summaryrefslogtreecommitdiffstats
path: root/src/grpck.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/grpck.c')
-rw-r--r--src/grpck.c875
1 files changed, 875 insertions, 0 deletions
diff --git a/src/grpck.c b/src/grpck.c
new file mode 100644
index 0000000..881fb4d
--- /dev/null
+++ b/src/grpck.c
@@ -0,0 +1,875 @@
+/*
+ * SPDX-FileCopyrightText: 1992 - 1994, Julianne Frances Haugh
+ * SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
+ * SPDX-FileCopyrightText: 2001 , Michał Moskal
+ * SPDX-FileCopyrightText: 2001 - 2006, Tomasz Kłoczko
+ * SPDX-FileCopyrightText: 2007 - 2011, Nicolas François
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <config.h>
+
+#include <fcntl.h>
+#include <grp.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <getopt.h>
+#include "chkname.h"
+#include "commonio.h"
+#include "defines.h"
+#include "groupio.h"
+#include "nscd.h"
+#include "sssd.h"
+#include "prototypes.h"
+#include "shadowlog.h"
+
+#ifdef SHADOWGRP
+#include "sgroupio.h"
+#endif
+
+/*
+ * Exit codes
+ */
+/*@-exitarg@*/
+#define E_OKAY 0
+#define E_SUCCESS 0
+#define E_USAGE 1
+#define E_BAD_ENTRY 2
+#define E_CANT_OPEN 3
+#define E_CANT_LOCK 4
+#define E_CANT_UPDATE 5
+
+/*
+ * Global variables
+ */
+const char *Prog;
+
+static const char *grp_file = GROUP_FILE;
+static bool use_system_grp_file = true;
+
+#ifdef SHADOWGRP
+static const char *sgr_file = SGROUP_FILE;
+static bool use_system_sgr_file = true;
+static bool is_shadow = false;
+static bool sgr_locked = false;
+#endif
+static bool gr_locked = false;
+/* Options */
+static bool read_only = false;
+static bool sort_mode = false;
+static bool silence_warnings = false;
+
+/* local function prototypes */
+static void fail_exit (int status);
+static /*@noreturn@*/void usage (int status);
+static void delete_member (char **, const char *);
+static void process_flags (int argc, char **argv);
+static void open_files (void);
+static void close_files (bool changed);
+static int check_members (const char *groupname,
+ char **members,
+ const char *fmt_info,
+ const char *fmt_prompt,
+ const char *fmt_syslog,
+ int *errors);
+static void check_grp_file (int *errors, bool *changed);
+#ifdef SHADOWGRP
+static void compare_members_lists (const char *groupname,
+ char **members,
+ char **other_members,
+ const char *file,
+ const char *other_file);
+static void check_sgr_file (int *errors, bool *changed);
+#endif
+
+/*
+ * fail_exit - exit with an error code after unlocking files
+ */
+static void fail_exit (int status)
+{
+ if (gr_locked) {
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
+ /* continue */
+ }
+ }
+
+#ifdef SHADOWGRP
+ if (sgr_locked) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+
+ closelog ();
+
+ exit (status);
+}
+
+/*
+ * usage - print syntax message and exit
+ */
+static /*@noreturn@*/void usage (int status)
+{
+ FILE *usageout = (E_SUCCESS != status) ? stderr : stdout;
+#ifdef SHADOWGRP
+ (void) fprintf (usageout,
+ _("Usage: %s [options] [group [gshadow]]\n"
+ "\n"
+ "Options:\n"),
+ Prog);
+#else /* !SHADOWGRP */
+ (void) fprintf (usageout,
+ _("Usage: %s [options] [group]\n"
+ "\n"
+ "Options:\n"),
+ Prog);
+#endif /* !SHADOWGRP */
+ (void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
+ (void) fputs (_(" -r, --read-only display errors and warnings\n"
+ " but do not change files\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -s, --sort sort entries by UID\n"), usageout);
+ (void) fputs (_(" -S, --silence-warnings silence controversial/paranoid warnings\n"), usageout);
+ (void) fputs ("\n", usageout);
+ exit (status);
+}
+
+/*
+ * delete_member - delete an entry in a list of members
+ *
+ * It only deletes the first entry with the given name.
+ * The member is defined by its address, no string comparison are
+ * performed.
+ */
+static void delete_member (char **list, const char *member)
+{
+ int i;
+
+ for (i = 0; NULL != list[i]; i++) {
+ if (list[i] == member) {
+ break;
+ }
+ }
+
+ for (; NULL != list[i]; i++) {
+ list[i] = list[i + 1];
+ }
+}
+
+/*
+ * process_flags - parse the command line options
+ *
+ * It will not return if an error is encountered.
+ */
+static void process_flags (int argc, char **argv)
+{
+ int c;
+ static struct option long_options[] = {
+ {"help", no_argument, NULL, 'h'},
+ {"quiet", no_argument, NULL, 'q'},
+ {"read-only", no_argument, NULL, 'r'},
+ {"root", required_argument, NULL, 'R'},
+ {"silence-warnings", no_argument, NULL, 'S'},
+ {"sort", no_argument, NULL, 's'},
+ {NULL, 0, NULL, '\0'}
+ };
+
+ /*
+ * Parse the command line arguments
+ */
+ while ((c = getopt_long (argc, argv, "hqrR:sS",
+ long_options, NULL)) != -1) {
+ switch (c) {
+ case 'h':
+ usage (E_SUCCESS);
+ /*@notreached@*/break;
+ case 'q':
+ /* quiet - ignored for now */
+ break;
+ case 'r':
+ read_only = true;
+ break;
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+ case 's':
+ sort_mode = true;
+ break;
+ case 'S':
+ silence_warnings = true;
+ break;
+ default:
+ usage (E_USAGE);
+ }
+ }
+
+ if (sort_mode && read_only) {
+ fprintf (stderr, _("%s: -s and -r are incompatible\n"), Prog);
+ exit (E_USAGE);
+ }
+
+ /*
+ * Make certain we have the right number of arguments
+ */
+#ifdef SHADOWGRP
+ if (argc > (optind + 2))
+#else
+ if (argc > (optind + 1))
+#endif
+ {
+ usage (E_USAGE);
+ }
+
+ /*
+ * If there are two left over filenames, use those as the group and
+ * group password filenames.
+ */
+ if (optind != argc) {
+ grp_file = argv[optind];
+ gr_setdbname (grp_file);
+ use_system_grp_file = false;
+ }
+#ifdef SHADOWGRP
+ if ((optind + 2) == argc) {
+ sgr_file = argv[optind + 1];
+ sgr_setdbname (sgr_file);
+ is_shadow = true;
+ use_system_sgr_file = false;
+ } else if (optind == argc) {
+ is_shadow = sgr_file_present ();
+ }
+#endif
+}
+
+/*
+ * open_files - open the shadow database
+ *
+ * In read-only mode, the databases are not locked and are opened
+ * only for reading.
+ */
+static void open_files (void)
+{
+ /*
+ * Lock the files if we aren't in "read-only" mode
+ */
+ if (!read_only) {
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, grp_file);
+ fail_exit (E_CANT_LOCK);
+ }
+ gr_locked = true;
+#ifdef SHADOWGRP
+ if (is_shadow) {
+ if (sgr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_file);
+ fail_exit (E_CANT_LOCK);
+ }
+ sgr_locked = true;
+ }
+#endif
+ }
+
+ /*
+ * Open the files. Use O_RDONLY if we are in read_only mode,
+ * O_RDWR otherwise.
+ */
+ if (gr_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr, _("%s: cannot open %s\n"), Prog,
+ grp_file);
+ if (use_system_grp_file) {
+ SYSLOG ((LOG_WARN, "cannot open %s", grp_file));
+ }
+ fail_exit (E_CANT_OPEN);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow && (sgr_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr, _("%s: cannot open %s\n"), Prog,
+ sgr_file);
+ if (use_system_sgr_file) {
+ SYSLOG ((LOG_WARN, "cannot open %s", sgr_file));
+ }
+ fail_exit (E_CANT_OPEN);
+ }
+#endif
+}
+
+/*
+ * close_files - close and unlock the group/gshadow databases
+ *
+ * If changed is not set, the databases are not closed, and no
+ * changes are committed in the databases. The databases are
+ * unlocked anyway.
+ */
+static void close_files (bool changed)
+{
+ /*
+ * All done. If there were no change we can just abandon any
+ * changes to the files.
+ */
+ if (changed) {
+ if (gr_close () == 0) {
+ fprintf (stderr, _("%s: failure while writing changes to %s\n"),
+ Prog, grp_file);
+ fail_exit (E_CANT_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow && (sgr_close () == 0)) {
+ fprintf (stderr, _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_file);
+ fail_exit (E_CANT_UPDATE);
+ }
+#endif
+ }
+
+ /*
+ * Don't be anti-social - unlock the files when you're done.
+ */
+#ifdef SHADOWGRP
+ if (sgr_locked) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
+ /* continue */
+ }
+ sgr_locked = false;
+ }
+#endif
+ if (gr_locked) {
+ if (gr_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
+ /* continue */
+ }
+ gr_locked = false;
+ }
+}
+
+/*
+ * check_members - check that every members of a group exist
+ *
+ * If an error is detected, *errors is incremented.
+ *
+ * The user will be prompted for the removal of the non-existent
+ * user.
+ *
+ * If any changes are performed, the return value will be 1,
+ * otherwise check_members() returns 0.
+ *
+ * fmt_info, fmt_prompt, and fmt_syslog are used for logging.
+ * * fmt_info must contain two string flags (%s): for the group's
+ * name and the missing member.
+ * * fmt_prompt must contain one string flags (%s): the missing
+ * member.
+ * * fmt_syslog must contain two string flags (%s): for the
+ * group's name and the missing member.
+ */
+static int check_members (const char *groupname,
+ char **members,
+ const char *fmt_info,
+ const char *fmt_prompt,
+ const char *fmt_syslog,
+ int *errors)
+{
+ int i;
+ int members_changed = 0;
+
+ /*
+ * Make sure each member exists
+ */
+ for (i = 0; NULL != members[i]; i++) {
+ /* local, no need for xgetpwnam */
+ if (getpwnam (members[i]) != NULL) {
+ continue;
+ }
+ /*
+ * Can't find this user. Remove them
+ * from the list.
+ */
+ *errors += 1;
+ printf (fmt_info, groupname, members[i]);
+ printf (fmt_prompt, members[i]);
+
+ if (!yes_or_no (read_only)) {
+ continue;
+ }
+
+ SYSLOG ((LOG_INFO, fmt_syslog, members[i], groupname));
+ members_changed = 1;
+ delete_member (members, members[i]);
+
+ /* Rewind in case of removal */
+ i--;
+ }
+
+ return members_changed;
+}
+
+#ifdef SHADOWGRP
+/*
+ * compare_members_lists - make sure the list of members is contained in
+ * another list.
+ *
+ * compare_members_lists() checks that all the members of members are
+ * also in other_members.
+ * file and other_file are used for logging.
+ *
+ * TODO: No changes are performed on the lists.
+ */
+static void compare_members_lists (const char *groupname,
+ char **members,
+ char **other_members,
+ const char *file,
+ const char *other_file)
+{
+ char **pmem, **other_pmem;
+
+ for (pmem = members; NULL != *pmem; pmem++) {
+ for (other_pmem = other_members; NULL != *other_pmem; other_pmem++) {
+ if (strcmp (*pmem, *other_pmem) == 0) {
+ break;
+ }
+ }
+ if (!silence_warnings && *other_pmem == NULL) {
+ printf
+ ("'%s' is a member of the '%s' group in %s but not in %s\n",
+ *pmem, groupname, file, other_file);
+ }
+ }
+}
+#endif /* SHADOWGRP */
+
+/*
+ * check_grp_file - check the content of the group file
+ */
+static void check_grp_file (int *errors, bool *changed)
+{
+ struct commonio_entry *gre, *tgre;
+ struct group *grp;
+#ifdef SHADOWGRP
+ const struct sgrp *sgr;
+#endif
+
+ /*
+ * Loop through the entire group file.
+ */
+ for (gre = __gr_get_head (); NULL != gre; gre = gre->next) {
+ /*
+ * Skip all NIS entries.
+ */
+
+ if ((gre->line[0] == '+') || (gre->line[0] == '-')) {
+ continue;
+ }
+
+ /*
+ * Start with the entries that are completely corrupt. They
+ * have no (struct group) entry because they couldn't be
+ * parsed properly.
+ */
+ if (NULL == gre->eptr) {
+
+ /*
+ * Tell the user this entire line is bogus and ask
+ * them to delete it.
+ */
+ (void) puts (_("invalid group file entry"));
+ printf (_("delete line '%s'? "), gre->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (!yes_or_no (read_only)) {
+ continue;
+ }
+
+ /*
+ * All group file deletions wind up here. This code
+ * removes the current entry from the linked list.
+ * When done, it skips back to the top of the loop
+ * to try out the next list element.
+ */
+ delete_gr:
+ SYSLOG ((LOG_INFO, "delete group line '%s'",
+ gre->line));
+ *changed = true;
+
+ __gr_del_entry (gre);
+ continue;
+ }
+
+ /*
+ * Group structure is good, start using it.
+ */
+ grp = gre->eptr;
+
+ /*
+ * Make sure this entry has a unique name.
+ */
+ for (tgre = __gr_get_head (); NULL != tgre; tgre = tgre->next) {
+
+ const struct group *ent = tgre->eptr;
+
+ /*
+ * Don't check this entry
+ */
+ if (tgre == gre) {
+ continue;
+ }
+
+ /*
+ * Don't check invalid entries.
+ */
+ if (NULL == ent) {
+ continue;
+ }
+
+ if (strcmp (grp->gr_name, ent->gr_name) != 0) {
+ continue;
+ }
+
+ /*
+ * Tell the user this entry is a duplicate of
+ * another and ask them to delete it.
+ */
+ (void) puts (_("duplicate group entry"));
+ printf (_("delete line '%s'? "), gre->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (yes_or_no (read_only)) {
+ goto delete_gr;
+ }
+ }
+
+ /*
+ * Check for invalid group names. --marekm
+ */
+ if (!is_valid_group_name (grp->gr_name)) {
+ *errors += 1;
+ printf (_("invalid group name '%s'\n"), grp->gr_name);
+ }
+
+ /*
+ * Check for invalid group ID.
+ */
+ if (grp->gr_gid == (gid_t)-1) {
+ printf (_("invalid group ID '%lu'\n"), (long unsigned int)grp->gr_gid);
+ *errors += 1;
+ }
+
+ /*
+ * Workaround for a NYS libc 5.3.12 bug on RedHat 4.2 -
+ * groups with no members are returned as groups with one
+ * member "", causing grpck to fail. --marekm
+ */
+ if ( (NULL != grp->gr_mem[0])
+ && (NULL == grp->gr_mem[1])
+ && ('\0' == grp->gr_mem[0][0])) {
+ grp->gr_mem[0] = NULL;
+ }
+
+ if (check_members (grp->gr_name, grp->gr_mem,
+ _("group %s: no user %s\n"),
+ _("delete member '%s'? "),
+ "delete member '%s' from group '%s'",
+ errors) == 1) {
+ *changed = true;
+ gre->changed = true;
+ __gr_set_changed ();
+ }
+
+#ifdef SHADOWGRP
+ /*
+ * Make sure this entry exists in the /etc/gshadow file.
+ */
+
+ if (is_shadow) {
+ sgr = sgr_locate (grp->gr_name);
+ if (sgr == NULL) {
+ printf (_("no matching group file entry in %s\n"),
+ sgr_file);
+ printf (_("add group '%s' in %s? "),
+ grp->gr_name, sgr_file);
+ *errors += 1;
+ if (yes_or_no (read_only)) {
+ struct sgrp sg;
+ struct group gr;
+ static char *empty = NULL;
+
+ sg.sg_name = grp->gr_name;
+ sg.sg_passwd = grp->gr_passwd;
+ sg.sg_adm = &empty;
+ sg.sg_mem = grp->gr_mem;
+ SYSLOG ((LOG_INFO,
+ "add group '%s' to '%s'",
+ grp->gr_name, sgr_file));
+ *changed = true;
+
+ if (sgr_update (&sg) == 0) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry '%s'\n"),
+ Prog, sgr_dbname (), sg.sg_name);
+ fail_exit (E_CANT_UPDATE);
+ }
+ /* remove password from /etc/group */
+ gr = *grp;
+ gr.gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */
+ if (gr_update (&gr) == 0) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry '%s'\n"),
+ Prog, gr_dbname (), gr.gr_name);
+ fail_exit (E_CANT_UPDATE);
+ }
+ }
+ } else {
+ /**
+ * Verify that all the members defined in /etc/group are also
+ * present in /etc/gshadow.
+ */
+ compare_members_lists (grp->gr_name,
+ grp->gr_mem, sgr->sg_mem,
+ grp_file, sgr_file);
+
+ /* The group entry has a gshadow counterpart.
+ * Make sure no passwords are in group.
+ */
+ if (strcmp (grp->gr_passwd, SHADOW_PASSWD_STRING) != 0) {
+ printf (_("group %s has an entry in %s, but its password field in %s is not set to 'x'\n"),
+ grp->gr_name, sgr_file, grp_file);
+ *errors += 1;
+ }
+ }
+ }
+#endif
+
+ }
+}
+
+#ifdef SHADOWGRP
+/*
+ * check_sgr_file - check the content of the shadowed group file (gshadow)
+ */
+static void check_sgr_file (int *errors, bool *changed)
+{
+ const struct group *grp;
+ struct commonio_entry *sge, *tsge;
+ struct sgrp *sgr;
+
+ /*
+ * Loop through the entire shadow group file.
+ */
+ for (sge = __sgr_get_head (); NULL != sge; sge = sge->next) {
+
+ /*
+ * Start with the entries that are completely corrupt. They
+ * have no (struct sgrp) entry because they couldn't be
+ * parsed properly.
+ */
+ if (NULL == sge->eptr) {
+
+ /*
+ * Tell the user this entire line is bogus and ask
+ * them to delete it.
+ */
+ (void) puts (_("invalid shadow group file entry"));
+ printf (_("delete line '%s'? "), sge->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (!yes_or_no (read_only)) {
+ continue;
+ }
+
+ /*
+ * All shadow group file deletions wind up here.
+ * This code removes the current entry from the
+ * linked list. When done, it skips back to the top
+ * of the loop to try out the next list element.
+ */
+ delete_sg:
+ SYSLOG ((LOG_INFO, "delete shadow line '%s'",
+ sge->line));
+ *changed = true;
+
+ __sgr_del_entry (sge);
+ continue;
+ }
+
+ /*
+ * Shadow group structure is good, start using it.
+ */
+ sgr = sge->eptr;
+
+ /*
+ * Make sure this entry has a unique name.
+ */
+ for (tsge = __sgr_get_head (); NULL != tsge; tsge = tsge->next) {
+
+ const struct sgrp *ent = tsge->eptr;
+
+ /*
+ * Don't check this entry
+ */
+ if (tsge == sge) {
+ continue;
+ }
+
+ /*
+ * Don't check invalid entries.
+ */
+ if (NULL == ent) {
+ continue;
+ }
+
+ if (strcmp (sgr->sg_name, ent->sg_name) != 0) {
+ continue;
+ }
+
+ /*
+ * Tell the user this entry is a duplicate of
+ * another and ask them to delete it.
+ */
+ (void) puts (_("duplicate shadow group entry"));
+ printf (_("delete line '%s'? "), sge->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (yes_or_no (read_only)) {
+ goto delete_sg;
+ }
+ }
+
+ /*
+ * Make sure this entry exists in the /etc/group file.
+ */
+ grp = gr_locate (sgr->sg_name);
+ if (grp == NULL) {
+ printf (_("no matching group file entry in %s\n"),
+ grp_file);
+ printf (_("delete line '%s'? "), sge->line);
+ *errors += 1;
+ if (yes_or_no (read_only)) {
+ goto delete_sg;
+ }
+ } else {
+ /**
+ * Verify that the all members defined in /etc/gshadow are also
+ * present in /etc/group.
+ */
+ compare_members_lists (sgr->sg_name,
+ sgr->sg_mem, grp->gr_mem,
+ sgr_file, grp_file);
+ }
+
+ /*
+ * Make sure each administrator exists
+ */
+ if (check_members (sgr->sg_name, sgr->sg_adm,
+ _("shadow group %s: no administrative user %s\n"),
+ _("delete administrative member '%s'? "),
+ "delete admin '%s' from shadow group '%s'",
+ errors) == 1) {
+ *changed = true;
+ sge->changed = true;
+ __sgr_set_changed ();
+ }
+
+ /*
+ * Make sure each member exists
+ */
+ if (check_members (sgr->sg_name, sgr->sg_mem,
+ _("shadow group %s: no user %s\n"),
+ _("delete member '%s'? "),
+ "delete member '%s' from shadow group '%s'",
+ errors) == 1) {
+ *changed = true;
+ sge->changed = true;
+ __sgr_set_changed ();
+ }
+ }
+}
+#endif /* SHADOWGRP */
+
+/*
+ * grpck - verify group file integrity
+ */
+int main (int argc, char **argv)
+{
+ int errors = 0;
+ bool changed = false;
+
+ /*
+ * Get my name so that I can use it to report errors.
+ */
+ Prog = Basename (argv[0]);
+ log_set_progname(Prog);
+ log_set_logfd(stderr);
+
+ (void) setlocale (LC_ALL, "");
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
+ (void) textdomain (PACKAGE);
+
+ process_root_flag ("-R", argc, argv);
+
+ OPENLOG ("grpck");
+
+ /* Parse the command line arguments */
+ process_flags (argc, argv);
+
+ open_files ();
+
+ if (sort_mode) {
+ gr_sort ();
+#ifdef SHADOWGRP
+ if (is_shadow) {
+ sgr_sort ();
+ }
+ changed = true;
+#endif
+ } else {
+ check_grp_file (&errors, &changed);
+#ifdef SHADOWGRP
+ if (is_shadow) {
+ check_sgr_file (&errors, &changed);
+ }
+#endif
+ }
+
+ /* Commit the change in the database if needed */
+ close_files (changed);
+
+ if (!read_only) {
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
+ }
+
+ /*
+ * Tell the user what we did and exit.
+ */
+ if (0 != errors) {
+ if (changed) {
+ printf (_("%s: the files have been updated\n"), Prog);
+ } else {
+ printf (_("%s: no changes\n"), Prog);
+ }
+ }
+
+ return ((0 != errors) ? E_BAD_ENTRY : E_OKAY);
+}
+