[Pkg-shadow-commits] r1507 - in upstream/trunk: . src
nekral-guest at alioth.debian.org
nekral-guest at alioth.debian.org
Thu Dec 27 19:08:32 UTC 2007
Author: nekral-guest
Date: 2007-12-27 19:08:31 +0000 (Thu, 27 Dec 2007)
New Revision: 1507
Modified:
upstream/trunk/ChangeLog
upstream/trunk/src/gpasswd.c
Log:
Simplify gpasswd's main():
New function: check_perms(). Split out of main() to simplify main().
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2007-12-27 18:52:40 UTC (rev 1506)
+++ upstream/trunk/ChangeLog 2007-12-27 19:08:31 UTC (rev 1507)
@@ -9,6 +9,8 @@
* src/gpasswd.c: New functions: open_files(), close_files(),
update_group(). Split out from main() to simplify this (too) big
function.
+ * src/gpasswd.c: New function: check_perms(). Split out of main() to
+ simplify main().
2007-12-27 Nicolas François <nicolas.francois at centraliens.net>
Modified: upstream/trunk/src/gpasswd.c
===================================================================
--- upstream/trunk/src/gpasswd.c 2007-12-27 18:52:40 UTC (rev 1506)
+++ upstream/trunk/src/gpasswd.c 2007-12-27 19:08:31 UTC (rev 1507)
@@ -91,8 +91,10 @@
static void open_files (void);
static void close_files (void);
#ifdef SHADOWGRP
+static void check_perms (const struct sgrp *sg);
static void update_group (struct group *gr, struct sgrp *sg);
#else
+static void check_perms (const struct group *gr);
static void update_group (struct group *gr);
#endif
@@ -353,7 +355,78 @@
}
}
+/*
+ * check_perms - check if the user is allowed to change the password of
+ * the specified group.
+ *
+ * It only returns if the user is allowed.
+ */
#ifdef SHADOWGRP
+static void check_perms (const struct sgrp *sg)
+#else
+static void check_perms (const struct group *gr)
+#endif
+{
+#ifdef SHADOWGRP
+ /*
+ * The policy here for changing a group is that 1) you must be root
+ * or 2). you must be listed as an administrative member.
+ * Administrative members can do anything to a group that the root
+ * user can.
+ */
+ if (!amroot && !is_on_list (sg->sg_adm, myname)) {
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modify group", group, -1, 0);
+#endif
+ failure ();
+ }
+#else /* ! SHADOWGRP */
+
+#ifdef FIRST_MEMBER_IS_ADMIN
+ /*
+ * The policy here for changing a group is that 1) you must bes root
+ * or 2) you must be the first listed member of the group. The
+ * first listed member of a group can do anything to that group that
+ * the root user can. The rationale for this hack is that the FIRST
+ * user is probably the most important user in this entire group.
+ */
+ if (!amroot) {
+ if (gr->gr_mem[0] == (char *) 0) {
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying group", group, -1, 0);
+#endif
+ failure ();
+ }
+
+ if (strcmp (gr->gr_mem[0], myname) != 0) {
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying group", myname, -1, 0);
+#endif
+ failure ();
+ }
+ }
+#else
+ /*
+ * This feature enabled by default could be a security problem when
+ * installed on existing systems where the first group member might
+ * be just a normal user. --marekm
+ */
+ if (!amroot) {
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying group", group, -1, 0);
+#endif
+ failure ();
+ }
+#endif
+#endif /* SHADOWGRP */
+}
+
+
+#ifdef SHADOWGRP
static void update_group (struct group *gr, struct sgrp *sg)
#else
static void update_group (struct group *gr)
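Review bot: The denial paths in check_perms() write inconsistent audit records: the SHADOWGRP branch logs the operation as "modify group" while the other branches log "modifying group", and the second FIRST_MEMBER_IS_ADMIN denial passes `myname` in the position where every other call passes `group`. The code was moved verbatim from main(), so this is a natural place to normalise them, e.g. `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "modifying group", group, -1, 0);` in each branch, so that refused attempts can be matched on one operation string and one field. The header comment's promise that the function only returns when the user is allowed holds only if failure() never returns, and its definition is outside this hunk. If it could return, the `strcmp (gr->gr_mem[0], myname)` that follows the NULL check would dereference a null pointer, so the comment should state the dependency, e.g. `* Relies on failure() terminating the process.` The carried-over comment typo "bes root" can be fixed at the same time.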
@@ -546,62 +619,14 @@
}
/*
- * The policy here for changing a group is that 1) you must be root
- * or 2). you must be listed as an administrative member.
- * Administrative members can do anything to a group that the root
- * user can.
+ * Check if the user is allowed to change the password of this group.
*/
- if (!amroot && !is_on_list (sgent.sg_adm, myname)) {
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "modify group", group,
- -1, 0);
-#endif
- failure ();
- }
-#else /* ! SHADOWGRP */
-
-#ifdef FIRST_MEMBER_IS_ADMIN
- /*
- * The policy here for changing a group is that 1) you must bes root
- * or 2) you must be the first listed member of the group. The
- * first listed member of a group can do anything to that group that
- * the root user can. The rationale for this hack is that the FIRST
- * user is probably the most important user in this entire group.
- */
- if (!amroot) {
- if (grent.gr_mem[0] == (char *) 0) {
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying group", group, -1, 0);
-#endif
- failure ();
- }
-
- if (strcmp (grent.gr_mem[0], myname) != 0) {
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying group", myname, -1, 0);
-#endif
- failure ();
- }
- }
+#ifdef SHADOWGRP
+ check_perms (&sgent);
#else
- /*
- * This feature enabled by default could be a security problem when
- * installed on existing systems where the first group member might
- * be just a normal user. --marekm
- */
- if (!amroot) {
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "modifying group",
- group, -1, 0);
+ check_perms (&grent);
#endif
- failure ();
- }
-#endif
-#endif /* SHADOWGRP */
-
/*
* Removing a password is straight forward. Just set the password
* field to a "".
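Review bot: The preprocessor conditionals look unbalanced after this hunk. The removed lines include `#else /* ! SHADOWGRP */` and `#endif /* SHADOWGRP */`, which belonged to an `#ifdef SHADOWGRP` that appears to be opened above the hunk, while the new side only opens and closes its own `#ifdef SHADOWGRP` / `#else` / `#endif`. If that outer conditional is still open at this point, the `check_perms (&grent);` branch is dead code nested inside it, and a non-SHADOWGRP build would compile the permission check out unless the build first fails on an unterminated conditional. Confirm where the outer block ends and, if needed, close it before the new comment with `#endif /* SHADOWGRP */`. main() starts and ends outside the hunk, so this is inferred from the directive count in the visible lines only.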