+2013-08-11 Nicolas François <nicolas.francois@centraliens.net>
+
+ * configure.in: Add configure options --enable-subordinate-ids /
+ --disable-subordinate-ids. Enabled by default.
+ * lib/prototypes.h: Include <config.h> before using its macros.
+ * lib/commonio.h, lib/commonio.c: Define commonio_append only when
+ ENABLE_SUBIDS is defined.
+ * lib/prototypes.h, libmisc/find_new_sub_gids.c,
+ libmisc/find_new_sub_uids.c: Likewise.
+ * lib/subordinateio.h, lib/subordinateio.c: Likewise.
+ * libmisc/user_busy.c: Only check if subordinate IDs are in use if
+ ENABLE_SUBIDS is defined.
+ * src/Makefile.am: Create newgidmap and newuidmap only if
+ ENABLE_SUBIDS is defined.
+ * src/newusers.c: Check for ENABLE_SUBIDS to enable support for
+ subordinate IDs.
+ * src/useradd.c: Likewise.
+ * src/userdel.c: Likewise.
+ * src/usermod.c: Likewise.
+ * man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
+ man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
+ * man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
+ man5/subgid.5, and man5/subuid.5 (not translated yet).
+ * man/generate_mans.mak: Add xsltproc conditionals
+ subids/no_subids.
+ * man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
+ condition.
+ * man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
+ * man/usermod.8.xml: Document options for subordinate IDs and
+ reference subgid(5) / subuid(5) depending on the subids condition.
+
2013-08-09 Nicolas François <nicolas.francois@centraliens.net>
* libmisc/salt.c: Remove unused variable.
[enable_utmpx="no"]
)
+AC_ARG_ENABLE(subordinate-ids,
+ [AC_HELP_STRING([--enable-subordinate-ids],
+ [support subordinate ids @<:@default=yes@:>@])],
+ [enable_subids="${enableval}"],
+ [enable_subids="yes"]
+)
+
AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe])
fi
AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test "x$enable_man" != "xno")
+if test "$enable_subids" = "yes"; then
+ dnl
+ dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
+ dnl
+ AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
+ enable_subids="yes"
+fi
+AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
+
AC_SUBST(LIBCRYPT)
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
[AC_MSG_ERROR([crypt() not found])])
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
+echo " subordinate IDs support: $enable_subids"
echo
return 1;
}
+#ifdef ENABLE_SUBIDS
int commonio_append (struct commonio_db *db, const void *eptr)
{
struct commonio_entry *p;
db->changed = true;
return 1;
}
+#endif /* ENABLE_SUBIDS */
void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p)
{
extern int commonio_open (struct commonio_db *, int);
extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
extern int commonio_update (struct commonio_db *, const void *);
+#ifdef ENABLE_SUBIDS
extern int commonio_append (struct commonio_db *, const void *);
+#endif /* ENABLE_SUBIDS */
extern int commonio_remove (struct commonio_db *, const char *);
extern int commonio_rewind (struct commonio_db *);
extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
#ifndef _PROTOTYPES_H
#define _PROTOTYPES_H
+#include <config.h>
+
#include <sys/stat.h>
#ifdef USE_UTMPX
#include <utmpx.h>
uid_t *uid,
/*@null@*/uid_t const *preferred_uid);
+#ifdef ENABLE_SUBIDS
/* find_new_sub_gids.c */
extern int find_new_sub_gids (const char *owner,
gid_t *range_start, unsigned long *range_count);
/* find_new_sub_uids.c */
extern int find_new_sub_uids (const char *owner,
uid_t *range_start, unsigned long *range_count);
+#endif /* ENABLE_SUBIDS */
/* get_gid.c */
*/
#include <config.h>
+
+#ifdef ENABLE_SUBIDS
+
#include "prototypes.h"
#include "defines.h"
#include <stdio.h>
start = find_free_range (&subordinate_gid_db, min, max, count);
return start == ULONG_MAX ? (gid_t) -1 : start;
}
+#else /* !ENABLE_SUBIDS */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* !ENABLE_SUBIDS */
+
#ifndef _SUBORDINATEIO_H
#define _SUBORDINATEIO_H
+#include <config.h>
+
+#ifdef ENABLE_SUBIDS
+
#include <sys/types.h>
extern int sub_uid_close(void);
extern int sub_gid_add (const char *owner, gid_t start, unsigned long count);
extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count);
extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);
+#endif /* ENABLE_SUBIDS */
#endif
#include <config.h>
+#ifdef ENABLE_SUBIDS
+
#include <assert.h>
#include <stdio.h>
#include <errno.h>
*range_count = count;
return 0;
}
+#else /* !ENABLE_SUBIDS */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* !ENABLE_SUBIDS */
#include <config.h>
+#ifdef ENABLE_SUBIDS
+
#include <assert.h>
#include <stdio.h>
#include <errno.h>
*range_count = count;
return 0;
}
+#else /* !ENABLE_SUBIDS */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* !ENABLE_SUBIDS */
#include <fcntl.h>
#include "defines.h"
#include "prototypes.h"
+#ifdef ENABLE_SUBIDS
#include "subordinateio.h"
+#endif /* ENABLE_SUBIDS */
#ifdef __linux__
static int check_status (const char *name, const char *sname, uid_t uid);
if ( (ruid == (unsigned long) uid)
|| (euid == (unsigned long) uid)
|| (suid == (unsigned long) uid)
+#ifdef ENABLE_SUBIDS
|| have_sub_uids(name, ruid, 1)
|| have_sub_uids(name, euid, 1)
- || have_sub_uids(name, suid, 1)) {
+ || have_sub_uids(name, suid, 1)
+#endif /* ENABLE_SUBIDS */
+ ) {
(void) fclose (sfile);
return 1;
}
struct stat sbroot;
struct stat sbroot_process;
+#ifdef ENABLE_SUBIDS
sub_uid_open (O_RDONLY);
+#endif /* ENABLE_SUBIDS */
proc = opendir ("/proc");
if (proc == NULL) {
}
(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
sub_uid_close();
+#endif /* ENABLE_SUBIDS */
return 0;
}
#endif /* __linux__ */
man1/login.1 \
man5/login.defs.5 \
man8/logoutd.8 \
- man1/newgidmap.1 \
man1/newgrp.1 \
- man1/newuidmap.1 \
man8/newusers.8 \
man8/nologin.8 \
man1/passwd.1 \
man5/shadow.5 \
man1/su.1 \
man5/suauth.5 \
- man5/subgid.5 \
- man5/subuid.5 \
man8/useradd.8 \
man8/userdel.8 \
man8/usermod.8 \
man_MANS += $(man_nopam)
endif
+man_subids = \
+ man1/newgidmap.1 \
+ man1/newuidmap.1 \
+ man5/subgid.5 \
+ man5/subuid.5
+
+if ENABLE_SUBIDS
+man_MANS += $(man_subids)
+endif
+
man_XMANS = \
chage.1.xml \
chfn.1.xml \
EXTRA_DIST += $(man_nopam)
endif
+if !ENABLE_SUBIDS
+EXTRA_DIST += $(man_subids)
+endif
+
generate_mans.deps: *.xml
echo "# This file is generated" > $@
awk 'BEGIN{FS="\"";} /^<!ENTITY .* * SYSTEM ".*">$$/{ f=FILENAME; sub(/.xml/,"",f); print "man" substr(f, length (f)) "/" f ": " $$2 }' $(man_XMANS) >> $@
man_MANS += $(man_nopam)
endif
+man_subids = \
+ man1/newgidmap.1 \
+ man1/newuidmap.1 \
+ man5/subgid.5 \
+ man5/subuid.5
+
+if ENABLE_SUBIDS
+man_MANS += $(man_subids)
+endif
+
EXTRA_DIST = \
$(man_MANS) \
man1/id.1 \
EXTRA_DIST += $(man_nopam)
endif
+if !ENABLE_SUBIDS
+EXTRA_DIST += $(man_subids)
+endif
+
include ../generate_translations.mak
SHA_CRYPT_COND=no_sha_crypt
endif
+if ENABLE_SUBIDS
+SUBIDS_COND=subids
+else
+SUBIDS_COND=no_subids
+endif
+
if ENABLE_REGENERATE_MAN
%.xml-config: %.xml
if grep -q SHADOW-CONFIG-HERE $<; then \
fi
man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
- $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND)" \
+ $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(SUBIDS_COND)" \
--param "man.authors.section.enabled" "0" \
--stringparam "man.output.base.dir" "" \
--param "man.output.in.separate.dir" "1" \
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
-<varlistentry>
+<varlistentry condition="subids">
<term><option>SUB_GID_MIN</option> (number)</term>
<term><option>SUB_GID_MAX</option> (number)</term>
<term><option>SUB_GID_COUNT</option> (number)</term>
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
-<varlistentry>
+<varlistentry condition="subids">
<term><option>SUB_UID_MIN</option> (number)</term>
<term><option>SUB_UID_MAX</option> (number)</term>
<term><option>SUB_UID_COUNT</option> (number)</term>
</para>
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="subids">
<term>
<option>-v</option>, <option>--add-sub-uids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
</para>
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="subids">
<term>
<option>-V</option>, <option>--del-sub-uids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
</para>
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="subids">
<term>
<option>-w</option>, <option>--add-sub-gids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
</para>
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="subids">
<term>
<option>-W</option>, <option>--del-sub-gids</option>
<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
<citerefentry>
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
+ <phrase condition="subids">
+ <citerefentry>
+ <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ </phrase>
<citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
bin_PROGRAMS = groups login su
sbin_PROGRAMS = nologin
-ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd \
- newgidmap newuidmap
+ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+if ENABLE_SUBIDS
+ubin_PROGRAMS += newgidmap newuidmap
+endif
usbin_PROGRAMS = \
chgpasswd \
chpasswd \
#include "pwio.h"
#include "sgroupio.h"
#include "shadowio.h"
+#ifdef ENABLE_SUBIDS
#include "subordinateio.h"
+#endif /* ENABLE_SUBIDS */
#include "chkname.h"
/*
#endif /* USE_SHA_CRYPT */
#endif /* !USE_PAM */
-static bool is_sub_uid = false;
-static bool is_sub_gid = false;
static bool is_shadow;
#ifdef SHADOWGRP
static bool is_shadow_grp;
static bool pw_locked = false;
static bool gr_locked = false;
static bool spw_locked = false;
+#ifdef ENABLE_SUBIDS
+static bool is_sub_uid = false;
+static bool is_sub_gid = false;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
+#endif /* ENABLE_SUBIDS */
/* local function prototypes */
static void usage (int status);
}
}
#endif
+#ifdef ENABLE_SUBIDS
if (sub_uid_locked) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
/* continue */
}
}
+#endif /* ENABLE_SUBIDS */
exit (code);
}
sgr_locked = true;
}
#endif
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
}
sub_gid_locked = true;
}
+#endif /* ENABLE_SUBIDS */
if (pw_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
fail_exit (EXIT_FAILURE);
}
#endif
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_open (O_RDWR) == 0) {
fprintf (stderr,
fail_exit (EXIT_FAILURE);
}
}
+#endif /* ENABLE_SUBIDS */
}
/*
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (EXIT_FAILURE);
}
+#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
fail_exit (EXIT_FAILURE);
}
+#endif /* ENABLE_SUBIDS */
if (gr_unlock () == 0) {
fprintf (stderr,
sgr_locked = false;
}
#endif
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
}
sub_gid_locked = false;
}
+#endif /* ENABLE_SUBIDS */
}
int main (int argc, char **argv)
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif
+#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present ();
+#endif /* ENABLE_SUBIDS */
open_files ();
continue;
}
+#ifdef ENABLE_SUBIDS
/*
* Add subordinate uids if the user does not have them.
*/
errors++;
}
}
-
+
/*
* Add subordinate gids if the user does not have them.
*/
errors++;
}
}
+#endif /* ENABLE_SUBIDS */
}
/*
#include "sgroupio.h"
#endif
#include "shadowio.h"
+#ifdef ENABLE_SUBIDS
#include "subordinateio.h"
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif
static bool is_shadow_grp;
static bool sgr_locked = false;
#endif
+#ifdef ENABLE_SUBIDS
static bool is_sub_uid = false;
static bool is_sub_gid = false;
-static bool pw_locked = false;
-static bool gr_locked = false;
-static bool spw_locked = false;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
-static char **user_groups; /* NULL-terminated list */
-static long sys_ngroups;
-static bool do_grp_update = false; /* group files need to be updated */
static uid_t sub_uid_start; /* New subordinate uid range */
static unsigned long sub_uid_count;
static gid_t sub_gid_start; /* New subordinate gid range */
static unsigned long sub_gid_count;
+#endif /* ENABLE_SUBIDS */
+static bool pw_locked = false;
+static bool gr_locked = false;
+static bool spw_locked = false;
+static char **user_groups; /* NULL-terminated list */
+static long sys_ngroups;
+static bool do_grp_update = false; /* group files need to be updated */
static bool
bflg = false, /* new default root of home directory */
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
+#endif /* ENABLE_SUBIDS */
#define DGROUP "GROUP="
#define DHOME "HOME="
}
}
#endif
+#ifdef ENABLE_SUBIDS
if (sub_uid_locked) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
/* continue */
}
}
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,
}
#endif
}
+#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
fail_exit (E_SUB_GID_UPDATE);
}
+#endif /* ENABLE_SUBIDS */
if (is_shadow_pwd) {
if (spw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
sgr_locked = false;
}
#endif
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
}
sub_gid_locked = false;
}
+#endif /* ENABLE_SUBIDS */
}
/*
}
}
#endif
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
fail_exit (E_SUB_GID_UPDATE);
}
}
+#endif /* ENABLE_SUBIDS */
}
static void open_shadow (void)
#endif
fail_exit (E_PW_UPDATE);
}
+#ifdef ENABLE_SUBIDS
if (is_sub_uid &&
(sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
fprintf (stderr,
Prog, sub_uid_dbname ());
fail_exit (E_SUB_GID_UPDATE);
}
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif
+#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present ();
+#endif /* ENABLE_SUBIDS */
get_defaults ();
grp_add ();
}
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
fprintf (stderr,
fail_exit(E_SUB_GID_UPDATE);
}
}
+#endif /* ENABLE_SUBIDS */
+
usr_update ();
if (mflg) {
#endif /* WITH_TCB */
/*@-exitarg@*/
#include "exitcodes.h"
+#ifdef ENABLE_SUBIDS
#include "subordinateio.h"
+#endif /* ENABLE_SUBIDS */
/*
* exit status values
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't remove home directory */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
+#endif /* ENABLE_SUBIDS */
/*
* Global variables
static bool is_shadow_grp;
static bool sgr_locked = false;
#endif /* SHADOWGRP */
-static bool is_sub_uid;
-static bool is_sub_gid;
static bool pw_locked = false;
static bool gr_locked = false;
static bool spw_locked = false;
+#ifdef ENABLE_SUBIDS
+static bool is_sub_uid;
+static bool is_sub_gid;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
+#endif /* ENABLE_SUBIDS */
/* local function prototypes */
static void usage (int status);
}
#endif /* SHADOWGRP */
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_close () == 0) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
}
sub_gid_locked = false;
}
+#endif /* ENABLE_SUBIDS */
}
/*
}
}
#endif /* SHADOWGRP */
+#ifdef ENABLE_SUBIDS
if (sub_uid_locked) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
/* continue */
}
}
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
}
}
#endif /* SHADOWGRP */
+#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
fail_exit (E_SUB_GID_UPDATE);
}
}
+#endif /* ENABLE_SUBIDS */
}
/*
Prog, user_name, spw_dbname ());
fail_exit (E_PW_UPDATE);
}
+#ifdef ENABLE_SUBIDS
if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) {
fprintf (stderr,
_("%s: cannot remove entry %lu from %s\n"),
Prog, (unsigned long)user_id, sub_gid_dbname ());
fail_exit (E_SUB_GID_UPDATE);
}
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"deleting user entries",
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif /* SHADOWGRP */
+#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present ();
+#endif /* ENABLE_SUBIDS */
/*
* Start with a quick check to see if the user exists.
#include "sgroupio.h"
#endif
#include "shadowio.h"
+#ifdef ENABLE_SUBIDS
#include "subordinateio.h"
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */
#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
+#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
+#endif /* ENABLE_SUBIDS */
+
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
+
/*
* Global variables
*/
#ifdef WITH_SELINUX
Zflg = false, /* new selinux user */
#endif
- uflg = false, /* specify new user ID */
- Uflg = false, /* unlock the password */
+#ifdef ENABLE_SUBIDS
vflg = false, /* add subordinate uids */
Vflg = false, /* delete subordinate uids */
wflg = false, /* add subordinate gids */
- Wflg = false; /* delete subordinate gids */
+ Wflg = false, /* delete subordinate gids */
+#endif /* ENABLE_SUBIDS */
+ uflg = false, /* specify new user ID */
+ Uflg = false; /* unlock the password */
static bool is_shadow_pwd;
static bool is_shadow_grp;
#endif
+#ifdef ENABLE_SUBIDS
static bool is_sub_uid = false;
static bool is_sub_gid = false;
+#endif /* ENABLE_SUBIDS */
static bool pw_locked = false;
static bool spw_locked = false;
#ifdef SHADOWGRP
static bool sgr_locked = false;
#endif
+#ifdef ENABLE_SUBIDS
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
+#endif /* ENABLE_SUBIDS */
/* local function prototypes */
return 0;
}
+#ifdef ENABLE_SUBIDS
struct ulong_range
{
unsigned long first;
*head = entry;
return 1;
}
+#endif /* ENABLE_SUBIDS */
/*
* usage - display usage message and exit
(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
(void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
+#ifdef ENABLE_SUBIDS
(void) fputs (_(" -v, --add-subuids FIRST-LAST add range of subordinate uids\n"), usageout);
(void) fputs (_(" -V, --del-subuids FIRST-LAST remove range of subordinate uids\n"), usageout);
(void) fputs (_(" -w, --add-subgids FIRST-LAST add range of subordinate gids\n"), usageout);
(void) fputs (_(" -W, --del-subgids FIRST-LAST remove range of subordinate gids\n"), usageout);
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
(void) fputs (_(" -Z, --selinux-user SEUSER new SELinux user mapping for the user account\n"), usageout);
#endif /* WITH_SELINUX */
/* continue */
}
}
+#ifdef ENABLE_SUBIDS
if (sub_uid_locked) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
/* continue */
}
}
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
{"shell", required_argument, NULL, 's'},
{"uid", required_argument, NULL, 'u'},
{"unlock", no_argument, NULL, 'U'},
+#ifdef ENABLE_SUBIDS
{"add-subuids", required_argument, NULL, 'v'},
{"del-subuids", required_argument, NULL, 'V'},
{"add-subgids", required_argument, NULL, 'w'},
{"del-subgids", required_argument, NULL, 'W'},
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
{"selinux-user", required_argument, NULL, 'Z'},
#endif /* WITH_SELINUX */
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
+ "ac:d:e:f:g:G:hl:Lmop:R:s:u:U"
+#ifdef ENABLE_SUBIDS
+ "v:w:V:W:"
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
- "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:v:w:V:W:",
-#else /* !WITH_SELINUX */
- "ac:d:e:f:g:G:hl:Lmop:R:s:u:Uv:w:V:W:",
-#endif /* !WITH_SELINUX */
- long_options, NULL)) != -1) {
+ "Z:"
+#endif /* WITH_SELINUX */
+ , long_options, NULL)) != -1) {
switch (c) {
case 'a':
aflg = true;
case 'U':
Uflg = true;
break;
+#ifdef ENABLE_SUBIDS
case 'v':
if (prepend_range (optarg, &add_sub_uids) == 0) {
fprintf (stderr,
}
Wflg = true;
break;
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
case 'Z':
if (is_selinux_enabled () > 0) {
if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
lflg || Gflg || gflg || fflg || eflg || dflg || cflg
+#ifdef ENABLE_SUBIDS
|| vflg || Vflg || wflg || Wflg
+#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
|| Zflg
#endif /* WITH_SELINUX */
sgr_locked = false;
#endif
+#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
if (!is_sub_uid || (sub_uid_close () == 0)) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
}
sub_gid_locked = false;
}
+#endif /* ENABLE_SUBIDS */
/*
* Close the DBM and/or flat files
}
#endif
}
+#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
if (!is_sub_uid || (sub_uid_lock () == 0)) {
fprintf (stderr,
fail_exit (E_SUB_GID_UPDATE);
}
}
+#endif /* ENABLE_SUBIDS */
}
/*
fail_exit (E_PW_UPDATE);
}
}
+#ifdef ENABLE_SUBIDS
if (Vflg) {
struct ulong_range_list_entry *ptr;
for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
}
}
}
+#endif /* ENABLE_SUBIDS */
}
/*
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif
+#ifdef ENABLE_SUBIDS
is_sub_uid = sub_uid_file_present ();
is_sub_gid = sub_gid_file_present ();
+#endif /* ENABLE_SUBIDS */
process_flags (argc, argv);
* The home directory, the username and the user's UID should not
* be changed while the user is logged in.
*/
- if ( (uflg || lflg || dflg || Vflg || Wflg)
+ if ( (uflg || lflg || dflg
+#ifdef ENABLE_SUBIDS
+ || Vflg || Wflg
+#endif /* ENABLE_SUBIDS */
+ )
&& (user_busy (user_name, user_id) != 0)) {
exit (E_USER_BUSY);
}
*/
open_files ();
if ( cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
- || sflg || uflg || Uflg || vflg || Vflg || wflg || Wflg) {
+ || sflg || uflg || Uflg
+#ifdef ENABLE_SUBIDS
+ || vflg || Vflg || wflg || Wflg
+#endif /* ENABLE_SUBIDS */
+ ) {
usr_update ();
}
if (Gflg || lflg) {
projects / shadow / commitdiff