* src/groupadd.c: Only call gr_unlock() and sgr_unlock() in the
authornekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Wed, 6 Aug 2008 15:56:51 +0000 (15:56 +0000)
committernekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Wed, 6 Aug 2008 15:56:51 +0000 (15:56 +0000)
group or gshadow files were previously locked.
* src/groupadd.c: Make sure failures are reported to syslog/audit
after the change is mentioned.
* src/groupmod.c: Add logging to syslog & audit on lock/unlock
failures.
* src/groupmod.c: Make sure issues are reported to syslog or audit
after the change is mentioned.
* src/groupdel.c: Only call gr_unlock() and sgr_unlock() in the
group or gshadow files were previously locked.
* src/groupdel.c: Simplify the handling of PAM errors.

ChangeLog
src/groupadd.c
src/groupdel.c
src/groupmod.c

index 7c8a0f3a96e737f661275e2d79af7d8118c0b06f..1e7cb1537201ac7e95dd871bb6cff584ca3f9ea9 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,23 @@
-2008-08-01  Nicolas François  <nicolas.francois@centraliens.net>
+2008-08-02  Nicolas François  <nicolas.francois@centraliens.net>
 
        * src/groupadd.c: Harmonize error & syslog messages.
-       * src/groupadd.c: Add logging to syslog in some error cases.
+       * src/groupadd.c: Add logging to syslog & audit on lock/unlock
+       failures.
+       * src/groupadd.c: Only call gr_unlock() and sgr_unlock() in the
+       group or gshadow files were previously locked.
+       * src/groupadd.c: Make sure failures are reported to syslog/audit
+       after the change is mentioned.
        * src/groupmod.c: Harmonize error & syslog messages.
+       * src/groupmod.c: Add logging to syslog & audit on lock/unlock
+       failures.
+       * src/groupmod.c: Make sure issues are reported to syslog or audit
+       after the change is mentioned.
        * src/groupdel.c: Harmonize error & syslog messages.
        * src/groupdel.c: Add logging to syslog & audit on lock/unlock
        failures.
+       * src/groupdel.c: Only call gr_unlock() and sgr_unlock() in the
+       group or gshadow files were previously locked.
+       * src/groupdel.c: Simplify the handling of PAM errors.
 
 2008-08-01  Nicolas François  <nicolas.francois@centraliens.net>
 
index e606397cb0c051553b01b22db5df4187e4b66299..a9962ebfe86418469027e75755aab6ec1151deb1 100644 (file)
@@ -53,7 +53,6 @@
 #include "prototypes.h"
 #ifdef SHADOWGRP
 #include "sgroupio.h"
-static bool is_shadow_grp;
 #endif
 
 /*
@@ -82,6 +81,13 @@ static bool fflg = false;    /* if group already exists, do nothing and exit(0) */
 static bool rflg = false;      /* create a system account */
 static bool pflg = false;      /* new encrypted password */
 
+#ifdef SHADOWGRP
+static bool is_shadow_grp;
+static bool gshadow_locked = false;
+#endif
+static bool group_locked = false;
+
+
 #ifdef USE_PAM
 static pam_handle_t *pamh = NULL;
 #endif
@@ -250,16 +256,36 @@ static void close_files (void)
                SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
                fail_exit (E_GRP_UPDATE);
        }
-       gr_unlock ();
-#ifdef SHADOWGRP
-       if (is_shadow_grp && (sgr_close () == 0)) {
-               fprintf (stderr,
-                        _("%s: cannot rewrite the shadow group file\n"), Prog);
-               SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
-               fail_exit (E_GRP_UPDATE);
+       if (gr_unlock () == 0) {
+               fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+               SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+               audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                             "unlocking group file",
+                             group_name, AUDIT_NO_ID, 0);
+#endif
+               /* continue */
        }
+       group_locked = false;
+#ifdef SHADOWGRP
        if (is_shadow_grp) {
-               sgr_unlock ();
+               if (sgr_close () == 0) {
+                       fprintf (stderr,
+                                _("%s: cannot rewrite the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
+                       fail_exit (E_GRP_UPDATE);
+               }
+               if (sgr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking gshadow file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
+               gshadow_locked = false;
        }
 #endif                         /* SHADOWGRP */
 }
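Review bot: In close_files() the group lock is dropped (`gr_unlock ()`, then `group_locked = false`) before `sgr_close ()` has rewritten the shadow group file, so the two databases are not updated under one continuous lock. If `sgr_close ()` then fails, the group file appears to be already rewritten while gshadow is not, and another tool may have taken the group lock in between. Consider moving the `gr_unlock ()` block below the `sgr_close ()` check so both files are written before either lock is released. This ordering predates the commit, but the block is being rewritten here anyway. The start of close_files() is outside the hunk.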
@@ -279,8 +305,9 @@ static void open_files (void)
                              "locking group file",
                              group_name, AUDIT_NO_ID, 0);
 #endif
-               exit (E_GRP_UPDATE);
+               fail_exit (E_GRP_UPDATE);
        }
+       group_locked = true;
        if (gr_open (O_RDWR) == 0) {
                fprintf (stderr, _("%s: cannot open the group file\n"), Prog);
                SYSLOG ((LOG_WARN, "cannot open the group file"));
@@ -292,17 +319,30 @@ static void open_files (void)
                fail_exit (E_GRP_UPDATE);
        }
 #ifdef SHADOWGRP
-       if (is_shadow_grp && (sgr_lock () == 0)) {
-               fprintf (stderr,
-                        _("%s: cannot lock the shadow group file\n"), Prog);
-               SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
-               fail_exit (E_GRP_UPDATE);
-       }
-       if (is_shadow_grp && (sgr_open (O_RDWR) == 0)) {
-               fprintf (stderr,
-                        _("%s: cannot open the shadow group file\n"), Prog);
-               SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
-               fail_exit (E_GRP_UPDATE);
+       if (is_shadow_grp) {
+               if (sgr_lock () == 0) {
+                       fprintf (stderr,
+                                _("%s: cannot lock the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "locking gshadow file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       fail_exit (E_GRP_UPDATE);
+               }
+               gshadow_locked = true;
+               if (sgr_open (O_RDWR) == 0) {
+                       fprintf (stderr,
+                                _("%s: cannot open the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "opening gshadow file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       fail_exit (E_GRP_UPDATE);
+               }
        }
 #endif                         /* SHADOWGRP */
 }
@@ -312,10 +352,30 @@ static void open_files (void)
  */
 static void fail_exit (int code)
 {
-       (void) gr_unlock ();
+       if (group_locked) {
+               if (gr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking group file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
+       }
 #ifdef SHADOWGRP
-       if (is_shadow_grp) {
-               sgr_unlock ();
+       if (gshadow_locked) {
+               if (sgr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking gshadow file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
        }
 #endif
 
@@ -470,7 +530,7 @@ static void check_flags (void)
                        /* OK, no need to do anything */
                        fail_exit (E_SUCCESS);
                }
-               fprintf (stderr, _("%s: group %s exists\n"), Prog, group_name);
+               fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name);
                fail_exit (E_NAME_IN_USE);
        }
 
@@ -487,7 +547,7 @@ static void check_flags (void)
                        /* Turn off -g, we can use any GID */
                        gflg = false;
                } else {
-                       fprintf (stderr, _("%s: GID %u is not unique\n"),
+                       fprintf (stderr, _("%s: GID '%u' already exists\n"),
                                 Prog, (unsigned int) group_id);
                        fail_exit (E_GID_IN_USE);
                }
index aea6e3805af6883b1a0e5ceabf0d5a992acc1321..d84806aec568540024ca23594f2c23b842d698f0 100644 (file)
@@ -94,17 +94,20 @@ static void usage (void)
  */
 static void fail_exit (int code)
 {
-       if (gr_unlock () == 0) {
-               fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
-               SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+       if (group_locked) {
+               if (gr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the group file"));
 #ifdef WITH_AUDIT
-               audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-                             "unlocking group file",
-                             group_name, AUDIT_NO_ID, 0);
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking group file",
+                                     group_name, AUDIT_NO_ID, 0);
 #endif
+                       /* continue */
+               }
        }
 #ifdef SHADOWGRP
-       if (is_shadow_grp) {
+       if (gshadow_locked) {
                if (sgr_unlock () == 0) {
                        fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
                        SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
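Review bot: fail_exit() now depends on `group_locked` and `gshadow_locked`, but none of the src/groupdel.c hunks in this commit declares those flags or sets them to true after a successful lock; the only assignments visible for this file are the `= false` ones in close_files(). Unless both already exist outside the diff, the file will not build. If the flags are declared but never set, every error exit would leave the lock files behind and block later group administration. The groupadd.c section shows the matching pieces: `static bool group_locked = false;` next to the other statics and `group_locked = true;` right after the `gr_lock ()` check in open_files(). The end of fail_exit() is outside this hunk.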
@@ -113,6 +116,7 @@ static void fail_exit (int code)
                                      "unlocking gshadow file",
                                      group_name, AUDIT_NO_ID, 0);
 #endif
+                       /* continue */
                }
        }
 #endif
@@ -170,6 +174,7 @@ static void close_files (void)
 
        if (gr_close () == 0) {
                fprintf (stderr, _("%s: cannot rewrite the group file\n"), Prog);
+               SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
                fail_exit (E_GRP_UPDATE);
        }
        if (gr_unlock () == 0) {
@@ -180,12 +185,15 @@ static void close_files (void)
                              "unlocking group file",
                              group_name, AUDIT_NO_ID, 0);
 #endif
+               /* continue */
        }
+       group_locked = false;
 #ifdef SHADOWGRP
        if (is_shadow_grp) {
                if (sgr_close () == 0)) {
                        fprintf (stderr,
                                 _("%s: cannot rewrite the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
                        fail_exit (E_GRP_UPDATE);
                }
                if (sgr_unlock () == 0) {
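Review bot: The context line `if (sgr_close () == 0)) {` has one closing parenthesis too many, so this file cannot compile when SHADOWGRP is defined; the commit edits the lines around it but leaves it as is. It should read `if (sgr_close () == 0) {`. The same unbalanced condition is introduced as an added line in the close_files() hunk of src/groupmod.c. close_files() starts and ends outside this hunk.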
@@ -196,7 +204,9 @@ static void close_files (void)
                                      "unlocking gshadow file",
                                      group_name, AUDIT_NO_ID, 0);
 #endif
+                       /* continue */
                }
+               gshadow_locked = false;
        }
 #endif                         /* SHADOWGRP */
 }
@@ -331,19 +341,14 @@ int main (int argc, char **argv)
 
        if (PAM_SUCCESS == retval) {
                retval = pam_authenticate (pamh, 0);
-               if (PAM_SUCCESS != retval) {
-                       (void) pam_end (pamh, retval);
-               }
        }
 
        if (PAM_SUCCESS == retval) {
                retval = pam_acct_mgmt (pamh, 0);
-               if (PAM_SUCCESS != retval) {
-                       (void) pam_end (pamh, retval);
-               }
        }
 
        if (PAM_SUCCESS != retval) {
+               (void) pam_end (pamh, retval);
                fprintf (stderr, _("%s: PAM authentication failed\n"), Prog);
                exit (1);
        }
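Review bot: With the per-step cleanup removed, `pam_end (pamh, retval)` is reached for any failure, including a failure of the PAM setup call that set `retval` before this hunk (not visible here), in which case `pamh` may not be a valid handle. A guard keeps the consolidation safe: `if (NULL != pamh) { (void) pam_end (pamh, retval); }`. The refusal is also reported on stderr only; a `SYSLOG ((LOG_WARN, "PAM authentication failed"));` next to the fprintf would leave a trace of rejected attempts for later review. The corresponding main() hunk of src/groupmod.c has the same pattern.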
@@ -416,9 +421,7 @@ int main (int argc, char **argv)
        nscd_flush_cache ("group");
 
 #ifdef USE_PAM
-       if (PAM_SUCCESS == retval) {
-               (void) pam_end (pamh, PAM_SUCCESS);
-       }
+       (void) pam_end (pamh, PAM_SUCCESS);
 #endif                         /* USE_PAM */
 
        return E_SUCCESS;
index 33f1d1dabfbb785fe34c1fd0d8e4b5e92e1c784f..bfdb468b9d2349bb786f56da3a95aba04a20095d 100644 (file)
@@ -124,15 +124,42 @@ static void usage (void)
 static void fail_exit (int status)
 {
        if (group_locked) {
-               gr_unlock ();
+               if (gr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking group file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
        }
 #ifdef SHADOWGRP
        if (gshadow_locked) {
-               sgr_unlock ();
+               if (sgr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking gshadow file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
        }
 #endif                         /* SHADOWGRP */
        if (passwd_locked) {
-               pw_unlock();
+               if (pw_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the passwd file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the passwd file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking passwd file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
        }
        exit (status);
 }
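Review bot: The three unlock-failure blocks in fail_exit() are near-identical copies of the ones in close_files() of this file and of groupadd.c and groupdel.c, differing only in the unlock function called and the message text. A small static helper per file, taking the file description and the audit operation string, would keep the stderr, syslog and audit output in step across all call sites. The comment above fail_exit() could also say that unlock failures are reported but do not change the exit status, which is what each `/* continue */` currently stands in for.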
@@ -145,14 +172,17 @@ static void fail_exit (int status)
  */
 static void new_grent (struct group *grent)
 {
-       if (nflg)
+       if (nflg) {
                grent->gr_name = xstrdup (group_newname);
+       }
 
-       if (gflg)
+       if (gflg) {
                grent->gr_gid = group_newid;
+       }
 
-       if (pflg)
+       if (pflg) {
                grent->gr_passwd = group_passwd;
+       }
 }
 
 #ifdef SHADOWGRP
@@ -164,11 +194,13 @@ static void new_grent (struct group *grent)
  */
 static void new_sgent (struct sgrp *sgent)
 {
-       if (nflg)
+       if (nflg) {
                sgent->sg_name = xstrdup (group_newname);
+       }
 
-       if (pflg)
+       if (pflg) {
                sgent->sg_passwd = group_passwd;
+       }
 }
 #endif                         /* SHADOWGRP */
 
@@ -468,28 +500,73 @@ static void close_files (void)
 {
        if (gr_close () == 0) {
                fprintf (stderr, _("%s: cannot rewrite group file\n"), Prog);
+               SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
+#ifdef WITH_AUDIT
+               audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                             "rewrite group file",
+                             group_name, AUDIT_NO_ID, 0);
+#endif
                fail_exit (E_GRP_UPDATE);
        }
-       gr_unlock ();
+       if (gr_unlock () == 0) {
+               fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+               SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+               audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                             "unlocking group file",
+                             group_name, AUDIT_NO_ID, 0);
+#endif
+               /* continue */
+       }
        group_locked = false;
 #ifdef SHADOWGRP
-       if (is_shadow_grp && (sgr_close () == 0)) {
-               fprintf (stderr,
-                        _("%s: cannot rewrite shadow group file\n"), Prog);
-               fail_exit (E_GRP_UPDATE);
-       }
        if (is_shadow_grp) {
-               sgr_unlock ();
+               if (sgr_close () == 0)) {
+                       fprintf (stderr,
+                                _("%s: cannot rewrite the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "rewrite gshadow file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       fail_exit (E_GRP_UPDATE);
+               }
+               if (sgr_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking gshadow file",
+                                     group, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
                gshadow_locked = false;
        }
 #endif                         /* SHADOWGRP */
        if (gflg) {
                if (pw_close () == 0) {
                        fprintf (stderr,
-                                _("%s: cannot rewrite passwd file\n"), Prog);
+                                _("%s: cannot rewrite the passwd file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot rewrite the passwd file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "rewrite passwd file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
                        fail_exit (E_GRP_UPDATE);
                }
-               pw_unlock();
+               if (pw_unlock () == 0) {
+                       fprintf (stderr, _("%s: cannot unlock the passwd file\n"), Prog);
+                       SYSLOG ((LOG_WARN, "cannot unlock the passwd file"));
+#ifdef WITH_AUDIT
+                       audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+                                     "unlocking passwd file",
+                                     group_name, AUDIT_NO_ID, 0);
+#endif
+                       /* continue */
+               }
                passwd_locked = false;
        }
 }
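Review bot: The audit call in the `sgr_unlock ()` failure branch passes `group` as its fourth argument, while every other audit_logger call in this commit passes `group_name`. No `group` variable is visible in the diff, so this looks like a typo that would either break WITH_AUDIT builds or record the wrong object; the line should be `group_name, AUDIT_NO_ID, 0);`. In the same function the stderr text `cannot rewrite group file` keeps its old wording while the new syslog text says `cannot rewrite the group file`, so console output and logs no longer match when searched for the same string.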
@@ -503,11 +580,13 @@ static void open_files (void)
 {
        if (gr_lock () == 0) {
                fprintf (stderr, _("%s: cannot lock the group file\n"), Prog);
+               SYSLOG ((LOG_WARN, "cannot lock the group file"));
                fail_exit (E_GRP_UPDATE);
        }
        group_locked = true;
        if (gr_open (O_RDWR) == 0) {
                fprintf (stderr, _("%s: cannot open the group file\n"), Prog);
+               SYSLOG ((LOG_WARN, "cannot open the group file"));
                fail_exit (E_GRP_UPDATE);
        }
 #ifdef SHADOWGRP
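Review bot: The lock and open failures in open_files() gain a SYSLOG line but no audit record, although the ChangeLog entry for this file announces audit logging on lock failures and groupadd.c's open_files() adds it for the same cases. Under `#ifdef WITH_AUDIT` each branch could also call `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", group_name, AUDIT_NO_ID, 0);` with the operation string adjusted per file and action. This applies equally to the four following open_files() hunks (shadow group and passwd lock/open). open_files() continues past this hunk.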
@@ -516,6 +595,7 @@ static void open_files (void)
                        fprintf (stderr,
                                 _("%s: cannot lock the shadow group file\n"),
                                 Prog);
+                       SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
                        fail_exit (E_GRP_UPDATE);
                }
                gshadow_locked = true;
@@ -523,6 +603,7 @@ static void open_files (void)
                        fprintf (stderr,
                                 _("%s: cannot open the shadow group file\n"),
                                 Prog);
+                       SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
                        fail_exit (E_GRP_UPDATE);
                }
        }
@@ -532,6 +613,7 @@ static void open_files (void)
                        fprintf (stderr,
                                 _("%s: cannot lock the passwd file\n"),
                                 Prog);
+                       SYSLOG ((LOG_WARN, "cannot lock the passwd file"));
                        fail_exit (E_GRP_UPDATE);
                }
                passwd_locked = true;
@@ -539,6 +621,7 @@ static void open_files (void)
                        fprintf (stderr,
                                 _("%s: cannot open the passwd file\n"),
                                 Prog);
+                       SYSLOG ((LOG_WARN, "cannot open the passwd file"));
                        fail_exit (E_GRP_UPDATE);
                }
        }
@@ -632,19 +715,14 @@ int main (int argc, char **argv)
 
        if (PAM_SUCCESS == retval) {
                retval = pam_authenticate (pamh, 0);
-               if (PAM_SUCCESS != retval) {
-                       (void) pam_end (pamh, retval);
-               }
        }
 
        if (PAM_SUCCESS == retval) {
                retval = pam_acct_mgmt (pamh, 0);
-               if (PAM_SUCCESS != retval) {
-                       (void) pam_end (pamh, retval);
-               }
        }
 
        if (PAM_SUCCESS != retval) {
+               (void) pam_end (pamh, retval);
                fprintf (stderr, _("%s: PAM authentication failed\n"), Prog);
                fail_exit (1);
        }
@@ -729,9 +807,7 @@ int main (int argc, char **argv)
        nscd_flush_cache ("group");
 
 #ifdef USE_PAM
-       if (PAM_SUCCESS == retval) {
-               (void) pam_end (pamh, PAM_SUCCESS);
-       }
+       (void) pam_end (pamh, PAM_SUCCESS);
 #endif                         /* USE_PAM */
        exit (E_SUCCESS);
        /* NOT REACHED */