[Pkg-shadow-commits] r2242 - in upstream/trunk: . src
nekral-guest at alioth.debian.org
nekral-guest at alioth.debian.org
Wed Aug 6 15:56:52 UTC 2008
Author: nekral-guest
Date: 2008-08-06 15:56:51 +0000 (Wed, 06 Aug 2008)
New Revision: 2242
Modified:
upstream/trunk/ChangeLog
upstream/trunk/src/groupadd.c
upstream/trunk/src/groupdel.c
upstream/trunk/src/groupmod.c
Log:
* src/groupadd.c: Only call gr_unlock() and sgr_unlock() if the
group or gshadow files were previously locked.
* src/groupadd.c: Make sure failures are reported to syslog/audit
after the change is mentioned.
* src/groupmod.c: Add logging to syslog & audit on lock/unlock
failures.
* src/groupmod.c: Make sure issues are reported to syslog or audit
after the change is mentioned.
* src/groupdel.c: Only call gr_unlock() and sgr_unlock() if the
group or gshadow files were previously locked.
* src/groupdel.c: Simplify the handling of PAM errors.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2008-08-06 15:55:57 UTC (rev 2241)
+++ upstream/trunk/ChangeLog 2008-08-06 15:56:51 UTC (rev 2242)
@@ -1,11 +1,23 @@
-2008-08-01 Nicolas François <nicolas.francois at centraliens.net>
+2008-08-02 Nicolas François <nicolas.francois at centraliens.net>
* src/groupadd.c: Harmonize error & syslog messages.
- * src/groupadd.c: Add logging to syslog in some error cases.
+ * src/groupadd.c: Add logging to syslog & audit on lock/unlock
+ failures.
+ * src/groupadd.c: Only call gr_unlock() and sgr_unlock() in the
+ group or gshadow files were previously locked.
+ * src/groupadd.c: Make sure failures are reported to syslog/audit
+ after the change is mentioned.
* src/groupmod.c: Harmonize error & syslog messages.
+ * src/groupmod.c: Add logging to syslog & audit on lock/unlock
+ failures.
+ * src/groupmod.c: Make sure issues are reported to syslog or audit
+ after the change is mentioned.
* src/groupdel.c: Harmonize error & syslog messages.
* src/groupdel.c: Add logging to syslog & audit on lock/unlock
failures.
+ * src/groupdel.c: Only call gr_unlock() and sgr_unlock() in the
+ group or gshadow files were previously locked.
+ * src/groupdel.c: Simplify the handling of PAM errors.
2008-08-01 Nicolas François <nicolas.francois at centraliens.net>
Modified: upstream/trunk/src/groupadd.c
===================================================================
--- upstream/trunk/src/groupadd.c 2008-08-06 15:55:57 UTC (rev 2241)
+++ upstream/trunk/src/groupadd.c 2008-08-06 15:56:51 UTC (rev 2242)
@@ -53,7 +53,6 @@
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
-static bool is_shadow_grp;
#endif
/*
@@ -82,6 +81,13 @@
static bool rflg = false; /* create a system account */
static bool pflg = false; /* new encrypted password */
+#ifdef SHADOWGRP
+static bool is_shadow_grp;
+static bool gshadow_locked = false;
+#endif
+static bool group_locked = false;
+
+
#ifdef USE_PAM
static pam_handle_t *pamh = NULL;
#endif
@@ -250,16 +256,36 @@
SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
fail_exit (E_GRP_UPDATE);
}
- gr_unlock ();
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking group file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
+ group_locked = false;
#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_close () == 0)) {
- fprintf (stderr,
- _("%s: cannot rewrite the shadow group file\n"), Prog);
- SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
- fail_exit (E_GRP_UPDATE);
- }
if (is_shadow_grp) {
- sgr_unlock ();
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: cannot rewrite the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
+ fail_exit (E_GRP_UPDATE);
+ }
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking gshadow file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
+ gshadow_locked = false;
}
#endif /* SHADOWGRP */
}
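Review bot: The two rewrite failures in this hunk (`gr_close ()` in the context lines and the re-nested `sgr_close ()`) reach `fail_exit (E_GRP_UPDATE)` with a syslog line but no audit record, while the unlock failures beside them and the groupmod.c hunk at @@ -468 do call `audit_logger`. For a consistent audit trail I would add, under `#ifdef WITH_AUDIT` before each `fail_exit`, `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "rewrite gshadow file", group_name, AUDIT_NO_ID, 0);`, with `"rewrite group file"` for the first one. The groupdel.c hunks at @@ -170 and @@ -180 have the same gap. The enclosing function starts above the hunk.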
@@ -279,8 +305,9 @@
"locking group file",
group_name, AUDIT_NO_ID, 0);
#endif
- exit (E_GRP_UPDATE);
+ fail_exit (E_GRP_UPDATE);
}
+ group_locked = true;
if (gr_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot open the group file"));
@@ -292,18 +319,31 @@
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock the shadow group file\n"), Prog);
- SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
- fail_exit (E_GRP_UPDATE);
+ if (is_shadow_grp) {
+ if (sgr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "locking gshadow file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ fail_exit (E_GRP_UPDATE);
+ }
+ gshadow_locked = true;
+ if (sgr_open (O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "opening gshadow file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ fail_exit (E_GRP_UPDATE);
+ }
}
- if (is_shadow_grp && (sgr_open (O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open the shadow group file\n"), Prog);
- SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
- fail_exit (E_GRP_UPDATE);
- }
#endif /* SHADOWGRP */
}
@@ -312,10 +352,30 @@
*/
static void fail_exit (int code)
{
- (void) gr_unlock ();
+ if (group_locked) {
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking group file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
+ }
#ifdef SHADOWGRP
- if (is_shadow_grp) {
- sgr_unlock ();
+ if (gshadow_locked) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking gshadow file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
}
#endif
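Review bot: The bare `/* continue */` comments in `fail_exit` do not say what continuing means after a failed `gr_unlock ()` or `sgr_unlock ()`. Presumably the function still exits with the caller's `code`, so the unlock failure shows up only on stderr, in syslog and in audit. I would spell that out, e.g. `/* continue: keep the original exit code; the lock may still be held */`. The same comment is repeated in the close-path hunk above and in the groupdel.c and groupmod.c hunks. The rest of `fail_exit` lies below the hunk, so what else runs before the exit is not visible here.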
@@ -470,7 +530,7 @@
/* OK, no need to do anything */
fail_exit (E_SUCCESS);
}
- fprintf (stderr, _("%s: group %s exists\n"), Prog, group_name);
+ fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name);
fail_exit (E_NAME_IN_USE);
}
@@ -487,7 +547,7 @@
/* Turn off -g, we can use any GID */
gflg = false;
} else {
- fprintf (stderr, _("%s: GID %u is not unique\n"),
+ fprintf (stderr, _("%s: GID '%u' already exists\n"),
Prog, (unsigned int) group_id);
fail_exit (E_GID_IN_USE);
}
Modified: upstream/trunk/src/groupdel.c
===================================================================
--- upstream/trunk/src/groupdel.c 2008-08-06 15:55:57 UTC (rev 2241)
+++ upstream/trunk/src/groupdel.c 2008-08-06 15:56:51 UTC (rev 2242)
@@ -94,17 +94,20 @@
*/
static void fail_exit (int code)
{
- if (gr_unlock () == 0) {
- fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
- SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+ if (group_locked) {
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the group file"));
#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "unlocking group file",
- group_name, AUDIT_NO_ID, 0);
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking group file",
+ group_name, AUDIT_NO_ID, 0);
#endif
+ /* continue */
+ }
}
#ifdef SHADOWGRP
- if (is_shadow_grp) {
+ if (gshadow_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
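Review bot: `fail_exit` now tests `group_locked` and `gshadow_locked`, but no groupdel.c hunk in this diff declares either flag or sets it to `true` after the lock is taken; only the `= false` assignments at @@ -180 and @@ -196 are shown. The groupadd.c part of the same commit adds both the declarations and the `group_locked = true;` / `gshadow_locked = true;` lines. Unless an earlier revision already did that for groupdel.c, this file either fails to build or never releases its locks on the error path, so it is worth confirming. The hunk ends inside the `sgr_unlock ()` branch.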
@@ -113,6 +116,7 @@
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
+ /* continue */
}
}
#endif
@@ -170,6 +174,7 @@
if (gr_close () == 0) {
fprintf (stderr, _("%s: cannot rewrite the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
fail_exit (E_GRP_UPDATE);
}
if (gr_unlock () == 0) {
@@ -180,12 +185,15 @@
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
+ /* continue */
}
+ group_locked = false;
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_close () == 0)) {
fprintf (stderr,
_("%s: cannot rewrite the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
if (sgr_unlock () == 0) {
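Review bot: The context line `if (sgr_close () == 0)) {` has one closing parenthesis too many, and this hunk adds a `SYSLOG` line beneath it without correcting it. If the file really reads this way, builds with SHADOWGRP defined fail here. It should be `if (sgr_close () == 0) {`. The enclosing function starts above the hunk and the block continues into the next one.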
@@ -196,7 +204,9 @@
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
+ /* continue */
}
+ gshadow_locked = false;
}
#endif /* SHADOWGRP */
}
@@ -331,19 +341,14 @@
if (PAM_SUCCESS == retval) {
retval = pam_authenticate (pamh, 0);
- if (PAM_SUCCESS != retval) {
- (void) pam_end (pamh, retval);
- }
}
if (PAM_SUCCESS == retval) {
retval = pam_acct_mgmt (pamh, 0);
- if (PAM_SUCCESS != retval) {
- (void) pam_end (pamh, retval);
- }
}
if (PAM_SUCCESS != retval) {
+ (void) pam_end (pamh, retval);
fprintf (stderr, _("%s: PAM authentication failed\n"), Prog);
exit (1);
}
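Review bot: With the two inner `pam_end` calls removed, the single `(void) pam_end (pamh, retval);` in the final failure branch also runs when `retval` was already a failure before `pam_authenticate`. The first `if (PAM_SUCCESS == retval)` guard shows that is possible, though the code that sets `retval` is above the hunk. In that case `pamh` may never have been initialised by a successful start. A guard such as `if (NULL != pamh) { (void) pam_end (pamh, retval); }` keeps the simplification without passing an unset handle, assuming `pamh` starts out NULL as it does in groupadd.c. The groupmod.c hunk at @@ -632 is written the same way.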
@@ -416,9 +421,7 @@
nscd_flush_cache ("group");
#ifdef USE_PAM
- if (PAM_SUCCESS == retval) {
- (void) pam_end (pamh, PAM_SUCCESS);
- }
+ (void) pam_end (pamh, PAM_SUCCESS);
#endif /* USE_PAM */
return E_SUCCESS;
Modified: upstream/trunk/src/groupmod.c
===================================================================
--- upstream/trunk/src/groupmod.c 2008-08-06 15:55:57 UTC (rev 2241)
+++ upstream/trunk/src/groupmod.c 2008-08-06 15:56:51 UTC (rev 2242)
@@ -124,15 +124,42 @@
static void fail_exit (int status)
{
if (group_locked) {
- gr_unlock ();
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking group file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
}
#ifdef SHADOWGRP
if (gshadow_locked) {
- sgr_unlock ();
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking gshadow file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
}
#endif /* SHADOWGRP */
if (passwd_locked) {
- pw_unlock();
+ if (pw_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the passwd file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the passwd file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking passwd file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
}
exit (status);
}
@@ -145,14 +172,17 @@
*/
static void new_grent (struct group *grent)
{
- if (nflg)
+ if (nflg) {
grent->gr_name = xstrdup (group_newname);
+ }
- if (gflg)
+ if (gflg) {
grent->gr_gid = group_newid;
+ }
- if (pflg)
+ if (pflg) {
grent->gr_passwd = group_passwd;
+ }
}
#ifdef SHADOWGRP
@@ -164,11 +194,13 @@
*/
static void new_sgent (struct sgrp *sgent)
{
- if (nflg)
+ if (nflg) {
sgent->sg_name = xstrdup (group_newname);
+ }
- if (pflg)
+ if (pflg) {
sgent->sg_passwd = group_passwd;
+ }
}
#endif /* SHADOWGRP */
@@ -468,28 +500,73 @@
{
if (gr_close () == 0) {
fprintf (stderr, _("%s: cannot rewrite group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "rewrite group file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
fail_exit (E_GRP_UPDATE);
}
- gr_unlock ();
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking group file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
group_locked = false;
#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_close () == 0)) {
- fprintf (stderr,
- _("%s: cannot rewrite shadow group file\n"), Prog);
- fail_exit (E_GRP_UPDATE);
- }
if (is_shadow_grp) {
- sgr_unlock ();
+ if (sgr_close () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot rewrite the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "rewrite gshadow file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ fail_exit (E_GRP_UPDATE);
+ }
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking gshadow file",
+ group, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
gshadow_locked = false;
}
#endif /* SHADOWGRP */
if (gflg) {
if (pw_close () == 0) {
fprintf (stderr,
- _("%s: cannot rewrite passwd file\n"), Prog);
+ _("%s: cannot rewrite the passwd file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot rewrite the passwd file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "rewrite passwd file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
fail_exit (E_GRP_UPDATE);
}
- pw_unlock();
+ if (pw_unlock () == 0) {
+ fprintf (stderr, _("%s: cannot unlock the passwd file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot unlock the passwd file"));
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "unlocking passwd file",
+ group_name, AUDIT_NO_ID, 0);
+#endif
+ /* continue */
+ }
passwd_locked = false;
}
}
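Review bot: Two added lines in this hunk look like they break the build when SHADOWGRP and WITH_AUDIT are enabled. `if (sgr_close () == 0)) {` has an extra closing parenthesis and should be `if (sgr_close () == 0) {`. The audit call for the gshadow unlock failure passes `group` where every other `audit_logger` call in the diff passes `group_name`. No `group` variable is visible, so the line should presumably read `group_name, AUDIT_NO_ID, 0);`. The function starts above the hunk.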
@@ -503,11 +580,13 @@
{
if (gr_lock () == 0) {
fprintf (stderr, _("%s: cannot lock the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot lock the group file"));
fail_exit (E_GRP_UPDATE);
}
group_locked = true;
if (gr_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open the group file\n"), Prog);
+ SYSLOG ((LOG_WARN, "cannot open the group file"));
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
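Review bot: The lock and open failures here gain a `SYSLOG` line but no audit record, although the commit log announces syslog and audit logging for groupmod.c lock failures. The groupadd.c hunk at @@ -292 does add `audit_logger` on the same paths. Under `#ifdef WITH_AUDIT`, before `fail_exit (E_GRP_UPDATE);`, I would add `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", group_name, AUDIT_NO_ID, 0);` and a matching call for the open failure. The same applies to the gshadow and passwd hunks at @@ -516, @@ -523, @@ -532 and @@ -539. The function continues beyond this hunk.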
@@ -516,6 +595,7 @@
fprintf (stderr,
_("%s: cannot lock the shadow group file\n"),
Prog);
+ SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
gshadow_locked = true;
@@ -523,6 +603,7 @@
fprintf (stderr,
_("%s: cannot open the shadow group file\n"),
Prog);
+ SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
}
@@ -532,6 +613,7 @@
fprintf (stderr,
_("%s: cannot lock the passwd file\n"),
Prog);
+ SYSLOG ((LOG_WARN, "cannot lock the passwd file"));
fail_exit (E_GRP_UPDATE);
}
passwd_locked = true;
@@ -539,6 +621,7 @@
fprintf (stderr,
_("%s: cannot open the passwd file\n"),
Prog);
+ SYSLOG ((LOG_WARN, "cannot open the passwd file"));
fail_exit (E_GRP_UPDATE);
}
}
@@ -632,19 +715,14 @@
if (PAM_SUCCESS == retval) {
retval = pam_authenticate (pamh, 0);
- if (PAM_SUCCESS != retval) {
- (void) pam_end (pamh, retval);
- }
}
if (PAM_SUCCESS == retval) {
retval = pam_acct_mgmt (pamh, 0);
- if (PAM_SUCCESS != retval) {
- (void) pam_end (pamh, retval);
- }
}
if (PAM_SUCCESS != retval) {
+ (void) pam_end (pamh, retval);
fprintf (stderr, _("%s: PAM authentication failed\n"), Prog);
fail_exit (1);
}
@@ -729,9 +807,7 @@
nscd_flush_cache ("group");
#ifdef USE_PAM
- if (PAM_SUCCESS == retval) {
- (void) pam_end (pamh, PAM_SUCCESS);
- }
+ (void) pam_end (pamh, PAM_SUCCESS);
#endif /* USE_PAM */
exit (E_SUCCESS);
/* NOT REACHED */