author | Balint Reczey <balint@balintreczey.hu> | 2021-11-07 15:18:49 +0100 |
---|---|---|
committer | Balint Reczey <balint@balintreczey.hu> | 2021-11-07 15:18:49 +0100 |
commit | 749c1780621163ca5108f164861324bafa9e0ae8 (patch) | |
tree | 51001872624a692018c45bf39276df94b603fb19 /lib | |
parent | d906ecd3b652d95af6ffb974a2f6669501bb9496 (diff) | |
New upstream version 4.9 (upstream/4.9)
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Makefile.am | 4 | ||||
-rw-r--r-- | lib/Makefile.in | 289 | ||||
-rw-r--r-- | lib/commonio.c | 52 | ||||
-rw-r--r-- | lib/commonio.h | 6 | ||||
-rw-r--r-- | lib/defines.h | 10 | ||||
-rw-r--r-- | lib/encrypt.c | 5 | ||||
-rw-r--r-- | lib/getdef.c | 31 | ||||
-rw-r--r-- | lib/groupmem.c | 47 | ||||
-rw-r--r-- | lib/nscd.c | 8 | ||||
-rw-r--r-- | lib/nss.c | 149 | ||||
-rw-r--r-- | lib/prototypes.h | 70 | ||||
-rw-r--r-- | lib/run_part.c | 102 | ||||
-rw-r--r-- | lib/run_part.h | 2 | ||||
-rw-r--r-- | lib/selinux.c | 63 | ||||
-rw-r--r-- | lib/semanage.c | 58 | ||||
-rw-r--r-- | lib/sgetspent.c | 1 | ||||
-rw-r--r-- | lib/shadow.c | 3 | ||||
-rw-r--r-- | lib/spawn.c | 8 | ||||
-rw-r--r-- | lib/sssd.c | 14 | ||||
-rw-r--r-- | lib/subordinateio.c | 382 | ||||
-rw-r--r-- | lib/subordinateio.h | 11 | ||||
-rw-r--r-- | lib/tcbfuncs.c | 64 |
22 files changed, 1031 insertions, 348 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am index a40c08a1..ecf3ee25 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -5,7 +5,6 @@ DEFS = noinst_LTLIBRARIES = libshadow.la -libshadow_la_LDFLAGS = -version-info 0:0:0 libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS) if HAVE_VENDORDIR libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" @@ -32,6 +31,7 @@ libshadow_la_SOURCES = \ groupio.h \ gshadow.c \ lockpw.c \ + nss.c \ nscd.c \ nscd.h \ sssd.c \ @@ -45,6 +45,8 @@ libshadow_la_SOURCES = \ pwio.c \ pwio.h \ pwmem.c \ + run_part.h \ + run_part.c \ subordinateio.h \ subordinateio.c \ selinux.c \ diff --git a/lib/Makefile.in b/lib/Makefile.in index abce42b6..3e6486d5 100644 --- a/lib/Makefile.in +++ b/lib/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -92,8 +92,14 @@ host_triplet = @host@ @WITH_TCB_TRUE@am__append_2 = tcbfuncs.c tcbfuncs.h subdir = lib ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \ - $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) 
@@ -106,12 +112,13 @@ libshadow_la_LIBADD = am__libshadow_la_SOURCES_DIST = commonio.c commonio.h defines.h \ encrypt.c exitcodes.h faillog.h fields.c fputsx.c getdef.c \ getdef.h get_gid.c getlong.c get_pid.c get_uid.c getulong.c \ - groupio.c groupmem.c groupio.h gshadow.c lockpw.c nscd.c \ + groupio.c groupmem.c groupio.h gshadow.c lockpw.c nss.c nscd.c \ nscd.h sssd.c sssd.h pam_defs.h port.c port.h prototypes.h \ - pwauth.c pwauth.h pwio.c pwio.h pwmem.c subordinateio.h \ - subordinateio.c selinux.c semanage.c sgetgrent.c sgetpwent.c \ - sgetspent.c sgroupio.c sgroupio.h shadow.c shadowio.c \ - shadowio.h shadowmem.c spawn.c utent.c tcbfuncs.c tcbfuncs.h + pwauth.c pwauth.h pwio.c pwio.h pwmem.c run_part.h run_part.c \ + subordinateio.h subordinateio.c selinux.c semanage.c \ + sgetgrent.c sgetpwent.c sgetspent.c sgroupio.c sgroupio.h \ + shadow.c shadowio.c shadowio.h shadowmem.c spawn.c utent.c \ + tcbfuncs.c tcbfuncs.h @WITH_TCB_TRUE@am__objects_1 = libshadow_la-tcbfuncs.lo am_libshadow_la_OBJECTS = libshadow_la-commonio.lo \ libshadow_la-encrypt.lo libshadow_la-fields.lo \ 
@@ -120,24 +127,21 @@ am_libshadow_la_OBJECTS = libshadow_la-commonio.lo \ libshadow_la-get_pid.lo libshadow_la-get_uid.lo \ libshadow_la-getulong.lo libshadow_la-groupio.lo \ libshadow_la-groupmem.lo libshadow_la-gshadow.lo \ - libshadow_la-lockpw.lo libshadow_la-nscd.lo \ - libshadow_la-sssd.lo libshadow_la-port.lo \ + libshadow_la-lockpw.lo libshadow_la-nss.lo \ + libshadow_la-nscd.lo libshadow_la-sssd.lo libshadow_la-port.lo \ libshadow_la-pwauth.lo libshadow_la-pwio.lo \ - libshadow_la-pwmem.lo libshadow_la-subordinateio.lo \ - libshadow_la-selinux.lo libshadow_la-semanage.lo \ - libshadow_la-sgetgrent.lo libshadow_la-sgetpwent.lo \ - libshadow_la-sgetspent.lo libshadow_la-sgroupio.lo \ - libshadow_la-shadow.lo libshadow_la-shadowio.lo \ - libshadow_la-shadowmem.lo libshadow_la-spawn.lo \ - libshadow_la-utent.lo $(am__objects_1) + libshadow_la-pwmem.lo libshadow_la-run_part.lo \ + libshadow_la-subordinateio.lo libshadow_la-selinux.lo \ + libshadow_la-semanage.lo libshadow_la-sgetgrent.lo \ + libshadow_la-sgetpwent.lo libshadow_la-sgetspent.lo \ + libshadow_la-sgroupio.lo libshadow_la-shadow.lo \ + libshadow_la-shadowio.lo libshadow_la-shadowmem.lo \ + libshadow_la-spawn.lo libshadow_la-utent.lo $(am__objects_1) libshadow_la_OBJECTS = $(am_libshadow_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -libshadow_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(libshadow_la_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false 
@@ -152,40 +156,7 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp -am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/libshadow_la-commonio.Plo \ - ./$(DEPDIR)/libshadow_la-encrypt.Plo \ - ./$(DEPDIR)/libshadow_la-fields.Plo \ - ./$(DEPDIR)/libshadow_la-fputsx.Plo \ - ./$(DEPDIR)/libshadow_la-get_gid.Plo \ - ./$(DEPDIR)/libshadow_la-get_pid.Plo \ - ./$(DEPDIR)/libshadow_la-get_uid.Plo \ - ./$(DEPDIR)/libshadow_la-getdef.Plo \ - ./$(DEPDIR)/libshadow_la-getlong.Plo \ - ./$(DEPDIR)/libshadow_la-getulong.Plo \ - ./$(DEPDIR)/libshadow_la-groupio.Plo \ - ./$(DEPDIR)/libshadow_la-groupmem.Plo \ - ./$(DEPDIR)/libshadow_la-gshadow.Plo \ - ./$(DEPDIR)/libshadow_la-lockpw.Plo \ - ./$(DEPDIR)/libshadow_la-nscd.Plo \ - ./$(DEPDIR)/libshadow_la-port.Plo \ - ./$(DEPDIR)/libshadow_la-pwauth.Plo \ - ./$(DEPDIR)/libshadow_la-pwio.Plo \ - ./$(DEPDIR)/libshadow_la-pwmem.Plo \ - ./$(DEPDIR)/libshadow_la-selinux.Plo \ - ./$(DEPDIR)/libshadow_la-semanage.Plo \ - ./$(DEPDIR)/libshadow_la-sgetgrent.Plo \ - ./$(DEPDIR)/libshadow_la-sgetpwent.Plo \ - ./$(DEPDIR)/libshadow_la-sgetspent.Plo \ - ./$(DEPDIR)/libshadow_la-sgroupio.Plo \ - ./$(DEPDIR)/libshadow_la-shadow.Plo \ - ./$(DEPDIR)/libshadow_la-shadowio.Plo \ - ./$(DEPDIR)/libshadow_la-shadowmem.Plo \ - ./$(DEPDIR)/libshadow_la-spawn.Plo \ - ./$(DEPDIR)/libshadow_la-sssd.Plo \ - ./$(DEPDIR)/libshadow_la-subordinateio.Plo \ - ./$(DEPDIR)/libshadow_la-tcbfuncs.Plo \ - ./$(DEPDIR)/libshadow_la-utent.Plo +am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -259,7 +230,6 @@ ECONF_CPPFLAGS = @ECONF_CPPFLAGS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ -GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ 
@@ -288,9 +258,14 @@ LIBS = @LIBS@ LIBSELINUX = @LIBSELINUX@ LIBSEMANAGE = @LIBSEMANAGE@ LIBSKEY = @LIBSKEY@ +LIBSUBID_ABI = @LIBSUBID_ABI@ +LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@ +LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@ +LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@ LIBTCB = @LIBTCB@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ +LIYESCRYPT = @LIYESCRYPT@ LN_S = @LN_S@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ @@ -328,7 +303,6 @@ VENDORDIR = @VENDORDIR@ VERSION = @VERSION@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ -XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ XMLCATALOG = @XMLCATALOG@ XML_CATALOG_FILE = @XML_CATALOG_FILE@ XSLTPROC = @XSLTPROC@ @@ -390,17 +364,17 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = 1.0 foreign noinst_LTLIBRARIES = libshadow.la -libshadow_la_LDFLAGS = -version-info 0:0:0 libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS) $(am__append_1) libshadow_la_SOURCES = commonio.c commonio.h defines.h encrypt.c \ exitcodes.h faillog.h fields.c fputsx.c getdef.c getdef.h \ get_gid.c getlong.c get_pid.c get_uid.c getulong.c groupio.c \ - groupmem.c groupio.h gshadow.c lockpw.c nscd.c nscd.h sssd.c \ - sssd.h pam_defs.h port.c port.h prototypes.h pwauth.c pwauth.h \ - pwio.c pwio.h pwmem.c subordinateio.h subordinateio.c \ - selinux.c semanage.c sgetgrent.c sgetpwent.c sgetspent.c \ - sgroupio.c sgroupio.h shadow.c shadowio.c shadowio.h \ - shadowmem.c spawn.c utent.c $(am__append_2) + groupmem.c groupio.h gshadow.c lockpw.c nss.c nscd.c nscd.h \ + sssd.c sssd.h pam_defs.h port.c port.h prototypes.h pwauth.c \ + pwauth.h pwio.c pwio.h pwmem.c run_part.h run_part.c \ + subordinateio.h subordinateio.c selinux.c semanage.c \ + sgetgrent.c sgetpwent.c sgetspent.c sgroupio.c sgroupio.h \ + shadow.c shadowio.c shadowio.h shadowmem.c spawn.c utent.c \ + $(am__append_2) # These files are unneeded for some reason, listed in # order of appearance: 
@@ -431,8 +405,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -456,7 +430,7 @@ clean-noinstLTLIBRARIES: } libshadow.la: $(libshadow_la_OBJECTS) $(libshadow_la_DEPENDENCIES) $(EXTRA_libshadow_la_DEPENDENCIES) - $(AM_V_CCLD)$(libshadow_la_LINK) $(libshadow_la_OBJECTS) $(libshadow_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(LINK) $(libshadow_la_OBJECTS) $(libshadow_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -464,45 +438,41 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-commonio.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-encrypt.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-fields.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-fputsx.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-get_gid.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-get_pid.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-get_uid.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-getdef.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-getlong.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-getulong.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-groupio.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-groupmem.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-gshadow.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-lockpw.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-nscd.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-port.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-pwauth.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-pwio.Plo@am__quote@ # am--include-marker 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-pwmem.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-selinux.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-semanage.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgetgrent.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgetpwent.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgetspent.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgroupio.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-shadow.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-shadowio.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-shadowmem.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-spawn.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sssd.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-subordinateio.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-tcbfuncs.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-utent.Plo@am__quote@ # am--include-marker - -$(am__depfiles_remade): - @$(MKDIR_P) $(@D) - @echo '# dummy' >$@-t && $(am__mv) $@-t $@ - -am--depfiles: $(am__depfiles_remade) +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-commonio.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-encrypt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/libshadow_la-fields.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-fputsx.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-get_gid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-get_pid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-get_uid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-getdef.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-getlong.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-getulong.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-groupio.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-groupmem.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-gshadow.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-lockpw.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-nscd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-nss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-port.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-pwauth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-pwio.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-pwmem.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-run_part.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-semanage.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgetgrent.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgetpwent.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/libshadow_la-sgetspent.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sgroupio.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-shadow.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-shadowio.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-shadowmem.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-spawn.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-subordinateio.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-tcbfuncs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libshadow_la-utent.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -623,6 +593,13 @@ libshadow_la-lockpw.lo: lockpw.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libshadow_la-lockpw.lo `test -f 'lockpw.c' || echo '$(srcdir)/'`lockpw.c +libshadow_la-nss.lo: nss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libshadow_la-nss.lo -MD -MP -MF $(DEPDIR)/libshadow_la-nss.Tpo -c -o libshadow_la-nss.lo `test -f 'nss.c' || echo '$(srcdir)/'`nss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libshadow_la-nss.Tpo $(DEPDIR)/libshadow_la-nss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nss.c' object='libshadow_la-nss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libshadow_la-nss.lo `test -f 'nss.c' || echo '$(srcdir)/'`nss.c + libshadow_la-nscd.lo: nscd.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libshadow_la-nscd.lo -MD -MP -MF $(DEPDIR)/libshadow_la-nscd.Tpo -c -o libshadow_la-nscd.lo `test -f 'nscd.c' || echo '$(srcdir)/'`nscd.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libshadow_la-nscd.Tpo $(DEPDIR)/libshadow_la-nscd.Plo 
@@ -665,6 +642,13 @@ libshadow_la-pwmem.lo: pwmem.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libshadow_la-pwmem.lo `test -f 'pwmem.c' || echo '$(srcdir)/'`pwmem.c +libshadow_la-run_part.lo: run_part.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libshadow_la-run_part.lo -MD -MP -MF $(DEPDIR)/libshadow_la-run_part.Tpo -c -o libshadow_la-run_part.lo `test -f 'run_part.c' || echo '$(srcdir)/'`run_part.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libshadow_la-run_part.Tpo $(DEPDIR)/libshadow_la-run_part.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='run_part.c' object='libshadow_la-run_part.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libshadow_la-run_part.lo `test -f 'run_part.c' || echo '$(srcdir)/'`run_part.c + libshadow_la-subordinateio.lo: subordinateio.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libshadow_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libshadow_la-subordinateio.lo -MD -MP -MF $(DEPDIR)/libshadow_la-subordinateio.Tpo -c -o libshadow_la-subordinateio.lo `test -f 'subordinateio.c' || echo '$(srcdir)/'`subordinateio.c @am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) $(DEPDIR)/libshadow_la-subordinateio.Tpo $(DEPDIR)/libshadow_la-subordinateio.Plo @@ -814,10 +798,7 @@ cscopelist-am: $(am__tagged_files) distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -distdir: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) distdir-am - -distdir-am: $(DISTFILES) +distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -887,39 +868,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -f ./$(DEPDIR)/libshadow_la-commonio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-encrypt.Plo - -rm -f ./$(DEPDIR)/libshadow_la-fields.Plo - -rm -f ./$(DEPDIR)/libshadow_la-fputsx.Plo - -rm -f ./$(DEPDIR)/libshadow_la-get_gid.Plo - -rm -f ./$(DEPDIR)/libshadow_la-get_pid.Plo - -rm -f ./$(DEPDIR)/libshadow_la-get_uid.Plo - -rm -f ./$(DEPDIR)/libshadow_la-getdef.Plo - -rm -f ./$(DEPDIR)/libshadow_la-getlong.Plo - -rm -f ./$(DEPDIR)/libshadow_la-getulong.Plo - -rm -f ./$(DEPDIR)/libshadow_la-groupio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-groupmem.Plo - -rm -f ./$(DEPDIR)/libshadow_la-gshadow.Plo - -rm -f ./$(DEPDIR)/libshadow_la-lockpw.Plo - -rm -f ./$(DEPDIR)/libshadow_la-nscd.Plo - -rm -f ./$(DEPDIR)/libshadow_la-port.Plo - -rm -f ./$(DEPDIR)/libshadow_la-pwauth.Plo - -rm -f ./$(DEPDIR)/libshadow_la-pwio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-pwmem.Plo - -rm -f ./$(DEPDIR)/libshadow_la-selinux.Plo - -rm -f ./$(DEPDIR)/libshadow_la-semanage.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgetgrent.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgetpwent.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgetspent.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgroupio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-shadow.Plo - -rm -f ./$(DEPDIR)/libshadow_la-shadowio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-shadowmem.Plo - -rm -f ./$(DEPDIR)/libshadow_la-spawn.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sssd.Plo - -rm -f ./$(DEPDIR)/libshadow_la-subordinateio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-tcbfuncs.Plo - -rm -f ./$(DEPDIR)/libshadow_la-utent.Plo + -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags 
@@ -965,39 +914,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -f ./$(DEPDIR)/libshadow_la-commonio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-encrypt.Plo - -rm -f ./$(DEPDIR)/libshadow_la-fields.Plo - -rm -f ./$(DEPDIR)/libshadow_la-fputsx.Plo - -rm -f ./$(DEPDIR)/libshadow_la-get_gid.Plo - -rm -f ./$(DEPDIR)/libshadow_la-get_pid.Plo - -rm -f ./$(DEPDIR)/libshadow_la-get_uid.Plo - -rm -f ./$(DEPDIR)/libshadow_la-getdef.Plo - -rm -f ./$(DEPDIR)/libshadow_la-getlong.Plo - -rm -f ./$(DEPDIR)/libshadow_la-getulong.Plo - -rm -f ./$(DEPDIR)/libshadow_la-groupio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-groupmem.Plo - -rm -f ./$(DEPDIR)/libshadow_la-gshadow.Plo - -rm -f ./$(DEPDIR)/libshadow_la-lockpw.Plo - -rm -f ./$(DEPDIR)/libshadow_la-nscd.Plo - -rm -f ./$(DEPDIR)/libshadow_la-port.Plo - -rm -f ./$(DEPDIR)/libshadow_la-pwauth.Plo - -rm -f ./$(DEPDIR)/libshadow_la-pwio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-pwmem.Plo - -rm -f ./$(DEPDIR)/libshadow_la-selinux.Plo - -rm -f ./$(DEPDIR)/libshadow_la-semanage.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgetgrent.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgetpwent.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgetspent.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sgroupio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-shadow.Plo - -rm -f ./$(DEPDIR)/libshadow_la-shadowio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-shadowmem.Plo - -rm -f ./$(DEPDIR)/libshadow_la-spawn.Plo - -rm -f ./$(DEPDIR)/libshadow_la-sssd.Plo - -rm -f ./$(DEPDIR)/libshadow_la-subordinateio.Plo - -rm -f ./$(DEPDIR)/libshadow_la-tcbfuncs.Plo - -rm -f ./$(DEPDIR)/libshadow_la-utent.Plo + -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic 
@@ -1018,16 +935,16 @@ uninstall-am: .MAKE: install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ - clean-generic clean-libtool clean-noinstLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am diff --git a/lib/commonio.c b/lib/commonio.c index 16fa7e75..cef404b9 100644 --- a/lib/commonio.c +++ b/lib/commonio.c @@ -144,7 +144,7 @@ static int do_lock_file (const char *file, const char *lock, bool log) fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600); if (-1 == fd) { if (log) { - (void) fprintf (stderr, + (void) fprintf (shadow_logfd, "%s: %s: %s\n", Prog, file, strerror (errno)); } 
@@ -156,8 +156,18 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 len = (ssize_t) strlen (buf) + 1;
 if (write (fd, buf, (size_t) len) != len) {
 if (log) {
- (void) fprintf (stderr,
- "%s: %s: %s\n",
+ (void) fprintf (shadow_logfd,
+ "%s: %s file write error: %s\n",
+ Prog, file, strerror (errno));
+ }
+ (void) close (fd);
+ unlink (file);
+ return 0;
+ }
+ if (fdatasync (fd) == -1) {
+ if (log) {
+ (void) fprintf (shadow_logfd,
+ "%s: %s file sync error: %s\n",
 Prog, file, strerror (errno));
 }
 (void) close (fd);
@@ -169,7 +179,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 if (link (file, lock) == 0) {
 retval = check_link_count (file);
 if ((0==retval) && log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: %s: lock file already used\n",
 Prog, file);
 }
@@ -180,7 +190,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 fd = open (lock, O_RDWR);
 if (-1 == fd) {
 if (log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: %s: %s\n",
 Prog, lock, strerror (errno));
 }
@@ -192,7 +202,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 close (fd);
 if (len <= 0) {
 if (log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: existing lock file %s without a PID\n",
 Prog, lock);
 }
@@ -203,7 +213,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 buf[len] = '\0';
 if (get_pid (buf, &pid) == 0) {
 if (log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: existing lock file %s with an invalid PID '%s'\n",
 Prog, lock, buf);
 }
@@ -213,7 +223,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 }
 if (kill (pid, 0) == 0) {
 if (log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: lock %s already used by PID %lu\n",
 Prog, lock, (unsigned long) pid);
 }
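Review bot: The new `fdatasync (fd)` call in do_lock_file carries no comment saying what it protects against, and the write-error branch added just above it calls `unlink (file)` with its result silently ignored while the `close` beside it is explicitly cast `(void)`. The PID written here is only ever read back by another local process (see the `read`/`get_pid` path in the hunks below), so the sync presumably buys crash consistency rather than lock correctness; that intent should be recorded, e.g. `/* make the PID durable before link(2) publishes it; a torn PID after a crash would leave a stale lock that nobody can validate */`. For consistency with the surrounding style the cleanup call should read `(void) unlink (file);` so the ignored return is visibly deliberate. do_lock_file begins before this hunk, and the tail of the new sync-failure branch after `(void) close (fd);` is outside it.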
@@ -223,7 +233,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 }
 if (unlink (lock) != 0) {
 if (log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: cannot get lock %s: %s\n",
 Prog, lock, strerror (errno));
 }
@@ -235,13 +245,13 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 if (link (file, lock) == 0) {
 retval = check_link_count (file);
 if ((0==retval) && log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: %s: lock file already used\n",
 Prog, file);
 }
 } else {
 if (log) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: cannot get lock %s: %s\n",
 Prog, lock, strerror (errno));
 }
@@ -326,8 +336,12 @@ static int create_backup (const char *backup, FILE * fp)
 /* FIXME: unlink the backup file? */
 return -1;
 }
- if ( (fsync (fileno (bkfp)) != 0)
- || (fclose (bkfp) != 0)) {
+ if (fsync (fileno (bkfp)) != 0) {
+ (void) fclose (bkfp);
+ /* FIXME: unlink the backup file? */
+ return -1;
+ }
+ if (fclose (bkfp) != 0) {
 /* FIXME: unlink the backup file? */
 return -1;
 }
@@ -432,7 +446,7 @@ int commonio_lock (struct commonio_db *db)
 if (0 == lock_count) {
 if (lckpwdf () == -1) {
 if (geteuid () != 0) {
- (void) fprintf (stderr,
+ (void) fprintf (shadow_logfd,
 "%s: Permission denied.\n",
 Prog);
 }
@@ -468,7 +482,7 @@ int commonio_lock (struct commonio_db *db)
 }
 /* no unnecessary retries on "permission denied" errors */
 if (geteuid () != 0) {
- (void) fprintf (stderr, "%s: Permission denied.\n",
+ (void) fprintf (shadow_logfd, "%s: Permission denied.\n",
 Prog);
 return 0;
 }
@@ -964,7 +978,7 @@ int commonio_close (struct commonio_db *db)
 snprintf (buf, sizeof buf, "%s-", db->filename);
 #ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
 errors++;
 }
 #endif
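Review bot: In commonio_close the SELinux creation context for the `%s-` backup is now looked up for `db->filename` with an explicit `S_IFREG`, not for the backup name held in `buf`, so `/etc/shadow-` presumably receives whatever label the policy assigns to `/etc/shadow` itself. That is very likely the intent (the backup holds the same hashes and must be protected the same way), but nothing in the hunk says so, and the identical call is repeated for the `%s+` temp file in the next hunk; if a policy deliberately labels the backup path differently, this now overrides it silently, which is worth confirming against the target policy. A one-line comment at both call sites would keep the reasoning attached to the code, e.g. `/* label the backup/temp file as the database it stands in for, not by its own name */`. commonio_close starts before this hunk and continues after it, and set_selinux_file_context's new signature lives in lib/selinux.c, which is in the diffstat but not shown here.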
@@ -997,7 +1011,7 @@ int commonio_close (struct commonio_db *db)
 snprintf (buf, sizeof buf, "%s+", db->filename);
 #ifdef WITH_SELINUX
- if (set_selinux_file_context (buf) != 0) {
+ if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
 errors++;
 }
 #endif
@@ -1099,7 +1113,7 @@ int commonio_update (struct commonio_db *db, const void *eptr)
 p = find_entry_by_name (db, db->ops->getname (eptr));
 if (NULL != p) {
 if (next_entry_by_name (db, p->next, db->ops->getname (eptr)) != NULL) {
- fprintf (stderr, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->getname (eptr), db->filename);
+ fprintf (shadow_logfd, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->getname (eptr), db->filename);
 db->ops->free (nentry);
 return 0;
 }
@@ -1204,7 +1218,7 @@ int commonio_remove (struct commonio_db *db, const char *name)
 return 0;
 }
 if (next_entry_by_name (db, p->next, name) != NULL) {
- fprintf (stderr, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), name, db->filename);
+ fprintf (shadow_logfd, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), name, db->filename);
 return 0;
 }
diff --git a/lib/commonio.h b/lib/commonio.h
index 64e83073..2bad47a5 100644
--- a/lib/commonio.h
+++ b/lib/commonio.h
@@ -34,10 +34,6 @@
 #ifndef COMMONIO_H
 #define COMMONIO_H
-#ifdef WITH_SELINUX
-#include <selinux/selinux.h>
-#endif
-
 #include "defines.h" /* bool */
 /*
@@ -121,7 +117,7 @@ struct commonio_db {
 /*@dependent@*/ /*@null@*/FILE *fp;
 #ifdef WITH_SELINUX
- /*@null@*/security_context_t scontext;
+ /*@null@*/char *scontext;
 #endif
 /*
 * Default permissions and owner for newly created data file.
diff --git a/lib/defines.h b/lib/defines.h
index 2fb1b56e..e1500a76 100644
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -4,6 +4,8 @@
 #ifndef _DEFINES_H_
 #define _DEFINES_H_
+#include "config.h"
+
 #if HAVE_STDBOOL_H
 # include <stdbool.h>
 #else
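Review bot: The `scontext` member of struct commonio_db becomes a bare `char *` here, which drops the only hint (the old `security_context_t` typedef) that this is presumably a libselinux-allocated string rather than something a caller may `free()` or point at a literal, and the struct carries no comment about who sets or releases it. Now that `<selinux/selinux.h>` is no longer pulled in by this header, a one-line comment on the member is the cheapest way to keep that ownership information visible, e.g. `/* SELinux file-creation context saved for this db; libselinux string (formerly security_context_t) -- confirm who owns and frees it */`. The struct commonio_db definition starts before this hunk and continues after it.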
@@ -94,6 +96,14 @@ char *strchr (), *strrchr (), *strtok (); # include <unistd.h> #endif +/* + * crypt(3), crypt_gensalt(3), and their + * feature test macros may be defined in here. + */ +#if HAVE_CRYPT_H +# include <crypt.h> +#endif + #if TIME_WITH_SYS_TIME # include <sys/time.h> # include <time.h> diff --git a/lib/encrypt.c b/lib/encrypt.c index 4247f241..66c52f2d 100644 --- a/lib/encrypt.c +++ b/lib/encrypt.c @@ -74,6 +74,9 @@ case '6': method = "SHA512"; break; + case 'y': + method = "YESCRYPT"; + break; default: { static char nummethod[4] = "$x$"; @@ -81,7 +84,7 @@ method = &nummethod[0]; } } - (void) fprintf (stderr, + (void) fprintf (shadow_logfd, _("crypt method not supported by libcrypt? (%s)\n"), method); exit (EXIT_FAILURE); diff --git a/lib/getdef.c b/lib/getdef.c index 00f6abfe..80eb18c4 100644 --- a/lib/getdef.c +++ b/lib/getdef.c @@ -61,6 +61,7 @@ struct itemdef { {"ENV_TZ", NULL}, \ {"FAILLOG_ENAB", NULL}, \ {"FTMP_FILE", NULL}, \ + {"HMAC_CRYPTO_ALGO", NULL}, \ {"ISSUE_FILE", NULL}, \ {"LASTLOG_ENAB", NULL}, \ {"LOGIN_STRING", NULL}, \ @@ -77,6 +78,16 @@ struct itemdef { {"SU_WHEEL_ONLY", NULL}, \ {"ULIMIT", NULL}, +/* + * Items used in other tools (util-linux, etc.) + */ +#define FOREIGNDEFS \ + {"ALWAYS_SET_PATH", NULL}, \ + {"ENV_ROOTPATH", NULL}, \ + {"LOGIN_KEEP_USERNAME", NULL}, \ + {"LOGIN_PLAIN_PROMPT", NULL}, \ + {"MOTD_FIRSTONLY", NULL}, \ + #define NUMDEFS (sizeof(def_table)/sizeof(def_table[0])) static struct itemdef def_table[] = { @@ -105,6 +116,7 @@ static struct itemdef def_table[] = { {"MAIL_FILE", NULL}, {"MAX_MEMBERS_PER_GROUP", NULL}, {"MD5_CRYPT_ENAB", NULL}, + {"NONEXISTENT", NULL}, {"PASS_MAX_DAYS", NULL}, {"PASS_MIN_DAYS", NULL}, {"PASS_WARN_AGE", NULL}, @@ -116,6 +128,9 @@ static struct itemdef def_table[] = { {"BCRYPT_MAX_ROUNDS", NULL}, {"BCRYPT_MIN_ROUNDS", NULL}, #endif +#ifdef USE_YESCRYPT + {"YESCRYPT_COST_FACTOR", NULL}, +#endif {"SUB_GID_COUNT", NULL}, {"SUB_GID_MAX", NULL}, {"SUB_GID_MIN", NULL}, 
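Review bot: The `FOREIGNDEFS` macro in the getdef.c hunk ends with `{"MOTD_FIRSTONLY", NULL}, \` followed by an empty added line, so the macro is terminated only by that blank line; writing the last entry as `{"MOTD_FIRSTONLY", NULL},` without the continuation makes the macro end where it visibly ends and survives a later whitespace cleanup. The comment above it says the items are used by other tools, and as far as the visible hunks show they are added only to `knowndef_table`, so the intent is presumably to accept them in a login.defs shared with util-linux without serving them through `getdef_*`; saying so, e.g. `/* Accepted so a shared login.defs does not trigger the unknown-item warning; not consulted by shadow. */`, would spare the next reader the guess.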
@@ -149,6 +164,8 @@ static struct itemdef def_table[] = { {"USE_TCB", NULL}, #endif {"FORCE_SHADOW", NULL}, + {"GRANT_AUX_GROUP_SUBIDS", NULL}, + {"PREVENT_NO_AUTH", NULL}, {NULL, NULL} }; @@ -157,6 +174,7 @@ static struct itemdef knowndef_table[] = { #ifdef USE_PAM PAMDEFS #endif + FOREIGNDEFS {NULL, NULL} }; @@ -249,7 +267,7 @@ int getdef_num (const char *item, int dflt) if ( (getlong (d->value, &val) == 0) || (val > INT_MAX) || (val < INT_MIN)) { - fprintf (stderr, + fprintf (shadow_logfd, _("configuration error - cannot parse %s value: '%s'"), item, d->value); return dflt; @@ -284,7 +302,7 @@ unsigned int getdef_unum (const char *item, unsigned int dflt) if ( (getlong (d->value, &val) == 0) || (val < 0) || (val > INT_MAX)) { - fprintf (stderr, + fprintf (shadow_logfd, _("configuration error - cannot parse %s value: '%s'"), item, d->value); return dflt; @@ -317,7 +335,7 @@ long getdef_long (const char *item, long dflt) } if (getlong (d->value, &val) == 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("configuration error - cannot parse %s value: '%s'"), item, d->value); return dflt; @@ -350,7 +368,7 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt) if (getulong (d->value, &val) == 0) { /* FIXME: we should have a getulong */ - fprintf (stderr, + fprintf (shadow_logfd, _("configuration error - cannot parse %s value: '%s'"), item, d->value); return dflt; @@ -388,7 +406,7 @@ int putdef_str (const char *name, const char *value) cp = strdup (value); if (NULL == cp) { (void) fputs (_("Could not allocate space for config info.\n"), - stderr); + shadow_logfd); SYSLOG ((LOG_ERR, "could not allocate space for config info")); return -1; } @@ -413,7 +431,6 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name) { struct itemdef *ptr; - /* * Search into the table. */ 
@@ -433,7 +450,7 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name) goto out; } } - fprintf (stderr, + fprintf (shadow_logfd, _("configuration error - unknown item '%s' (notify administrator)\n"), name); SYSLOG ((LOG_CRIT, "unknown configuration item `%s'", name)); diff --git a/lib/groupmem.c b/lib/groupmem.c index 1fd1c135..2060d03b 100644 --- a/lib/groupmem.c +++ b/lib/groupmem.c @@ -87,20 +87,55 @@ return gr; } -void gr_free (/*@out@*/ /*@only@*/struct group *grent) +void gr_free_members (struct group *grent) { - free (grent->gr_name); - if (NULL != grent->gr_passwd) { - memzero (grent->gr_passwd, strlen (grent->gr_passwd)); - free (grent->gr_passwd); - } if (NULL != grent->gr_mem) { size_t i; for (i = 0; NULL != grent->gr_mem[i]; i++) { free (grent->gr_mem[i]); } free (grent->gr_mem); + grent->gr_mem = NULL; } +} + +void gr_free (/*@out@*/ /*@only@*/struct group *grent) +{ + free (grent->gr_name); + if (NULL != grent->gr_passwd) { + memzero (grent->gr_passwd, strlen (grent->gr_passwd)); + free (grent->gr_passwd); + } + gr_free_members(grent); free (grent); } +bool gr_append_member(struct group *grp, char *member) +{ + int i; + + if (NULL == grp->gr_mem || grp->gr_mem[0] == NULL) { + grp->gr_mem = (char **)malloc(2 * sizeof(char *)); + if (!grp->gr_mem) { + return false; + } + grp->gr_mem[0] = strdup(member); + if (!grp->gr_mem[0]) { + return false; + } + grp->gr_mem[1] = NULL; + return true; + } + + for (i = 0; grp->gr_mem[i]; i++) ; + grp->gr_mem = realloc(grp->gr_mem, (i + 2) * sizeof(char *)); + if (NULL == grp->gr_mem) { + return false; + } + grp->gr_mem[i] = strdup(member); + if (NULL == grp->gr_mem[i]) { + return false; + } + grp->gr_mem[i + 1] = NULL; + return true; +} 
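Review bot: `gr_append_member` assigns `grp->gr_mem = realloc(grp->gr_mem, ...)` directly, so on allocation failure the original member array is leaked and the caller's group is left with `gr_mem == NULL`, i.e. every existing member is silently dropped; the result must go through a temporary. The first branch also re-allocates when `gr_mem` is non-NULL but empty (`gr_mem[0] == NULL`), leaking the existing array, although the realloc path already handles that case with `i == 0`; since `realloc(NULL, n)` behaves as malloc, both branches collapse into one, as in the rewrite below. Smaller points: `member` is only passed to strdup and could be `const char *`, the `(char **)` cast on malloc is unnecessary in C, and `i` is a count that would conventionally be `size_t`. Resetting `gr_mem` to NULL in gr_free_members is a good change.
```c
bool gr_append_member(struct group *grp, char *member)
{
	int i = 0;
	char **tmp;

	if (NULL != grp->gr_mem) {
		for (; grp->gr_mem[i]; i++) ;
	}
	/* realloc(NULL, n) acts as malloc, so one path covers the empty case;
	 * on failure grp->gr_mem and its members are left intact. */
	tmp = realloc(grp->gr_mem, (i + 2) * sizeof(char *));
	if (NULL == tmp) {
		return false;
	}
	grp->gr_mem = tmp;
	grp->gr_mem[i] = strdup(member);
	if (NULL == grp->gr_mem[i]) {
		return false;
	}
	grp->gr_mem[i + 1] = NULL;
	return true;
}
```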
@@ -25,13 +25,13 @@ int nscd_flush_cache (const char *service) if (run_command (cmd, spawnedArgs, spawnedEnv, &status) != 0) { /* run_command writes its own more detailed message. */ - (void) fprintf (stderr, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog); + (void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog); return -1; } code = WEXITSTATUS (status); if (!WIFEXITED (status)) { - (void) fprintf (stderr, + (void) fprintf (shadow_logfd, _("%s: nscd did not terminate normally (signal %d)\n"), Prog, WTERMSIG (status)); return -1; @@ -43,9 +43,9 @@ int nscd_flush_cache (const char *service) /* nscd is installed, but it isn't active. */ return 0; } else if (code != 0) { - (void) fprintf (stderr, _("%s: nscd exited with status %d\n"), + (void) fprintf (shadow_logfd, _("%s: nscd exited with status %d\n"), Prog, code); - (void) fprintf (stderr, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog); + (void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog); return -1; } diff --git a/lib/nss.c b/lib/nss.c new file mode 100644 index 00000000..7c082758 --- /dev/null +++ b/lib/nss.c 
@@ -0,0 +1,149 @@ +#include <stdio.h> +#include <stdlib.h> +#include <dlfcn.h> +#include <stdbool.h> +#include <string.h> +#include <strings.h> +#include <ctype.h> +#include <stdatomic.h> +#include "prototypes.h" +#include "../libsubid/subid.h" + +#define NSSWITCH "/etc/nsswitch.conf" + +// NSS plugin handling for subids +// If nsswitch has a line like +// subid: sssd +// then sssd will be consulted for subids. Unlike normal NSS dbs, +// only one db is supported at a time. That's open to debate, but +// the subids are a pretty limited resource, and local files seem +// bound to step on any other allocations leading to insecure +// conditions. +static atomic_flag nss_init_started; +static atomic_bool nss_init_completed; + +static struct subid_nss_ops *subid_nss; + +bool nss_is_initialized() { + return atomic_load(&nss_init_completed); +} + +void nss_exit() { + if (nss_is_initialized() && subid_nss) { + dlclose(subid_nss->handle); + free(subid_nss); + subid_nss = NULL; + } +} + +// nsswitch_path is an argument only to support testing. 
+void nss_init(char *nsswitch_path) { + FILE *nssfp = NULL; + char *line = NULL, *p, *token, *saveptr; + size_t len = 0; + + if (atomic_flag_test_and_set(&nss_init_started)) { + // Another thread has started nss_init, wait for it to complete + while (!atomic_load(&nss_init_completed)) + usleep(100); + return; + } + + if (!nsswitch_path) + nsswitch_path = NSSWITCH; + + // read nsswitch.conf to check for a line like: + // subid: files + nssfp = fopen(nsswitch_path, "r"); + if (!nssfp) { + fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path); + atomic_store(&nss_init_completed, true); + return; + } + while ((getline(&line, &len, nssfp)) != -1) { + if (line[0] == '\0' || line[0] == '#') + continue; + if (strlen(line) < 8) + continue; + if (strncasecmp(line, "subid:", 6) != 0) + continue; + p = &line[6]; + while ((*p) && isspace(*p)) + p++; + if (!*p) + continue; + for (token = strtok_r(p, " \n\t", &saveptr); + token; + token = strtok_r(NULL, " \n\t", &saveptr)) { + char libname[65]; + void *h; + if (strcmp(token, "files") == 0) { + subid_nss = NULL; + goto done; + } + if (strlen(token) > 50) { + fprintf(shadow_logfd, "Subid NSS module name too long (longer than 50 characters): %s\n", token); + fprintf(shadow_logfd, "Using files\n"); + subid_nss = NULL; + goto done; + } + snprintf(libname, 64, "libsubid_%s.so", token); + h = dlopen(libname, RTLD_LAZY); + if (!h) { + fprintf(shadow_logfd, "Error opening %s: %s\n", libname, dlerror()); + fprintf(shadow_logfd, "Using files\n"); + subid_nss = NULL; + goto done; + } + subid_nss = malloc(sizeof(*subid_nss)); + if (!subid_nss) { + dlclose(h); + goto done; + } + subid_nss->has_range = dlsym(h, "shadow_subid_has_range"); + if (!subid_nss->has_range) { + fprintf(shadow_logfd, "%s did not provide @has_range@\n", libname); + dlclose(h); + free(subid_nss); + subid_nss = NULL; + goto done; + } + subid_nss->list_owner_ranges = dlsym(h, "shadow_subid_list_owner_ranges"); + if (!subid_nss->list_owner_ranges) { + 
fprintf(shadow_logfd, "%s did not provide @list_owner_ranges@\n", libname); + dlclose(h); + free(subid_nss); + subid_nss = NULL; + goto done; + } + subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners"); + if (!subid_nss->find_subid_owners) { + fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname); + dlclose(h); + free(subid_nss); + subid_nss = NULL; + goto done; + } + subid_nss->handle = h; + goto done; + } + fprintf(shadow_logfd, "No usable subid NSS module found, using files\n"); + // subid_nss has to be null here, but to ease reviews: + free(subid_nss); + subid_nss = NULL; + goto done; + } + +done: + atomic_store(&nss_init_completed, true); + free(line); + if (nssfp) { + atexit(nss_exit); + fclose(nssfp); + } +} + +struct subid_nss_ops *get_subid_nss_handle() { + nss_init(NULL); + return subid_nss; +} diff --git a/lib/prototypes.h b/lib/prototypes.h index 22603b98..1d1586d4 100644 --- a/lib/prototypes.h +++ b/lib/prototypes.h @@ -59,7 +59,8 @@ #include "defines.h" #include "commonio.h" -extern /*@observer@*/ const char *Prog; +extern /*@observer@*/ const char *Prog; /* Program name showed in error messages */ +extern FILE *shadow_logfd; /* file descripter to which error messages are printed */ /* addgrps.c */ #if defined (HAVE_SETGROUPS) && ! defined (USE_PAM) @@ -161,12 +162,10 @@ extern int find_new_uid (bool sys_user, #ifdef ENABLE_SUBIDS /* find_new_sub_gids.c */ -extern int find_new_sub_gids (const char *owner, - gid_t *range_start, unsigned long *range_count); +extern int find_new_sub_gids (gid_t *range_start, unsigned long *range_count); /* find_new_sub_uids.c */ -extern int find_new_sub_uids (const char *owner, - uid_t *range_start, unsigned long *range_count); +extern int find_new_sub_uids (uid_t *range_start, unsigned long *range_count); #endif /* ENABLE_SUBIDS */ 
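Review bot: In nss_init the module name token read from nsswitch.conf is only length-checked before `snprintf(libname, 64, "libsubid_%s.so", token)` and `dlopen(libname, RTLD_LAZY)`; a token containing `/` turns the bare soname into a path lookup, so restricting the token to `[A-Za-z0-9_-]` with a short `isalnum`/`strchr` loop before the snprintf keeps the loader's search to its normal library directories. nsswitch.conf is normally root-owned, so this is hardening of the parser rather than a privilege boundary, but it is cheap. Two smaller points in the same function: `char libname[65]` is formatted with a hard-coded `64`, which should be `sizeof libname`, and `"Failed opening %s: %m"` lacks the trailing `\n` that every other message in the function has and uses the glibc-only `%m`. Every failure path (unreadable nsswitch.conf, over-long name, failed dlopen, missing symbol) logs and then falls back to local files; a comment stating that this fail-open is intended would help readers who configure `subid: sssd` expecting the local files to be ignored.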
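Review bot: The comment on the new `shadow_logfd` declaration, `/* file descripter to which error messages are printed */`, misspells descriptor and describes a `FILE *` as a descriptor; suggest `/* stdio stream to which error messages are written */`. The comment added on the `Prog` line in the same hunk should read `/* Program name shown in error messages */`.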
@@ -208,7 +207,9 @@ extern void __gr_set_changed (void); /* groupmem.c */ extern /*@null@*/ /*@only@*/struct group *__gr_dup (const struct group *grent); +extern void gr_free_members (struct group *grent); extern void gr_free (/*@out@*/ /*@only@*/struct group *grent); +extern bool gr_append_member (struct group *grp, char *member); /* hushed.c */ extern bool hushed (const char *username); 
@@ -262,6 +263,62 @@ extern void motd (void); /* myname.c */ extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void); +/* nss.c */ +#include <libsubid/subid.h> +extern void nss_init(char *nsswitch_path); +extern bool nss_is_initialized(); + +struct subid_nss_ops { + /* + * nss_has_range: does a user own a given subid range + * + * @owner: username + * @start: first subid in queried range + * @count: number of subids in queried range + * @idtype: subuid or subgid + * @result: true if @owner has been allocated the subid range. + * + * returns success if the module was able to determine an answer (true or false), + * else an error status. + */ + enum subid_status (*has_range)(const char *owner, unsigned long start, unsigned long count, enum subid_type idtype, bool *result); + + /* + * nss_list_owner_ranges: list the subid ranges delegated to a user. + * + * @owner - string representing username being queried + * @id_type - subuid or subgid + * @ranges - pointer to an array of struct subid_range, or NULL. The + * returned array must be freed by the caller. + * @count - pointer to an integer into which the number of returned ranges + * is written. + + * returns success if the module was able to determine an answer, + * else an error status. + */ + enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count); + + /* + * nss_find_subid_owners: find uids who own a given subuid or subgid. + * + * @id - the delegated id (subuid or subgid) being queried + * @id_type - subuid or subgid + * @uids - pointer to an array of uids which will be allocated by + * nss_find_subid_owners() + * @count - number of uids found + * + * returns success if the module was able to determine an answer, + * else an error status. 
+ */ + enum subid_status (*find_subid_owners)(unsigned long id, enum subid_type id_type, uid_t **uids, int *count); + + /* The dlsym handle to close */ + void *handle; +}; + +extern struct subid_nss_ops *get_subid_nss_handle(); + + /* pam_pass_non_interactive.c */ #ifdef USE_PAM extern int do_pam_passwd_non_interactive (const char *pam_service, @@ -334,7 +391,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const /* selinux.c */ #ifdef WITH_SELINUX -extern int set_selinux_file_context (const char *dst_name); +extern int set_selinux_file_context (const char *dst_name, mode_t mode); extern int reset_selinux_file_context (void); extern int check_selinux_permit (const char *perm_name); #endif @@ -448,6 +505,7 @@ extern bool valid (const char *, const struct passwd *); extern /*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/char *xmalloc (size_t size) /*@ensures MaxSet(result) == (size - 1); @*/; extern /*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *); +extern void xfree(void *ap); /* xgetpwnam.c */ extern /*@null@*/ /*@only@*/struct passwd *xgetpwnam (const char *); diff --git a/lib/run_part.c b/lib/run_part.c new file mode 100644 index 00000000..03d1d675 --- /dev/null +++ b/lib/run_part.c 
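Review bot: `nss_exit` is defined without `static` in nss.c and is reached only through `atexit`, yet this hunk declares `nss_init`, `nss_is_initialized` and `get_subid_nss_handle` but not `nss_exit`; either declare it here or make it `static` in nss.c so the external symbol has a prototype. The three declarations use empty parentheses (`extern bool nss_is_initialized();`), which in C11 is an unprototyped declaration, whereas the rest of this header writes `(void)` (e.g. `extern int reset_selinux_file_context (void);`). The `#include <libsubid/subid.h>` sits in the middle of the header and uses angle brackets while nss.c and subordinateio.c include the same header as `"../libsubid/subid.h"`; one form should be used. In the `list_owner_ranges` comment the blank line before `* returns success` has lost its leading `*`.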
@@ -0,0 +1,102 @@ +#include <dirent.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <unistd.h> +#include <lib/prototypes.h> + +int run_part (char *script_path, char *name, char *action) +{ + int pid; + int wait_status; + int pid_status; + char *args[] = { script_path, NULL }; + + pid=fork(); + if (pid==-1){ + perror ("Could not fork"); + return 1; + } + if (pid==0) { + setenv ("ACTION",action,1); + setenv ("SUBJECT",name,1); + execv (script_path,args); + perror ("execv"); + exit(1); + } + + pid_status = wait (&wait_status); + if (pid_status == pid) { + return (wait_status); + } + + perror ("waitpid"); + return (1); +} + +int run_parts (char *directory, char *name, char *action) +{ + struct dirent **namelist; + int scanlist; + int n; + int execute_result; + + scanlist = scandir (directory, &namelist, 0, alphasort); + if (scanlist<0) { + return (0); + } + + for (n=0; n<scanlist; n++) { + int path_length; + struct stat sb; + + path_length=strlen(directory) + strlen(namelist[n]->d_name) + 2; + char *s = (char*)malloc(path_length); + if (!s) { + printf ("could not allocate memory\n"); + for (; n<scanlist; n++) { + free (namelist[n]); + } + free (namelist); + return (1); + } + snprintf (s, path_length, "%s/%s", directory, namelist[n]->d_name); + + execute_result = 0; + if (stat (s, &sb) == -1) { + perror ("stat"); + free (s); + for (; n<scanlist; n++) { + free (namelist[n]); + } + free (namelist); + return (1); + } + + if (S_ISREG (sb.st_mode) || S_ISLNK (sb.st_mode)) { + execute_result = run_part (s, name, action); + } + + free (s); + + if (execute_result!=0) { + fprintf (shadow_logfd, + "%s: did not exit cleanly.\n", + namelist[n]->d_name); + for (; n<scanlist; n++) { + free (namelist[n]); + } + break; + } + + free (namelist[n]); + } + free (namelist); + + return (execute_result); +} + 
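Review bot: In run_part the child is reaped with `wait (&wait_status)`, which returns the first child to exit; if the caller has any other child outstanding, the status compared against `pid` belongs to that child, `perror ("waitpid")` then reports a stale errno and the hook is still running, so `waitpid (pid, &wait_status, 0)` should be used. In run_parts `execute_result` is declared without an initializer and returned after the loop, which reads an indeterminate value when `scandir` returns 0 entries. The `S_ISLNK (sb.st_mode)` test can never be true after `stat`, which follows symlinks; either drop it or use `lstat` if links are meant to be recognised. Since these hooks run as whatever user runs the tool (typically root) with the inherited environment, the `stat` result is also the place to reject entries not owned by root or writable by others (`sb.st_uid != 0 || (sb.st_mode & S_IWOTH)`), as run-parts implementations commonly do, and `printf ("could not allocate memory\n")` should go to `shadow_logfd` like the other diagnostics.
```c
int run_part (char *script_path, char *name, char *action)
{
	pid_t pid;
	int wait_status;
	char *args[] = { script_path, NULL };

	/* … unchanged: fork, child setenv/execv/exit … */

	/* Reap this child specifically; wait() may return a sibling's status. */
	if (waitpid (pid, &wait_status, 0) != pid) {
		perror ("waitpid");
		return 1;
	}
	return wait_status;
}

int run_parts (char *directory, char *name, char *action)
{
	struct dirent **namelist;
	int scanlist;
	int n;
	int execute_result = 0;	/* returned after the loop even when the directory is empty */

	/* … unchanged: scandir and per-entry loop … */
}
```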
diff --git a/lib/run_part.h b/lib/run_part.h new file mode 100644 index 00000000..d3d80663 --- /dev/null +++ b/lib/run_part.h @@ -0,0 +1,2 @@ +int run_part (char *script_path, char *name, char *action); +int run_parts (char *directory, char *name, char *action); diff --git a/lib/selinux.c b/lib/selinux.c index 8cc444f0..c83545f9 100644 --- a/lib/selinux.c +++ b/lib/selinux.c @@ -35,11 +35,20 @@ #include "defines.h" #include <selinux/selinux.h> -#include <selinux/context.h> +#include <selinux/label.h> #include "prototypes.h" static bool selinux_checked = false; static bool selinux_enabled; +static /*@null@*/struct selabel_handle *selabel_hnd = NULL; + +static void cleanup(void) +{ + if (selabel_hnd) { + selabel_close(selabel_hnd); + selabel_hnd = NULL; + } +} /* * set_selinux_file_context - Set the security context before any file or @@ -51,10 +60,8 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context */ -int set_selinux_file_context (const char *dst_name) +int set_selinux_file_context (const char *dst_name, mode_t mode) { - /*@null@*/security_context_t scontext = NULL; - if (!selinux_checked) { selinux_enabled = is_selinux_enabled () > 0; selinux_checked = true; 
@@ -62,18 +69,34 @@ int set_selinux_file_context (const char *dst_name) if (selinux_enabled) { /* Get the default security context for this file */ - if (matchpathcon (dst_name, 0, &scontext) < 0) { - if (security_getenforce () != 0) { - return 1; + + /*@null@*/char *fcontext_raw = NULL; + int r; + + if (selabel_hnd == NULL) { + selabel_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (selabel_hnd == NULL) { + return security_getenforce () != 0; } + (void) atexit(cleanup); } - /* Set the security context for the next created file */ - if (setfscreatecon (scontext) < 0) { - if (security_getenforce () != 0) { - return 1; + + r = selabel_lookup_raw(selabel_hnd, &fcontext_raw, dst_name, mode); + if (r < 0) { + /* No context specified for the searched path */ + if (errno == ENOENT) { + return 0; } + + return security_getenforce () != 0; + } + + /* Set the security context for the next created file */ + r = setfscreatecon_raw (fcontext_raw); + freecon (fcontext_raw); + if (r < 0) { + return security_getenforce () != 0; } - freecon (scontext); } return 0; } @@ -92,8 +115,8 @@ int reset_selinux_file_context (void) selinux_checked = true; } if (selinux_enabled) { - if (setfscreatecon (NULL) != 0) { - return 1; + if (setfscreatecon_raw (NULL) != 0) { + return security_getenforce () != 0; } } return 0; @@ -131,7 +154,7 @@ static int selinux_log_cb (int type, const char *fmt, ...) { && (errno != EAFNOSUPPORT)) { (void) fputs (_("Cannot open audit interface.\n"), - stderr); + shadow_logfd); SYSLOG ((LOG_WARN, "Cannot open audit interface.")); } } @@ -174,7 +197,7 @@ skip_syslog: */ int check_selinux_permit (const char *perm_name) { - char *user_context_str; + char *user_context_raw; int r; if (0 == is_selinux_enabled ()) { 
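Review bot: The new `mode` parameter is not described in set_selinux_file_context's header comment, which begins just above this hunk; it is forwarded to `selabel_lookup_raw` as the file-type bits (commonio.c passes `S_IFREG`), so add e.g. ` * @mode: file type bits (S_IFREG, S_IFDIR, ...) of the object about to be created, used to pick the matching file_contexts entry`. On the `errno == ENOENT` path the function returns 0 without calling `setfscreatecon_raw`, so whatever creation context a previous call installed stays in effect unless the caller reset it; a comment saying the default labelling is deliberately left alone there (or an explicit `setfscreatecon_raw (NULL)`) would make that choice visible. Both this function and `reset_selinux_file_context` now report failure only via `security_getenforce () != 0`, which also yields 1 when getenforce itself fails, i.e. fail-closed; worth a line in the comment.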
@@ -183,8 +206,8 @@ int check_selinux_permit (const char *perm_name) selinux_set_callback (SELINUX_CB_LOG, (union selinux_callback) selinux_log_cb); - if (getprevcon (&user_context_str) != 0) { - fprintf (stderr, + if (getprevcon_raw (&user_context_raw) != 0) { + fprintf (shadow_logfd, _("%s: can not get previous SELinux process context: %s\n"), Prog, strerror (errno)); SYSLOG ((LOG_WARN, @@ -193,8 +216,8 @@ int check_selinux_permit (const char *perm_name) return (security_getenforce () != 0); } - r = selinux_check_access (user_context_str, user_context_str, "passwd", perm_name, NULL); - freecon (user_context_str); + r = selinux_check_access (user_context_raw, user_context_raw, "passwd", perm_name, NULL); + freecon (user_context_raw); return r; } diff --git a/lib/semanage.c b/lib/semanage.c index e983f5f7..766ad6d0 100644 --- a/lib/semanage.c +++ b/lib/semanage.c @@ -69,7 +69,7 @@ static void semanage_error_callback (unused void *varg, switch (semanage_msg_get_level (handle)) { case SEMANAGE_MSG_ERR: case SEMANAGE_MSG_WARN: - fprintf (stderr, _("[libsemanage]: %s\n"), message); + fprintf (shadow_logfd, _("[libsemanage]: %s\n"), message); break; case SEMANAGE_MSG_INFO: /* nop */ @@ -87,7 +87,7 @@ static semanage_handle_t *semanage_init (void) handle = semanage_handle_create (); if (NULL == handle) { - fprintf (stderr, + fprintf (shadow_logfd, _("Cannot create SELinux management handle\n")); return NULL; } 
@@ -96,26 +96,26 @@ static semanage_handle_t *semanage_init (void) ret = semanage_is_managed (handle); if (ret != 1) { - fprintf (stderr, _("SELinux policy not managed\n")); + fprintf (shadow_logfd, _("SELinux policy not managed\n")); goto fail; } ret = semanage_access_check (handle); if (ret < SEMANAGE_CAN_READ) { - fprintf (stderr, _("Cannot read SELinux policy store\n")); + fprintf (shadow_logfd, _("Cannot read SELinux policy store\n")); goto fail; } ret = semanage_connect (handle); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Cannot establish SELinux management connection\n")); goto fail; } ret = semanage_begin_transaction (handle); if (ret != 0) { - fprintf (stderr, _("Cannot begin SELinux transaction\n")); + fprintf (shadow_logfd, _("Cannot begin SELinux transaction\n")); goto fail; } @@ -137,7 +137,7 @@ static int semanage_user_mod (semanage_handle_t *handle, semanage_seuser_query (handle, key, &seuser); if (NULL == seuser) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not query seuser for %s\n"), login_name); ret = 1; goto done; @@ -145,7 +145,7 @@ static int semanage_user_mod (semanage_handle_t *handle, ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not set serange for %s\n"), login_name); ret = 1; goto done; @@ -153,7 +153,7 @@ static int semanage_user_mod (semanage_handle_t *handle, ret = semanage_seuser_set_sename (handle, seuser, seuser_name); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not set sename for %s\n"), login_name); ret = 1; @@ -162,7 +162,7 @@ static int semanage_user_mod (semanage_handle_t *handle, ret = semanage_seuser_modify_local (handle, key, seuser); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not modify login mapping for %s\n"), login_name); ret = 1; 
@@ -186,7 +186,7 @@ static int semanage_user_add (semanage_handle_t *handle, ret = semanage_seuser_create (handle, &seuser); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Cannot create SELinux login mapping for %s\n"), login_name); ret = 1; @@ -195,14 +195,14 @@ static int semanage_user_add (semanage_handle_t *handle, ret = semanage_seuser_set_name (handle, seuser, login_name); if (ret != 0) { - fprintf (stderr, _("Could not set name for %s\n"), login_name); + fprintf (shadow_logfd, _("Could not set name for %s\n"), login_name); ret = 1; goto done; } ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not set serange for %s\n"), login_name); ret = 1; @@ -211,7 +211,7 @@ static int semanage_user_add (semanage_handle_t *handle, ret = semanage_seuser_set_sename (handle, seuser, seuser_name); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not set SELinux user for %s\n"), login_name); ret = 1; @@ -220,7 +220,7 @@ static int semanage_user_add (semanage_handle_t *handle, ret = semanage_seuser_modify_local (handle, key, seuser); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not add login mapping for %s\n"), login_name); ret = 1; 
@@ -248,21 +248,21 @@ int set_seuser (const char *login_name, const char *seuser_name) handle = semanage_init (); if (NULL == handle) { - fprintf (stderr, _("Cannot init SELinux management\n")); + fprintf (shadow_logfd, _("Cannot init SELinux management\n")); ret = 1; goto done; } ret = semanage_seuser_key_create (handle, login_name, &key); if (ret != 0) { - fprintf (stderr, _("Cannot create SELinux user key\n")); + fprintf (shadow_logfd, _("Cannot create SELinux user key\n")); ret = 1; goto done; } ret = semanage_seuser_exists (handle, key, &seuser_exists); if (ret < 0) { - fprintf (stderr, _("Cannot verify the SELinux user\n")); + fprintf (shadow_logfd, _("Cannot verify the SELinux user\n")); ret = 1; goto done; } @@ -270,7 +270,7 @@ int set_seuser (const char *login_name, const char *seuser_name) if (0 != seuser_exists) { ret = semanage_user_mod (handle, key, login_name, seuser_name); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Cannot modify SELinux user mapping\n")); ret = 1; goto done; @@ -278,7 +278,7 @@ int set_seuser (const char *login_name, const char *seuser_name) } else { ret = semanage_user_add (handle, key, login_name, seuser_name); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Cannot add SELinux user mapping\n")); ret = 1; goto done; @@ -287,7 +287,7 @@ int set_seuser (const char *login_name, const char *seuser_name) ret = semanage_commit (handle); if (ret < 0) { - fprintf (stderr, _("Cannot commit SELinux transaction\n")); + fprintf (shadow_logfd, _("Cannot commit SELinux transaction\n")); ret = 1; goto done; } 
@@ -310,27 +310,27 @@ int del_seuser (const char *login_name) handle = semanage_init (); if (NULL == handle) { - fprintf (stderr, _("Cannot init SELinux management\n")); + fprintf (shadow_logfd, _("Cannot init SELinux management\n")); ret = 1; goto done; } ret = semanage_seuser_key_create (handle, login_name, &key); if (ret != 0) { - fprintf (stderr, _("Cannot create SELinux user key\n")); + fprintf (shadow_logfd, _("Cannot create SELinux user key\n")); ret = 1; goto done; } ret = semanage_seuser_exists (handle, key, &exists); if (ret < 0) { - fprintf (stderr, _("Cannot verify the SELinux user\n")); + fprintf (shadow_logfd, _("Cannot verify the SELinux user\n")); ret = 1; goto done; } if (0 == exists) { - fprintf (stderr, + fprintf (shadow_logfd, _("Login mapping for %s is not defined, OK if default mapping was used\n"), login_name); ret = 0; /* probably default mapping */ @@ -339,13 +339,13 @@ int del_seuser (const char *login_name) ret = semanage_seuser_exists_local (handle, key, &exists); if (ret < 0) { - fprintf (stderr, _("Cannot verify the SELinux user\n")); + fprintf (shadow_logfd, _("Cannot verify the SELinux user\n")); ret = 1; goto done; } if (0 == exists) { - fprintf (stderr, + fprintf (shadow_logfd, _("Login mapping for %s is defined in policy, cannot be deleted\n"), login_name); ret = 0; /* Login mapping defined in policy can't be deleted */ @@ -354,7 +354,7 @@ int del_seuser (const char *login_name) ret = semanage_seuser_del_local (handle, key); if (ret != 0) { - fprintf (stderr, + fprintf (shadow_logfd, _("Could not delete login mapping for %s"), login_name); ret = 1; @@ -363,7 +363,7 @@ int del_seuser (const char *login_name) ret = semanage_commit (handle); if (ret < 0) { - fprintf (stderr, _("Cannot commit SELinux transaction\n")); + fprintf (shadow_logfd, _("Cannot commit SELinux transaction\n")); ret = 1; goto done; } diff --git a/lib/sgetspent.c b/lib/sgetspent.c index 20531eba..8251a561 100644 --- a/lib/sgetspent.c +++ b/lib/sgetspent.c 
@@ -52,7 +52,6 @@ struct spwd *sgetspent (const char *string) static struct spwd spwd; char *fields[FIELDS]; char *cp; - char *cpp; int i; /* diff --git a/lib/shadow.c b/lib/shadow.c index 05cb0e4a..e743b2ce 100644 --- a/lib/shadow.c +++ b/lib/shadow.c @@ -130,7 +130,6 @@ static struct spwd *my_sgetspent (const char *string) static struct spwd spwd; char *fields[FIELDS]; char *cp; - char *cpp; int i; /* @@ -389,7 +388,6 @@ struct spwd *getspent (void) #ifdef USE_NIS int nis_1_user = 0; struct spwd *val; - char buf[BUFSIZ]; #endif if (NULL == shadow) { setspent (); @@ -484,7 +482,6 @@ struct spwd *getspnam (const char *name) struct spwd *sp; #ifdef USE_NIS - char buf[BUFSIZ]; static char save_name[16]; bool nis_disabled = false; #endif diff --git a/lib/spawn.c b/lib/spawn.c index d0b5fb26..c53742cc 100644 --- a/lib/spawn.c +++ b/lib/spawn.c @@ -48,7 +48,7 @@ int run_command (const char *cmd, const char *argv[], } (void) fflush (stdout); - (void) fflush (stderr); + (void) fflush (shadow_logfd); pid = fork (); if (0 == pid) { @@ -57,11 +57,11 @@ int run_command (const char *cmd, const char *argv[], if (ENOENT == errno) { exit (E_CMD_NOTFOUND); } - fprintf (stderr, "%s: cannot execute %s: %s\n", + fprintf (shadow_logfd, "%s: cannot execute %s: %s\n", Prog, cmd, strerror (errno)); exit (E_CMD_NOEXEC); } else if ((pid_t)-1 == pid) { - fprintf (stderr, "%s: cannot execute %s: %s\n", + fprintf (shadow_logfd, "%s: cannot execute %s: %s\n", Prog, cmd, strerror (errno)); return -1; } @@ -74,7 +74,7 @@ int run_command (const char *cmd, const char *argv[], || ((pid_t)-1 != wpid && wpid != pid)); if ((pid_t)-1 == wpid) { - fprintf (stderr, "%s: waitpid (status: %d): %s\n", + fprintf (shadow_logfd, "%s: waitpid (status: %d): %s\n", Prog, *status, strerror (errno)); return -1; } 
@@ -11,7 +11,7 @@ #include "prototypes.h" #include "sssd.h" -#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n" +#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache." int sssd_flush_cache (int dbflags) { @@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags) free(sss_cache_args); if (rv != 0) { /* run_command writes its own more detailed message. */ - (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog); + SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog)); return -1; } code = WEXITSTATUS (status); if (!WIFEXITED (status)) { - (void) fprintf (stderr, - _("%s: sss_cache did not terminate normally (signal %d)\n"), - Prog, WTERMSIG (status)); + SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)", + Prog, WTERMSIG (status))); return -1; } else if (code == E_CMD_NOTFOUND) { /* sss_cache is not installed, or it is installed but uses an interpreter that is missing. Probably the former. */ return 0; } else if (code != 0) { - (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"), - Prog, code); - (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog); + SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code)); + SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog)); return -1; } diff --git a/lib/subordinateio.c b/lib/subordinateio.c index 0d89a64e..fbff3eae 100644 --- a/lib/subordinateio.c +++ b/lib/subordinateio.c @@ -11,16 +11,11 @@ #include <stdio.h> #include "commonio.h" #include "subordinateio.h" +#include "../libsubid/subid.h" #include <sys/types.h> #include <pwd.h> - -struct subordinate_range { - const char *owner; - unsigned long start; - unsigned long count; -}; - -#define NFIELDS 3 +#include <ctype.h> +#include <fcntl.h> /* * subordinate_dup: create a duplicate range 
@@ -78,7 +73,7 @@ static void *subordinate_parse (const char *line) static char rangebuf[1024]; int i; char *cp; - char *fields[NFIELDS]; + char *fields[SUBID_NFIELDS]; /* * Copy the string to a temporary buffer so the substrings can @@ -93,7 +88,7 @@ static void *subordinate_parse (const char *line) * field. The fields are converted into NUL terminated strings. */ - for (cp = rangebuf, i = 0; (i < NFIELDS) && (NULL != cp); i++) { + for (cp = rangebuf, i = 0; (i < SUBID_NFIELDS) && (NULL != cp); i++) { fields[i] = cp; while (('\0' != *cp) && (':' != *cp)) { cp++; @@ -108,10 +103,10 @@ static void *subordinate_parse (const char *line) } /* - * There must be exactly NFIELDS colon separated fields or + * There must be exactly SUBID_NFIELDS colon separated fields or * the entry is invalid. Also, fields must be non-blank. */ - if (i != NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0') + if (i != SUBID_NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0') return NULL; range.owner = fields[0]; if (getulong (fields[1], &range.start) == 0) @@ -314,6 +309,35 @@ static bool have_range(struct commonio_db *db, return false; } +static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n) +{ + if (!*ranges) { + *ranges = malloc(sizeof(struct subid_range)); + if (!*ranges) + return false; + } else { + struct subid_range *alloced; + alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range))); + if (!alloced) + return false; + *ranges = alloced; + } + (*ranges)[n].start = new->start; + (*ranges)[n].count = new->count; + return true; +} + +void free_subordinate_ranges(struct subordinate_range **ranges, int count) +{ + int i; + + if (!ranges) + return; + for (i = 0; i < count; i++) + subordinate_free(ranges[i]); + free(ranges); +} + /* * subordinate_range_cmp: compare uid ranges * 
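Review bot: `append_range` allocates a single element whenever `*ranges` is NULL regardless of `n`, so it is correct only if `*ranges == NULL` implies `n == 0`; the one caller visible in this diff (list_owner_ranges, later) satisfies that, but either state the precondition, `/* precondition: *ranges == NULL iff n == 0 */`, or use the realloc branch for both cases, since `realloc(NULL, size)` behaves as malloc and removes the trap. `n` and `count` are `int` while they size allocations; `size_t` would match the `sizeof` arithmetic and avoid the signed/unsigned mix.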
@@ -574,23 +598,37 @@ int sub_uid_open (int mode)
 return commonio_open (&subordinate_uid_db, mode);
 }
-bool sub_uid_assigned(const char *owner)
+bool local_sub_uid_assigned(const char *owner)
 {
 return range_exists (&subordinate_uid_db, owner);
 }
 bool have_sub_uids(const char *owner, uid_t start, unsigned long count)
 {
+ struct subid_nss_ops *h;
+ bool found;
+ enum subid_status status;
+ h = get_subid_nss_handle();
+ if (h) {
+ status = h->has_range(owner, start, count, ID_TYPE_UID, &found);
+ if (status == SUBID_STATUS_SUCCESS && found)
+ return true;
+ return false;
+ }
 return have_range (&subordinate_uid_db, owner, start, count);
 }
 int sub_uid_add (const char *owner, uid_t start, unsigned long count)
 {
+ if (get_subid_nss_handle())
+ return -EOPNOTSUPP;
 return add_range (&subordinate_uid_db, owner, start, count);
 }
 int sub_uid_remove (const char *owner, uid_t start, unsigned long count)
 {
+ if (get_subid_nss_handle())
+ return -EOPNOTSUPP;
 return remove_range (&subordinate_uid_db, owner, start, count);
 }
@@ -658,21 +696,35 @@ int sub_gid_open (int mode)
 bool have_sub_gids(const char *owner, gid_t start, unsigned long count)
 {
+ struct subid_nss_ops *h;
+ bool found;
+ enum subid_status status;
+ h = get_subid_nss_handle();
+ if (h) {
+ status = h->has_range(owner, start, count, ID_TYPE_GID, &found);
+ if (status == SUBID_STATUS_SUCCESS && found)
+ return true;
+ return false;
+ }
 return have_range(&subordinate_gid_db, owner, start, count);
 }
-bool sub_gid_assigned(const char *owner)
+bool local_sub_gid_assigned(const char *owner)
 {
 return range_exists (&subordinate_gid_db, owner);
 }
 int sub_gid_add (const char *owner, gid_t start, unsigned long count)
 {
+ if (get_subid_nss_handle())
+ return -EOPNOTSUPP;
 return add_range (&subordinate_gid_db, owner, start, count);
 }
 int sub_gid_remove (const char *owner, gid_t start, unsigned long count)
 {
+ if (get_subid_nss_handle())
+ return -EOPNOTSUPP;
 return remove_range (&subordinate_gid_db, owner, start, count);
 }
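Review bot: In have_sub_uids, any plugin status other than SUBID_STATUS_SUCCESS is collapsed into `return false` with no diagnostic, so a failing or misconfigured NSS subid module is indistinguishable from "range not assigned"; the have_sub_gids hunk has the same shape. `found` is also passed to `h->has_range` uninitialized, so the result relies on every plugin writing it on each success path — I cannot see that contract from here, and `bool found = false;` removes the dependency. Logging the non-success status before the `return false` (SYSLOG, as the sssd.c hunk in this diff does) would make the failure mode visible to an administrator. The callers of sub_uid_add/sub_gid_add are outside this hunk, so whether they distinguish the new `-EOPNOTSUPP` from the existing return values is not verifiable here.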
@@ -692,6 +744,308 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
 start = find_free_range (&subordinate_gid_db, min, max, count);
 return start == ULONG_MAX ? (gid_t) -1 : start;
 }
+
+/*
+ * int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+ *
+ * @owner: username
+ * @id_type: UID or GUID
+ * @ranges: pointer to array of ranges into which results will be placed.
+ *
+ * Fills in the subuid or subgid ranges which are owned by the specified
+ * user. Username may be a username or a string representation of a
+ * UID number. If id_type is UID, then subuids are returned, else
+ * subgids are given.
+
+ * Returns the number of ranges found, or < 0 on error.
+ *
+ * The caller must free the subordinate range list.
+ */
+int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
+{
+ // TODO - need to handle owner being either uid or username
+ struct subid_range *ranges = NULL;
+ const struct subordinate_range *range;
+ struct commonio_db *db;
+ enum subid_status status;
+ int count = 0;
+ struct subid_nss_ops *h;
+
+ *in_ranges = NULL;
+
+ h = get_subid_nss_handle();
+ if (h) {
+ status = h->list_owner_ranges(owner, id_type, in_ranges, &count);
+ if (status == SUBID_STATUS_SUCCESS)
+ return count;
+ return -1;
+ }
+
+ switch (id_type) {
+ case ID_TYPE_UID:
+ if (!sub_uid_open(O_RDONLY)) {
+ return -1;
+ }
+ db = &subordinate_uid_db;
+ break;
+ case ID_TYPE_GID:
+ if (!sub_gid_open(O_RDONLY)) {
+ return -1;
+ }
+ db = &subordinate_gid_db;
+ break;
+ default:
+ return -1;
+ }
+
+ commonio_rewind(db);
+ while ((range = commonio_next(db)) != NULL) {
+ if (0 == strcmp(range->owner, owner)) {
+ if (!append_range(&ranges, range, count++)) {
+ free(ranges);
+ ranges = NULL;
+ count = -1;
+ goto out;
+ }
+ }
+ }
+
+out:
+ if (id_type == ID_TYPE_UID)
+ sub_uid_close();
+ else
+ sub_gid_close();
+
+ *in_ranges = ranges;
+ return count;
+}
+
+static bool
all_digits(const char *str)
+{
+ int i;
+
+ for (i = 0; str[i] != '\0'; i++)
+ if (!isdigit(str[i]))
+ return false;
+ return true;
+}
+
+static int append_uids(uid_t **uids, const char *owner, int n)
+{
+ uid_t owner_uid;
+ uid_t *ret;
+ int i;
+
+ if (all_digits(owner)) {
+ i = sscanf(owner, "%d", &owner_uid);
+ if (i != 1) {
+ // should not happen
+ free(*uids);
+ *uids = NULL;
+ return -1;
+ }
+ } else {
+ struct passwd *pwd = getpwnam(owner);
+ if (NULL == pwd) {
+ /* Username not defined in /etc/passwd, or error occured during lookup */
+ free(*uids);
+ *uids = NULL;
+ return -1;
+ }
+ owner_uid = pwd->pw_uid;
+ }
+
+ for (i = 0; i < n; i++) {
+ if (owner_uid == (*uids)[i])
+ return n;
+ }
+
+ ret = realloc(*uids, (n + 1) * sizeof(uid_t));
+ if (!ret) {
+ free(*uids);
+ return -1;
+ }
+ ret[n] = owner_uid;
+ *uids = ret;
+ return n+1;
+}
+
+int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids)
+{
+ const struct subordinate_range *range;
+ struct subid_nss_ops *h;
+ enum subid_status status;
+ struct commonio_db *db;
+ int n = 0;
+
+ h = get_subid_nss_handle();
+ if (h) {
+ status = h->find_subid_owners(id, id_type, uids, &n);
+ // Several ways we could handle the error cases here.
+ if (status != SUBID_STATUS_SUCCESS)
+ return -1;
+ return n;
+ }
+
+ switch (id_type) {
+ case ID_TYPE_UID:
+ if (!sub_uid_open(O_RDONLY)) {
+ return -1;
+ }
+ db = &subordinate_uid_db;
+ break;
+ case ID_TYPE_GID:
+ if (!sub_gid_open(O_RDONLY)) {
+ return -1;
+ }
+ db = &subordinate_gid_db;
+ break;
+ default:
+ return -1;
+ }
+
+ *uids = NULL;
+
+ commonio_rewind(db);
+ while ((range = commonio_next(db)) != NULL) {
+ if (id >= range->start && id < range->start + range-> count) {
+ n = append_uids(uids, range->owner, n);
+ if (n < 0)
+ break;
+ }
+ }
+
+ if (id_type == ID_TYPE_UID)
+ sub_uid_close();
+ else
+ sub_gid_close();
+
+ return n;
+}
+
+bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse)
+{
+ struct commonio_db *db;
+ const struct subordinate_range *r;
+ bool ret;
+
+ if (get_subid_nss_handle())
+ return false;
+
+ switch (id_type) {
+ case ID_TYPE_UID:
+ if (!sub_uid_lock()) {
+ printf("Failed loging subuids (errno %d)\n", errno);
+ return false;
+ }
+ if (!sub_uid_open(O_CREAT | O_RDWR)) {
+ printf("Failed opening subuids (errno %d)\n", errno);
+ sub_uid_unlock();
+ return false;
+ }
+ db = &subordinate_uid_db;
+ break;
+ case ID_TYPE_GID:
+ if (!sub_gid_lock()) {
+ printf("Failed loging subgids (errno %d)\n", errno);
+ return false;
+ }
+ if (!sub_gid_open(O_CREAT | O_RDWR)) {
+ printf("Failed opening subgids (errno %d)\n", errno);
+ sub_gid_unlock();
+ return false;
+ }
+ db = &subordinate_gid_db;
+ break;
+ default:
+ return false;
+ }
+
+ commonio_rewind(db);
+ if (reuse) {
+ while ((r = commonio_next(db)) != NULL) {
+ // TODO account for username vs uid_t
+ if (0 != strcmp(r->owner, range->owner))
+ continue;
+ if (r->count >= range->count) {
+ range->count = r->count;
+ range->start = r->start;
+ return true;
+ }
+ }
+ }
+
+ range->start = find_free_range(db, range->start, ULONG_MAX, range->count);
+
+ if (range->start == ULONG_MAX) {
+ ret = false;
+ goto out;
+ }
+
+ ret = add_range(db, range->owner,
range->start, range->count) == 1;
+
+out:
+ if (id_type == ID_TYPE_UID) {
+ sub_uid_close();
+ sub_uid_unlock();
+ } else {
+ sub_gid_close();
+ sub_gid_unlock();
+ }
+
+ return ret;
+}
+
+bool release_subid_range(struct subordinate_range *range, enum subid_type id_type)
+{
+ struct commonio_db *db;
+ bool ret;
+
+ if (get_subid_nss_handle())
+ return false;
+
+ switch (id_type) {
+ case ID_TYPE_UID:
+ if (!sub_uid_lock()) {
+ printf("Failed loging subuids (errno %d)\n", errno);
+ return false;
+ }
+ if (!sub_uid_open(O_CREAT | O_RDWR)) {
+ printf("Failed opening subuids (errno %d)\n", errno);
+ sub_uid_unlock();
+ return false;
+ }
+ db = &subordinate_uid_db;
+ break;
+ case ID_TYPE_GID:
+ if (!sub_gid_lock()) {
+ printf("Failed loging subgids (errno %d)\n", errno);
+ return false;
+ }
+ if (!sub_gid_open(O_CREAT | O_RDWR)) {
+ printf("Failed opening subgids (errno %d)\n", errno);
+ sub_gid_unlock();
+ return false;
+ }
+ db = &subordinate_gid_db;
+ break;
+ default:
+ return false;
+ }
+
+ ret = remove_range(db, range->owner, range->start, range->count) == 1;
+
+ if (id_type == ID_TYPE_UID) {
+ sub_uid_close();
+ sub_uid_unlock();
+ } else {
+ sub_gid_close();
+ sub_gid_unlock();
+ }
+
+ return ret;
+}
+
 #else /* !ENABLE_SUBIDS */
 extern int errno; /* warning: ANSI C forbids an empty source file */
 #endif /* !ENABLE_SUBIDS */
diff --git a/lib/subordinateio.h b/lib/subordinateio.h
index a21d72b8..d32733de 100644
--- a/lib/subordinateio.h
+++ b/lib/subordinateio.h
@@ -11,10 +11,12 @@
 #include <sys/types.h>
+#include "../libsubid/subid.h"
+
 extern int sub_uid_close(void);
 extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
 extern bool sub_uid_file_present (void);
-extern bool sub_uid_assigned(const char *owner);
+extern bool local_sub_uid_assigned(const char *owner);
 extern int sub_uid_lock (void);
 extern int sub_uid_setdbname (const char *filename);
 extern /*@observer@*/const char *sub_uid_dbname (void);
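Review bot: new_subid_range's reuse loop leaves through `return true;` right after `range->start = r->start;`, bypassing the `out:` label, so on that path the subuid/subgid database stays open and its lock stays held for the rest of the process; `ret = true;` / `goto out;` closes and unlocks like every other exit. In append_uids the realloc-failure branch frees `*uids` but, unlike the two earlier error branches, does not null it, so find_subid_owners returns -1 while handing the caller a dangling pointer; add `*uids = NULL;` after that `free(*uids);`. The same function parses a numeric owner with `sscanf(owner, "%d", &owner_uid)` into a `uid_t`, which mismatches the conversion and silently accepts out-of-range values; the `getulong` helper that subordinate_parse already uses in this file reports both problems. The `printf("Failed loging ...")` diagnostics in new_subid_range and release_subid_range go to stdout, untranslated and with a typo, while the rest of lib uses `fprintf (shadow_logfd, _(...))` or SYSLOG. `isdigit(str[i])` in all_digits should take `(unsigned char)str[i]`, since a negative `char` is undefined input for the ctype functions.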
@@ -23,11 +25,16 @@ extern int sub_uid_unlock (void);
 extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
 extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
 extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
+extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
+extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
+extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
+extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
+extern void free_subordinate_ranges(struct subordinate_range **ranges, int count);
 extern int sub_gid_close(void);
 extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
 extern bool sub_gid_file_present (void);
-extern bool sub_gid_assigned(const char *owner);
+extern bool local_sub_gid_assigned(const char *owner);
 extern int sub_gid_lock (void);
 extern int sub_gid_setdbname (const char *filename);
 extern /*@observer@*/const char *sub_gid_dbname (void);
diff --git a/lib/tcbfuncs.c b/lib/tcbfuncs.c
index 2f694bd7..e9496cdf 100644
--- a/lib/tcbfuncs.c
+++ b/lib/tcbfuncs.c
@@ -72,8 +72,8 @@ shadowtcb_status shadowtcb_gain_priv (void)
 * to exit soon.
 */
 #define OUT_OF_MEMORY do { \
- fprintf (stderr, _("%s: out of memory\n"), Prog); \
- (void) fflush (stderr); \
+ fprintf (shadow_logfd, _("%s: out of memory\n"), Prog); \
+ (void) fflush (shadow_logfd); \
 } while (false)
 /* Returns user's tcb directory path relative to TCB_DIR. */
@@ -116,7 +116,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 return NULL;
 }
 if (lstat (path, &st) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot stat %s: %s\n"),
 Prog, path, strerror (errno));
 free (path);
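Review bot: The new declarations leave the ownership contract implicit: list_owner_ranges fills a flat `struct subid_range *` array, yet free_subordinate_ranges, declared right below it, takes an array of `struct subordinate_range *` and so is not its release function, and find_subid_owners' `uids` result has no stated release either. A comment above the block would prevent the obvious mis-pairing, e.g. `/* list_owner_ranges and find_subid_owners return a single array the caller releases with free(); free_subordinate_ranges is only for arrays of subordinate_range pointers */`. The return-value conventions (count or < 0; bool) are also worth a line each here, since this header is what libsubid consumers read.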
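Review bot: Every fprintf in tcbfuncs.c now writes to `shadow_logfd`, starting with the OUT_OF_MEMORY macro in this hunk, but nothing in these hunks establishes that the stream is non-NULL when a tcb function is entered; if shadow_logfd is set by a process-level logging initialisation that a library consumer can skip (inferred — that setup is outside this diff), `fprintf (NULL, ...)` is undefined behaviour where `stderr` never was. A comment at the macro, `/* shadow_logfd must be initialised before any tcb function is called */`, or a fallback to stderr in the logging setup, would make the precondition explicit. The same point applies to the remaining tcbfuncs.c hunks in this file section, which are otherwise mechanical.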
@@ -132,7 +132,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 return rval;
 }
 if (!S_ISLNK (st.st_mode)) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: %s is neither a directory, nor a symlink.\n"),
 Prog, path);
 free (path);
@@ -140,7 +140,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 }
 ret = readlink (path, link, sizeof (link) - 1);
 if (-1 == ret) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot read symbolic link %s: %s\n"),
 Prog, path, strerror (errno));
 free (path);
@@ -149,7 +149,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 free (path);
 if ((size_t)ret >= sizeof(link) - 1) {
 link[sizeof(link) - 1] = '\0';
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Suspiciously long symlink: %s\n"),
 Prog, link);
 return NULL;
@@ -207,7 +207,7 @@ static shadowtcb_status mkdir_leading (const char *name, uid_t uid)
 }
 ptr = path;
 if (stat (TCB_DIR, &st) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot stat %s: %s\n"),
 Prog, TCB_DIR, strerror (errno));
 goto out_free_path;
@@ -219,19 +219,19 @@ static shadowtcb_status mkdir_leading (const char *name, uid_t uid)
 return SHADOWTCB_FAILURE;
 }
 if ((mkdir (dir, 0700) != 0) && (errno != EEXIST)) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot create directory %s: %s\n"),
 Prog, dir, strerror (errno));
 goto out_free_dir;
 }
 if (chown (dir, 0, st.st_gid) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change owner of %s: %s\n"),
 Prog, dir, strerror (errno));
 goto out_free_dir;
 }
 if (chmod (dir, 0711) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change mode of %s: %s\n"),
 Prog, dir, strerror (errno));
 goto out_free_dir;
@@ -261,7 +261,7 @@ static shadowtcb_status unlink_suffs (const char *user)
 return SHADOWTCB_FAILURE;
 }
 if ((unlink (tmp) != 0) && (errno != ENOENT)) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: unlink: %s: %s\n"),
 Prog, tmp, strerror (errno));
 free (tmp);
@@ -286,7 +286,7 @@ static shadowtcb_status rmdir_leading (char *path)
 }
 if (rmdir (dir) != 0) {
 if (errno != ENOTEMPTY) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot remove directory %s: %s\n"),
 Prog, dir, strerror (errno));
 ret = SHADOWTCB_FAILURE;
@@ -315,7 +315,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 goto out_free_nomem;
 }
 if (stat (olddir, &oldmode) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot stat %s: %s\n"),
 Prog, olddir, strerror (errno));
 goto out_free;
@@ -342,7 +342,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 goto out_free;
 }
 if (rename (real_old_dir, real_new_dir) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot rename %s to %s: %s\n"),
 Prog, real_old_dir, real_new_dir, strerror (errno));
 goto out_free;
@@ -351,7 +351,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 goto out_free;
 }
 if ((unlink (olddir) != 0) && (errno != ENOENT)) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot remove %s: %s\n"),
 Prog, olddir, strerror (errno));
 goto out_free;
@@ -365,7 +365,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 }
 if ( (strcmp (real_new_dir, newdir) != 0)
 && (symlink (real_new_dir_rel, newdir) != 0)) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot create symbolic link %s: %s\n"),
 Prog, real_new_dir_rel, strerror (errno));
 goto out_free;
@@ -464,37 +464,37 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 return SHADOWTCB_FAILURE;
 }
 if (stat (tcbdir, &dirmode) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot stat %s: %s\n"),
 Prog, tcbdir, strerror (errno));
 goto out_free;
 }
 if (chown (tcbdir, 0, 0) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change owners of %s: %s\n"),
 Prog, tcbdir, strerror (errno));
 goto out_free;
 }
 if (chmod (tcbdir, 0700) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change mode of %s: %s\n"),
 Prog, tcbdir, strerror (errno));
 goto out_free;
 }
 if (lstat (shadow, &filemode) != 0) {
 if (errno != ENOENT) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot lstat %s: %s\n"),
 Prog, shadow, strerror (errno));
 goto out_free;
 }
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Warning, user %s has no tcb shadow file.\n"),
 Prog, user_newname);
 } else {
 if (!S_ISREG (filemode.st_mode) || filemode.st_nlink != 1) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Emergency: %s's tcb shadow is not a " "regular file with st_nlink=1.\n" "The account is left locked.\n"),
@@ -502,13 +502,13 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 goto out_free;
 }
 if (chown (shadow, user_newid, filemode.st_gid) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change owner of %s: %s\n"),
 Prog, shadow, strerror (errno));
 goto out_free;
 }
 if (chmod (shadow, filemode.st_mode & 07777) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change mode of %s: %s\n"),
 Prog, shadow, strerror (errno));
 goto out_free;
@@ -518,7 +518,7 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 goto out_free;
 }
 if (chown (tcbdir, user_newid, dirmode.st_gid) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change owner of %s: %s\n"),
 Prog, tcbdir, strerror (errno));
 goto out_free;
@@ -543,7 +543,7 @@ shadowtcb_status shadowtcb_create (const char *name, uid_t uid)
 return SHADOWTCB_SUCCESS;
 }
 if (stat (TCB_DIR, &tcbdir_stat) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot stat %s: %s\n"),
 Prog, TCB_DIR, strerror (errno));
 return SHADOWTCB_FAILURE;
@@ -563,39 +563,39 @@ shadowtcb_status shadowtcb_create (const char *name, uid_t uid)
 return SHADOWTCB_FAILURE;
 }
 if (mkdir (dir, 0700) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: mkdir: %s: %s\n"),
 Prog, dir, strerror (errno));
 goto out_free;
 }
 fd = open (shadow, O_RDWR | O_CREAT | O_TRUNC, 0600);
 if (fd < 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot open %s: %s\n"),
 Prog, shadow, strerror (errno));
 goto out_free;
 }
 close (fd);
 if (chown (shadow, 0, authgid) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change owner of %s: %s\n"),
 Prog, shadow, strerror (errno));
 goto out_free;
 }
 if (chmod (shadow, (mode_t) ((authgid == shadowgid) ? 0600 : 0640)) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change mode of %s: %s\n"),
 Prog, shadow, strerror (errno));
 goto out_free;
 }
 if (chown (dir, 0, authgid) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change owner of %s: %s\n"),
 Prog, dir, strerror (errno));
 goto out_free;
 }
 if (chmod (dir, (mode_t) ((authgid == shadowgid) ? 02700 : 02710)) != 0) {
- fprintf (stderr,
+ fprintf (shadow_logfd,
 _("%s: Cannot change mode of %s: %s\n"),
 Prog, dir, strerror (errno));
 goto out_free;