|
||||
return true
|
||||
|
||||
if the first character of "CONSOLE" string value is not "/"
|
||||
treat the string as a ":" delimited list of device
|
||||
names and search for the value of tty in that
|
||||
tokenized list.
|
||||
|
||||
if a match is found
|
||||
return true
|
||||
|
||||
return false
|
||||
|
||||
if the file named by "CONSOLE" cannot be opened
|
||||
return true
|
||||
|
||||
scan the file looking for a match between the input line
|
||||
and the value of tty
|
||||
|
||||
if a match is found
|
||||
return true
|
||||
|
||||
return false
|
||||
@@ -1,73 +0,0 @@
|
||||
# Build & install
|
||||
|
||||
The following page explains how to build and install the shadow project.
|
||||
Additional information on how to do this in a container environment is provided
|
||||
at the end of the page.
|
||||
|
||||
## Local
|
||||
|
||||
### Dependency installation
|
||||
|
||||
This projects depends on other software packages that need to be installed
|
||||
before building it. We recommend using the dependency installation commands
|
||||
provided by the distributions to install them. Some examples below.
|
||||
|
||||
Debian:
|
||||
```
|
||||
apt-get build-dep shadow
|
||||
```
|
||||
|
||||
Fedora:
|
||||
```
|
||||
dnf builddep shadow-utils
|
||||
```
|
||||
|
||||
An alternative would be to take a look at the CI workflow [file](../../.github/workflows/runner.yml)
|
||||
and get the package names from there. This has the advantage that it
|
||||
also includes new dependencies needed for the development version
|
||||
which might have not been present in the last release.
|
||||
|
||||
### Configure
|
||||
|
||||
The first step is to configure it. You can use the
|
||||
`autogen.sh` script provided by the project. Example:
|
||||
|
||||
```
|
||||
./autogen.sh --without-selinux --enable-man --with-yescrypt
|
||||
```
|
||||
|
||||
### Build
|
||||
|
||||
The next step is to build the project:
|
||||
|
||||
```
|
||||
make -j4
|
||||
```
|
||||
|
||||
### Install
|
||||
|
||||
The last step is to install it. We recommend avoiding this step and using a
|
||||
disposable system like a VM or a container instead.
|
||||
|
||||
```
|
||||
make install
|
||||
```
|
||||
|
||||
## Containers
|
||||
|
||||
Alternatively, you can use any of the preconfigured container images builders
|
||||
to build and install shadow.
|
||||
|
||||
You can either generate a single image by running the following command from
|
||||
the root folder of the project (i.e. Alpine):
|
||||
|
||||
```
|
||||
docker build -f share/containers/alpine.dockerfile . --output build-out/alpine
|
||||
```
|
||||
|
||||
Or generate all of the images with the `container-build.sh` script, as if you
|
||||
were running some of the CI checks locally:
|
||||
|
||||
```
|
||||
share/container-build.sh
|
||||
```
|
||||
@@ -1,25 +0,0 @@
|
||||
# Continuous Integration (CI)
|
||||
|
||||
Shadow runs a CI workflow every time a pull-request (PR) is updated. This
|
||||
workflow contains several checks to assure the quality of the project, and
|
||||
only pull-requests with green results are merged.
|
||||
|
||||
## Build & install
|
||||
|
||||
The project is built & installed on Ubuntu, Alpine, Debian and Fedora. The last
|
||||
three distributions are built & installed on containers, and the workflow can
|
||||
be triggered locally by following the instructions specified in the
|
||||
[Build & install](build_install.md#containers) page.
|
||||
|
||||
## System tests
|
||||
|
||||
The project is tested on Ubuntu. For that purpose it is built & installed in
|
||||
this distribution in a VM. You can run this step locally by following the
|
||||
instructions provided in the [Tests](tests.md#system-tests) page.
|
||||
|
||||
## Static code analysis
|
||||
|
||||
C and shell static code analysis is also executed. For that purpose
|
||||
[CodeQL](https://codeql.github.com/) and
|
||||
[Differential ShellCheck](https://github.com/marketplace/actions/differential-shellcheck)
|
||||
are used.
|
||||
@@ -1,12 +0,0 @@
|
||||
# Coding style
|
||||
|
||||
* For a general guidance refer to the
|
||||
[Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html)
|
||||
|
||||
* Patches that change the existing coding style are not welcome, as they make
|
||||
downstream porting harder for the distributions
|
||||
|
||||
## Indentation
|
||||
|
||||
Tabs are preferred over spaces for indentation. Loading the `.editorconfig`
|
||||
file in your preferred IDE may help you configure it.
|
||||
@@ -1,77 +0,0 @@
|
||||
# Introduction
|
||||
|
||||
## Git and Github
|
||||
|
||||
We recommend you to get familiar with the
|
||||
[git](https://guides.github.com/introduction/git-handbook) and
|
||||
[Github](https://guides.github.com) workflows before posting any changes.
|
||||
|
||||
### Set up in a nut shell
|
||||
|
||||
The following steps describe the process in a nut shell to provide you a basic
|
||||
template:
|
||||
|
||||
* Create an account on [GitHub](https://github.com)
|
||||
* Fork the [shadow repository](https://github.com/shadow-maint/shadow)
|
||||
* Clone the shadow repository
|
||||
|
||||
```
|
||||
git clone https://github.com/shadow-maint/shadow.git
|
||||
```
|
||||
|
||||
* Add your fork as an extra remote
|
||||
|
||||
```
|
||||
git remote add $ghusername git@github.com:$ghusername/shadow.git
|
||||
```
|
||||
|
||||
* Setup your name contact e-mail that you want to use for the development
|
||||
|
||||
```
|
||||
git config user.name "John Smith"
|
||||
git config user.email "john.smith@home.com"
|
||||
```
|
||||
|
||||
**Note**: this will setup the user information only for this repository. You
|
||||
can also add `--global` switch to the `git config` command to setup these
|
||||
options globally and thus making them available in every git repository.
|
||||
|
||||
* Create a working branch
|
||||
|
||||
```
|
||||
git checkout -b my-changes
|
||||
```
|
||||
|
||||
* Commit changes
|
||||
|
||||
```
|
||||
vim change-what-you-need
|
||||
git commit -s
|
||||
```
|
||||
|
||||
Check
|
||||
[the kernel patches guide](https://www.kernel.org/doc/html/v4.14/process/submitting-patches.html#describe-your-changes)
|
||||
to get an idea on how to write a good commit message.
|
||||
|
||||
* Push your changes to your GitHub repository
|
||||
|
||||
```
|
||||
git push $ghusername my-changes --force
|
||||
```
|
||||
|
||||
* Open a Pull Request against shadow project by clicking on the link provided
|
||||
in the output of the previous step
|
||||
|
||||
* Make sure that all Continuous Integration checks are green and wait review
|
||||
|
||||
## Internal guidelines
|
||||
|
||||
Additionally, you should also check the following internal guidelines to
|
||||
understand the project's development model:
|
||||
|
||||
* [Build & install](build_install.md)
|
||||
* [Coding style](coding_style.md)
|
||||
* [Tests](tests.md)
|
||||
* [Continuous Integration](CI.md)
|
||||
* [Releases](releases.md)
|
||||
* [License](license.md)
|
||||
@@ -1,10 +0,0 @@
|
||||
# License
|
||||
|
||||
All new source code committed to the shadow project is assumed to be made
|
||||
available under the [BSD-3-Clause](../../COPYING) license unless the submitter
|
||||
specifies another license at that time. The shadow maintainers reserve the
|
||||
right to refuse a submission if the license is deemed incompatible with the
|
||||
goals of the project.
|
||||
|
||||
**Note**: old code may be made available under another license, check the
|
||||
license tag for each file to get additional information.
|
||||
@@ -1,7 +0,0 @@
|
||||
# Releases
|
||||
|
||||
The shadow project doesn't follow any specific timeline to release new software
|
||||
versions. Usually, they are released when a major milestone is finished.
|
||||
|
||||
Released source code, alongside the release notes, are provided in the
|
||||
[release Github page](https://github.com/shadow-maint/shadow/releases).
|
||||
@@ -1,18 +0,0 @@
|
||||
# Tests
|
||||
|
||||
Currently, shadow only provides system tests.
|
||||
|
||||
## System tests
|
||||
|
||||
These type of tests are written in shell. Unfortunately, the testing framework
|
||||
is tightly coupled to the Ubuntu distribution and it can only be run in this
|
||||
distribution. Besides, if anything fails during the execution the system can
|
||||
be left in an unstable state. Taking that into account you shouldn't run this
|
||||
workflow in your host machine, we recommend to use a disposable system like a
|
||||
VM or a container instead.
|
||||
|
||||
You can execute system tests by running:
|
||||
|
||||
```
|
||||
cd tests && ./run_all`.
|
||||
```
|
||||
@@ -1,340 +0,0 @@
|
||||
diff -ur orig/cracklib26_small/cracklib/fascist.c cracklib26_small/cracklib/fascist.c
|
||||
--- orig/cracklib26_small/cracklib/fascist.c Mon Dec 15 02:56:55 1997
|
||||
+++ cracklib26_small/cracklib/fascist.c Sat Apr 4 22:14:45 1998
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <ctype.h>
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
+#include <string.h>
|
||||
|
||||
#define ISSKIP(x) (isspace(x) || ispunct(x))
|
||||
|
||||
@@ -460,28 +461,27 @@
|
||||
}
|
||||
|
||||
char *
|
||||
-FascistGecos(password, uid)
|
||||
+FascistGecosPw(password, pwd)
|
||||
char *password;
|
||||
- int uid;
|
||||
+ struct passwd *pwd;
|
||||
{
|
||||
int i;
|
||||
int j;
|
||||
int wc;
|
||||
char *ptr;
|
||||
- struct passwd *pwp;
|
||||
char gbuffer[STRINGSIZE];
|
||||
char tbuffer[STRINGSIZE];
|
||||
char *uwords[STRINGSIZE];
|
||||
char longbuffer[STRINGSIZE * 2];
|
||||
|
||||
- if (!(pwp = getpwuid(uid)))
|
||||
+ if (!pwd)
|
||||
{
|
||||
return ("you are not registered in the password file");
|
||||
}
|
||||
|
||||
/* lets get really paranoid and assume a dangerously long gecos entry */
|
||||
|
||||
- strncpy(tbuffer, pwp->pw_name, STRINGSIZE);
|
||||
+ strncpy(tbuffer, pwd->pw_name, STRINGSIZE);
|
||||
tbuffer[STRINGSIZE-1] = '\0';
|
||||
if (GTry(tbuffer, password))
|
||||
{
|
||||
@@ -490,12 +490,13 @@
|
||||
|
||||
/* it never used to be that you got passwd strings > 1024 chars, but now... */
|
||||
|
||||
- strncpy(tbuffer, pwp->pw_gecos, STRINGSIZE);
|
||||
+ strncpy(tbuffer, pwd->pw_gecos, STRINGSIZE);
|
||||
tbuffer[STRINGSIZE-1] = '\0';
|
||||
strcpy(gbuffer, Lowercase(tbuffer));
|
||||
|
||||
wc = 0;
|
||||
ptr = gbuffer;
|
||||
+ uwords[0] = (char *) 0;
|
||||
|
||||
while (*ptr)
|
||||
{
|
||||
@@ -530,6 +531,8 @@
|
||||
*(ptr++) = '\0';
|
||||
}
|
||||
}
|
||||
+ if (!uwords[0])
|
||||
+ return ((char *) 0); /* empty gecos */
|
||||
#ifdef DEBUG
|
||||
for (i = 0; uwords[i]; i++)
|
||||
{
|
||||
@@ -586,9 +589,10 @@
|
||||
}
|
||||
|
||||
char *
|
||||
-FascistLook(pwp, instring)
|
||||
+FascistLookPw(pwp, instring, pwd)
|
||||
PWDICT *pwp;
|
||||
char *instring;
|
||||
+ struct passwd *pwd;
|
||||
{
|
||||
int i;
|
||||
char *ptr;
|
||||
@@ -667,7 +671,7 @@
|
||||
return ("it looks like a National Insurance number.");
|
||||
}
|
||||
|
||||
- if (ptr = FascistGecos(password, getuid()))
|
||||
+ if (ptr = FascistGecosPw(password, pwd ? pwd : getpwuid(getuid())))
|
||||
{
|
||||
return (ptr);
|
||||
}
|
||||
@@ -715,9 +719,10 @@
|
||||
}
|
||||
|
||||
char *
|
||||
-FascistCheck(password, path)
|
||||
+FascistCheckPw(password, path, pwd)
|
||||
char *password;
|
||||
char *path;
|
||||
+ struct passwd *pwd;
|
||||
{
|
||||
static char lastpath[STRINGSIZE];
|
||||
static PWDICT *pwp;
|
||||
@@ -750,5 +755,29 @@
|
||||
strncpy(lastpath, path, STRINGSIZE);
|
||||
}
|
||||
|
||||
- return (FascistLook(pwp, pwtrunced));
|
||||
+ return (FascistLookPw(pwp, pwtrunced, pwd));
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+FascistGecos(password, uid)
|
||||
+ char *password;
|
||||
+ int uid;
|
||||
+{
|
||||
+ return (FascistGecosPw(password, getpwuid(uid)));
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+FascistLook(pwp, instring)
|
||||
+ PWDICT *pwp;
|
||||
+ char *instring;
|
||||
+{
|
||||
+ return (FascistLookPw(pwp, instring, (char *) 0));
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+FascistCheck(password, path)
|
||||
+ char *password;
|
||||
+ char *path;
|
||||
+{
|
||||
+ return (FascistCheckPw(password, path, (char *) 0));
|
||||
}
|
||||
diff -ur orig/cracklib26_small/cracklib/packer.h cracklib26_small/cracklib/packer.h
|
||||
--- orig/cracklib26_small/cracklib/packer.h Mon Dec 15 00:09:30 1997
|
||||
+++ cracklib26_small/cracklib/packer.h Sat Jan 10 22:13:46 1998
|
||||
@@ -34,6 +34,7 @@
|
||||
FILE *dfp;
|
||||
FILE *wfp;
|
||||
|
||||
+ int canfree;
|
||||
int32 flags;
|
||||
#define PFOR_WRITE 0x0001
|
||||
#define PFOR_FLUSH 0x0002
|
||||
diff -ur orig/cracklib26_small/cracklib/packlib.c cracklib26_small/cracklib/packlib.c
|
||||
--- orig/cracklib26_small/cracklib/packlib.c Fri Jul 9 22:22:58 1993
|
||||
+++ cracklib26_small/cracklib/packlib.c Sat Jan 10 22:28:49 1998
|
||||
@@ -16,7 +16,7 @@
|
||||
char *mode;
|
||||
{
|
||||
int32 i;
|
||||
- static PWDICT pdesc;
|
||||
+ PWDICT *pdesc;
|
||||
char iname[STRINGSIZE];
|
||||
char dname[STRINGSIZE];
|
||||
char wname[STRINGSIZE];
|
||||
@@ -25,92 +25,94 @@
|
||||
FILE *ifp;
|
||||
FILE *wfp;
|
||||
|
||||
- if (pdesc.header.pih_magic == PIH_MAGIC)
|
||||
- {
|
||||
- fprintf(stderr, "%s: another dictionary already open\n", prefix);
|
||||
+ if ((pdesc = (PWDICT *) malloc(sizeof(PWDICT))) == 0)
|
||||
return ((PWDICT *) 0);
|
||||
- }
|
||||
|
||||
- memset(&pdesc, '\0', sizeof(pdesc));
|
||||
+ memset(pdesc, '\0', sizeof(*pdesc));
|
||||
|
||||
sprintf(iname, "%s.pwi", prefix);
|
||||
sprintf(dname, "%s.pwd", prefix);
|
||||
sprintf(wname, "%s.hwm", prefix);
|
||||
|
||||
- if (!(pdesc.dfp = fopen(dname, mode)))
|
||||
+ if (!(pdesc->dfp = fopen(dname, mode)))
|
||||
{
|
||||
perror(dname);
|
||||
+ free(pdesc);
|
||||
return ((PWDICT *) 0);
|
||||
}
|
||||
|
||||
- if (!(pdesc.ifp = fopen(iname, mode)))
|
||||
+ if (!(pdesc->ifp = fopen(iname, mode)))
|
||||
{
|
||||
- fclose(pdesc.dfp);
|
||||
+ fclose(pdesc->dfp);
|
||||
perror(iname);
|
||||
+ free(pdesc);
|
||||
return ((PWDICT *) 0);
|
||||
}
|
||||
|
||||
- if (pdesc.wfp = fopen(wname, mode))
|
||||
+ if (pdesc->wfp = fopen(wname, mode))
|
||||
{
|
||||
- pdesc.flags |= PFOR_USEHWMS;
|
||||
+ pdesc->flags |= PFOR_USEHWMS;
|
||||
}
|
||||
|
||||
- ifp = pdesc.ifp;
|
||||
- dfp = pdesc.dfp;
|
||||
- wfp = pdesc.wfp;
|
||||
+ ifp = pdesc->ifp;
|
||||
+ dfp = pdesc->dfp;
|
||||
+ wfp = pdesc->wfp;
|
||||
|
||||
if (mode[0] == 'w')
|
||||
{
|
||||
- pdesc.flags |= PFOR_WRITE;
|
||||
- pdesc.header.pih_magic = PIH_MAGIC;
|
||||
- pdesc.header.pih_blocklen = NUMWORDS;
|
||||
- pdesc.header.pih_numwords = 0;
|
||||
+ pdesc->flags |= PFOR_WRITE;
|
||||
+ pdesc->header.pih_magic = PIH_MAGIC;
|
||||
+ pdesc->header.pih_blocklen = NUMWORDS;
|
||||
+ pdesc->header.pih_numwords = 0;
|
||||
|
||||
- fwrite((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp);
|
||||
+ fwrite((char *) &pdesc->header, sizeof(pdesc->header), 1, ifp);
|
||||
} else
|
||||
{
|
||||
- pdesc.flags &= ~PFOR_WRITE;
|
||||
+ pdesc->flags &= ~PFOR_WRITE;
|
||||
|
||||
- if (!fread((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp))
|
||||
+ if (!fread((char *) &pdesc->header, sizeof(pdesc->header), 1, ifp))
|
||||
{
|
||||
fprintf(stderr, "%s: error reading header\n", prefix);
|
||||
|
||||
- pdesc.header.pih_magic = 0;
|
||||
+ pdesc->header.pih_magic = 0;
|
||||
fclose(ifp);
|
||||
fclose(dfp);
|
||||
+ free(pdesc);
|
||||
return ((PWDICT *) 0);
|
||||
}
|
||||
|
||||
- if (pdesc.header.pih_magic != PIH_MAGIC)
|
||||
+ if (pdesc->header.pih_magic != PIH_MAGIC)
|
||||
{
|
||||
fprintf(stderr, "%s: magic mismatch\n", prefix);
|
||||
|
||||
- pdesc.header.pih_magic = 0;
|
||||
+ pdesc->header.pih_magic = 0;
|
||||
fclose(ifp);
|
||||
fclose(dfp);
|
||||
+ free(pdesc);
|
||||
return ((PWDICT *) 0);
|
||||
}
|
||||
|
||||
- if (pdesc.header.pih_blocklen != NUMWORDS)
|
||||
+ if (pdesc->header.pih_blocklen != NUMWORDS)
|
||||
{
|
||||
fprintf(stderr, "%s: size mismatch\n", prefix);
|
||||
|
||||
- pdesc.header.pih_magic = 0;
|
||||
+ pdesc->header.pih_magic = 0;
|
||||
fclose(ifp);
|
||||
fclose(dfp);
|
||||
+ free(pdesc);
|
||||
return ((PWDICT *) 0);
|
||||
}
|
||||
|
||||
- if (pdesc.flags & PFOR_USEHWMS)
|
||||
+ if (pdesc->flags & PFOR_USEHWMS)
|
||||
{
|
||||
- if (fread(pdesc.hwms, 1, sizeof(pdesc.hwms), wfp) != sizeof(pdesc.hwms))
|
||||
+ if (fread(pdesc->hwms, 1, sizeof(pdesc->hwms), wfp) != sizeof(pdesc->hwms))
|
||||
{
|
||||
- pdesc.flags &= ~PFOR_USEHWMS;
|
||||
+ pdesc->flags &= ~PFOR_USEHWMS;
|
||||
}
|
||||
}
|
||||
}
|
||||
-
|
||||
- return (&pdesc);
|
||||
+ pdesc->canfree = 1;
|
||||
+ return (pdesc);
|
||||
}
|
||||
|
||||
int
|
||||
@@ -159,8 +161,13 @@
|
||||
|
||||
fclose(pwp->ifp);
|
||||
fclose(pwp->dfp);
|
||||
+ if (pwp->wfp)
|
||||
+ fclose(pwp->wfp);
|
||||
|
||||
- pwp->header.pih_magic = 0;
|
||||
+ if (pwp->canfree)
|
||||
+ free(pwp);
|
||||
+ else
|
||||
+ pwp->header.pih_magic = 0;
|
||||
|
||||
return (0);
|
||||
}
|
||||
@@ -307,6 +314,11 @@
|
||||
register char *this;
|
||||
int idx;
|
||||
|
||||
+/*
|
||||
+ * comment in npasswd-2.0beta4 says this:
|
||||
+ * This does not work under all circumstances, so don't bother
|
||||
+ */
|
||||
+#if 0
|
||||
if (pwp->flags & PFOR_USEHWMS)
|
||||
{
|
||||
idx = string[0] & 0xff;
|
||||
@@ -317,6 +329,10 @@
|
||||
lwm = 0;
|
||||
hwm = PW_WORDS(pwp) - 1;
|
||||
}
|
||||
+#else
|
||||
+ lwm = 0;
|
||||
+ hwm = PW_WORDS(pwp);
|
||||
+#endif
|
||||
|
||||
#ifdef DEBUG
|
||||
printf("---- %lu, %lu ----\n", lwm, hwm);
|
||||
diff -ur orig/cracklib26_small/util/mkdict cracklib26_small/util/mkdict
|
||||
--- orig/cracklib26_small/util/mkdict Fri Jul 9 22:23:03 1993
|
||||
+++ cracklib26_small/util/mkdict Sat Apr 4 22:31:45 1998
|
||||
@@ -14,9 +14,16 @@
|
||||
SORT="sort"
|
||||
###SORT="sort -T /tmp"
|
||||
|
||||
-cat $* |
|
||||
+### Use zcat to read compressed (as well as uncompressed) dictionaries.
|
||||
+### Compressed dictionaries can save quite a lot of disk space.
|
||||
+
|
||||
+CAT="gzip -cdf"
|
||||
+###CAT="zcat"
|
||||
+###CAT="cat"
|
||||
+
|
||||
+$CAT $* |
|
||||
tr '[A-Z]' '[a-z]' |
|
||||
- tr -cd '[\012a-z0-9]' |
|
||||
+ tr -cd '\012[a-z][0-9]' |
|
||||
$SORT |
|
||||
uniq |
|
||||
grep -v '^#' |
|
||||
@@ -1,23 +0,0 @@
|
||||
# This is a dummy Makefile.am to get automake work flawlessly,
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
sysconf_DATA = login.defs
|
||||
|
||||
defaultdir = $(sysconfdir)/default
|
||||
default_DATA =
|
||||
|
||||
nonpam_files = \
|
||||
limits \
|
||||
login.access
|
||||
|
||||
if !USE_PAM
|
||||
nonpamdir = $(sysconfdir)
|
||||
nonpam_DATA = $(nonpam_files)
|
||||
endif
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(nonpam_files) \
|
||||
$(sysconf_DATA) \
|
||||
$(default_DATA)
|
||||
|
||||
SUBDIRS = pam.d shadow-maint
|
||||
-30
@@ -1,30 +0,0 @@
|
||||
# /etc/limits contains user resource limits.
|
||||
# See limits(5).
|
||||
#
|
||||
# Format:
|
||||
# <username> <limits-string>
|
||||
#
|
||||
# default entry is '*' for username
|
||||
#
|
||||
# Valid flags are:
|
||||
# A: max address space (KB)
|
||||
# C: max core file size (KB)
|
||||
# D: max data size (KB)
|
||||
# F: maximum filesize (KB)
|
||||
# M: max locked-in-memory address space (KB) [only for root on Linux 2.0.x]
|
||||
# N: max number of open files
|
||||
# R: max resident set size (KB) [no effect on Linux 2.0.x]
|
||||
# S: max stack size (KB)
|
||||
# T: max CPU time (MIN)
|
||||
# U: max number of processes
|
||||
# L: max number of logins for this user
|
||||
# I: max nice value (0..39 translates to 20..-19)
|
||||
# O: max real time priority (0..MAX_RT_PRIO)
|
||||
#
|
||||
# Examples:
|
||||
# the default entry
|
||||
#* L2 D6144 R2048 S2048 U32 N32 F16384 T5 C0 I20 O0
|
||||
# another way of suspending a user login
|
||||
#guest L0
|
||||
# this account has no limits
|
||||
#sysadm -
|
||||
@@ -1,54 +0,0 @@
|
||||
# $Id$
|
||||
#
|
||||
# Login access control table.
|
||||
#
|
||||
# When someone logs in, the table is scanned for the first entry that
|
||||
# matches the (user, host) combination, or, in case of non-networked
|
||||
# logins, the first entry that matches the (user, tty) combination. The
|
||||
# permissions field of that table entry determines whether the login will
|
||||
# be accepted or refused.
|
||||
#
|
||||
# Format of the login access control table is three fields separated by a
|
||||
# ":" character:
|
||||
#
|
||||
# permission : users : origins
|
||||
#
|
||||
# The first field should be a "+" (access granted) or "-" (access denied)
|
||||
# character.
|
||||
#
|
||||
# The second field should be a list of one or more login names, group
|
||||
# names, or ALL (always matches). A pattern of the form user@host is
|
||||
# matched when the login name matches the "user" part, and when the
|
||||
# "host" part matches the local machine name.
|
||||
#
|
||||
# The third field should be a list of one or more tty names (for
|
||||
# non-networked logins), host names, domain names (begin with "."), host
|
||||
# addresses, internet network numbers (end with "."), ALL (always
|
||||
# matches) or LOCAL (matches any string that does not contain a "."
|
||||
# character).
|
||||
#
|
||||
# If you run NIS you can use @netgroupname in host or user patterns; this
|
||||
# even works for @usergroup@@hostgroup patterns. Weird.
|
||||
#
|
||||
# The EXCEPT operator makes it possible to write very compact rules.
|
||||
#
|
||||
# The group file is searched only when a name does not match that of the
|
||||
# logged-in user. Only groups are matched in which users are explicitly
|
||||
# listed: the program does not look at a user's primary group id value.
|
||||
#
|
||||
##############################################################################
|
||||
#
|
||||
# Disallow console logins to all but a few accounts.
|
||||
#
|
||||
#-:ALL EXCEPT wheel shutdown sync:console
|
||||
#
|
||||
# Disallow non-local logins to privileged accounts (group wheel).
|
||||
#
|
||||
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
|
||||
#
|
||||
# Some accounts are not allowed to login from anywhere:
|
||||
#
|
||||
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
|
||||
#
|
||||
# All other accounts are allowed to login from anywhere.
|
||||
#
|
||||
-478
@@ -1,478 +0,0 @@
|
||||
#
|
||||
# /etc/login.defs - Configuration control definitions for the shadow package.
|
||||
#
|
||||
# $Id$
|
||||
#
|
||||
|
||||
#
|
||||
# Delay in seconds before being allowed another attempt after a login failure
|
||||
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
|
||||
# pam_unix(8) enforces a 2s delay)
|
||||
#
|
||||
FAIL_DELAY 3
|
||||
|
||||
#
|
||||
# Enable logging and display of /var/log/faillog login(1) failure info.
|
||||
#
|
||||
FAILLOG_ENAB yes
|
||||
|
||||
#
|
||||
# Enable display of unknown usernames when login(1) failures are recorded.
|
||||
#
|
||||
LOG_UNKFAIL_ENAB no
|
||||
|
||||
#
|
||||
# Enable logging of successful logins
|
||||
#
|
||||
LOG_OK_LOGINS no
|
||||
|
||||
#
|
||||
# Enable logging and display of /var/log/lastlog login(1) time info.
|
||||
#
|
||||
LASTLOG_ENAB yes
|
||||
|
||||
#
|
||||
# Limit the highest user ID number for which the lastlog entries should
|
||||
# be updated.
|
||||
#
|
||||
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
||||
# lastlog entries.
|
||||
#
|
||||
#LASTLOG_UID_MAX
|
||||
|
||||
#
|
||||
# Enable checking and display of mailbox status upon login.
|
||||
#
|
||||
# Disable if the shell startup files already check for mail
|
||||
# ("mailx -e" or equivalent).
|
||||
#
|
||||
MAIL_CHECK_ENAB yes
|
||||
|
||||
#
|
||||
# Enable additional checks upon password changes.
|
||||
#
|
||||
OBSCURE_CHECKS_ENAB yes
|
||||
|
||||
#
|
||||
# Enable checking of time restrictions specified in /etc/porttime.
|
||||
#
|
||||
PORTTIME_CHECKS_ENAB yes
|
||||
|
||||
#
|
||||
# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
|
||||
#
|
||||
QUOTAS_ENAB yes
|
||||
|
||||
#
|
||||
# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
|
||||
# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
|
||||
#
|
||||
SYSLOG_SU_ENAB yes
|
||||
SYSLOG_SG_ENAB yes
|
||||
|
||||
#
|
||||
# If defined, either full pathname of a file containing device names or
|
||||
# a ":" delimited list of device names. Root logins will be allowed only
|
||||
# from these devices.
|
||||
#
|
||||
CONSOLE /etc/securetty
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
#
|
||||
# If defined, all su(1) activity is logged to this file.
|
||||
#
|
||||
#SULOG_FILE /var/log/sulog
|
||||
|
||||
#
|
||||
# If defined, ":" delimited list of "message of the day" files to
|
||||
# be displayed upon login.
|
||||
#
|
||||
MOTD_FILE /etc/motd
|
||||
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
|
||||
|
||||
#
|
||||
# If defined, this file will be output before each login(1) prompt.
|
||||
#
|
||||
#ISSUE_FILE /etc/issue
|
||||
|
||||
#
|
||||
# If defined, file which maps tty line to TERM environment parameter.
|
||||
# Each line of the file is in a format similar to "vt100 tty01".
|
||||
#
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
|
||||
#
|
||||
# If defined, login(1) failures will be logged here in a utmp format.
|
||||
# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
|
||||
#
|
||||
FTMP_FILE /var/log/btmp
|
||||
|
||||
#
|
||||
# If defined, name of file whose presence will inhibit non-root
|
||||
# logins. The content of this file should be a message indicating
|
||||
# why logins are inhibited.
|
||||
#
|
||||
NOLOGINS_FILE /etc/nologin
|
||||
|
||||
#
|
||||
# If defined, the command name to display when running "su -". For
|
||||
# example, if this is defined as "su" then ps(1) will display the
|
||||
# command as "-su". If not defined, then ps(1) will display the
|
||||
# name of the shell actually being run, e.g. something like "-sh".
|
||||
#
|
||||
SU_NAME su
|
||||
|
||||
#
|
||||
# *REQUIRED*
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
|
||||
#
|
||||
MAIL_DIR /var/spool/mail
|
||||
#MAIL_FILE .mail
|
||||
|
||||
#
|
||||
# If defined, file which inhibits all the usual chatter during the login
|
||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
||||
# user's name or shell are found in the file. If not a full pathname, then
|
||||
# hushed mode will be enabled if the file exists in the user's home directory.
|
||||
#
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
|
||||
#
|
||||
# If defined, either a TZ environment parameter spec or the
|
||||
# fully-rooted pathname of a file containing such a spec.
|
||||
#
|
||||
#ENV_TZ TZ=CST6CDT
|
||||
#ENV_TZ /etc/tzname
|
||||
|
||||
#
|
||||
# If defined, an HZ environment parameter spec.
|
||||
#
|
||||
# for Linux/x86
|
||||
ENV_HZ HZ=100
|
||||
# For Linux/Alpha...
|
||||
#ENV_HZ HZ=1024
|
||||
|
||||
#
|
||||
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
||||
#
|
||||
# (they are minimal, add the rest in the shell startup files)
|
||||
ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
ENV_PATH PATH=/bin:/usr/bin
|
||||
|
||||
#
|
||||
# Terminal permissions
|
||||
#
|
||||
# TTYGROUP Login tty will be assigned this group ownership.
|
||||
# TTYPERM Login tty will be set to this permission.
|
||||
#
|
||||
# If you have a write(1) program which is "setgid" to a special group
|
||||
# which owns the terminals, define TTYGROUP as the number of such group
|
||||
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
|
||||
# set TTYPERM to either 622 or 600.
|
||||
#
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
|
||||
#
|
||||
# Login configuration initializations:
|
||||
#
|
||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||
# ULIMIT Default "ulimit" value.
|
||||
#
|
||||
# The ERASECHAR and KILLCHAR are used only on System V machines.
|
||||
# The ULIMIT is used only if the system supports it.
|
||||
# (now it works with setrlimit too; ulimit is in 512-byte units)
|
||||
#
|
||||
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
|
||||
#
|
||||
ERASECHAR 0177
|
||||
KILLCHAR 025
|
||||
#ULIMIT 2097152
|
||||
|
||||
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories if HOME_MODE is not set.
|
||||
# 022 is the default value, but 027, or even 077, could be considered
|
||||
# for increased privacy. There is no One True Answer here: each sysadmin
|
||||
# must make up their mind.
|
||||
UMASK 022
|
||||
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||
#HOME_MODE 0700
|
||||
|
||||
#
|
||||
# Password aging controls:
|
||||
#
|
||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||
# PASS_MIN_LEN Minimum acceptable password length.
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_MIN_LEN 5
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
#
|
||||
# If "yes", the user must be listed as a member of the first gid 0 group
|
||||
# in /etc/group (called "root" on most Linux systems) to be able to "su"
|
||||
# to uid 0 accounts. If the group doesn't exist or is empty, no one
|
||||
# will be able to "su" to uid 0.
|
||||
#
|
||||
SU_WHEEL_ONLY no
|
||||
|
||||
#
|
||||
# If compiled with cracklib support, sets the path to the dictionaries
|
||||
#
|
||||
CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
|
||||
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd(8)
|
||||
#
|
||||
UID_MIN 1000
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
SYS_UID_MIN 101
|
||||
SYS_UID_MAX 999
|
||||
# Extra per user uids
|
||||
SUB_UID_MIN 100000
|
||||
SUB_UID_MAX 600100000
|
||||
SUB_UID_COUNT 65536
|
||||
|
||||
#
|
||||
# Min/max values for automatic gid selection in groupadd(8)
|
||||
#
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
SYS_GID_MIN 101
|
||||
SYS_GID_MAX 999
|
||||
# Extra per user group ids
|
||||
SUB_GID_MIN 100000
|
||||
SUB_GID_MAX 600100000
|
||||
SUB_GID_COUNT 65536
|
||||
|
||||
#
|
||||
# Max number of login(1) retries if password is bad
|
||||
#
|
||||
LOGIN_RETRIES 5
|
||||
|
||||
#
|
||||
# Max time in seconds for login(1)
|
||||
#
|
||||
LOGIN_TIMEOUT 60
|
||||
|
||||
#
|
||||
# Maximum number of attempts to change password if rejected (too easy)
|
||||
#
|
||||
PASS_CHANGE_TRIES 5
|
||||
|
||||
#
|
||||
# Warn about weak passwords (but still allow them) if you are root.
|
||||
#
|
||||
PASS_ALWAYS_WARN yes
|
||||
|
||||
#
|
||||
# Number of significant characters in the password for crypt().
|
||||
# Default is 8, don't change unless your crypt() is better.
|
||||
# Ignored if MD5_CRYPT_ENAB set to "yes".
|
||||
#
|
||||
#PASS_MAX_LEN 8
|
||||
|
||||
#
|
||||
# Require password before chfn(1)/chsh(1) can make any changes.
|
||||
#
|
||||
CHFN_AUTH yes
|
||||
|
||||
#
|
||||
# Which fields may be changed by regular users using chfn(1) - use
|
||||
# any combination of letters "frwh" (full name, room number, work
|
||||
# phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
#
|
||||
CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
# Password prompt (%s will be replaced by user name).
|
||||
#
|
||||
# XXX - it doesn't work correctly yet, for now leave it commented out
|
||||
# to use the default which is just "Password: ".
|
||||
#LOGIN_STRING "%s's Password: "
|
||||
|
||||
#
|
||||
# Only works if compiled with MD5_CRYPT defined:
|
||||
# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||
# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||
# It supports passwords of unlimited length and longer salt strings.
|
||||
# Set to "no" if you need to copy encrypted passwords to other systems
|
||||
# which don't understand the new algorithm. Default is "no".
|
||||
#
|
||||
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
||||
#
|
||||
#MD5_CRYPT_ENAB no
|
||||
|
||||
#
|
||||
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
||||
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
|
||||
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
#ENCRYPT_METHOD DES
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
#
|
||||
# Define the number of SHA rounds.
|
||||
# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
# However, more CPU resources will be needed to authenticate users if
|
||||
# this value is increased.
|
||||
#
|
||||
# If not specified, the libc will choose the default number of rounds (5000),
|
||||
# which is orders of magnitude too low for modern hardware.
|
||||
# The values must be within the 1000-999999999 range.
|
||||
# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
# If MIN > MAX, the highest value will be used.
|
||||
#
|
||||
#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
||||
#
|
||||
# Define the number of BCRYPT rounds.
|
||||
# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
# However, more CPU resources will be needed to authenticate users if
|
||||
# this value is increased.
|
||||
#
|
||||
# If not specified, 13 rounds will be attempted.
|
||||
# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
# If MIN > MAX, the highest value will be used.
|
||||
#
|
||||
#BCRYPT_MIN_ROUNDS 13
|
||||
#BCRYPT_MAX_ROUNDS 13
|
||||
|
||||
#
|
||||
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
||||
#
|
||||
# Define the YESCRYPT cost factor.
|
||||
# With a higher cost factor, it is more difficult to brute-force the password.
|
||||
# However, more CPU time and more memory will be needed to authenticate users
|
||||
# if this value is increased.
|
||||
#
|
||||
# If not specified, a cost factor of 5 will be used.
|
||||
# The value must be within the 1-11 range.
|
||||
#
|
||||
#YESCRYPT_COST_FACTOR 5
|
||||
|
||||
#
|
||||
# List of groups to add to the user's supplementary group set
|
||||
# when logging in from the console (as determined by the CONSOLE
|
||||
# setting). Default is none.
|
||||
#
|
||||
# Use with caution - it is possible for users to gain permanent
|
||||
# access to these groups, even when not logged in from the console.
|
||||
# How to do it is left as an exercise for the reader...
|
||||
#
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
|
||||
#
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
# Default is no.
|
||||
#
|
||||
DEFAULT_HOME yes
|
||||
|
||||
#
|
||||
# The pwck(8) utility emits a warning for any system account with a home
|
||||
# directory that does not exist. Some system accounts intentionally do
|
||||
# not have a home directory. Such accounts may have this string as
|
||||
# their home directory in /etc/passwd to avoid a spurious warning.
|
||||
#
|
||||
NONEXISTENT /nonexistent
|
||||
|
||||
#
|
||||
# If this file exists and is readable, login environment will be
|
||||
# read from it. Every line should be in the form name=value.
|
||||
#
|
||||
ENVIRON_FILE /etc/environment
|
||||
|
||||
#
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
# the user to be removed (passed as the first argument).
|
||||
#
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
# Enable setting of the umask group bits to be the same as owner bits
|
||||
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
|
||||
# the same as gid, and username is the same as the primary group name.
|
||||
#
|
||||
# This also enables userdel(8) to remove user groups if no members exist.
|
||||
#
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
# If set to a non-zero number, the shadow utilities will make sure that
|
||||
# groups never have more than this number of users on one line.
|
||||
# This permits to support split groups (groups split into multiple lines,
|
||||
# with the same group ID, to avoid limitation of the line length in the
|
||||
# group file).
|
||||
#
|
||||
# 0 is the default value and disables this feature.
|
||||
#
|
||||
#MAX_MEMBERS_PER_GROUP 0
|
||||
|
||||
#
|
||||
# If useradd(8) should create home directories for users by default (non
|
||||
# system users only).
|
||||
# This option is overridden with the -M or -m flags on the useradd(8)
|
||||
# command-line.
|
||||
#
|
||||
#CREATE_HOME yes
|
||||
|
||||
#
|
||||
# Force use shadow, even if shadow passwd & shadow group files are
|
||||
# missing.
|
||||
#
|
||||
#FORCE_SHADOW yes
|
||||
|
||||
#
|
||||
# Allow newuidmap and newgidmap when running under an alternative
|
||||
# primary group.
|
||||
#
|
||||
#GRANT_AUX_GROUP_SUBIDS yes
|
||||
|
||||
#
|
||||
# Prevents an empty password field to be interpreted as "no authentication
|
||||
# required".
|
||||
# Set to "yes" to prevent for all accounts
|
||||
# Set to "superuser" to prevent for UID 0 / root (default)
|
||||
# Set to "no" to not prevent for any account (dangerous, historical default)
|
||||
PREVENT_NO_AUTH superuser
|
||||
|
||||
#
|
||||
# Select the HMAC cryptography algorithm.
|
||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
# authentication code.
|
||||
#
|
||||
# Note: It is recommended to check hmac(3) to see the possible algorithms
|
||||
# that are available in your system.
|
||||
#
|
||||
#HMAC_CRYPTO_ALGO SHA512
|
||||
@@ -1,35 +0,0 @@
|
||||
# This is a dummy Makefile.am to get automake work flawlessly,
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
pamd_files = \
|
||||
chpasswd \
|
||||
chfn \
|
||||
chsh \
|
||||
groupmems \
|
||||
login \
|
||||
newusers \
|
||||
passwd
|
||||
|
||||
pamd_acct_tools_files = \
|
||||
chage \
|
||||
chgpasswd \
|
||||
groupadd \
|
||||
groupdel \
|
||||
groupmod \
|
||||
useradd \
|
||||
userdel \
|
||||
usermod
|
||||
|
||||
if USE_PAM
|
||||
pamddir = $(sysconfdir)/pam.d
|
||||
pamd_DATA = $(pamd_files)
|
||||
if ACCT_TOOLS_SETUID
|
||||
pamd_DATA += $(pamd_acct_tools_files)
|
||||
endif
|
||||
endif
|
||||
|
||||
if WITH_SU
|
||||
pamd_files += su
|
||||
endif
|
||||
|
||||
EXTRA_DIST = $(pamd_files) $(pamd_acct_tools_files)
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,11 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_securetty.so
|
||||
auth include system-auth
|
||||
account required pam_nologin.so
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
session include system-auth
|
||||
session required pam_loginuid.so
|
||||
session optional pam_console.so
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
@@ -1,13 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
# Uncomment the following line to implicitly trust users in the "wheel" group.
|
||||
#auth sufficient pam_wheel.so trust use_uid
|
||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||
auth required pam_wheel.so use_uid
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
session include system-auth
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
session optional pam_xauth.so
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,4 +0,0 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
account required pam_permit.so
|
||||
password include system-auth
|
||||
@@ -1,5 +0,0 @@
|
||||
shadowmaint_files = \
|
||||
groupdel-pre.d/01-kill_group_procs.sh \
|
||||
userdel-pre.d/01-kill_user_procs.sh
|
||||
|
||||
EXTRA_DIST = $(shadowmaint_files)
|
||||
@@ -1,26 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
GROUPID=`awk -F: '$1 == "'"${SUBJECT}"'" { print $3 }' /etc/group`
|
||||
|
||||
if [ "${GROUPID}" = "" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for status in /proc/*/status; do
|
||||
# either this isn't a process or its already dead since expanding the list
|
||||
[ -f "$status" ] || continue
|
||||
|
||||
tbuf=${status%/status}
|
||||
pid=${tbuf#/proc/}
|
||||
case "$pid" in
|
||||
"$$") continue;;
|
||||
[0-9]*) :;;
|
||||
*) continue
|
||||
esac
|
||||
|
||||
grep -q '^Groups:.*\b'"${GROUPID}"'\b.*' "/proc/$pid/status" || continue
|
||||
|
||||
kill -9 "$pid" || echo "cannot kill $pid" 1>&2
|
||||
done
|
||||
|
||||
@@ -1,31 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
# Check user exists, and if so, send sigkill to processes that the user owns
|
||||
|
||||
ps -eo user >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
|
||||
# if the user does not exist, RUNNING will be 0
|
||||
if [ "${RUNNING}x" = "0x" ]; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
# If there is no ps -eo, traverse the process directly.
|
||||
|
||||
ls -1 /proc | while IFS= read -r PROC; do
|
||||
echo "$PROC" | grep -E '^[0-9]+$' >/dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
continue
|
||||
fi
|
||||
if [ -d "/proc/${PROC}" ]; then
|
||||
USR=`stat -c "%U" /proc/${PROC}`
|
||||
if [ "${USR}" = "${SUBJECT}" ]; then
|
||||
echo "Killing ${SUBJECT} owned ${PROC}"
|
||||
kill -9 "${PROC}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
Vendored
-5
@@ -1,5 +0,0 @@
|
||||
-kr
|
||||
-i8
|
||||
-bad
|
||||
-pcs
|
||||
-l80
|
||||
-193
@@ -1,193 +0,0 @@
|
||||
|
||||
AUTOMAKE_OPTIONS = 1.0 foreign
|
||||
|
||||
DEFS =
|
||||
|
||||
noinst_LTLIBRARIES = libshadow.la
|
||||
|
||||
if USE_PAM
|
||||
LIBCRYPT_PAM = $(LIBCRYPT)
|
||||
else
|
||||
LIBCRYPT_PAM =
|
||||
endif
|
||||
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
|
||||
|
||||
libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS)
|
||||
if HAVE_VENDORDIR
|
||||
libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
|
||||
endif
|
||||
|
||||
libshadow_la_CPPFLAGS += -I$(top_srcdir)
|
||||
libshadow_la_CFLAGS = $(LIBBSD_CFLAGS) $(LIBCRYPT_PAM) $(LIBSYSTEMD)
|
||||
libshadow_la_LIBADD = $(LIBADD_DLOPEN)
|
||||
|
||||
libshadow_la_SOURCES = \
|
||||
addgrps.c \
|
||||
age.c \
|
||||
agetpass.c \
|
||||
alloc.c \
|
||||
alloc.h \
|
||||
audit_help.c \
|
||||
basename.c \
|
||||
bit.c \
|
||||
bit.h \
|
||||
chkname.c \
|
||||
chkname.h \
|
||||
chowndir.c \
|
||||
chowntty.c \
|
||||
cleanup.c \
|
||||
cleanup_group.c \
|
||||
cleanup_user.c \
|
||||
commonio.c \
|
||||
commonio.h \
|
||||
console.c \
|
||||
copydir.c \
|
||||
csrand.c \
|
||||
date_to_str.c \
|
||||
defines.h \
|
||||
encrypt.c \
|
||||
entry.c \
|
||||
env.c \
|
||||
exitcodes.h \
|
||||
faillog.h \
|
||||
failure.c \
|
||||
failure.h \
|
||||
fields.c \
|
||||
find_new_gid.c \
|
||||
find_new_uid.c \
|
||||
find_new_sub_gids.c \
|
||||
find_new_sub_uids.c \
|
||||
fputsx.c \
|
||||
get_gid.c \
|
||||
get_pid.c \
|
||||
get_uid.c \
|
||||
getdate.h \
|
||||
getdate.y \
|
||||
getdef.c \
|
||||
getdef.h \
|
||||
getlong.c \
|
||||
getgr_nam_gid.c \
|
||||
getrange.c \
|
||||
gettime.c \
|
||||
getulong.c \
|
||||
groupio.c \
|
||||
groupmem.c \
|
||||
groupio.h \
|
||||
gshadow.c \
|
||||
hushed.c \
|
||||
idmapping.h \
|
||||
idmapping.c \
|
||||
isexpired.c \
|
||||
limits.c \
|
||||
list.c \
|
||||
lockpw.c \
|
||||
loginprompt.c \
|
||||
mail.c \
|
||||
mempcpy.c \
|
||||
mempcpy.h \
|
||||
motd.c \
|
||||
myname.c \
|
||||
nss.c \
|
||||
nscd.c \
|
||||
nscd.h \
|
||||
obscure.c \
|
||||
pam_defs.h \
|
||||
pam_pass.c \
|
||||
pam_pass_non_interactive.c \
|
||||
port.c \
|
||||
port.h \
|
||||
prefix_flag.c \
|
||||
prototypes.h \
|
||||
pwauth.c \
|
||||
pwauth.h \
|
||||
pwio.c \
|
||||
pwio.h \
|
||||
pwd_init.c \
|
||||
pwd2spwd.c \
|
||||
pwdcheck.c \
|
||||
pwmem.c \
|
||||
remove_tree.c \
|
||||
rlogin.c \
|
||||
root_flag.c \
|
||||
run_part.h \
|
||||
run_part.c \
|
||||
salt.c \
|
||||
selinux.c \
|
||||
semanage.c \
|
||||
setugid.c \
|
||||
setupenv.c \
|
||||
sgetgrent.c \
|
||||
sgetpwent.c \
|
||||
sgetspent.c \
|
||||
sgroupio.c \
|
||||
sgroupio.h\
|
||||
shadow.c \
|
||||
shadowio.c \
|
||||
shadowio.h \
|
||||
shadowlog.c \
|
||||
shadowlog.h \
|
||||
shadowlog_internal.h \
|
||||
shadowmem.c \
|
||||
shell.c \
|
||||
spawn.c \
|
||||
sssd.c \
|
||||
sssd.h \
|
||||
stpecpy.c \
|
||||
stpecpy.h \
|
||||
stpeprintf.c \
|
||||
stpeprintf.h \
|
||||
strtoday.c \
|
||||
sub.c \
|
||||
subordinateio.h \
|
||||
subordinateio.c \
|
||||
sulog.c \
|
||||
ttytype.c \
|
||||
tz.c \
|
||||
ulimit.c \
|
||||
user_busy.c \
|
||||
valid.c \
|
||||
write_full.c \
|
||||
xgetpwnam.c \
|
||||
xprefix_getpwnam.c \
|
||||
xgetpwuid.c \
|
||||
xgetgrnam.c \
|
||||
xgetgrgid.c \
|
||||
xgetspnam.c \
|
||||
yesno.c
|
||||
|
||||
if WITH_TCB
|
||||
libshadow_la_SOURCES += tcbfuncs.c tcbfuncs.h
|
||||
endif
|
||||
|
||||
if WITH_BTRFS
|
||||
libshadow_la_SOURCES += btrfs.c
|
||||
endif
|
||||
|
||||
if ENABLE_LASTLOG
|
||||
libshadow_la_SOURCES += log.c
|
||||
endif
|
||||
|
||||
if ENABLE_LOGIND
|
||||
libshadow_la_SOURCES += logind.c
|
||||
else
|
||||
libshadow_la_SOURCES += utmp.c
|
||||
endif
|
||||
|
||||
if !WITH_LIBBSD
|
||||
libshadow_la_SOURCES += \
|
||||
freezero.h \
|
||||
freezero.c \
|
||||
readpassphrase.h \
|
||||
readpassphrase.c
|
||||
endif
|
||||
|
||||
# These files are unneeded for some reason, listed in
|
||||
# order of appearance:
|
||||
#
|
||||
# sources for dbm support (not yet used)
|
||||
|
||||
EXTRA_DIST = \
|
||||
.indent.pro \
|
||||
gshadow_.h \
|
||||
xgetXXbyYY.c
|
||||
-114
@@ -1,114 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2001 - 2006, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#if defined (HAVE_SETGROUPS) && ! defined (USE_PAM)
|
||||
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <grp.h>
|
||||
#include <errno.h>
|
||||
|
||||
#include "alloc.h"
|
||||
#include "shadowlog.h"
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#define SEP ",:"
|
||||
/*
|
||||
* Add groups with names from LIST (separated by commas or colons)
|
||||
* to the supplementary group set. Silently ignore groups which are
|
||||
* already there. Warning: uses strtok().
|
||||
*/
|
||||
int add_groups (const char *list)
|
||||
{
|
||||
GETGROUPS_T *grouplist;
|
||||
size_t i;
|
||||
int ngroups;
|
||||
bool added;
|
||||
char *token;
|
||||
char buf[1024];
|
||||
int ret;
|
||||
FILE *shadow_logfd = log_get_logfd();
|
||||
|
||||
if (strlen (list) >= sizeof (buf)) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
strcpy (buf, list);
|
||||
|
||||
i = 16;
|
||||
for (;;) {
|
||||
grouplist = MALLOC(i, GETGROUPS_T);
|
||||
if (NULL == grouplist) {
|
||||
return -1;
|
||||
}
|
||||
ngroups = getgroups (i, grouplist);
|
||||
if ( ( (-1 == ngroups)
|
||||
&& (EINVAL != errno))
|
||||
|| (i > (size_t)ngroups)) {
|
||||
/* Unexpected failure of getgroups or successful
|
||||
* reception of the groups */
|
||||
break;
|
||||
}
|
||||
/* not enough room, so try allocating a larger buffer */
|
||||
free (grouplist);
|
||||
i *= 2;
|
||||
}
|
||||
if (ngroups < 0) {
|
||||
free (grouplist);
|
||||
return -1;
|
||||
}
|
||||
|
||||
added = false;
|
||||
for (token = strtok (buf, SEP); NULL != token; token = strtok (NULL, SEP)) {
|
||||
struct group *grp;
|
||||
|
||||
grp = getgrnam (token); /* local, no need for xgetgrnam */
|
||||
if (NULL == grp) {
|
||||
fprintf (shadow_logfd, _("Warning: unknown group %s\n"),
|
||||
token);
|
||||
continue;
|
||||
}
|
||||
|
||||
for (i = 0; i < (size_t)ngroups && grouplist[i] != grp->gr_gid; i++);
|
||||
|
||||
if (i < (size_t)ngroups) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (ngroups >= sysconf (_SC_NGROUPS_MAX)) {
|
||||
fputs (_("Warning: too many groups\n"), shadow_logfd);
|
||||
break;
|
||||
}
|
||||
grouplist = REALLOCF(grouplist, (size_t) ngroups + 1, GETGROUPS_T);
|
||||
if (grouplist == NULL) {
|
||||
return -1;
|
||||
}
|
||||
grouplist[ngroups] = grp->gr_gid;
|
||||
ngroups++;
|
||||
added = true;
|
||||
}
|
||||
|
||||
if (added) {
|
||||
ret = setgroups (ngroups, grouplist);
|
||||
free (grouplist);
|
||||
return ret;
|
||||
}
|
||||
|
||||
free (grouplist);
|
||||
return 0;
|
||||
}
|
||||
#else /* HAVE_SETGROUPS && !USE_PAM */
|
||||
extern int ISO_C_forbids_an_empty_translation_unit;
|
||||
#endif /* HAVE_SETGROUPS && !USE_PAM */
|
||||
|
||||
@@ -1,178 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2001 - 2006, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2008 - 2009, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#include "exitcodes.h"
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#ifndef PASSWD_PROGRAM
|
||||
#define PASSWD_PROGRAM "/bin/passwd"
|
||||
#endif
|
||||
/*
|
||||
* expire - force password change if password expired
|
||||
*
|
||||
* expire() calls /bin/passwd to change the user's password
|
||||
* if it has expired.
|
||||
*/
|
||||
int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)
|
||||
{
|
||||
int status;
|
||||
pid_t child;
|
||||
pid_t pid;
|
||||
|
||||
if (NULL == sp) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* See if the user's password has expired, and if so
|
||||
* force them to change their password.
|
||||
*/
|
||||
|
||||
status = isexpired (pw, sp);
|
||||
switch (status) {
|
||||
case 0:
|
||||
return 0;
|
||||
case 1:
|
||||
(void) fputs (_("Your password has expired."), stdout);
|
||||
break;
|
||||
case 2:
|
||||
(void) fputs (_("Your password is inactive."), stdout);
|
||||
break;
|
||||
case 3:
|
||||
(void) fputs (_("Your login has expired."), stdout);
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Setting the maximum valid period to less than the minimum
|
||||
* valid period means that the minimum period will never
|
||||
* occur while the password is valid, so the user can never
|
||||
* change that password.
|
||||
*/
|
||||
|
||||
if ((status > 1) || (sp->sp_max < sp->sp_min)) {
|
||||
(void) puts (_(" Contact the system administrator."));
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
(void) puts (_(" Choose a new password."));
|
||||
(void) fflush (stdout);
|
||||
|
||||
/*
|
||||
* Close all the files so that unauthorized access won't
|
||||
* occur. This needs to be done anyway because those files
|
||||
* might become stale after "passwd" is executed.
|
||||
*/
|
||||
|
||||
endspent ();
|
||||
endpwent ();
|
||||
#ifdef SHADOWGRP
|
||||
endsgent ();
|
||||
#endif
|
||||
endgrent ();
|
||||
|
||||
/*
|
||||
* Execute the /bin/passwd command. The exit status will be
|
||||
* examined to see what the result is. If there are any
|
||||
* errors the routine will exit. This forces the user to
|
||||
* change their password before being able to use the account.
|
||||
*/
|
||||
|
||||
pid = fork ();
|
||||
if (0 == pid) {
|
||||
int err;
|
||||
|
||||
/*
|
||||
* Set the UID to be that of the user. This causes
|
||||
* passwd to work just like it would had they executed
|
||||
* it from the command line while logged in.
|
||||
*/
|
||||
#if defined(HAVE_INITGROUPS) && ! defined(USE_PAM)
|
||||
if (setup_uid_gid (pw, false) != 0)
|
||||
#else
|
||||
if (setup_uid_gid (pw) != 0)
|
||||
#endif
|
||||
{
|
||||
_exit (126);
|
||||
}
|
||||
|
||||
(void) execl (PASSWD_PROGRAM, PASSWD_PROGRAM, pw->pw_name, (char *) NULL);
|
||||
err = errno;
|
||||
perror ("Can't execute " PASSWD_PROGRAM);
|
||||
_exit ((ENOENT == err) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
||||
} else if ((pid_t) -1 == pid) {
|
||||
perror ("fork");
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
|
||||
while (((child = wait (&status)) != pid) && (child != (pid_t)-1));
|
||||
|
||||
if ((child == pid) && (0 == status)) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
exit (EXIT_FAILURE);
|
||||
/*@notreached@*/}
|
||||
|
||||
/*
|
||||
* agecheck - see if warning is needed for password expiration
|
||||
*
|
||||
* agecheck sees how many days until the user's password is going
|
||||
* to expire and warns the user of the pending password expiration.
|
||||
*/
|
||||
|
||||
void agecheck (/*@null@*/const struct spwd *sp)
|
||||
{
|
||||
long now = time(NULL) / SCALE;
|
||||
long remain;
|
||||
|
||||
if (NULL == sp) {
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* The last, max, and warn fields must be supported or the
|
||||
* warning period cannot be calculated.
|
||||
*/
|
||||
|
||||
if ( (-1 == sp->sp_lstchg)
|
||||
|| (-1 == sp->sp_max)
|
||||
|| (-1 == sp->sp_warn)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (0 == sp->sp_lstchg) {
|
||||
(void) puts (_("You must change your password."));
|
||||
return;
|
||||
}
|
||||
|
||||
remain = sp->sp_lstchg + sp->sp_max - now;
|
||||
if (remain <= sp->sp_warn) {
|
||||
remain /= DAY / SCALE;
|
||||
if (remain > 1) {
|
||||
(void) printf (_("Your password will expire in %ld days.\n"),
|
||||
remain);
|
||||
} else if (1 == remain) {
|
||||
(void) puts (_("Your password will expire tomorrow."));
|
||||
} else if (remain == 0) {
|
||||
(void) puts (_("Your password will expire today."));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
-134
@@ -1,134 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2022, Alejandro Colomar <alx@kernel.org>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <limits.h>
|
||||
#include <readpassphrase.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include "alloc.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
#if WITH_LIBBSD == 0
|
||||
#include "freezero.h"
|
||||
#endif /* WITH_LIBBSD */
|
||||
|
||||
|
||||
#if !defined(PASS_MAX)
|
||||
#define PASS_MAX BUFSIZ - 1
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* SYNOPSIS
|
||||
* [[gnu::malloc(erase_pass)]]
|
||||
* char *agetpass(const char *prompt);
|
||||
*
|
||||
* void erase_pass(char *pass);
|
||||
*
|
||||
* ARGUMENTS
|
||||
* agetpass()
|
||||
* prompt String to be printed before reading a password.
|
||||
*
|
||||
* erase_pass()
|
||||
* pass password previously returned by agetpass().
|
||||
*
|
||||
* DESCRIPTION
|
||||
* agetpass()
|
||||
* This function is very similar to getpass(3). It has several
|
||||
* advantages compared to getpass(3):
|
||||
*
|
||||
* - Instead of using a static buffer, agetpass() allocates memory
|
||||
* through malloc(3). This makes the function thread-safe, and
|
||||
* also reduces the visibility of the buffer.
|
||||
*
|
||||
* - agetpass() doesn't reallocate internally. Some
|
||||
* implementations of getpass(3), such as glibc, do that, as a
|
||||
* consequence of calling getline(3). That's a bug in glibc,
|
||||
* which allows leaking prefixes of passwords in freed memory.
|
||||
*
|
||||
* - agetpass() doesn't overrun the output buffer. If the input
|
||||
* password is too long, it simply fails. Some implementations
|
||||
* of getpass(3), share the same bug that gets(3) has.
|
||||
*
|
||||
* As soon as possible, the password obtained from agetpass() be
|
||||
* erased by calling erase_pass(), to avoid possibly leaking the
|
||||
* password.
|
||||
*
|
||||
* erase_pass()
|
||||
* This function first clears the password, by calling
|
||||
* explicit_bzero(3) (or an equivalent call), and then frees the
|
||||
* allocated memory by calling free(3).
|
||||
*
|
||||
* NULL is a valid input pointer, and in such a case, this call is
|
||||
* a no-op.
|
||||
*
|
||||
* RETURN VALUE
|
||||
* agetpass() returns a newly allocated buffer containing the
|
||||
* password on success. On error, errno is set to indicate the
|
||||
* error, and NULL is returned.
|
||||
*
|
||||
* ERRORS
|
||||
* agetpass()
|
||||
* This function may fail for any errors that malloc(3) or
|
||||
* readpassphrase(3) may fail, and in addition it may fail for the
|
||||
* following errors:
|
||||
*
|
||||
* ENOBUFS
|
||||
* The input password was longer than PASS_MAX.
|
||||
*
|
||||
* CAVEATS
|
||||
* If a password is passed twice to erase_pass(), the behavior is
|
||||
* undefined.
|
||||
*/
|
||||
|
||||
|
||||
char *
|
||||
agetpass(const char *prompt)
|
||||
{
|
||||
char *pass;
|
||||
size_t len;
|
||||
|
||||
/*
|
||||
* Since we want to support passwords upto PASS_MAX, we need
|
||||
* PASS_MAX bytes for the password itself, and one more byte for
|
||||
* the terminating '\0'. We also want to detect truncation, and
|
||||
* readpassphrase(3) doesn't detect it, so we need some trick.
|
||||
* Let's add one more byte, and if the password uses it, it
|
||||
* means the introduced password was longer than PASS_MAX.
|
||||
*/
|
||||
pass = MALLOC(PASS_MAX + 2, char);
|
||||
if (pass == NULL)
|
||||
return NULL;
|
||||
|
||||
if (readpassphrase(prompt, pass, PASS_MAX + 2, RPP_REQUIRE_TTY) == NULL)
|
||||
goto fail;
|
||||
|
||||
len = strlen(pass);
|
||||
if (len == PASS_MAX + 1) {
|
||||
errno = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
return pass;
|
||||
|
||||
fail:
|
||||
freezero(pass, PASS_MAX + 2);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
erase_pass(char *pass)
|
||||
{
|
||||
freezero(pass, PASS_MAX + 2);
|
||||
}
|
||||
-73
@@ -1,73 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1990 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2006, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2008 , Nicolas François
|
||||
* SPDX-FileCopyrightText: 2023 , Alejandro Colomar <alx@kernel.org>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/* Replacements for malloc and strdup with error checking. Too trivial
|
||||
to be worth copyrighting :-). I did that because a lot of code used
|
||||
malloc and strdup without checking for NULL pointer, and I like some
|
||||
message better than a core dump... --marekm
|
||||
|
||||
Yeh, but. Remember that bailing out might leave the system in some
|
||||
bizarre state. You really want to put in error checking, then add
|
||||
some back-out failure recovery code. -- jfh */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include "alloc.h"
|
||||
|
||||
#include <errno.h>
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "defines.h"
|
||||
#include "prototypes.h"
|
||||
#include "shadowlog.h"
|
||||
|
||||
|
||||
extern inline void *xmalloc(size_t size);
|
||||
extern inline void *xmallocarray(size_t nmemb, size_t size);
|
||||
extern inline void *mallocarray(size_t nmemb, size_t size);
|
||||
extern inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
|
||||
extern inline char *xstrdup(const char *str);
|
||||
|
||||
|
||||
void *
|
||||
xcalloc(size_t nmemb, size_t size)
|
||||
{
|
||||
void *p;
|
||||
|
||||
p = calloc(nmemb, size);
|
||||
if (p == NULL)
|
||||
goto x;
|
||||
|
||||
return p;
|
||||
|
||||
x:
|
||||
fprintf(log_get_logfd(), _("%s: %s\n"),
|
||||
log_get_progname(), strerror(errno));
|
||||
exit(13);
|
||||
}
|
||||
|
||||
|
||||
void *
|
||||
xreallocarray(void *p, size_t nmemb, size_t size)
|
||||
{
|
||||
p = reallocarrayf(p, nmemb, size);
|
||||
if (p == NULL)
|
||||
goto x;
|
||||
|
||||
return p;
|
||||
|
||||
x:
|
||||
fprintf(log_get_logfd(), _("%s: %s\n"),
|
||||
log_get_progname(), strerror(errno));
|
||||
exit(13);
|
||||
}
|
||||
-115
@@ -1,115 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2023, Alejandro Colomar <alx@kernel.org>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
|
||||
#ifndef SHADOW_INCLUDE_LIB_MALLOC_H_
|
||||
#define SHADOW_INCLUDE_LIB_MALLOC_H_
|
||||
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <assert.h>
|
||||
#include <errno.h>
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "defines.h"
|
||||
|
||||
|
||||
#define CALLOC(n, type) ((type *) calloc(n, sizeof(type)))
|
||||
#define XCALLOC(n, type) ((type *) xcalloc(n, sizeof(type)))
|
||||
#define MALLOC(n, type) ((type *) mallocarray(n, sizeof(type)))
|
||||
#define XMALLOC(n, type) ((type *) xmallocarray(n, sizeof(type)))
|
||||
|
||||
#define REALLOC(ptr, n, type) \
|
||||
({ \
|
||||
__auto_type p_ = (ptr); \
|
||||
\
|
||||
static_assert(__builtin_types_compatible_p(typeof(p_), type *), ""); \
|
||||
\
|
||||
(type *) reallocarray(p_, n, sizeof(type)); \
|
||||
})
|
||||
|
||||
#define REALLOCF(ptr, n, type) \
|
||||
({ \
|
||||
__auto_type p_ = (ptr); \
|
||||
\
|
||||
static_assert(__builtin_types_compatible_p(typeof(p_), type *), ""); \
|
||||
\
|
||||
(type *) reallocarrayf(p_, n, sizeof(type)); \
|
||||
})
|
||||
|
||||
#define XREALLOC(ptr, n, type) \
|
||||
({ \
|
||||
__auto_type p_ = (ptr); \
|
||||
\
|
||||
static_assert(__builtin_types_compatible_p(typeof(p_), type *), ""); \
|
||||
\
|
||||
(type *) xreallocarray(p_, n, sizeof(type)); \
|
||||
})
|
||||
|
||||
|
||||
ATTR_MALLOC(free)
|
||||
inline void *xmalloc(size_t size);
|
||||
ATTR_MALLOC(free)
|
||||
inline void *xmallocarray(size_t nmemb, size_t size);
|
||||
ATTR_MALLOC(free)
|
||||
inline void *mallocarray(size_t nmemb, size_t size);
|
||||
ATTR_MALLOC(free)
|
||||
inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
|
||||
ATTR_MALLOC(free)
|
||||
inline char *xstrdup(const char *str);
|
||||
|
||||
ATTR_MALLOC(free)
|
||||
void *xcalloc(size_t nmemb, size_t size);
|
||||
ATTR_MALLOC(free)
|
||||
void *xreallocarray(void *p, size_t nmemb, size_t size);
|
||||
|
||||
|
||||
inline void *
|
||||
xmalloc(size_t size)
|
||||
{
|
||||
return xmallocarray(1, size);
|
||||
}
|
||||
|
||||
|
||||
inline void *
|
||||
xmallocarray(size_t nmemb, size_t size)
|
||||
{
|
||||
return xreallocarray(NULL, nmemb, size);
|
||||
}
|
||||
|
||||
|
||||
inline void *
|
||||
mallocarray(size_t nmemb, size_t size)
|
||||
{
|
||||
return reallocarray(NULL, nmemb, size);
|
||||
}
|
||||
|
||||
|
||||
inline void *
|
||||
reallocarrayf(void *p, size_t nmemb, size_t size)
|
||||
{
|
||||
void *q;
|
||||
|
||||
q = reallocarray(p, nmemb, size);
|
||||
|
||||
/* realloc(p, 0) is equivalent to free(p); avoid double free. */
|
||||
if (q == NULL && nmemb != 0 && size != 0)
|
||||
free(p);
|
||||
return q;
|
||||
}
|
||||
|
||||
|
||||
inline char *
|
||||
xstrdup(const char *str)
|
||||
{
|
||||
return strcpy(XMALLOC(strlen(str) + 1, char), str);
|
||||
}
|
||||
|
||||
|
||||
#endif // include guard
|
||||
@@ -1,87 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2005 , Red Hat, Inc.
|
||||
* SPDX-FileCopyrightText: 2005 , Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2008 , Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/*
|
||||
* Audit helper functions used throughout shadow
|
||||
*
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ifdef WITH_AUDIT
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <syslog.h>
|
||||
#include <stdarg.h>
|
||||
#include <libaudit.h>
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include "prototypes.h"
|
||||
#include "shadowlog.h"
|
||||
int audit_fd;
|
||||
|
||||
void audit_help_open (void)
|
||||
{
|
||||
audit_fd = audit_open ();
|
||||
if (audit_fd < 0) {
|
||||
/* You get these only when the kernel doesn't have
|
||||
* audit compiled in. */
|
||||
if ( (errno == EINVAL)
|
||||
|| (errno == EPROTONOSUPPORT)
|
||||
|| (errno == EAFNOSUPPORT)) {
|
||||
return;
|
||||
}
|
||||
(void) fputs (_("Cannot open audit interface - aborting.\n"),
|
||||
log_get_logfd());
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* This function will log a message to the audit system using a predefined
|
||||
* message format. Parameter usage is as follows:
|
||||
*
|
||||
* type - type of message: AUDIT_USER_CHAUTHTOK for changing any account
|
||||
* attributes.
|
||||
* pgname - program's name
|
||||
* op - operation. "adding user", "changing finger info", "deleting group"
|
||||
* name - user's account or group name. If not available use NULL.
|
||||
* id - uid or gid that the operation is being performed on. This is used
|
||||
* only when user is NULL.
|
||||
*/
|
||||
void audit_logger (int type, unused const char *pgname, const char *op,
|
||||
const char *name, unsigned int id,
|
||||
shadow_audit_result result)
|
||||
{
|
||||
if (audit_fd < 0) {
|
||||
return;
|
||||
} else {
|
||||
audit_log_acct_message (audit_fd, type, NULL, op, name, id,
|
||||
NULL, NULL, NULL, result);
|
||||
}
|
||||
}
|
||||
|
||||
void audit_logger_message (const char *message, shadow_audit_result result)
|
||||
{
|
||||
if (audit_fd < 0) {
|
||||
return;
|
||||
} else {
|
||||
audit_log_user_message (audit_fd,
|
||||
AUDIT_USYS_CONFIG,
|
||||
message,
|
||||
NULL, /* hostname */
|
||||
NULL, /* addr */
|
||||
NULL, /* tty */
|
||||
result);
|
||||
}
|
||||
}
|
||||
|
||||
#else /* WITH_AUDIT */
|
||||
extern int ISO_C_forbids_an_empty_translation_unit;
|
||||
#endif /* WITH_AUDIT */
|
||||
|
||||
@@ -1,31 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1990 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 1997, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/*
|
||||
* basename.c - not worth copyrighting :-). Some versions of Linux libc
|
||||
* already have basename(), other versions don't. To avoid confusion,
|
||||
* we will not use the function from libc and use a different name here.
|
||||
* --marekm
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include "defines.h"
|
||||
#include "prototypes.h"
|
||||
/*@observer@*/const char *Basename (const char *str)
|
||||
{
|
||||
if (str == NULL) {
|
||||
abort ();
|
||||
}
|
||||
|
||||
char *cp = strrchr (str, '/');
|
||||
|
||||
return (NULL != cp) ? cp + 1 : str;
|
||||
}
|
||||
@@ -1,19 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2022 - 2023, Alejandro Colomar <alx@kernel.org>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include "bit.h"
|
||||
|
||||
#include <limits.h>
|
||||
|
||||
|
||||
extern inline unsigned long bit_ceilul(unsigned long x);
|
||||
extern inline unsigned long bit_ceil_wrapul(unsigned long x);
|
||||
extern inline int leading_zerosul(unsigned long x);
|
||||
@@ -1,53 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2022 - 2023, Alejandro Colomar <alx@kernel.org>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
|
||||
#ifndef SHADOW_INCLUDE_LIB_BIT_H_
|
||||
#define SHADOW_INCLUDE_LIB_BIT_H_
|
||||
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <limits.h>
|
||||
|
||||
|
||||
#ifndef ULONG_WIDTH
|
||||
#define ULONG_WIDTH (sizeof(unsigned long) * CHAR_BIT)
|
||||
#endif
|
||||
|
||||
|
||||
inline unsigned long bit_ceilul(unsigned long x);
|
||||
inline unsigned long bit_ceil_wrapul(unsigned long x);
|
||||
inline int leading_zerosul(unsigned long x);
|
||||
|
||||
|
||||
/* stdc_bit_ceilul(3) */
|
||||
inline unsigned long
|
||||
bit_ceilul(unsigned long x)
|
||||
{
|
||||
return 1 + (ULONG_MAX >> leading_zerosul(x));
|
||||
}
|
||||
|
||||
|
||||
/* stdc_bit_ceilul(3), but wrap instead of having Undefined Behavior */
|
||||
inline unsigned long
|
||||
bit_ceil_wrapul(unsigned long x)
|
||||
{
|
||||
if (x == 0)
|
||||
return 0;
|
||||
|
||||
return bit_ceilul(x);
|
||||
}
|
||||
|
||||
/* stdc_leading_zerosul(3) */
|
||||
inline int
|
||||
leading_zerosul(unsigned long x)
|
||||
{
|
||||
return (x == 0) ? ULONG_WIDTH : __builtin_clzl(x);
|
||||
}
|
||||
|
||||
|
||||
#endif // include guard
|
||||
-110
@@ -1,110 +0,0 @@
|
||||
#include <linux/btrfs_tree.h>
|
||||
#include <linux/magic.h>
|
||||
#include <sys/statfs.h>
|
||||
#include <stdbool.h>
|
||||
|
||||
#include "prototypes.h"
|
||||
|
||||
static bool path_exists(const char *p)
|
||||
{
|
||||
struct stat sb;
|
||||
|
||||
return stat(p, &sb) == 0;
|
||||
}
|
||||
|
||||
static const char *btrfs_cmd(void)
|
||||
{
|
||||
const char *const btrfs_paths[] = {"/sbin/btrfs",
|
||||
"/bin/btrfs", "/usr/sbin/btrfs", "/usr/bin/btrfs", NULL};
|
||||
const char *p;
|
||||
int i;
|
||||
|
||||
for (i = 0, p = btrfs_paths[i]; p; i++, p = btrfs_paths[i])
|
||||
if (path_exists(p))
|
||||
return p;
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int run_btrfs_subvolume_cmd(const char *subcmd, const char *arg1, const char *arg2)
|
||||
{
|
||||
int status = 0;
|
||||
const char *cmd = btrfs_cmd();
|
||||
const char *argv[] = {
|
||||
"btrfs",
|
||||
"subvolume",
|
||||
subcmd,
|
||||
arg1,
|
||||
arg2,
|
||||
NULL
|
||||
};
|
||||
|
||||
if (!cmd || access(cmd, X_OK)) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (run_command(cmd, argv, NULL, &status))
|
||||
return -1;
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
int btrfs_create_subvolume(const char *path)
|
||||
{
|
||||
return run_btrfs_subvolume_cmd("create", path, NULL);
|
||||
}
|
||||
|
||||
|
||||
int btrfs_remove_subvolume(const char *path)
|
||||
{
|
||||
return run_btrfs_subvolume_cmd("delete", "-C", path);
|
||||
}
|
||||
|
||||
|
||||
/* Adapted from btrfsprogs */
|
||||
/*
|
||||
* This intentionally duplicates btrfs_util_is_subvolume_fd() instead of opening
|
||||
* a file descriptor and calling it, because fstat() and fstatfs() don't accept
|
||||
* file descriptors opened with O_PATH on old kernels (before v3.6 and before
|
||||
* v3.12, respectively), but stat() and statfs() can be called on a path that
|
||||
* the user doesn't have read or write permissions to.
|
||||
*
|
||||
* returns:
|
||||
* 1 - btrfs subvolume
|
||||
* 0 - not btrfs subvolume
|
||||
* -1 - error
|
||||
*/
|
||||
int btrfs_is_subvolume(const char *path)
|
||||
{
|
||||
struct stat st;
|
||||
int ret;
|
||||
|
||||
ret = is_btrfs(path);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
|
||||
ret = stat(path, &st);
|
||||
if (ret == -1)
|
||||
return -1;
|
||||
|
||||
if (st.st_ino != BTRFS_FIRST_FREE_OBJECTID || !S_ISDIR(st.st_mode)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
/* Adapted from btrfsprogs */
|
||||
int is_btrfs(const char *path)
|
||||
{
|
||||
struct statfs sfs;
|
||||
int ret;
|
||||
|
||||
ret = statfs(path, &sfs);
|
||||
if (ret == -1)
|
||||
return -1;
|
||||
|
||||
return sfs.f_type == BTRFS_SUPER_MAGIC;
|
||||
}
|
||||
|
||||
-102
@@ -1,102 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1990 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2001 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2005 - 2008, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/*
|
||||
* is_valid_user_name(), is_valid_group_name() - check the new user/group
|
||||
* name for validity;
|
||||
* return values:
|
||||
* true - OK
|
||||
* false - bad name
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <ctype.h>
|
||||
#include "defines.h"
|
||||
#include "chkname.h"
|
||||
|
||||
int allow_bad_names = false;
|
||||
|
||||
static bool is_valid_name (const char *name)
|
||||
{
|
||||
if (allow_bad_names) {
|
||||
return true;
|
||||
}
|
||||
|
||||
/*
|
||||
* User/group names must match gnu e-regex:
|
||||
* [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
|
||||
*
|
||||
* as a non-POSIX, extension, allow "$" as the last char for
|
||||
* sake of Samba 3.x "add machine script"
|
||||
*
|
||||
* Also do not allow fully numeric names or just "." or "..".
|
||||
*/
|
||||
int numeric;
|
||||
|
||||
if ('\0' == *name ||
|
||||
('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
|
||||
'\0' == name[1])) ||
|
||||
!((*name >= 'a' && *name <= 'z') ||
|
||||
(*name >= 'A' && *name <= 'Z') ||
|
||||
(*name >= '0' && *name <= '9') ||
|
||||
*name == '_' ||
|
||||
*name == '.')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
numeric = isdigit(*name);
|
||||
|
||||
while ('\0' != *++name) {
|
||||
if (!((*name >= 'a' && *name <= 'z') ||
|
||||
(*name >= 'A' && *name <= 'Z') ||
|
||||
(*name >= '0' && *name <= '9') ||
|
||||
*name == '_' ||
|
||||
*name == '.' ||
|
||||
*name == '-' ||
|
||||
(*name == '$' && name[1] == '\0')
|
||||
)) {
|
||||
return false;
|
||||
}
|
||||
numeric &= isdigit(*name);
|
||||
}
|
||||
|
||||
return !numeric;
|
||||
}
|
||||
|
||||
bool is_valid_user_name (const char *name)
|
||||
{
|
||||
size_t maxlen;
|
||||
|
||||
/*
|
||||
* User names length are limited by the kernel
|
||||
*/
|
||||
maxlen = sysconf(_SC_LOGIN_NAME_MAX);
|
||||
if (strlen(name) >= maxlen)
|
||||
return false;
|
||||
|
||||
return is_valid_name (name);
|
||||
}
|
||||
|
||||
bool is_valid_group_name (const char *name)
|
||||
{
|
||||
/*
|
||||
* Arbitrary limit for group names.
|
||||
* HP-UX 10 limits to 16 characters
|
||||
*/
|
||||
if ( (GROUP_NAME_MAX_LENGTH > 0)
|
||||
&& (strlen (name) > GROUP_NAME_MAX_LENGTH)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return is_valid_name (name);
|
||||
}
|
||||
|
||||
@@ -1,27 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1990 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1997 - 2000, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2005 , Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2008 , Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/* $Id$ */
|
||||
#ifndef _CHKNAME_H_
|
||||
#define _CHKNAME_H_
|
||||
|
||||
/*
|
||||
* is_valid_user_name(), is_valid_group_name() - check the new user/group
|
||||
* name for validity;
|
||||
* return values:
|
||||
* true - OK
|
||||
* false - bad name
|
||||
*/
|
||||
|
||||
#include "defines.h"
|
||||
|
||||
extern bool is_valid_user_name (const char *name);
|
||||
extern bool is_valid_group_name (const char *name);
|
||||
|
||||
#endif
|
||||
-146
@@ -1,146 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1992 - 1993, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2010 - , Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
static int chown_tree_at (int at_fd,
|
||||
const char *path,
|
||||
uid_t old_uid,
|
||||
uid_t new_uid,
|
||||
gid_t old_gid,
|
||||
gid_t new_gid)
|
||||
{
|
||||
DIR *dir;
|
||||
const struct dirent *ent;
|
||||
struct stat dir_sb;
|
||||
int dir_fd, rc = 0;
|
||||
|
||||
dir_fd = openat (at_fd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
|
||||
if (dir_fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
dir = fdopendir (dir_fd);
|
||||
if (!dir) {
|
||||
(void) close (dir_fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Open the directory and read each entry. Every entry is tested
|
||||
* to see if it is a directory, and if so this routine is called
|
||||
* recursively. If not, it is checked to see if an ownership
|
||||
* shall be changed.
|
||||
*/
|
||||
while ((ent = readdir (dir))) {
|
||||
uid_t tmpuid = (uid_t) -1;
|
||||
gid_t tmpgid = (gid_t) -1;
|
||||
struct stat ent_sb;
|
||||
|
||||
/*
|
||||
* Skip the "." and ".." entries
|
||||
*/
|
||||
if ( (strcmp (ent->d_name, ".") == 0)
|
||||
|| (strcmp (ent->d_name, "..") == 0)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
rc = fstatat (dirfd(dir), ent->d_name, &ent_sb, AT_SYMLINK_NOFOLLOW);
|
||||
if (rc < 0) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (S_ISDIR (ent_sb.st_mode)) {
|
||||
/*
|
||||
* Do the entire subdirectory.
|
||||
*/
|
||||
rc = chown_tree_at (dirfd(dir), ent->d_name, old_uid, new_uid, old_gid, new_gid);
|
||||
if (0 != rc) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* By default, the IDs are not changed (-1).
|
||||
*
|
||||
* If the file is not owned by the user, the owner is not
|
||||
* changed.
|
||||
*
|
||||
* If the file is not group-owned by the group, the
|
||||
* group-owner is not changed.
|
||||
*/
|
||||
if (((uid_t) -1 == old_uid) || (ent_sb.st_uid == old_uid)) {
|
||||
tmpuid = new_uid;
|
||||
}
|
||||
if (((gid_t) -1 == old_gid) || (ent_sb.st_gid == old_gid)) {
|
||||
tmpgid = new_gid;
|
||||
}
|
||||
if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
|
||||
rc = fchownat (dirfd(dir), ent->d_name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
|
||||
if (0 != rc) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Now do the root of the tree
|
||||
*/
|
||||
if ((0 == rc) && (fstat (dirfd(dir), &dir_sb) == 0)) {
|
||||
uid_t tmpuid = (uid_t) -1;
|
||||
gid_t tmpgid = (gid_t) -1;
|
||||
if (((uid_t) -1 == old_uid) || (dir_sb.st_uid == old_uid)) {
|
||||
tmpuid = new_uid;
|
||||
}
|
||||
if (((gid_t) -1 == old_gid) || (dir_sb.st_gid == old_gid)) {
|
||||
tmpgid = new_gid;
|
||||
}
|
||||
if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
|
||||
rc = fchown (dirfd(dir), tmpuid, tmpgid);
|
||||
}
|
||||
} else {
|
||||
rc = -1;
|
||||
}
|
||||
|
||||
(void) closedir (dir);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
/*
|
||||
* chown_tree - change ownership of files in a directory tree
|
||||
*
|
||||
* chown_dir() walks a directory tree and changes the ownership
|
||||
* of all files owned by the provided user ID.
|
||||
*
|
||||
* Only files owned (resp. group-owned) by old_uid (resp. by old_gid)
|
||||
* will have their ownership (resp. group-ownership) modified, unless
|
||||
* old_uid (resp. old_gid) is set to -1.
|
||||
*
|
||||
* new_uid and new_gid can be set to -1 to indicate that no owner or
|
||||
* group-owner shall be changed.
|
||||
*/
|
||||
int chown_tree (const char *root,
|
||||
uid_t old_uid,
|
||||
uid_t new_uid,
|
||||
gid_t old_gid,
|
||||
gid_t new_gid)
|
||||
{
|
||||
return chown_tree_at (AT_FDCWD, root, old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
@@ -1,79 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2001, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <grp.h>
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#include <pwd.h>
|
||||
#include "getdef.h"
|
||||
#include "shadowlog.h"
|
||||
|
||||
/*
|
||||
* chown_tty() sets the login tty to be owned by the new user ID
|
||||
* with TTYPERM modes
|
||||
*/
|
||||
|
||||
void chown_tty (const struct passwd *info)
|
||||
{
|
||||
struct group *grent;
|
||||
gid_t gid;
|
||||
|
||||
/*
|
||||
* See if login.defs has some value configured for the port group
|
||||
* ID. Otherwise, use the user's primary group ID.
|
||||
*/
|
||||
|
||||
grent = getgr_nam_gid (getdef_str ("TTYGROUP"));
|
||||
if (NULL != grent) {
|
||||
gid = grent->gr_gid;
|
||||
gr_free (grent);
|
||||
} else {
|
||||
gid = info->pw_gid;
|
||||
}
|
||||
|
||||
/*
|
||||
* Change the permissions on the TTY to be owned by the user with
|
||||
* the group as determined above.
|
||||
*/
|
||||
|
||||
if ( (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
|
||||
|| (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
|
||||
int err = errno;
|
||||
FILE *shadow_logfd = log_get_logfd();
|
||||
|
||||
fprintf (shadow_logfd,
|
||||
_("Unable to change owner or mode of tty stdin: %s"),
|
||||
strerror (err));
|
||||
SYSLOG ((LOG_WARN,
|
||||
"unable to change owner or mode of tty stdin for user `%s': %s\n",
|
||||
info->pw_name, strerror (err)));
|
||||
if (EROFS != err) {
|
||||
closelog ();
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
#ifdef __linux__
|
||||
/*
|
||||
* Please don't add code to chown /dev/vcs* to the user logging in -
|
||||
* it's a potential security hole. I wouldn't like the previous user
|
||||
* to hold the file descriptor open and watch my screen. We don't
|
||||
* have the *BSD revoke() system call yet, and vhangup() only works
|
||||
* for tty devices (which vcs* is not). --marekm
|
||||
*/
|
||||
#endif
|
||||
}
|
||||
|
||||
-121
@@ -1,121 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2008 - 2011, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <assert.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "prototypes.h"
|
||||
|
||||
/*
|
||||
* The cleanup_functions stack.
|
||||
*/
|
||||
#define CLEANUP_FUNCTIONS 10
|
||||
|
||||
typedef /*@null@*/void * parg_t;
|
||||
|
||||
static cleanup_function cleanup_functions[CLEANUP_FUNCTIONS];
|
||||
static parg_t cleanup_function_args[CLEANUP_FUNCTIONS];
|
||||
static pid_t cleanup_pid = 0;
|
||||
|
||||
/*
|
||||
* - Cleanup functions shall not fail.
|
||||
* - You should register do_cleanups with atexit.
|
||||
* - You should add cleanup functions to the stack with add_cleanup when
|
||||
* an operation is expected to be executed later, and remove it from the
|
||||
* stack with del_cleanup when it has been executed.
|
||||
*
|
||||
**/
|
||||
|
||||
/*
|
||||
* do_cleanups - perform the actions stored in the cleanup_functions stack.
|
||||
*
|
||||
* Cleanup action are not executed on exit of the processes started by the
|
||||
* parent (first caller of add_cleanup).
|
||||
*
|
||||
* It is intended to be used as:
|
||||
* atexit (do_cleanups);
|
||||
*/
|
||||
void do_cleanups (void)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
/* Make sure there were no overflow */
|
||||
assert (NULL == cleanup_functions[CLEANUP_FUNCTIONS-1]);
|
||||
|
||||
if (getpid () != cleanup_pid) {
|
||||
return;
|
||||
}
|
||||
|
||||
i = CLEANUP_FUNCTIONS;
|
||||
do {
|
||||
i--;
|
||||
if (cleanup_functions[i] != NULL) {
|
||||
cleanup_functions[i] (cleanup_function_args[i]);
|
||||
}
|
||||
} while (i>0);
|
||||
}
|
||||
|
||||
/*
|
||||
* add_cleanup - Add a cleanup_function to the cleanup_functions stack.
|
||||
*/
|
||||
void add_cleanup (/*@notnull@*/cleanup_function pcf, /*@null@*/void *arg)
|
||||
{
|
||||
unsigned int i;
|
||||
assert (NULL != pcf);
|
||||
|
||||
assert (NULL == cleanup_functions[CLEANUP_FUNCTIONS-2]);
|
||||
|
||||
if (0 == cleanup_pid) {
|
||||
cleanup_pid = getpid ();
|
||||
}
|
||||
|
||||
/* Add the cleanup_function at the end of the stack */
|
||||
for (i=0; NULL != cleanup_functions[i]; i++);
|
||||
cleanup_functions[i] = pcf;
|
||||
cleanup_function_args[i] = arg;
|
||||
}
|
||||
|
||||
/*
|
||||
* del_cleanup - Remove a cleanup_function from the cleanup_functions stack.
|
||||
*/
|
||||
void del_cleanup (/*@notnull@*/cleanup_function pcf)
|
||||
{
|
||||
unsigned int i;
|
||||
assert (NULL != pcf);
|
||||
|
||||
/* Find the pcf cleanup function */
|
||||
for (i=0; i<CLEANUP_FUNCTIONS; i++) {
|
||||
if (cleanup_functions[i] == pcf) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Make sure the cleanup function was found */
|
||||
assert (i<CLEANUP_FUNCTIONS);
|
||||
|
||||
/* Move the rest of the cleanup functions */
|
||||
for (; i<CLEANUP_FUNCTIONS; i++) {
|
||||
/* Make sure the cleanup function was specified only once */
|
||||
assert ( (i == (CLEANUP_FUNCTIONS -1))
|
||||
|| (cleanup_functions[i+1] != pcf));
|
||||
|
||||
if (i == (CLEANUP_FUNCTIONS -1)) {
|
||||
cleanup_functions[i] = NULL;
|
||||
cleanup_function_args[i] = NULL;
|
||||
} else {
|
||||
cleanup_functions[i] = cleanup_functions[i+1];
|
||||
cleanup_function_args[i] = cleanup_function_args[i+1];
|
||||
}
|
||||
|
||||
/* A NULL indicates the end of the stack */
|
||||
if (NULL == cleanup_functions[i]) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,215 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2008 , Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <assert.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "defines.h"
|
||||
#include "groupio.h"
|
||||
#include "sgroupio.h"
|
||||
#include "prototypes.h"
|
||||
#include "shadowlog.h"
|
||||
|
||||
/*
|
||||
* cleanup_report_add_group - Report failure to add a group to the system
|
||||
*
|
||||
* It should be registered when it is decided to add a group to the system.
|
||||
*/
|
||||
void cleanup_report_add_group (void *group_name)
|
||||
{
|
||||
const char *name = group_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to add group %s", name));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
|
||||
"",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* cleanup_report_del_group - Report failure to remove a group from the system
|
||||
*
|
||||
* It should be registered when it is decided to remove a group from the system.
|
||||
*/
|
||||
void cleanup_report_del_group (void *group_name)
|
||||
{
|
||||
const char *name = group_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to remove group %s", name));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_DEL_GROUP, log_get_progname(),
|
||||
"",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
void cleanup_report_mod_group (void *cleanup_info)
|
||||
{
|
||||
const struct cleanup_info_mod *info;
|
||||
info = (const struct cleanup_info_mod *)cleanup_info;
|
||||
|
||||
SYSLOG ((LOG_ERR,
|
||||
"failed to change %s (%s)",
|
||||
gr_dbname (),
|
||||
info->action));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USER_ACCT, log_get_progname(),
|
||||
info->audit_msg,
|
||||
info->name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
void cleanup_report_mod_gshadow (void *cleanup_info)
|
||||
{
|
||||
const struct cleanup_info_mod *info;
|
||||
info = (const struct cleanup_info_mod *)cleanup_info;
|
||||
|
||||
SYSLOG ((LOG_ERR,
|
||||
"failed to change %s (%s)",
|
||||
sgr_dbname (),
|
||||
info->action));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USER_ACCT, log_get_progname(),
|
||||
info->audit_msg,
|
||||
info->name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* cleanup_report_add_group_group - Report failure to add a group to group
|
||||
*
|
||||
* It should be registered when it is decided to add a group to the
|
||||
* group database.
|
||||
*/
|
||||
void cleanup_report_add_group_group (void *group_name)
|
||||
{
|
||||
const char *name = group_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
|
||||
"adding group to /etc/group",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
/*
|
||||
* cleanup_report_add_group_gshadow - Report failure to add a group to gshadow
|
||||
*
|
||||
* It should be registered when it is decided to add a group to the
|
||||
* gshadow database.
|
||||
*/
|
||||
void cleanup_report_add_group_gshadow (void *group_name)
|
||||
{
|
||||
const char *name = group_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
|
||||
"adding group to /etc/gshadow",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* cleanup_report_del_group_group - Report failure to remove a group from the
|
||||
* regular group database
|
||||
*
|
||||
* It should be registered when it is decided to remove a group from the
|
||||
* regular group database.
|
||||
*/
|
||||
void cleanup_report_del_group_group (void *group_name)
|
||||
{
|
||||
const char *name = group_name;
|
||||
|
||||
SYSLOG ((LOG_ERR,
|
||||
"failed to remove group %s from %s",
|
||||
name, gr_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
|
||||
"removing group from /etc/group",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
/*
|
||||
* cleanup_report_del_group_gshadow - Report failure to remove a group from
|
||||
* gshadow
|
||||
*
|
||||
* It should be registered when it is decided to remove a group from the
|
||||
* gshadow database.
|
||||
*/
|
||||
void cleanup_report_del_group_gshadow (void *group_name)
|
||||
{
|
||||
const char *name = group_name;
|
||||
|
||||
SYSLOG ((LOG_ERR,
|
||||
"failed to remove group %s from %s",
|
||||
name, sgr_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
|
||||
"removing group from /etc/gshadow",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* cleanup_unlock_group - Unlock the group file
|
||||
*
|
||||
* It should be registered after the group file is successfully locked.
|
||||
*/
|
||||
void cleanup_unlock_group (unused void *arg)
|
||||
{
|
||||
if (gr_unlock () == 0) {
|
||||
fprintf (log_get_logfd(),
|
||||
_("%s: failed to unlock %s\n"),
|
||||
log_get_progname(), gr_dbname ());
|
||||
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger_message ("unlocking group file",
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
/*
|
||||
* cleanup_unlock_gshadow - Unlock the gshadow file
|
||||
*
|
||||
* It should be registered after the gshadow file is successfully locked.
|
||||
*/
|
||||
void cleanup_unlock_gshadow (unused void *arg)
|
||||
{
|
||||
if (sgr_unlock () == 0) {
|
||||
fprintf (log_get_logfd(),
|
||||
_("%s: failed to unlock %s\n"),
|
||||
log_get_progname(), sgr_dbname ());
|
||||
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger_message ("unlocking gshadow file",
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -1,130 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2008 , Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <assert.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "defines.h"
|
||||
#include "pwio.h"
|
||||
#include "shadowio.h"
|
||||
#include "prototypes.h"
|
||||
#include "shadowlog.h"
|
||||
|
||||
/*
|
||||
* cleanup_report_add_user - Report failure to add a user to the system
|
||||
*
|
||||
* It should be registered when it is decided to add a user to the system.
|
||||
*/
|
||||
void cleanup_report_add_user (void *user_name)
|
||||
{
|
||||
const char *name = user_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to add user %s", name));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_USER, log_get_progname(),
|
||||
"",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
void cleanup_report_mod_passwd (void *cleanup_info)
|
||||
{
|
||||
const struct cleanup_info_mod *info;
|
||||
info = (const struct cleanup_info_mod *)cleanup_info;
|
||||
|
||||
SYSLOG ((LOG_ERR,
|
||||
"failed to change %s (%s)",
|
||||
pw_dbname (),
|
||||
info->action));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_USER_ACCT, log_get_progname(),
|
||||
info->audit_msg,
|
||||
info->name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* cleanup_report_add_user_passwd - Report failure to add a user to
|
||||
* /etc/passwd
|
||||
*
|
||||
* It should be registered when it is decided to add a user to the
|
||||
* /etc/passwd database.
|
||||
*/
|
||||
void cleanup_report_add_user_passwd (void *user_name)
|
||||
{
|
||||
const char *name = user_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_USER, log_get_progname(),
|
||||
"adding user to /etc/passwd",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* cleanup_report_add_user_shadow - Report failure to add a user to
|
||||
* /etc/shadow
|
||||
*
|
||||
* It should be registered when it is decided to add a user to the
|
||||
* /etc/shadow database.
|
||||
*/
|
||||
void cleanup_report_add_user_shadow (void *user_name)
|
||||
{
|
||||
const char *name = user_name;
|
||||
|
||||
SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger (AUDIT_ADD_USER, log_get_progname(),
|
||||
"adding user to /etc/shadow",
|
||||
name, AUDIT_NO_ID,
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* cleanup_unlock_passwd - Unlock the /etc/passwd database
|
||||
*
|
||||
* It should be registered after the passwd database is successfully locked.
|
||||
*/
|
||||
void cleanup_unlock_passwd (unused void *arg)
|
||||
{
|
||||
if (pw_unlock () == 0) {
|
||||
fprintf (log_get_logfd(),
|
||||
_("%s: failed to unlock %s\n"),
|
||||
log_get_progname(), pw_dbname ());
|
||||
SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger_message ("unlocking passwd file",
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* cleanup_unlock_shadow - Unlock the /etc/shadow database
|
||||
*
|
||||
* It should be registered after the shadow database is successfully locked.
|
||||
*/
|
||||
void cleanup_unlock_shadow (unused void *arg)
|
||||
{
|
||||
if (spw_unlock () == 0) {
|
||||
fprintf (log_get_logfd(),
|
||||
_("%s: failed to unlock %s\n"),
|
||||
log_get_progname(), spw_dbname ());
|
||||
SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
|
||||
#ifdef WITH_AUDIT
|
||||
audit_logger_message ("unlocking shadow file",
|
||||
SHADOW_AUDIT_FAILURE);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
-1263
File diff suppressed because it is too large
Load Diff
-145
@@ -1,145 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1990 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2001 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2010, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/* $Id$ */
|
||||
#ifndef COMMONIO_H
|
||||
#define COMMONIO_H
|
||||
|
||||
#include "defines.h" /* bool */
|
||||
|
||||
/*
|
||||
* Linked list entry.
|
||||
*/
|
||||
struct commonio_entry {
|
||||
/*@null@*/char *line;
|
||||
/*@null@*/void *eptr; /* struct passwd, struct spwd, ... */
|
||||
/*@dependent@*/ /*@null@*/struct commonio_entry *prev;
|
||||
/*@owned@*/ /*@null@*/struct commonio_entry *next;
|
||||
bool changed:1;
|
||||
};
|
||||
|
||||
/*
|
||||
* Operations depending on database type: passwd, group, shadow etc.
|
||||
*/
|
||||
struct commonio_ops {
|
||||
/*
|
||||
* Make a copy of the object (for example, struct passwd)
|
||||
* and all strings pointed by it, in malloced memory.
|
||||
*/
|
||||
/*@null@*/ /*@only@*/void *(*dup) (const void *);
|
||||
|
||||
/*
|
||||
* free() the object including any strings pointed by it.
|
||||
*/
|
||||
void (*free) (/*@out@*/ /*@only@*/void *);
|
||||
|
||||
/*
|
||||
* Return the name of the object (for example, pw_name
|
||||
* for struct passwd).
|
||||
*/
|
||||
const char *(*getname) (const void *);
|
||||
|
||||
/*
|
||||
* Parse a string, return object (in static area -
|
||||
* should be copied using the dup operation above).
|
||||
*/
|
||||
void *(*parse) (const char *);
|
||||
|
||||
/*
|
||||
* Write the object to the file (this calls putpwent()
|
||||
* for struct passwd, for example).
|
||||
*/
|
||||
int (*put) (const void *, FILE *);
|
||||
|
||||
/*
|
||||
* fgets and fputs (can be replaced by versions that
|
||||
* understand line continuation conventions).
|
||||
*/
|
||||
/*@null@*/char *(*fgets) (/*@returned@*/ /*@out@*/char *s, int n, FILE *stream);
|
||||
int (*fputs) (const char *, FILE *);
|
||||
|
||||
/*
|
||||
* open_hook and close_hook.
|
||||
* If non NULL, these functions will be called after the database
|
||||
* is open or before it is closed.
|
||||
* They return 0 on failure and 1 on success.
|
||||
*/
|
||||
/*@null@*/int (*open_hook) (void);
|
||||
/*@null@*/int (*close_hook) (void);
|
||||
};
|
||||
|
||||
/*
|
||||
* Database structure.
|
||||
*/
|
||||
struct commonio_db {
|
||||
/*
|
||||
* Name of the data file.
|
||||
*/
|
||||
char filename[1024];
|
||||
|
||||
/*
|
||||
* Operations from above.
|
||||
*/
|
||||
/*@observer@*/const struct commonio_ops *ops;
|
||||
|
||||
/*
|
||||
* Currently open file stream.
|
||||
*/
|
||||
/*@dependent@*/ /*@null@*/FILE *fp;
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
/*@null@*/char *scontext;
|
||||
#endif
|
||||
/*
|
||||
* Default permissions and owner for newly created data file.
|
||||
*/
|
||||
mode_t st_mode;
|
||||
uid_t st_uid;
|
||||
gid_t st_gid;
|
||||
/*
|
||||
* Head, tail, current position in linked list.
|
||||
*/
|
||||
/*@owned@*/ /*@null@*/struct commonio_entry *head;
|
||||
/*@dependent@*/ /*@null@*/struct commonio_entry *tail;
|
||||
/*@dependent@*/ /*@null@*/struct commonio_entry *cursor;
|
||||
|
||||
/*
|
||||
* Various flags.
|
||||
*/
|
||||
bool changed:1;
|
||||
bool isopen:1;
|
||||
bool locked:1;
|
||||
bool readonly:1;
|
||||
bool setname:1;
|
||||
};
|
||||
|
||||
extern int commonio_setname (struct commonio_db *, const char *);
|
||||
extern bool commonio_present (const struct commonio_db *db);
|
||||
extern int commonio_lock (struct commonio_db *);
|
||||
extern int commonio_lock_nowait (struct commonio_db *, bool log);
|
||||
extern int do_fcntl_lock (const char *file, bool log, short type);
|
||||
extern int commonio_open (struct commonio_db *, int);
|
||||
extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
|
||||
extern int commonio_update (struct commonio_db *, const void *);
|
||||
#ifdef ENABLE_SUBIDS
|
||||
extern int commonio_append (struct commonio_db *, const void *);
|
||||
#endif /* ENABLE_SUBIDS */
|
||||
extern int commonio_remove (struct commonio_db *, const char *);
|
||||
extern int commonio_rewind (struct commonio_db *);
|
||||
extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
|
||||
extern int commonio_close (struct commonio_db *);
|
||||
extern int commonio_unlock (struct commonio_db *);
|
||||
extern void commonio_del_entry (struct commonio_db *,
|
||||
const struct commonio_entry *);
|
||||
extern int commonio_sort_wrt (struct commonio_db *shadow,
|
||||
const struct commonio_db *passwd);
|
||||
extern int commonio_sort (struct commonio_db *db,
|
||||
int (*cmp) (const void *, const void *));
|
||||
|
||||
#endif
|
||||
-108
@@ -1,108 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1991 , Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1991 , Chip Rosenthal
|
||||
* SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2010, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
#include "defines.h"
|
||||
#include <stdio.h>
|
||||
#include "getdef.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
/*
|
||||
* This is now rather generic function which decides if "tty" is listed
|
||||
* under "cfgin" in config (directly or indirectly). Fallback to default if
|
||||
* something is bad.
|
||||
*/
|
||||
static bool is_listed (const char *cfgin, const char *tty, bool def)
|
||||
{
|
||||
FILE *fp;
|
||||
char buf[1024], *s;
|
||||
const char *cons;
|
||||
|
||||
/*
|
||||
* If the CONSOLE configuration definition isn't given,
|
||||
* fallback to default.
|
||||
*/
|
||||
|
||||
cons = getdef_str (cfgin);
|
||||
if (NULL == cons) {
|
||||
return def;
|
||||
}
|
||||
|
||||
/*
|
||||
* If this isn't a filename, then it is a ":" delimited list of
|
||||
* console devices upon which root logins are allowed.
|
||||
*/
|
||||
|
||||
if (*cons != '/') {
|
||||
char *pbuf;
|
||||
strlcpy (buf, cons, sizeof (buf));
|
||||
pbuf = &buf[0];
|
||||
while ((s = strtok (pbuf, ":")) != NULL) {
|
||||
if (strcmp (s, tty) == 0) {
|
||||
return true;
|
||||
}
|
||||
|
||||
pbuf = NULL;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* If we can't open the console list, then call everything a
|
||||
* console - otherwise root will never be allowed to login.
|
||||
*/
|
||||
|
||||
fp = fopen (cons, "r");
|
||||
if (NULL == fp) {
|
||||
return def;
|
||||
}
|
||||
|
||||
/*
|
||||
* See if this tty is listed in the console file.
|
||||
*/
|
||||
|
||||
while (fgets (buf, sizeof (buf), fp) != NULL) {
|
||||
/* Remove optional trailing '\n'. */
|
||||
buf[strcspn (buf, "\n")] = '\0';
|
||||
if (strcmp (buf, tty) == 0) {
|
||||
(void) fclose (fp);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* This tty isn't a console.
|
||||
*/
|
||||
|
||||
(void) fclose (fp);
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* console - return 1 if the "tty" is a console device, else 0.
|
||||
*
|
||||
* Note - we need to take extreme care here to avoid locking out root logins
|
||||
* if something goes awry. That's why we do things like call everything a
|
||||
* console if the consoles file can't be opened. Because of this, we must
|
||||
* warn the user to protect against the remove of the consoles file since
|
||||
* that would allow an unauthorized root login.
|
||||
*/
|
||||
|
||||
bool console (const char *tty)
|
||||
{
|
||||
if (strncmp (tty, "/dev/", 5) == 0) {
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
return is_listed ("CONSOLE", tty, true);
|
||||
}
|
||||
|
||||
-934
@@ -1,934 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1991 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2001, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2006, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2010, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <assert.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "alloc.h"
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#endif /* WITH_SELINUX */
|
||||
#if defined(WITH_ACL) || defined(WITH_ATTR)
|
||||
#include <stdarg.h>
|
||||
#include <attr/error_context.h>
|
||||
#endif /* WITH_ACL || WITH_ATTR */
|
||||
#ifdef WITH_ACL
|
||||
#include <acl/libacl.h>
|
||||
#endif /* WITH_ACL */
|
||||
#ifdef WITH_ATTR
|
||||
#include <attr/libattr.h>
|
||||
#endif /* WITH_ATTR */
|
||||
#include "shadowlog.h"
|
||||
|
||||
|
||||
static /*@null@*/const char *src_orig;
|
||||
static /*@null@*/const char *dst_orig;
|
||||
|
||||
struct link_name {
|
||||
dev_t ln_dev;
|
||||
ino_t ln_ino;
|
||||
nlink_t ln_count;
|
||||
char *ln_name;
|
||||
/*@dependent@*/struct link_name *ln_next;
|
||||
};
|
||||
static /*@exposed@*/struct link_name *links;
|
||||
|
||||
struct path_info {
|
||||
const char *full_path;
|
||||
int dirfd;
|
||||
const char *name;
|
||||
};
|
||||
|
||||
static int copy_entry (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
static int copy_dir (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
static /*@null@*/char *readlink_malloc (const char *filename);
|
||||
static int copy_symlink (const struct path_info *src, const struct path_info *dst,
|
||||
unused bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
static int copy_hardlink (const struct path_info *dst,
|
||||
unused bool reset_selinux,
|
||||
struct link_name *lp);
|
||||
static int copy_special (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
static int copy_file (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
static int chownat_if_needed (const struct path_info *dst, const struct stat *statp,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
static int fchown_if_needed (int fdst, const struct stat *statp,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid);
|
||||
|
||||
#if defined(WITH_ACL) || defined(WITH_ATTR)
|
||||
/*
|
||||
* error_acl - format the error messages for the ACL and EQ libraries.
|
||||
*/
|
||||
format_attr(printf, 2, 3)
|
||||
static void error_acl (unused struct error_context *ctx, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
FILE *shadow_logfd = log_get_logfd();
|
||||
|
||||
/* ignore the case when destination does not support ACLs
|
||||
* or extended attributes */
|
||||
if (ENOTSUP == errno) {
|
||||
errno = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
va_start (ap, fmt);
|
||||
(void) fprintf (shadow_logfd, _("%s: "), log_get_progname());
|
||||
if (vfprintf (shadow_logfd, fmt, ap) != 0) {
|
||||
(void) fputs (_(": "), shadow_logfd);
|
||||
}
|
||||
(void) fprintf (shadow_logfd, "%s\n", strerror (errno));
|
||||
va_end (ap);
|
||||
}
|
||||
|
||||
static struct error_context ctx = {
|
||||
error_acl, NULL, NULL
|
||||
};
|
||||
#endif /* WITH_ACL || WITH_ATTR */
|
||||
|
||||
#ifdef WITH_ACL
|
||||
static int perm_copy_path(const struct path_info *src,
|
||||
const struct path_info *dst,
|
||||
struct error_context *errctx)
|
||||
{
|
||||
int src_fd, dst_fd, ret;
|
||||
|
||||
src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (src_fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (dst_fd < 0) {
|
||||
(void) close (src_fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret = perm_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, errctx);
|
||||
(void) close (src_fd);
|
||||
(void) close (dst_fd);
|
||||
return ret;
|
||||
}
|
||||
#endif /* WITH_ACL */
|
||||
|
||||
#ifdef WITH_ATTR
|
||||
static int attr_copy_path(const struct path_info *src,
|
||||
const struct path_info *dst,
|
||||
int (*callback) (const char *, struct error_context *),
|
||||
struct error_context *errctx)
|
||||
{
|
||||
int src_fd, dst_fd, ret;
|
||||
|
||||
src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (src_fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
|
||||
if (dst_fd < 0) {
|
||||
(void) close (src_fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret = attr_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, callback, errctx);
|
||||
(void) close (src_fd);
|
||||
(void) close (dst_fd);
|
||||
return ret;
|
||||
}
|
||||
#endif /* WITH_ATTR */
|
||||
|
||||
/*
|
||||
* remove_link - delete a link from the linked list
|
||||
*/
|
||||
static void remove_link (/*@only@*/struct link_name *ln)
|
||||
{
|
||||
struct link_name *lp;
|
||||
|
||||
if (links == ln) {
|
||||
links = ln->ln_next;
|
||||
free (ln->ln_name);
|
||||
free (ln);
|
||||
return;
|
||||
}
|
||||
for (lp = links; NULL !=lp; lp = lp->ln_next) {
|
||||
if (lp->ln_next == ln) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (NULL == lp) {
|
||||
free (ln->ln_name);
|
||||
free (ln);
|
||||
return;
|
||||
}
|
||||
|
||||
lp->ln_next = lp->ln_next->ln_next;
|
||||
free (ln->ln_name);
|
||||
free (ln);
|
||||
}
|
||||
|
||||
/*
|
||||
* check_link - see if a file is really a link
|
||||
*/
|
||||
|
||||
static /*@exposed@*/ /*@null@*/struct link_name *check_link (const char *name, const struct stat *sb)
|
||||
{
|
||||
struct link_name *lp;
|
||||
size_t src_len;
|
||||
size_t dst_len;
|
||||
size_t name_len;
|
||||
size_t len;
|
||||
|
||||
/* copy_tree () must be the entry point */
|
||||
assert (NULL != src_orig);
|
||||
assert (NULL != dst_orig);
|
||||
|
||||
for (lp = links; NULL != lp; lp = lp->ln_next) {
|
||||
if ((lp->ln_dev == sb->st_dev) && (lp->ln_ino == sb->st_ino)) {
|
||||
return lp;
|
||||
}
|
||||
}
|
||||
|
||||
if (sb->st_nlink == 1) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
lp = XMALLOC(1, struct link_name);
|
||||
src_len = strlen (src_orig);
|
||||
dst_len = strlen (dst_orig);
|
||||
name_len = strlen (name);
|
||||
lp->ln_dev = sb->st_dev;
|
||||
lp->ln_ino = sb->st_ino;
|
||||
lp->ln_count = sb->st_nlink;
|
||||
len = name_len - src_len + dst_len + 1;
|
||||
lp->ln_name = XMALLOC(len, char);
|
||||
(void) snprintf (lp->ln_name, len, "%s%s", dst_orig, name + src_len);
|
||||
lp->ln_next = links;
|
||||
links = lp;
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int copy_tree_impl (const struct path_info *src, const struct path_info *dst,
|
||||
bool copy_root, bool reset_selinux,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int dst_fd, src_fd, err = 0;
|
||||
bool set_orig = false;
|
||||
const struct dirent *ent;
|
||||
DIR *dir;
|
||||
|
||||
if (copy_root) {
|
||||
struct stat sb;
|
||||
|
||||
if ( fstatat (dst->dirfd, dst->name, &sb, 0) == 0
|
||||
|| errno != ENOENT) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (fstatat (src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!S_ISDIR (sb.st_mode)) {
|
||||
fprintf (log_get_logfd(),
|
||||
"%s: %s is not a directory",
|
||||
log_get_progname(), src->full_path);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return copy_entry (src, dst, reset_selinux,
|
||||
old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
|
||||
/*
|
||||
* Make certain both directories exist. This routine is called
|
||||
* after the home directory is created, or recursively after the
|
||||
* target is created. It assumes the target directory exists.
|
||||
*/
|
||||
|
||||
src_fd = openat (src->dirfd, src->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
|
||||
if (src_fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
dst_fd = openat (dst->dirfd, dst->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
|
||||
if (dst_fd < 0) {
|
||||
(void) close (src_fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Open the source directory and read each entry. Every file
|
||||
* entry in the directory is copied with the UID and GID set
|
||||
* to the provided values. As an added security feature only
|
||||
* regular files (and directories ...) are copied, and no file
|
||||
* is made set-ID.
|
||||
*/
|
||||
dir = fdopendir (src_fd);
|
||||
if (NULL == dir) {
|
||||
(void) close (src_fd);
|
||||
(void) close (dst_fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (src_orig == NULL) {
|
||||
src_orig = src->full_path;
|
||||
dst_orig = dst->full_path;
|
||||
set_orig = true;
|
||||
}
|
||||
while ((0 == err) && (ent = readdir (dir)) != NULL) {
|
||||
/*
|
||||
* Skip the "." and ".." entries
|
||||
*/
|
||||
if ((strcmp (ent->d_name, ".") != 0) &&
|
||||
(strcmp (ent->d_name, "..") != 0)) {
|
||||
char *src_name;
|
||||
char *dst_name;
|
||||
size_t src_len = strlen (ent->d_name) + 2;
|
||||
size_t dst_len = strlen (ent->d_name) + 2;
|
||||
src_len += strlen (src->full_path);
|
||||
dst_len += strlen (dst->full_path);
|
||||
|
||||
src_name = MALLOC(src_len, char);
|
||||
dst_name = MALLOC(dst_len, char);
|
||||
|
||||
if ((NULL == src_name) || (NULL == dst_name)) {
|
||||
err = -1;
|
||||
} else {
|
||||
/*
|
||||
* Build the filename for both the source and
|
||||
* the destination files.
|
||||
*/
|
||||
struct path_info src_entry, dst_entry;
|
||||
|
||||
(void) snprintf (src_name, src_len, "%s/%s",
|
||||
src->full_path, ent->d_name);
|
||||
(void) snprintf (dst_name, dst_len, "%s/%s",
|
||||
dst->full_path, ent->d_name);
|
||||
|
||||
src_entry.full_path = src_name;
|
||||
src_entry.dirfd = dirfd(dir);
|
||||
src_entry.name = ent->d_name;
|
||||
|
||||
dst_entry.full_path = dst_name;
|
||||
dst_entry.dirfd = dst_fd;
|
||||
dst_entry.name = ent->d_name;
|
||||
|
||||
err = copy_entry (&src_entry, &dst_entry,
|
||||
reset_selinux,
|
||||
old_uid, new_uid,
|
||||
old_gid, new_gid);
|
||||
}
|
||||
free (src_name);
|
||||
free (dst_name);
|
||||
}
|
||||
}
|
||||
(void) closedir (dir);
|
||||
(void) close (dst_fd);
|
||||
|
||||
if (set_orig) {
|
||||
src_orig = NULL;
|
||||
dst_orig = NULL;
|
||||
/* FIXME: clean links
|
||||
* Since there can be hardlinks elsewhere on the device,
|
||||
* we cannot check that all the hardlinks were found:
|
||||
assert (NULL == links);
|
||||
*/
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
/* Reset SELinux to create files with default contexts.
|
||||
* Note that the context is only reset on exit of copy_tree (it is
|
||||
* assumed that the program would quit without needing a restored
|
||||
* context if copy_tree failed previously), and that copy_tree can
|
||||
* be called recursively (hence the context is set on the
|
||||
* sub-functions of copy_entry).
|
||||
*/
|
||||
if (reset_selinux_file_context () != 0) {
|
||||
err = -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_entry - copy the entry of a directory
|
||||
*
|
||||
* Copy the entry src to dst.
|
||||
* Depending on the type of entry, this function will forward the
|
||||
* request to copy_dir(), copy_symlink(), copy_hardlink(),
|
||||
* copy_special(), or copy_file().
|
||||
*
|
||||
* The access and modification time will not be modified.
|
||||
*
|
||||
* The permissions will be set to new_uid/new_gid.
|
||||
*
|
||||
* If new_uid (resp. new_gid) is equal to -1, the user (resp. group) will
|
||||
* not be modified.
|
||||
*
|
||||
* Only the files owned (resp. group-owned) by old_uid (resp.
|
||||
* old_gid) will be modified, unless old_uid (resp. old_gid) is set
|
||||
* to -1.
|
||||
*/
|
||||
static int copy_entry (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int err = 0;
|
||||
struct stat sb;
|
||||
struct link_name *lp;
|
||||
struct timespec mt[2];
|
||||
|
||||
if (fstatat(src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
|
||||
/* If we cannot stat the file, do not care. */
|
||||
} else {
|
||||
mt[0].tv_sec = sb.st_atim.tv_sec;
|
||||
mt[0].tv_nsec = sb.st_atim.tv_nsec;
|
||||
|
||||
mt[1].tv_sec = sb.st_mtim.tv_sec;
|
||||
mt[1].tv_nsec = sb.st_mtim.tv_nsec;
|
||||
|
||||
if (S_ISDIR (sb.st_mode)) {
|
||||
err = copy_dir (src, dst, reset_selinux, &sb, mt,
|
||||
old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
|
||||
/*
|
||||
* If the destination already exists do nothing.
|
||||
* This is after the copy_dir above to still iterate into subdirectories.
|
||||
*/
|
||||
if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Copy any symbolic links
|
||||
*/
|
||||
|
||||
else if (S_ISLNK (sb.st_mode)) {
|
||||
err = copy_symlink (src, dst, reset_selinux, &sb, mt,
|
||||
old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
|
||||
/*
|
||||
* See if this is a previously copied link
|
||||
*/
|
||||
|
||||
else if ((lp = check_link (src->full_path, &sb)) != NULL) {
|
||||
err = copy_hardlink (dst, reset_selinux, lp);
|
||||
}
|
||||
|
||||
/*
|
||||
* Deal with FIFOs and special files. The user really
|
||||
* shouldn't have any of these, but it seems like it
|
||||
* would be nice to copy everything ...
|
||||
*/
|
||||
|
||||
else if (!S_ISREG (sb.st_mode)) {
|
||||
err = copy_special (src, dst, reset_selinux, &sb, mt,
|
||||
old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
|
||||
/*
|
||||
* Create the new file and copy the contents. The new
|
||||
* file will be owned by the provided UID and GID values.
|
||||
*/
|
||||
|
||||
else {
|
||||
err = copy_file (src, dst, reset_selinux, &sb, mt,
|
||||
old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
}
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_dir - copy a directory
|
||||
*
|
||||
* Copy a directory (recursively) from src to dst.
|
||||
*
|
||||
* statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
|
||||
* the access and modification and the access rights.
|
||||
*
|
||||
* Return 0 on success, -1 on error.
|
||||
*/
|
||||
static int copy_dir (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int err = 0;
|
||||
struct stat dst_sb;
|
||||
|
||||
/*
|
||||
* Create a new target directory, make it owned by
|
||||
* the user and then recursively copy that directory.
|
||||
*/
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
if (set_selinux_file_context (dst->full_path, S_IFDIR) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
/*
|
||||
* If the destination is already a directory, don't change it
|
||||
* but copy into it (recursively).
|
||||
*/
|
||||
if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
|
||||
return (copy_tree_impl (src, dst, false, reset_selinux,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0);
|
||||
}
|
||||
|
||||
if ( (mkdirat (dst->dirfd, dst->name, 0700) != 0)
|
||||
|| (chownat_if_needed (dst, statp,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)
|
||||
|| (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
|
||||
#ifdef WITH_ACL
|
||||
|| ( (perm_copy_path (src, dst, &ctx) != 0)
|
||||
&& (errno != 0))
|
||||
#endif /* WITH_ACL */
|
||||
#ifdef WITH_ATTR
|
||||
/*
|
||||
* If the third parameter is NULL, all extended attributes
|
||||
* except those that define Access Control Lists are copied.
|
||||
* ACLs are excluded by default because copying them between
|
||||
* file systems with and without ACL support needs some
|
||||
* additional logic so that no unexpected permissions result.
|
||||
*/
|
||||
|| ( !reset_selinux
|
||||
&& (attr_copy_path (src, dst, NULL, &ctx) != 0)
|
||||
&& (errno != 0))
|
||||
#endif /* WITH_ATTR */
|
||||
|| (copy_tree_impl (src, dst, false, reset_selinux,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)
|
||||
|| (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
|
||||
err = -1;
|
||||
}
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
/*
|
||||
* readlink_malloc - wrapper for readlink
|
||||
*
|
||||
* return NULL on error.
|
||||
* The return string shall be freed by the caller.
|
||||
*/
|
||||
static /*@null@*/char *readlink_malloc (const char *filename)
|
||||
{
|
||||
size_t size = 1024;
|
||||
|
||||
while (true) {
|
||||
ssize_t nchars;
|
||||
char *buffer = MALLOC(size, char);
|
||||
if (NULL == buffer) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
nchars = readlink (filename, buffer, size);
|
||||
|
||||
if (nchars < 0) {
|
||||
free(buffer);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((size_t) nchars < size) { /* The buffer was large enough */
|
||||
/* readlink does not nul-terminate */
|
||||
buffer[nchars] = '\0';
|
||||
return buffer;
|
||||
}
|
||||
|
||||
/* Try again with a bigger buffer */
|
||||
free (buffer);
|
||||
size *= 2;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_symlink - copy a symlink
|
||||
*
|
||||
* Copy a symlink from src to dst.
|
||||
*
|
||||
* statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
|
||||
* the access and modification and the access rights.
|
||||
*
|
||||
* Return 0 on success, -1 on error.
|
||||
*/
|
||||
static int copy_symlink (const struct path_info *src, const struct path_info *dst,
|
||||
unused bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
char *oldlink;
|
||||
|
||||
/* copy_tree () must be the entry point */
|
||||
assert (NULL != src_orig);
|
||||
assert (NULL != dst_orig);
|
||||
|
||||
/*
|
||||
* Get the name of the file which the link points
|
||||
* to. If that name begins with the original
|
||||
* source directory name, that part of the link
|
||||
* name will be replaced with the original
|
||||
* destination directory name.
|
||||
*/
|
||||
|
||||
oldlink = readlink_malloc (src->full_path);
|
||||
if (NULL == oldlink) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* If src was a link to an entry of the src_orig directory itself,
|
||||
* create a link to the corresponding entry in the dst_orig
|
||||
* directory.
|
||||
*/
|
||||
if (strncmp (oldlink, src_orig, strlen (src_orig)) == 0) {
|
||||
size_t len = strlen (dst_orig) + strlen (oldlink) - strlen (src_orig) + 1;
|
||||
char *dummy = XMALLOC(len, char);
|
||||
(void) snprintf (dummy, len, "%s%s",
|
||||
dst_orig,
|
||||
oldlink + strlen (src_orig));
|
||||
free (oldlink);
|
||||
oldlink = dummy;
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
if (set_selinux_file_context (dst->full_path, S_IFLNK) != 0) {
|
||||
free (oldlink);
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
if ( (symlinkat (oldlink, dst->dirfd, dst->name) != 0)
|
||||
|| (chownat_if_needed (dst, statp,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)) {
|
||||
/* FIXME: there are no modes on symlinks, right?
|
||||
* ACL could be copied, but this would be much more
|
||||
* complex than calling perm_copy_file.
|
||||
* Ditto for Extended Attributes.
|
||||
* We currently only document that ACL and Extended
|
||||
* Attributes are not copied.
|
||||
*/
|
||||
free (oldlink);
|
||||
return -1;
|
||||
}
|
||||
free (oldlink);
|
||||
|
||||
if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_hardlink - copy a hardlink
|
||||
*
|
||||
* Copy a hardlink from src to dst.
|
||||
*
|
||||
* Return 0 on success, -1 on error.
|
||||
*/
|
||||
static int copy_hardlink (const struct path_info *dst,
|
||||
unused bool reset_selinux,
|
||||
struct link_name *lp)
|
||||
{
|
||||
/* FIXME: selinux, ACL, Extended Attributes needed? */
|
||||
|
||||
if (linkat (AT_FDCWD, lp->ln_name, dst->dirfd, dst->name, 0) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* If the file could be unlinked, decrement the links counter,
|
||||
* and forget about this link if it was the last reference */
|
||||
lp->ln_count--;
|
||||
if (lp->ln_count <= 0) {
|
||||
remove_link (lp);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_special - copy a special file
|
||||
*
|
||||
* Copy a special file from src to dst.
|
||||
*
|
||||
* statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
|
||||
* the access and modification and the access rights.
|
||||
*
|
||||
* Return 0 on success, -1 on error.
|
||||
*/
|
||||
static int copy_special (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int err = 0;
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
if (set_selinux_file_context (dst->full_path, statp->st_mode & S_IFMT) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
if ( (mknodat (dst->dirfd, dst->name, statp->st_mode & ~07777U, statp->st_rdev) != 0)
|
||||
|| (chownat_if_needed (dst, statp,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)
|
||||
|| (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
|
||||
#ifdef WITH_ACL
|
||||
|| ( (perm_copy_path (src, dst, &ctx) != 0)
|
||||
&& (errno != 0))
|
||||
#endif /* WITH_ACL */
|
||||
#ifdef WITH_ATTR
|
||||
/*
|
||||
* If the third parameter is NULL, all extended attributes
|
||||
* except those that define Access Control Lists are copied.
|
||||
* ACLs are excluded by default because copying them between
|
||||
* file systems with and without ACL support needs some
|
||||
* additional logic so that no unexpected permissions result.
|
||||
*/
|
||||
|| ( !reset_selinux
|
||||
&& (attr_copy_path (src, dst, NULL, &ctx) != 0)
|
||||
&& (errno != 0))
|
||||
#endif /* WITH_ATTR */
|
||||
|| (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
|
||||
err = -1;
|
||||
}
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_file - copy a file
|
||||
*
|
||||
* Copy a file from src to dst.
|
||||
*
|
||||
* statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
|
||||
* the access and modification and the access rights.
|
||||
*
|
||||
* Return 0 on success, -1 on error.
|
||||
*/
|
||||
static int copy_file (const struct path_info *src, const struct path_info *dst,
|
||||
bool reset_selinux,
|
||||
const struct stat *statp, const struct timespec mt[],
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
int err = 0;
|
||||
int ifd;
|
||||
int ofd;
|
||||
|
||||
ifd = openat (src->dirfd, src->name, O_RDONLY|O_NOFOLLOW|O_CLOEXEC);
|
||||
if (ifd < 0) {
|
||||
return -1;
|
||||
}
|
||||
#ifdef WITH_SELINUX
|
||||
if (set_selinux_file_context (dst->full_path, S_IFREG) != 0) {
|
||||
(void) close (ifd);
|
||||
return -1;
|
||||
}
|
||||
#endif /* WITH_SELINUX */
|
||||
ofd = openat (dst->dirfd, dst->name, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
|
||||
if ( (ofd < 0)
|
||||
|| (fchown_if_needed (ofd, statp,
|
||||
old_uid, new_uid, old_gid, new_gid) != 0)
|
||||
|| (fchmod (ofd, statp->st_mode & 07777) != 0)
|
||||
#ifdef WITH_ACL
|
||||
|| ( (perm_copy_fd (src->full_path, ifd, dst->full_path, ofd, &ctx) != 0)
|
||||
&& (errno != 0))
|
||||
#endif /* WITH_ACL */
|
||||
#ifdef WITH_ATTR
|
||||
/*
|
||||
* If the third parameter is NULL, all extended attributes
|
||||
* except those that define Access Control Lists are copied.
|
||||
* ACLs are excluded by default because copying them between
|
||||
* file systems with and without ACL support needs some
|
||||
* additional logic so that no unexpected permissions result.
|
||||
*/
|
||||
|| ( !reset_selinux
|
||||
&& (attr_copy_fd (src->full_path, ifd, dst->full_path, ofd, NULL, &ctx) != 0)
|
||||
&& (errno != 0))
|
||||
#endif /* WITH_ATTR */
|
||||
) {
|
||||
if (ofd >= 0) {
|
||||
(void) close (ofd);
|
||||
}
|
||||
(void) close (ifd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
while (true) {
|
||||
char buf[8192];
|
||||
ssize_t cnt;
|
||||
|
||||
cnt = read (ifd, buf, sizeof buf);
|
||||
if (cnt < 0) {
|
||||
if (errno == EINTR) {
|
||||
continue;
|
||||
}
|
||||
(void) close (ofd);
|
||||
(void) close (ifd);
|
||||
return -1;
|
||||
}
|
||||
if (cnt == 0) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (write_full (ofd, buf, cnt) < 0) {
|
||||
(void) close (ofd);
|
||||
(void) close (ifd);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
(void) close (ifd);
|
||||
if (close (ofd) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
#define def_chown_if_needed(chown_function, type_dst) \
|
||||
static int chown_function ## _if_needed (type_dst dst, \
|
||||
const struct stat *statp, \
|
||||
uid_t old_uid, uid_t new_uid, \
|
||||
gid_t old_gid, gid_t new_gid) \
|
||||
{ \
|
||||
uid_t tmpuid = (uid_t) -1; \
|
||||
gid_t tmpgid = (gid_t) -1; \
|
||||
\
|
||||
/* Use new_uid if old_uid is set to -1 or if the file was \
|
||||
* owned by the user. */ \
|
||||
if (((uid_t) -1 == old_uid) || (statp->st_uid == old_uid)) { \
|
||||
tmpuid = new_uid; \
|
||||
} \
|
||||
/* Otherwise, or if new_uid was set to -1, we keep the same \
|
||||
* owner. */ \
|
||||
if ((uid_t) -1 == tmpuid) { \
|
||||
tmpuid = statp->st_uid; \
|
||||
} \
|
||||
\
|
||||
if (((gid_t) -1 == old_gid) || (statp->st_gid == old_gid)) { \
|
||||
tmpgid = new_gid; \
|
||||
} \
|
||||
if ((gid_t) -1 == tmpgid) { \
|
||||
tmpgid = statp->st_gid; \
|
||||
} \
|
||||
\
|
||||
return chown_function (dst, tmpuid, tmpgid); \
|
||||
}
|
||||
|
||||
def_chown_if_needed (fchown, int)
|
||||
|
||||
static int chownat_if_needed (const struct path_info *dst,
|
||||
const struct stat *statp,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
uid_t tmpuid = (uid_t) -1;
|
||||
gid_t tmpgid = (gid_t) -1;
|
||||
|
||||
/* Use new_uid if old_uid is set to -1 or if the file was
|
||||
* owned by the user. */
|
||||
if (((uid_t) -1 == old_uid) || (statp->st_uid == old_uid)) {
|
||||
tmpuid = new_uid;
|
||||
}
|
||||
/* Otherwise, or if new_uid was set to -1, we keep the same
|
||||
* owner. */
|
||||
if ((uid_t) -1 == tmpuid) {
|
||||
tmpuid = statp->st_uid;
|
||||
}
|
||||
|
||||
if (((gid_t) -1 == old_gid) || (statp->st_gid == old_gid)) {
|
||||
tmpgid = new_gid;
|
||||
}
|
||||
if ((gid_t) -1 == tmpgid) {
|
||||
tmpgid = statp->st_gid;
|
||||
}
|
||||
|
||||
return fchownat (dst->dirfd, dst->name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_tree - copy files in a directory tree
|
||||
*
|
||||
* copy_tree() walks a directory tree and copies ordinary files
|
||||
* as it goes.
|
||||
*
|
||||
* When reset_selinux is enabled, extended attributes (and thus
|
||||
* SELinux attributes) are not copied.
|
||||
*
|
||||
* old_uid and new_uid are used to set the ownership of the copied
|
||||
* files. Unless old_uid is set to -1, only the files owned by
|
||||
* old_uid have their ownership changed to new_uid. In addition, if
|
||||
* new_uid is set to -1, no ownership will be changed.
|
||||
*
|
||||
* The same logic applies for the group-ownership and
|
||||
* old_gid/new_gid.
|
||||
*/
|
||||
int copy_tree (const char *src_root, const char *dst_root,
|
||||
bool copy_root, bool reset_selinux,
|
||||
uid_t old_uid, uid_t new_uid,
|
||||
gid_t old_gid, gid_t new_gid)
|
||||
{
|
||||
const struct path_info src = {
|
||||
.full_path = src_root,
|
||||
.dirfd = AT_FDCWD,
|
||||
.name = src_root
|
||||
};
|
||||
const struct path_info dst = {
|
||||
.full_path = dst_root,
|
||||
.dirfd = AT_FDCWD,
|
||||
.name = dst_root
|
||||
};
|
||||
|
||||
return copy_tree_impl(&src, &dst, copy_root, reset_selinux,
|
||||
old_uid, new_uid, old_gid, new_gid);
|
||||
}
|
||||
-141
@@ -1,141 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: Alejandro Colomar <alx@kernel.org>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <limits.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#if HAVE_SYS_RANDOM_H
|
||||
#include <sys/random.h>
|
||||
#endif
|
||||
#include "bit.h"
|
||||
#include "defines.h"
|
||||
#include "prototypes.h"
|
||||
#include "shadowlog.h"
|
||||
|
||||
|
||||
static uint32_t csrand_uniform32(uint32_t n);
|
||||
static unsigned long csrand_uniform_slow(unsigned long n);
|
||||
|
||||
|
||||
/*
|
||||
* Return a uniformly-distributed CS random u_long value.
|
||||
*/
|
||||
unsigned long
|
||||
csrand(void)
|
||||
{
|
||||
FILE *fp;
|
||||
unsigned long r;
|
||||
|
||||
#ifdef HAVE_GETENTROPY
|
||||
/* getentropy may exist but lack kernel support. */
|
||||
if (getentropy(&r, sizeof(r)) == 0)
|
||||
return r;
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_GETRANDOM
|
||||
/* Likewise getrandom. */
|
||||
if (getrandom(&r, sizeof(r), 0) == sizeof(r))
|
||||
return r;
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_ARC4RANDOM_BUF
|
||||
/* arc4random_buf can never fail. */
|
||||
arc4random_buf(&r, sizeof(r));
|
||||
return r;
|
||||
#endif
|
||||
|
||||
/* Use /dev/urandom as a last resort. */
|
||||
fp = fopen("/dev/urandom", "r");
|
||||
if (NULL == fp) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (fread(&r, sizeof(r), 1, fp) != 1) {
|
||||
fclose(fp);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
return r;
|
||||
|
||||
fail:
|
||||
fprintf(log_get_logfd(), _("Unable to obtain random bytes.\n"));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Return a uniformly-distributed CS random value in the interval [0, n-1].
|
||||
*/
|
||||
unsigned long
|
||||
csrand_uniform(unsigned long n)
|
||||
{
|
||||
if (n == 0 || n > UINT32_MAX)
|
||||
return csrand_uniform_slow(n);
|
||||
|
||||
return csrand_uniform32(n);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Return a uniformly-distributed CS random value in the interval [min, max].
|
||||
*/
|
||||
unsigned long
|
||||
csrand_interval(unsigned long min, unsigned long max)
|
||||
{
|
||||
return csrand_uniform(max - min + 1) + min;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Fast Random Integer Generation in an Interval
|
||||
* ACM Transactions on Modeling and Computer Simulation 29 (1), 2019
|
||||
* <https://arxiv.org/abs/1805.10941>
|
||||
*/
|
||||
static uint32_t
|
||||
csrand_uniform32(uint32_t n)
|
||||
{
|
||||
uint32_t bound, rem;
|
||||
uint64_t r, mult;
|
||||
|
||||
if (n == 0)
|
||||
return csrand();
|
||||
|
||||
bound = -n % n; // analogous to `2^32 % n`, since `x % y == (x-y) % y`
|
||||
|
||||
do {
|
||||
r = csrand();
|
||||
mult = r * n;
|
||||
rem = mult; // analogous to `mult % 2^32`
|
||||
} while (rem < bound); // p = (2^32 % n) / 2^32; W.C.: n=2^31+1, p=0.5
|
||||
|
||||
r = mult >> WIDTHOF(n); // analogous to `mult / 2^32`
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
|
||||
static unsigned long
|
||||
csrand_uniform_slow(unsigned long n)
|
||||
{
|
||||
unsigned long r, max, mask;
|
||||
|
||||
max = n - 1;
|
||||
mask = bit_ceil_wrapul(n) - 1;
|
||||
|
||||
do {
|
||||
r = csrand();
|
||||
r &= mask; // optimization
|
||||
} while (r > max); // p = ((mask+1) % n) / (mask+1); W.C.: p=0.5
|
||||
|
||||
return r;
|
||||
}
|
||||
@@ -1,56 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2021, Alejandro Colomar <alx.manpages@gmail.com>
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the copyright holders or contributors may not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include "prototypes.h"
|
||||
|
||||
void
|
||||
date_to_str(size_t size, char buf[size], long date)
|
||||
{
|
||||
time_t t;
|
||||
const struct tm *tm;
|
||||
|
||||
t = date;
|
||||
if (date < 0) {
|
||||
(void) strlcpy(buf, "never", size);
|
||||
return;
|
||||
}
|
||||
|
||||
tm = gmtime(&t);
|
||||
if (tm == NULL) {
|
||||
(void) strlcpy(buf, "future", size);
|
||||
return;
|
||||
}
|
||||
|
||||
(void) strftime(buf, size, "%Y-%m-%d", tm);
|
||||
buf[size - 1] = '\0';
|
||||
}
|
||||
-250
@@ -1,250 +0,0 @@
|
||||
/* $Id$ */
|
||||
/* some useful defines */
|
||||
|
||||
#ifndef _DEFINES_H_
|
||||
#define _DEFINES_H_
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <locale.h>
|
||||
|
||||
#define gettext_noop(String) (String)
|
||||
/* #define gettext_def(String) "#define String" */
|
||||
|
||||
#ifdef ENABLE_NLS
|
||||
# include <libintl.h>
|
||||
# define _(Text) gettext (Text)
|
||||
#else
|
||||
# undef bindtextdomain
|
||||
# define bindtextdomain(Domain, Directory) (NULL)
|
||||
# undef textdomain
|
||||
# define textdomain(Domain) (NULL)
|
||||
# define _(Text) Text
|
||||
# define ngettext(Msgid1, Msgid2, N) \
|
||||
((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
|
||||
#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <errno.h>
|
||||
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* crypt(3), crypt_gensalt(3), and their
|
||||
* feature test macros may be defined in here.
|
||||
*/
|
||||
#if HAVE_CRYPT_H
|
||||
# include <crypt.h>
|
||||
#endif
|
||||
|
||||
#include <sys/time.h>
|
||||
#include <time.h>
|
||||
|
||||
#ifdef HAVE_MEMSET_EXPLICIT
|
||||
# define memzero(ptr, size) memset_explicit((ptr), 0, (size))
|
||||
#elif defined HAVE_EXPLICIT_BZERO /* !HAVE_MEMSET_S */
|
||||
# define memzero(ptr, size) explicit_bzero((ptr), (size))
|
||||
#else /* !HAVE_MEMSET_S && HAVE_EXPLICIT_BZERO */
|
||||
static inline void memzero(void *ptr, size_t size)
|
||||
{
|
||||
ptr = memset(ptr, '\0', size);
|
||||
__asm__ __volatile__ ("" : : "r"(ptr) : "memory");
|
||||
}
|
||||
#endif /* !HAVE_MEMSET_S && !HAVE_EXPLICIT_BZERO */
|
||||
|
||||
#define strzero(s) memzero(s, strlen(s)) /* warning: evaluates twice */
|
||||
|
||||
#include <dirent.h>
|
||||
|
||||
/*
|
||||
* Possible cases:
|
||||
* - /usr/include/shadow.h exists and includes the shadow group stuff.
|
||||
* - /usr/include/shadow.h exists, but we use our own gshadow.h.
|
||||
*/
|
||||
#include <shadow.h>
|
||||
#if defined(SHADOWGRP) && !defined(GSHADOW)
|
||||
#include "gshadow_.h"
|
||||
#endif
|
||||
|
||||
#include <limits.h>
|
||||
|
||||
#ifndef NGROUPS_MAX
|
||||
#ifdef NGROUPS
|
||||
#define NGROUPS_MAX NGROUPS
|
||||
#else
|
||||
#define NGROUPS_MAX 64
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <syslog.h>
|
||||
|
||||
#ifndef LOG_WARN
|
||||
#define LOG_WARN LOG_WARNING
|
||||
#endif
|
||||
|
||||
/* LOG_NOWAIT is deprecated */
|
||||
#ifndef LOG_NOWAIT
|
||||
#define LOG_NOWAIT 0
|
||||
#endif
|
||||
|
||||
/* LOG_AUTH is deprecated, use LOG_AUTHPRIV instead */
|
||||
#ifndef LOG_AUTHPRIV
|
||||
#define LOG_AUTHPRIV LOG_AUTH
|
||||
#endif
|
||||
|
||||
/* cleaner than lots of #ifdefs everywhere - use this as follows:
|
||||
SYSLOG((LOG_CRIT, "user %s cracked root", user)); */
|
||||
#ifdef ENABLE_NLS
|
||||
/* Temporarily set LC_TIME to "C" to avoid strange dates in syslog.
|
||||
This is a workaround for a more general syslog(d) design problem -
|
||||
syslogd should log the current system time for each event, and not
|
||||
trust the formatted time received from the unix domain (or worse,
|
||||
UDP) socket. -MM */
|
||||
/* Avoid translated PAM error messages: Set LC_ALL to "C".
|
||||
* --Nekral */
|
||||
#define SYSLOG(x) \
|
||||
do { \
|
||||
char *old_locale = setlocale (LC_ALL, NULL); \
|
||||
char *saved_locale = NULL; \
|
||||
if (NULL != old_locale) { \
|
||||
saved_locale = strdup (old_locale); \
|
||||
} \
|
||||
if (NULL != saved_locale) { \
|
||||
(void) setlocale (LC_ALL, "C"); \
|
||||
} \
|
||||
syslog x ; \
|
||||
if (NULL != saved_locale) { \
|
||||
(void) setlocale (LC_ALL, saved_locale); \
|
||||
free (saved_locale); \
|
||||
} \
|
||||
} while (false)
|
||||
#else /* !ENABLE_NLS */
|
||||
#define SYSLOG(x) syslog x
|
||||
#endif /* !ENABLE_NLS */
|
||||
|
||||
/* The default syslog settings can now be changed here,
|
||||
in just one place. */
|
||||
|
||||
#ifndef SYSLOG_OPTIONS
|
||||
/* #define SYSLOG_OPTIONS (LOG_PID | LOG_CONS | LOG_NOWAIT) */
|
||||
#define SYSLOG_OPTIONS (LOG_PID)
|
||||
#endif
|
||||
|
||||
#ifndef SYSLOG_FACILITY
|
||||
#define SYSLOG_FACILITY LOG_AUTHPRIV
|
||||
#endif
|
||||
|
||||
#define OPENLOG(progname) openlog(progname, SYSLOG_OPTIONS, SYSLOG_FACILITY)
|
||||
|
||||
#include <termios.h>
|
||||
#define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
|
||||
#define GTTY(fd, termio) tcgetattr(fd, termio)
|
||||
#define TERMIO struct termios
|
||||
|
||||
/*
|
||||
* Password aging constants
|
||||
*
|
||||
* DAY - seconds / day
|
||||
* WEEK - seconds / week
|
||||
* SCALE - seconds / aging unit
|
||||
*/
|
||||
|
||||
/* Solaris defines this in shadow.h */
|
||||
#ifndef DAY
|
||||
#define DAY (24L*3600L)
|
||||
#endif
|
||||
|
||||
#define WEEK (7*DAY)
|
||||
|
||||
#ifdef ITI_AGING
|
||||
#define SCALE 1
|
||||
#else
|
||||
#define SCALE DAY
|
||||
#endif
|
||||
|
||||
#define WIDTHOF(x) (sizeof(x) * CHAR_BIT)
|
||||
#define NITEMS(arr) (sizeof((arr)) / sizeof((arr)[0]))
|
||||
#define STRLEN(s) (NITEMS(s) - 1)
|
||||
|
||||
/* Copy string pointed by B to array A with size checking. It was originally
|
||||
in lmain.c but is _very_ useful elsewhere. Some setuid root programs with
|
||||
very sloppy coding used to assume that BUFSIZ will always be enough... */
|
||||
|
||||
/* danger - side effects */
|
||||
#define STRFCPY(A,B) \
|
||||
(strncpy((A), (B), sizeof(A) - 1), (A)[sizeof(A) - 1] = '\0')
|
||||
|
||||
#ifndef PASSWD_FILE
|
||||
#define PASSWD_FILE "/etc/passwd"
|
||||
#endif
|
||||
|
||||
#ifndef GROUP_FILE
|
||||
#define GROUP_FILE "/etc/group"
|
||||
#endif
|
||||
|
||||
#ifndef SHADOW_FILE
|
||||
#define SHADOW_FILE "/etc/shadow"
|
||||
#endif
|
||||
|
||||
#ifdef SHADOWGRP
|
||||
#ifndef SGROUP_FILE
|
||||
#define SGROUP_FILE "/etc/gshadow"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* string to use for the pw_passwd field in /etc/passwd when using
|
||||
* shadow passwords - most systems use "x" but there are a few
|
||||
* exceptions, so it can be changed here if necessary. --marekm
|
||||
*/
|
||||
#ifndef SHADOW_PASSWD_STRING
|
||||
#define SHADOW_PASSWD_STRING "x"
|
||||
#endif
|
||||
|
||||
#define SHADOW_SP_FLAG_UNSET ((unsigned long int)-1)
|
||||
|
||||
#ifdef WITH_AUDIT
|
||||
#ifdef __u8 /* in case we use pam < 0.80 */
|
||||
#undef __u8
|
||||
#endif
|
||||
#ifdef __u32
|
||||
#undef __u32
|
||||
#endif
|
||||
|
||||
#include <libaudit.h>
|
||||
#endif
|
||||
|
||||
/* To be used for verified unused parameters */
|
||||
#if defined(__GNUC__) && !defined(__STRICT_ANSI__)
|
||||
# define unused __attribute__((unused))
|
||||
# define NORETURN __attribute__((__noreturn__))
|
||||
# define format_attr(type, index, check) __attribute__((format (type, index, check)))
|
||||
#else
|
||||
# define unused
|
||||
# define NORETURN
|
||||
# define format_attr(type, index, check)
|
||||
#endif
|
||||
|
||||
/* Maximum length of passwd entry */
|
||||
#define PASSWD_ENTRY_MAX_LENGTH 32768
|
||||
|
||||
#if (__GNUC__ >= 11) && !defined(__clang__)
|
||||
# define ATTR_MALLOC(deallocator) [[gnu::malloc(deallocator)]]
|
||||
#else
|
||||
# define ATTR_MALLOC(deallocator)
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SECURE_GETENV
|
||||
# define shadow_getenv(name) secure_getenv(name)
|
||||
# else
|
||||
# define shadow_getenv(name) getenv(name)
|
||||
#endif
|
||||
|
||||
#endif /* _DEFINES_H_ */
|
||||
@@ -1,79 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1990 - 1993, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2005 , Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2010, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#include "shadowlog_internal.h"
|
||||
|
||||
/*@exposed@*//*@null@*/char *pw_encrypt (const char *clear, const char *salt)
|
||||
{
|
||||
static char cipher[128];
|
||||
char *cp;
|
||||
|
||||
cp = crypt (clear, salt);
|
||||
if (NULL == cp) {
|
||||
/*
|
||||
* Single Unix Spec: crypt() may return a null pointer,
|
||||
* and set errno to indicate an error. In this case return
|
||||
* the NULL so the caller can handle appropriately.
|
||||
*/
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Some crypt() do not return NULL if the algorithm is not
|
||||
* supported, and return a DES encrypted password. */
|
||||
if ((NULL != salt) && (salt[0] == '$') && (strlen (cp) <= 13))
|
||||
{
|
||||
/*@observer@*/const char *method;
|
||||
switch (salt[1])
|
||||
{
|
||||
case '1':
|
||||
method = "MD5";
|
||||
break;
|
||||
case '2':
|
||||
method = "BCRYPT";
|
||||
break;
|
||||
case '5':
|
||||
method = "SHA256";
|
||||
break;
|
||||
case '6':
|
||||
method = "SHA512";
|
||||
break;
|
||||
case 'y':
|
||||
method = "YESCRYPT";
|
||||
break;
|
||||
default:
|
||||
{
|
||||
static char nummethod[4] = "$x$";
|
||||
nummethod[1] = salt[1];
|
||||
method = &nummethod[0];
|
||||
}
|
||||
}
|
||||
(void) fprintf (shadow_logfd,
|
||||
_("crypt method not supported by libcrypt? (%s)\n"),
|
||||
method);
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (strlen (cp) != 13) {
|
||||
return cp; /* nonstandard crypt() in libc, better bail out */
|
||||
}
|
||||
|
||||
strcpy (cipher, cp);
|
||||
|
||||
return cipher;
|
||||
}
|
||||
|
||||
-47
@@ -1,47 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "alloc.h"
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#include <pwd.h>
|
||||
|
||||
void pw_entry (const char *name, struct passwd *pwent)
|
||||
{
|
||||
struct passwd *passwd;
|
||||
|
||||
struct spwd *spwd;
|
||||
|
||||
if (!(passwd = getpwnam (name))) { /* local, no need for xgetpwnam */
|
||||
pwent->pw_name = NULL;
|
||||
return;
|
||||
} else {
|
||||
pwent->pw_name = xstrdup (passwd->pw_name);
|
||||
pwent->pw_uid = passwd->pw_uid;
|
||||
pwent->pw_gid = passwd->pw_gid;
|
||||
pwent->pw_gecos = xstrdup (passwd->pw_gecos);
|
||||
pwent->pw_dir = xstrdup (passwd->pw_dir);
|
||||
pwent->pw_shell = xstrdup (passwd->pw_shell);
|
||||
#if !defined(AUTOSHADOW)
|
||||
/* local, no need for xgetspnam */
|
||||
if ((spwd = getspnam (name))) {
|
||||
pwent->pw_passwd = xstrdup (spwd->sp_pwdp);
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
pwent->pw_passwd = xstrdup (passwd->pw_passwd);
|
||||
}
|
||||
}
|
||||
@@ -1,253 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 1989 - 1992, Julianne Frances Haugh
|
||||
* SPDX-FileCopyrightText: 1996 - 1999, Marek Michałkiewicz
|
||||
* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
|
||||
* SPDX-FileCopyrightText: 2008 - 2009, Nicolas François
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#ident "$Id$"
|
||||
|
||||
#include <assert.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "alloc.h"
|
||||
#include "prototypes.h"
|
||||
#include "defines.h"
|
||||
#include "shadowlog.h"
|
||||
/*
|
||||
* NEWENVP_STEP must be a power of two. This is the number
|
||||
* of (char *) pointers to allocate at a time, to avoid using
|
||||
* realloc() too often.
|
||||
*/
|
||||
#define NEWENVP_STEP 16
|
||||
size_t newenvc = 0;
|
||||
/*@null@*/char **newenvp = NULL;
|
||||
|
||||
static const char *const forbid[] = {
|
||||
"_RLD_=",
|
||||
"BASH_ENV=", /* GNU creeping featurism strikes again... */
|
||||
"ENV=",
|
||||
"HOME=",
|
||||
"IFS=",
|
||||
"KRB_CONF=",
|
||||
"LD_", /* anything with the LD_ prefix */
|
||||
"LIBPATH=",
|
||||
"MAIL=",
|
||||
"NLSPATH=",
|
||||
"PATH=",
|
||||
"SHELL=",
|
||||
"SHLIB_PATH=",
|
||||
NULL
|
||||
};
|
||||
|
||||
/* these are allowed, but with no slashes inside
|
||||
(to work around security problems in GNU gettext) */
|
||||
static const char *const noslash[] = {
|
||||
"LANG=",
|
||||
"LANGUAGE=",
|
||||
"LC_", /* anything with the LC_ prefix */
|
||||
NULL
|
||||
};
|
||||
|
||||
/*
|
||||
* initenv() must be called once before using addenv().
|
||||
*/
|
||||
void initenv (void)
|
||||
{
|
||||
newenvp = XMALLOC(NEWENVP_STEP, char *);
|
||||
*newenvp = NULL;
|
||||
}
|
||||
|
||||
|
||||
void addenv (const char *string, /*@null@*/const char *value)
|
||||
{
|
||||
char *cp, *newstring;
|
||||
size_t i;
|
||||
size_t n;
|
||||
|
||||
if (NULL != value) {
|
||||
size_t len = strlen (string) + strlen (value) + 2;
|
||||
int wlen;
|
||||
newstring = XMALLOC(len, char);
|
||||
wlen = snprintf (newstring, len, "%s=%s", string, value);
|
||||
assert (wlen == (int) len -1);
|
||||
} else {
|
||||
newstring = xstrdup (string);
|
||||
}
|
||||
|
||||
/*
|
||||
* Search for a '=' character within the string and if none is found
|
||||
* just ignore the whole string.
|
||||
*/
|
||||
|
||||
cp = strchr (newstring, '=');
|
||||
if (NULL == cp) {
|
||||
free (newstring);
|
||||
return;
|
||||
}
|
||||
|
||||
n = (size_t) (cp - newstring);
|
||||
|
||||
/*
|
||||
* If this environment variable is already set, change its value.
|
||||
*/
|
||||
for (i = 0; i < newenvc; i++) {
|
||||
if ( (strncmp (newstring, newenvp[i], n) == 0)
|
||||
&& (('=' == newenvp[i][n]) || ('\0' == newenvp[i][n]))) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (i < newenvc) {
|
||||
free (newenvp[i]);
|
||||
newenvp[i] = newstring;
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* Otherwise, save the new environment variable
|
||||
*/
|
||||
newenvp[newenvc++] = newstring;
|
||||
|
||||
/*
|
||||
* And extend the environment if needed.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Check whether newenvc is a multiple of NEWENVP_STEP.
|
||||
* If so we have to resize the vector.
|
||||
* the expression (newenvc & (NEWENVP_STEP - 1)) == 0
|
||||
* is equal to (newenvc % NEWENVP_STEP) == 0
|
||||
* as long as NEWENVP_STEP is a power of 2.
|
||||
*/
|
||||
|
||||
if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
|
||||
bool update_environ;
|
||||
char **__newenvp;
|
||||
|
||||
/*
|
||||
* If the resize operation succeeds we can
|
||||
* happily go on, else print a message.
|
||||
*/
|
||||
update_environ = (environ == newenvp);
|
||||
|
||||
__newenvp = REALLOC(newenvp, newenvc + NEWENVP_STEP, char *);
|
||||
|
||||
if (NULL != __newenvp) {
|
||||
/*
|
||||
* If this is our current environment, update
|
||||
* environ so that it doesn't point to some
|
||||
* free memory area (realloc() could move it).
|
||||
*/
|
||||
if (update_environ)
|
||||
environ = __newenvp;
|
||||
newenvp = __newenvp;
|
||||
} else {
|
||||
(void) fputs (_("Environment overflow\n"), log_get_logfd());
|
||||
newenvc--;
|
||||
free (newenvp[newenvc]);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* The last entry of newenvp must be NULL
|
||||
*/
|
||||
|
||||
newenvp[newenvc] = NULL;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* set_env - copy command line arguments into the environment
|
||||
*/
|
||||
void set_env (int argc, char *const *argv)
|
||||
{
|
||||
int noname = 1;
|
||||
char variable[1024];
|
||||
char *cp;
|
||||
|
||||
for (; argc > 0; argc--, argv++) {
|
||||
if (strlen (*argv) >= sizeof variable) {
|
||||
continue; /* ignore long entries */
|
||||
}
|
||||
|
||||
cp = strchr (*argv, '=');
|
||||
if (NULL == cp) {
|
||||
int wlen;
|
||||
wlen = snprintf (variable, sizeof variable, "L%d", noname);
|
||||
assert (wlen < (int) sizeof(variable));
|
||||
noname++;
|
||||
addenv (variable, *argv);
|
||||
} else {
|
||||
const char *const *p;
|
||||
|
||||
for (p = forbid; NULL != *p; p++) {
|
||||
if (strncmp (*argv, *p, strlen (*p)) == 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (NULL != *p) {
|
||||
strncpy (variable, *argv, (size_t)(cp - *argv));
|
||||
variable[cp - *argv] = '\0';
|
||||
printf (_("You may not change $%s\n"),
|
||||
variable);
|
||||
continue;
|
||||
}
|
||||
|
||||
addenv (*argv, NULL);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* sanitize_env - remove some nasty environment variables
|
||||
* If you fall into a total paranoia, you should call this
|
||||
* function for any root-setuid program or anything the user
|
||||
* might change the environment with. 99% useless as almost
|
||||
* all modern Unixes will handle setuid executables properly,
|
||||
* but... I feel better with that silly precaution. -j.
|
||||
*/
|
||||
|
||||
void sanitize_env (void)
|
||||
{
|
||||
char **envp = environ;
|
||||
const char *const *bad;
|
||||
char **cur;
|
||||
char **move;
|
||||
|
||||
for (cur = envp; NULL != *cur; cur++) {
|
||||
for (bad = forbid; NULL != *bad; bad++) {
|
||||
if (strncmp (*cur, *bad, strlen (*bad)) == 0) {
|
||||
for (move = cur; NULL != *move; move++) {
|
||||
*move = *(move + 1);
|
||||
}
|
||||
cur--;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for (cur = envp; NULL != *cur; cur++) {
|
||||
for (bad = noslash; NULL != *bad; bad++) {
|
||||
if (strncmp (*cur, *bad, strlen (*bad)) != 0) {
|
||||
continue;
|
||||
}
|
||||
if (strchr (*cur, '/') == NULL) {
|
||||
continue; /* OK */
|
||||
}
|
||||
for (move = cur; NULL != *move; move++) {
|
||||
*move = *(move + 1);
|
||||
}
|
||||
cur--;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2005 - 2006, Tomasz Kłoczko
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
||||
/* $Id$ */
|
||||
|
||||
/*
|
||||
* Exit codes used by shadow programs
|
||||
*/
|
||||
#define E_SUCCESS EXIT_SUCCESS /* success */
|
||||
/*
|
||||
* FIXME: other values should differ from EXIT_FAILURE (and EXIT_SUCCESS).
|
||||
*
|
||||
* FIXME: reserve EXIT_FAILURE for internal failures.
|
||||
*/
|
||||
#define E_NOPERM 1 /* permission denied */
|
||||
#define E_USAGE 2 /* invalid command syntax */
|
||||
#define E_BAD_ARG 3 /* invalid argument to option */
|
||||
#define E_PASSWD_NOTFOUND 14 /* not found password file */
|
||||
#define E_SHADOW_NOTFOUND 15 /* not found shadow password file */
|
||||
#define E_GROUP_NOTFOUND 16 /* not found group file */
|
||||
#define E_GSHADOW_NOTFOUND 17 /* not found shadow group file */
|
||||
#define E_CMD_NOEXEC 126 /* can't run command/shell */
|
||||
#define E_CMD_NOTFOUND 127 /* can't find command/shell to run */
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user