2 * Copyright (c) 1991 - 1994, Julianne Frances Haugh
3 * Copyright (c) 1996 - 2000, Marek Michałkiewicz
4 * Copyright (c) 2000 - 2006, Tomasz Kłoczko
5 * Copyright (c) 2007 - 2011, Nicolas François
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the copyright holders or contributors may not be used to
17 * endorse or promote products derived from this software without
18 * specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
41 #ifdef ACCT_TOOLS_SETUID
45 #endif /* ACCT_TOOLS_SETUID */
47 #include <sys/types.h>
52 #include "prototypes.h"
/*
 * Name of the group to delete. process_flags() points this at the single
 * positional argument in argv; no copy is made.
 */
61 static char *group_name;
/*
 * GID of that group. It stays at -1 until main() stores grp->gr_gid from
 * the getgrnam() result. The audit_logger() calls cast it to unsigned int.
 * NOTE(review): a record written while the value is still -1 would
 * presumably log the wrapped sentinel instead of a real GID; confirm
 * against the cleanup_report_* handlers.
 */
62 static gid_t group_id = -1;
/*
 * Set in main() from sgr_file_present(). grp_update() only touches the
 * shadow group database when this is true.
 */
65 static bool is_shadow_grp;
/* Exit statuses reported to the caller. */
72 #define E_SUCCESS 0 /* success */
73 #define E_USAGE 2 /* invalid command syntax */
74 #define E_NOTFOUND 6 /* specified group doesn't exist */
75 #define E_GROUP_BUSY 8 /* can't remove user's primary group */
76 #define E_GRP_UPDATE 10 /* can't update group file */
78 /* local function prototypes */
79 static /*@noreturn@*/void usage (int status);
80 static void grp_update (void);
81 static void close_files (void);
82 static void open_files (void);
83 static void group_busy (gid_t gid);
84 static void process_flags (int argc, char **argv);
87 * usage - display usage message and exit
/*
 * usage - print the synopsis and the supported options.
 *
 * status selects the output stream: E_SUCCESS goes to stdout, any other
 * value goes to stderr. The function is annotated noreturn.
 * NOTE(review): the exit call and the arguments of the first fprintf()
 * are not visible in this listing.
 */
89 static /*@noreturn@*/void usage (int status)
91 FILE *usageout = (E_SUCCESS != status) ? stderr : stdout;
92 (void) fprintf (usageout,
93 _("Usage: %s [options] GROUP\n"
97 (void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
98 (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
99 (void) fputs ("\n", usageout);
104 * grp_update - update group file entries
106 * grp_update() writes the new records to the group files.
/*
 * grp_update - remove group_name from the group database and, when shadow
 * groups are in use and sgr_locate() finds an entry, from the shadow group
 * database as well.
 *
 * gr_remove() and sgr_remove() returning 0 is the failure case; both
 * failures print "cannot remove entry" with the database name.
 */
108 static void grp_update (void)
111 * To add the group, we need to update /etc/group.
112 * Make sure failures will be reported.
/*
 * NOTE(review): the wording above says "add", but this tool removes the
 * group; the text looks inherited from the add tool.
 * The failure reporter is registered before the entry is touched.
 */
114 add_cleanup (cleanup_report_del_group_group, group_name);
117 /* We also need to update /etc/gshadow */
118 add_cleanup (cleanup_report_del_group_gshadow, group_name);
123 * Delete the group entry.
125 if (gr_remove (group_name) == 0) {
127 _("%s: cannot remove entry '%s' from %s\n"),
128 Prog, group_name, gr_dbname ());
134 * Delete the shadow group entries as well.
/* A group with no gshadow entry is skipped here and is not an error. */
136 if (is_shadow_grp && (sgr_locate (group_name) != NULL)) {
137 if (sgr_remove (group_name) == 0) {
139 _("%s: cannot remove entry '%s' from %s\n"),
140 Prog, group_name, sgr_dbname ());
144 #endif /* SHADOWGRP */
148 * close_files - close all of the files that were opened
150 * close_files() closes all of the files that were opened for this
151 * new group. This causes any modified entries to be written out.
/*
 * close_files - write out the modified databases, record the removal and
 * release the locks.
 *
 * For the group database and then the shadow group database: the close
 * call returning 0 is the failure case. After that check an AUDIT_DEL_GROUP
 * record and a log entry are written, the matching failure reporter is
 * unregistered, and the lock is released by calling the unlock handler
 * directly before unregistering it. A final AUDIT_DEL_GROUP record and
 * syslog line report overall success.
 *
 * group_name is always passed as an argument to a fixed format string,
 * never as the format itself; keep it that way when editing the messages.
 */
153 static void close_files (void)
155 /* First, write the changes in the regular group database */
156 if (gr_close () == 0) {
158 _("%s: failure while writing changes to %s\n"),
/* Success records come after the failure check on gr_close(). */
164 audit_logger (AUDIT_DEL_GROUP, Prog,
165 "removing group from /etc/group",
166 group_name, (unsigned int) group_id,
167 SHADOW_AUDIT_SUCCESS);
170 "group '%s' removed from %s",
171 group_name, gr_dbname ()));
172 del_cleanup (cleanup_report_del_group_group);
/* Release the lock now, then drop the handler so it is not run again at exit. */
174 cleanup_unlock_group (NULL);
175 del_cleanup (cleanup_unlock_group);
178 /* Then, write the changes in the shadow database */
181 if (sgr_close () == 0) {
183 _("%s: failure while writing changes to %s\n"),
184 Prog, sgr_dbname ());
189 audit_logger (AUDIT_DEL_GROUP, Prog,
190 "removing group from /etc/gshadow",
191 group_name, (unsigned int) group_id,
192 SHADOW_AUDIT_SUCCESS);
195 "group '%s' removed from %s",
196 group_name, sgr_dbname ()));
197 del_cleanup (cleanup_report_del_group_gshadow);
199 cleanup_unlock_gshadow (NULL);
200 del_cleanup (cleanup_unlock_gshadow);
202 #endif /* SHADOWGRP */
204 /* Report success at the system level */
206 audit_logger (AUDIT_DEL_GROUP, Prog,
208 group_name, (unsigned int) group_id,
209 SHADOW_AUDIT_SUCCESS);
211 SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name));
212 del_cleanup (cleanup_report_del_group);
216 * open_files - lock and open the group files
218 * open_files() opens the two group files.
/*
 * open_files - lock the group databases, then open them read-write.
 *
 * Locks are taken before either file is opened. gr_lock(), sgr_lock(),
 * gr_open() and sgr_open() returning 0 is the failure case. Each
 * successful lock registers its unlock handler with add_cleanup().
 * NOTE(review): this presumably releases the lock on every exit path;
 * confirm in the cleanup code.
 */
220 static void open_files (void)
222 /* First, lock the databases */
223 if (gr_lock () == 0) {
225 _("%s: cannot lock %s; try again later.\n"),
229 add_cleanup (cleanup_unlock_group, NULL);
232 if (sgr_lock () == 0) {
234 _("%s: cannot lock %s; try again later.\n"),
235 Prog, sgr_dbname ());
238 add_cleanup (cleanup_unlock_gshadow, NULL);
243 * Now, if the group is not removed, it's our fault.
244 * Make sure failures will be reported.
/* From this point a failed run is reported through cleanup_report_del_group. */
246 add_cleanup (cleanup_report_del_group, group_name);
248 /* And now open the databases */
249 if (gr_open (O_RDWR) == 0) {
251 _("%s: cannot open %s\n"),
253 SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
258 if (sgr_open (O_RDWR) == 0) {
260 _("%s: cannot open %s\n"),
261 Prog, sgr_dbname ());
262 SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
266 #endif /* SHADOWGRP */
270 * group_busy - check if this is any user's primary group
272 * group_busy verifies that this group is not the primary group
273 * for any user. You must remove all users before you remove
/*
 * group_busy - refuse to delete a group that is some user's primary group.
 *
 * Walks the password entries with getpwent() until one has pw_gid equal
 * to gid. A NULL result means no entry matched. Otherwise the matching
 * user is named in the "cannot remove the primary group" message.
 *
 * NOTE(review): the check covers only the accounts getpwent() enumerates.
 * Where a name service does not enumerate its accounts, a user with this
 * primary group could be missed; verify for the target deployment.
 * NOTE(review): main() calls this before the step that opens and locks
 * the group files, and no passwd lock is visible here. The result is a
 * snapshot, not a guarantee that holds until the entry is removed.
 */
276 static void group_busy (gid_t gid)
281 * Nice slow linear search.
/* The loop body is empty: it stops at the first match or at end of enumeration. */
286 while ( ((pwd = getpwent ()) != NULL) && (pwd->pw_gid != gid) );
291 * If pwd isn't NULL, it stopped because the gid's matched.
294 if (pwd == (struct passwd *) 0) {
299 * Can't remove the group.
302 _("%s: cannot remove the primary group of user '%s'\n"),
308 * process_flags - parse the command line options
310 * It will not return if an error is encountered.
/*
 * process_flags - parse the command line.
 *
 * Accepts -h/--help and -R/--root CHROOT_DIR. -R is a no-op here because
 * process_root_flag() handles it. After the options exactly one argument
 * must remain (optind == argc - 1); it becomes group_name.
 *
 * group_name points into argv and is not checked for syntax here; main()
 * later verifies that the group exists with getgrnam().
 */
312 static void process_flags (int argc, char **argv)
315 * Parse the command line options.
318 static struct option long_options[] = {
319 {"help", no_argument, NULL, 'h'},
320 {"root", required_argument, NULL, 'R'},
321 {NULL, 0, NULL, '\0'}
324 while ((c = getopt_long (argc, argv, "hR:",
325 long_options, NULL)) != -1) {
329 /*@notreached@*/break;
330 case 'R': /* no-op, handled in process_root_flag () */
/* Anything other than exactly one remaining argument is rejected. */
337 if (optind != argc - 1) {
340 group_name = argv[optind];
344 * main - groupdel command
346 * The syntax of the groupdel command is
350 * The named group will be deleted.
/*
 * main - groupdel entry point.
 *
 * Visible order of operations: take the program name from argv[0], set
 * up the locale, handle -R, open the log, register do_cleanups() with
 * atexit(), parse the flags, authenticate through PAM when built with
 * ACCT_TOOLS_SETUID, look the group up, reject NIS groups, reject a group
 * that is some user's primary group, then update the databases and flush
 * the nscd group cache.
 */
353 int main (int argc, char **argv)
355 #ifdef ACCT_TOOLS_SETUID
357 pam_handle_t *pamh = NULL;
360 #endif /* ACCT_TOOLS_SETUID */
363 * Get my name so that I can use it to report errors.
365 Prog = Basename (argv[0]);
367 (void) setlocale (LC_ALL, "");
368 (void) bindtextdomain (PACKAGE, LOCALEDIR);
369 (void) textdomain (PACKAGE);
/*
 * -R is handled before the log is opened and before any lookup.
 * NOTE(review): presumably every later lookup and file access then
 * resolves inside CHROOT_DIR; confirm in process_root_flag().
 */
371 process_root_flag ("-R", argc, argv);
373 OPENLOG ("groupdel");
/* NOTE(review): do_cleanups() presumably runs the handlers queued with add_cleanup(). */
378 if (atexit (do_cleanups) != 0) {
380 _("%s: Cannot setup cleanup service.\n"),
385 process_flags (argc, argv);
387 #ifdef ACCT_TOOLS_SETUID
/*
 * PAM authenticates the invoking user: the name comes from the real
 * uid (getuid()), not the effective uid, which is what matters in a
 * setuid build. pam_authenticate() and pam_acct_mgmt() each run only
 * if the previous step returned PAM_SUCCESS.
 */
390 struct passwd *pampw;
391 pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
394 _("%s: Cannot determine your user name.\n"),
399 retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh);
402 if (PAM_SUCCESS == retval) {
403 retval = pam_authenticate (pamh, 0);
406 if (PAM_SUCCESS == retval) {
407 retval = pam_acct_mgmt (pamh, 0);
/* Any PAM failure is reported on stderr and in the log before the handle is released. */
410 if (PAM_SUCCESS != retval) {
411 fprintf (stderr, _("%s: PAM: %s\n"),
412 Prog, pam_strerror (pamh, retval));
413 SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval)));
415 (void) pam_end (pamh, retval);
419 (void) pam_end (pamh, retval);
421 #endif /* ACCT_TOOLS_SETUID */
424 is_shadow_grp = sgr_file_present ();
430 * Start with a quick check to see if the group exists.
/* The lookup supplies group_id, used by the audit records and by group_busy(). */
432 grp = getgrnam (group_name); /* local, no need for xgetgrnam */
435 _("%s: group '%s' does not exist\n"),
440 group_id = grp->gr_gid;
445 * Make sure this isn't a NIS group
452 _("%s: group '%s' is a NIS group\n"),
455 if (!yp_get_default_domain (&nis_domain) &&
456 !yp_master (nis_domain, "group.byname", &nis_master)) {
458 _("%s: %s is the NIS master\n"),
466 * Make sure this isn't the primary group of anyone.
468 group_busy (group_id);
471 * Do the hard stuff - open the files, delete the group entries,
472 * then close and update the files.
/* NOTE(review): presumably drops nscd's cached group data so the removed group stops resolving from cache. */
480 nscd_flush_cache ("group");