summaryrefslogtreecommitdiffstats
path: root/src/pwck.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/pwck.c897
1 files changed, 897 insertions, 0 deletions
diff --git a/src/pwck.c b/src/pwck.c
new file mode 100644
index 0000000..eaa4163
--- /dev/null
+++ b/src/pwck.c
@@ -0,0 +1,897 @@
+/*
+ * SPDX-FileCopyrightText: 1992 - 1994, Julianne Frances Haugh
+ * SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
+ * SPDX-FileCopyrightText: 2001 , Michał Moskal
+ * SPDX-FileCopyrightText: 2001 - 2006, Tomasz Kłoczko
+ * SPDX-FileCopyrightText: 2007 - 2011, Nicolas François
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <config.h>
+
+#ident "$Id$"
+
+#include <fcntl.h>
+#include <grp.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <getopt.h>
+#include "chkname.h"
+#include "commonio.h"
+#include "defines.h"
+#include "prototypes.h"
+#include "pwio.h"
+#include "shadowio.h"
+#include "getdef.h"
+#include "nscd.h"
+#include "sssd.h"
+#ifdef WITH_TCB
+#include "tcbfuncs.h"
+#endif /* WITH_TCB */
+#include "shadowlog.h"
+
+/*
+ * Exit codes
+ */
+/*@-exitarg@*/
+#define E_OKAY 0
+#define E_SUCCESS 0
+#define E_USAGE 1
+#define E_BADENTRY 2
+#define E_CANTOPEN 3
+#define E_CANTLOCK 4
+#define E_CANTUPDATE 5
+#define E_CANTSORT 6
+
+/*
+ * Global variables
+ */
+const char *Prog;
+
+static bool use_system_pw_file = true;
+static bool use_system_spw_file = true;
+
+static bool is_shadow = false;
+
+static bool spw_opened = false;
+
+static bool pw_locked = false;
+static bool spw_locked = false;
+
+/* Options */
+static bool read_only = false;
+static bool sort_mode = false;
+static bool quiet = false; /* don't report warnings, only errors */
+
+/* local function prototypes */
+static void fail_exit (int code);
+static /*@noreturn@*/void usage (int status);
+static void process_flags (int argc, char **argv);
+static void open_files (void);
+static void close_files (bool changed);
+static void check_pw_file (int *errors, bool *changed);
+static void check_spw_file (int *errors, bool *changed);
+
+extern int allow_bad_names;
+
+/*
+ * fail_exit - do some cleanup and exit with the given error code
+ */
+static void fail_exit (int code)
+{
+ if (spw_locked) {
+ if (spw_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_ERR, "failed to unlock %s",
+ spw_dbname ()));
+ }
+ /* continue */
+ }
+ }
+
+ if (pw_locked) {
+ if (pw_unlock () == 0) {
+ fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
+ if (use_system_pw_file) {
+ SYSLOG ((LOG_ERR, "failed to unlock %s",
+ pw_dbname ()));
+ }
+ /* continue */
+ }
+ }
+
+ closelog ();
+
+ exit (code);
+}
+/*
+ * usage - print syntax message and exit
+ */
+static /*@noreturn@*/void usage (int status)
+{
+ FILE *usageout = (E_SUCCESS != status) ? stderr : stdout;
+#ifdef WITH_TCB
+ if (getdef_bool ("USE_TCB")) {
+ (void) fprintf (usageout,
+ _("Usage: %s [options] [passwd]\n"
+ "\n"
+ "Options:\n"),
+ Prog);
+ } else
+#endif /* WITH_TCB */
+ {
+ (void) fprintf (usageout,
+ _("Usage: %s [options] [passwd [shadow]]\n"
+ "\n"
+ "Options:\n"),
+ Prog);
+ }
+ (void) fputs (_(" -b, --badname allow bad names\n"), usageout);
+ (void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
+ (void) fputs (_(" -q, --quiet report errors only\n"), usageout);
+ (void) fputs (_(" -r, --read-only display errors and warnings\n"
+ " but do not change files\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+#ifdef WITH_TCB
+ if (!getdef_bool ("USE_TCB"))
+#endif /* !WITH_TCB */
+ {
+ (void) fputs (_(" -s, --sort sort entries by UID\n"), usageout);
+ }
+ (void) fputs ("\n", usageout);
+ exit (status);
+}
+
+/*
+ * process_flags - parse the command line options
+ *
+ * It will not return if an error is encountered.
+ */
+static void process_flags (int argc, char **argv)
+{
+ int c;
+ static struct option long_options[] = {
+ {"badname", no_argument, NULL, 'b'},
+ {"help", no_argument, NULL, 'h'},
+ {"quiet", no_argument, NULL, 'q'},
+ {"read-only", no_argument, NULL, 'r'},
+ {"root", required_argument, NULL, 'R'},
+ {"sort", no_argument, NULL, 's'},
+ {NULL, 0, NULL, '\0'}
+ };
+
+ /*
+ * Parse the command line arguments
+ */
+ while ((c = getopt_long (argc, argv, "behqrR:s",
+ long_options, NULL)) != -1) {
+ switch (c) {
+ case 'b':
+ allow_bad_names = true;
+ break;
+ case 'h':
+ usage (E_SUCCESS);
+ /*@notreached@*/break;
+ case 'e': /* added for Debian shadow-961025-2 compatibility */
+ case 'q':
+ quiet = true;
+ break;
+ case 'r':
+ read_only = true;
+ break;
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+ case 's':
+ sort_mode = true;
+ break;
+ default:
+ usage (E_USAGE);
+ }
+ }
+
+ if (sort_mode && read_only) {
+ fprintf (stderr, _("%s: -s and -r are incompatible\n"), Prog);
+ exit (E_USAGE);
+ }
+
+ /*
+ * Make certain we have the right number of arguments
+ */
+ if (argc > (optind + 2)) {
+ usage (E_USAGE);
+ }
+
+ /*
+ * If there are two left over filenames, use those as the password
+ * and shadow password filenames.
+ */
+ if (optind != argc) {
+ pw_setdbname (argv[optind]);
+ use_system_pw_file = false;
+ }
+ if ((optind + 2) == argc) {
+#ifdef WITH_TCB
+ if (getdef_bool ("USE_TCB")) {
+ fprintf (stderr,
+ _("%s: no alternative shadow file allowed when USE_TCB is enabled.\n"),
+ Prog);
+ usage (E_USAGE);
+ }
+#endif /* WITH_TCB */
+ spw_setdbname (argv[optind + 1]);
+ is_shadow = true;
+ use_system_spw_file = false;
+ } else if (optind == argc) {
+ is_shadow = spw_file_present ();
+ }
+}
+
+/*
+ * open_files - open the shadow database
+ *
+ * In read-only mode, the databases are not locked and are opened
+ * only for reading.
+ */
+static void open_files (void)
+{
+ bool use_tcb = false;
+#ifdef WITH_TCB
+ use_tcb = getdef_bool ("USE_TCB");
+#endif /* WITH_TCB */
+
+ /*
+ * Lock the files if we aren't in "read-only" mode
+ */
+ if (!read_only) {
+ if (pw_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, pw_dbname ());
+ fail_exit (E_CANTLOCK);
+ }
+ pw_locked = true;
+ if (is_shadow && !use_tcb) {
+ if (spw_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, spw_dbname ());
+ fail_exit (E_CANTLOCK);
+ }
+ spw_locked = true;
+ }
+ }
+
+ /*
+ * Open the files. Use O_RDONLY if we are in read_only mode, O_RDWR
+ * otherwise.
+ */
+ if (pw_open (read_only ? O_RDONLY : O_RDWR) == 0) {
+ fprintf (stderr, _("%s: cannot open %s\n"),
+ Prog, pw_dbname ());
+ if (use_system_pw_file) {
+ SYSLOG ((LOG_WARN, "cannot open %s", pw_dbname ()));
+ }
+ fail_exit (E_CANTOPEN);
+ }
+ if (is_shadow && !use_tcb) {
+ if (spw_open (read_only ? O_RDONLY : O_RDWR) == 0) {
+ fprintf (stderr, _("%s: cannot open %s\n"),
+ Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_WARN, "cannot open %s",
+ spw_dbname ()));
+ }
+ fail_exit (E_CANTOPEN);
+ }
+ spw_opened = true;
+ }
+}
+
+/*
+ * close_files - close and unlock the password/shadow databases
+ *
+ * If changed is not set, the databases are not closed, and no
+ * changes are committed in the databases. The databases are
+ * unlocked anyway.
+ */
+static void close_files (bool changed)
+{
+ /*
+ * All done. If there were no change we can just abandon any
+ * changes to the files.
+ */
+ if (changed) {
+ if (pw_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, pw_dbname ());
+ if (use_system_pw_file) {
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ pw_dbname ()));
+ }
+ fail_exit (E_CANTUPDATE);
+ }
+ if (spw_opened && (spw_close () == 0)) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ spw_dbname ()));
+ }
+ fail_exit (E_CANTUPDATE);
+ }
+ spw_opened = false;
+ }
+
+ /*
+ * Don't be anti-social - unlock the files when you're done.
+ */
+ if (spw_locked) {
+ if (spw_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_ERR, "failed to unlock %s",
+ spw_dbname ()));
+ }
+ /* continue */
+ }
+ }
+ spw_locked = false;
+ if (pw_locked) {
+ if (pw_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, pw_dbname ());
+ if (use_system_pw_file) {
+ SYSLOG ((LOG_ERR, "failed to unlock %s",
+ pw_dbname ()));
+ }
+ /* continue */
+ }
+ }
+ pw_locked = false;
+}
+
+/*
+ * check_pw_file - check the content of the passwd file
+ */
+static void check_pw_file (int *errors, bool *changed)
+{
+ struct commonio_entry *pfe, *tpfe;
+ struct passwd *pwd;
+ const struct spwd *spw;
+ uid_t min_sys_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
+ uid_t max_sys_id = (uid_t) getdef_ulong ("SYS_UID_MAX", 999UL);
+
+ /*
+ * Loop through the entire password file.
+ */
+ for (pfe = __pw_get_head (); NULL != pfe; pfe = pfe->next) {
+ /*
+ * If this is a NIS line, skip it. You can't "know" what NIS
+ * is going to do without directly asking NIS ...
+ */
+ if (('+' == pfe->line[0]) || ('-' == pfe->line[0])) {
+ continue;
+ }
+
+ /*
+ * Start with the entries that are completely corrupt. They
+ * have no (struct passwd) entry because they couldn't be
+ * parsed properly.
+ */
+ if (NULL == pfe->eptr) {
+ /*
+ * Tell the user this entire line is bogus and ask
+ * them to delete it.
+ */
+ puts (_("invalid password file entry"));
+ printf (_("delete line '%s'? "), pfe->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (!yes_or_no (read_only)) {
+ continue;
+ }
+
+ /*
+ * All password file deletions wind up here. This
+ * code removes the current entry from the linked
+ * list. When done, it skips back to the top of the
+ * loop to try out the next list element.
+ */
+ delete_pw:
+ if (use_system_pw_file) {
+ SYSLOG ((LOG_INFO, "delete passwd line '%s'",
+ pfe->line));
+ }
+ *changed = true;
+
+ __pw_del_entry (pfe);
+ continue;
+ }
+
+ /*
+ * Password structure is good, start using it.
+ */
+ pwd = pfe->eptr;
+
+ /*
+ * Make sure this entry has a unique name.
+ */
+ for (tpfe = __pw_get_head (); NULL != tpfe; tpfe = tpfe->next) {
+ const struct passwd *ent = tpfe->eptr;
+
+ /*
+ * Don't check this entry
+ */
+ if (tpfe == pfe) {
+ continue;
+ }
+
+ /*
+ * Don't check invalid entries.
+ */
+ if (NULL == ent) {
+ continue;
+ }
+
+ if (strcmp (pwd->pw_name, ent->pw_name) != 0) {
+ continue;
+ }
+
+ /*
+ * Tell the user this entry is a duplicate of
+ * another and ask them to delete it.
+ */
+ puts (_("duplicate password entry"));
+ printf (_("delete line '%s'? "), pfe->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (yes_or_no (read_only)) {
+ goto delete_pw;
+ }
+ }
+
+ /*
+ * Check for invalid usernames. --marekm
+ */
+
+ if (!is_valid_user_name (pwd->pw_name)) {
+ printf (_("invalid user name '%s': use --badname to ignore\n"),
+ pwd->pw_name);
+ *errors += 1;
+ }
+
+ /*
+ * Check for invalid user ID.
+ */
+ if (pwd->pw_uid == (uid_t)-1) {
+ printf (_("invalid user ID '%lu'\n"), (long unsigned int)pwd->pw_uid);
+ *errors += 1;
+ }
+
+ /*
+ * Make sure the primary group exists
+ */
+ /* local, no need for xgetgrgid */
+ if (!quiet && (NULL == getgrgid (pwd->pw_gid))) {
+
+ /*
+ * No primary group, just give a warning
+ */
+
+ printf (_("user '%s': no group %lu\n"),
+ pwd->pw_name, (unsigned long) pwd->pw_gid);
+ *errors += 1;
+ }
+
+ /*
+ * If uid is not system and has a home directory, then check
+ */
+ if (!(pwd->pw_uid >= min_sys_id && pwd->pw_uid <= max_sys_id ) && pwd->pw_dir && pwd->pw_dir[0]) {
+ /*
+ * Make sure the home directory exists
+ */
+ if (!quiet && (access (pwd->pw_dir, F_OK) != 0)) {
+ const char *nonexistent = getdef_str("NONEXISTENT");
+
+ /*
+ * Home directory does not exist, give a warning (unless intentional)
+ */
+ if (NULL == nonexistent || strcmp (pwd->pw_dir, nonexistent) != 0) {
+ printf (_("user '%s': directory '%s' does not exist\n"),
+ pwd->pw_name, pwd->pw_dir);
+ *errors += 1;
+ }
+ }
+ }
+
+ /*
+ * Make sure the login shell is executable
+ */
+ if ( !quiet
+ && ('\0' != pwd->pw_shell[0])
+ && (access (pwd->pw_shell, F_OK) != 0)) {
+
+ /*
+ * Login shell doesn't exist, give a warning
+ */
+ printf (_("user '%s': program '%s' does not exist\n"),
+ pwd->pw_name, pwd->pw_shell);
+ *errors += 1;
+ }
+
+ /*
+ * Make sure this entry exists in the /etc/shadow file.
+ */
+
+ if (is_shadow) {
+#ifdef WITH_TCB
+ if (getdef_bool ("USE_TCB")) {
+ if (shadowtcb_set_user (pwd->pw_name) == SHADOWTCB_FAILURE) {
+ printf (_("no tcb directory for %s\n"),
+ pwd->pw_name);
+ printf (_("create tcb directory for %s?"),
+ pwd->pw_name);
+ *errors += 1;
+ if (yes_or_no (read_only)) {
+ if (shadowtcb_create (pwd->pw_name, pwd->pw_uid) == SHADOWTCB_FAILURE) {
+ *errors += 1;
+ printf (_("failed to create tcb directory for %s\n"), pwd->pw_name);
+ continue;
+ }
+ } else {
+ continue;
+ }
+ }
+ if (spw_lock () == 0) {
+ *errors += 1;
+ fprintf (stderr,
+ _("%s: cannot lock %s.\n"),
+ Prog, spw_dbname ());
+ continue;
+ }
+ spw_locked = true;
+ if (spw_open (read_only ? O_RDONLY : O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, spw_dbname ());
+ *errors += 1;
+ if (spw_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ spw_dbname ()));
+ }
+ }
+ continue;
+ }
+ spw_opened = true;
+ }
+#endif /* WITH_TCB */
+ spw = spw_locate (pwd->pw_name);
+ if (NULL == spw) {
+ printf (_("no matching password file entry in %s\n"),
+ spw_dbname ());
+ printf (_("add user '%s' in %s? "),
+ pwd->pw_name, spw_dbname ());
+ *errors += 1;
+ if (yes_or_no (read_only)) {
+ struct spwd sp;
+ struct passwd pw;
+
+ sp.sp_namp = pwd->pw_name;
+ sp.sp_pwdp = pwd->pw_passwd;
+ sp.sp_min =
+ getdef_num ("PASS_MIN_DAYS", -1);
+ sp.sp_max =
+ getdef_num ("PASS_MAX_DAYS", -1);
+ sp.sp_warn =
+ getdef_num ("PASS_WARN_AGE", -1);
+ sp.sp_inact = -1;
+ sp.sp_expire = -1;
+ sp.sp_flag = SHADOW_SP_FLAG_UNSET;
+ sp.sp_lstchg = (long) gettime () / SCALE;
+ if (0 == sp.sp_lstchg) {
+ /* Better disable aging than
+ * requiring a password change
+ */
+ sp.sp_lstchg = -1;
+ }
+ *changed = true;
+
+ if (spw_update (&sp) == 0) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry '%s'\n"),
+ Prog, spw_dbname (), sp.sp_namp);
+ fail_exit (E_CANTUPDATE);
+ }
+ /* remove password from /etc/passwd */
+ pw = *pwd;
+ pw.pw_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */
+ if (pw_update (&pw) == 0) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry '%s'\n"),
+ Prog, pw_dbname (), pw.pw_name);
+ fail_exit (E_CANTUPDATE);
+ }
+ }
+ } else {
+ /* The passwd entry has a shadow counterpart.
+ * Make sure no passwords are in passwd.
+ */
+ if ( !quiet
+ && (strcmp (pwd->pw_passwd,
+ SHADOW_PASSWD_STRING) != 0)) {
+ printf (_("user %s has an entry in %s, but its password field in %s is not set to 'x'\n"),
+ pwd->pw_name, spw_dbname (), pw_dbname ());
+ *errors += 1;
+ }
+ }
+ }
+#ifdef WITH_TCB
+ if (getdef_bool ("USE_TCB") && spw_locked) {
+ if (spw_opened && (spw_close () == 0)) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ spw_dbname ()));
+ }
+ } else {
+ spw_opened = false;
+ }
+ if (spw_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, spw_dbname ());
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_ERR, "failed to unlock %s",
+ spw_dbname ()));
+ }
+ } else {
+ spw_locked = false;
+ }
+ }
+#endif /* WITH_TCB */
+ }
+}
+
+/*
+ * check_spw_file - check the content of the shadowed password file (shadow)
+ */
+static void check_spw_file (int *errors, bool *changed)
+{
+ struct commonio_entry *spe, *tspe;
+ struct spwd *spw;
+
+ /*
+ * Loop through the entire shadow password file.
+ */
+ for (spe = __spw_get_head (); NULL != spe; spe = spe->next) {
+ /*
+ * Do not treat lines which were missing in shadow
+ * and were added earlier.
+ */
+ if (NULL == spe->line) {
+ continue;
+ }
+
+ /*
+ * If this is a NIS line, skip it. You can't "know" what NIS
+ * is going to do without directly asking NIS ...
+ */
+ if (('+' == spe->line[0]) || ('-' == spe->line[0])) {
+ continue;
+ }
+
+ /*
+ * Start with the entries that are completely corrupt. They
+ * have no (struct spwd) entry because they couldn't be
+ * parsed properly.
+ */
+ if (NULL == spe->eptr) {
+ /*
+ * Tell the user this entire line is bogus and ask
+ * them to delete it.
+ */
+ puts (_("invalid shadow password file entry"));
+ printf (_("delete line '%s'? "), spe->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (!yes_or_no (read_only)) {
+ continue;
+ }
+
+ /*
+ * All shadow file deletions wind up here. This code
+ * removes the current entry from the linked list.
+ * When done, it skips back to the top of the loop
+ * to try out the next list element.
+ */
+ delete_spw:
+ if (use_system_spw_file) {
+ SYSLOG ((LOG_INFO, "delete shadow line '%s'",
+ spe->line));
+ }
+ *changed = true;
+
+ __spw_del_entry (spe);
+ continue;
+ }
+
+ /*
+ * Shadow password structure is good, start using it.
+ */
+ spw = spe->eptr;
+
+ /*
+ * Make sure this entry has a unique name.
+ */
+ for (tspe = __spw_get_head (); NULL != tspe; tspe = tspe->next) {
+ const struct spwd *ent = tspe->eptr;
+
+ /*
+ * Don't check this entry
+ */
+ if (tspe == spe) {
+ continue;
+ }
+
+ /*
+ * Don't check invalid entries.
+ */
+ if (NULL == ent) {
+ continue;
+ }
+
+ if (strcmp (spw->sp_namp, ent->sp_namp) != 0) {
+ continue;
+ }
+
+ /*
+ * Tell the user this entry is a duplicate of
+ * another and ask them to delete it.
+ */
+ puts (_("duplicate shadow password entry"));
+ printf (_("delete line '%s'? "), spe->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (yes_or_no (read_only)) {
+ goto delete_spw;
+ }
+ }
+
+ /*
+ * Make sure this entry exists in the /etc/passwd
+ * file.
+ */
+ if (pw_locate (spw->sp_namp) == NULL) {
+ /*
+ * Tell the user this entry has no matching
+ * /etc/passwd entry and ask them to delete it.
+ */
+ printf (_("no matching password file entry in %s\n"),
+ pw_dbname ());
+ printf (_("delete line '%s'? "), spe->line);
+ *errors += 1;
+
+ /*
+ * prompt the user to delete the entry or not
+ */
+ if (yes_or_no (read_only)) {
+ goto delete_spw;
+ }
+ }
+
+ /*
+ * Warn if last password change in the future. --marekm
+ */
+ if (!quiet) {
+ time_t t = time ((time_t *) 0);
+ if ( (t != 0)
+ && (spw->sp_lstchg > (long) t / SCALE)) {
+ printf (_("user %s: last password change in the future\n"),
+ spw->sp_namp);
+ *errors += 1;
+ }
+ }
+ }
+}
+
+/*
+ * pwck - verify password file integrity
+ */
+int main (int argc, char **argv)
+{
+ int errors = 0;
+ bool changed = false;
+
+ /*
+ * Get my name so that I can use it to report errors.
+ */
+ Prog = Basename (argv[0]);
+ log_set_progname(Prog);
+ log_set_logfd(stderr);
+
+ (void) setlocale (LC_ALL, "");
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
+ (void) textdomain (PACKAGE);
+
+ process_root_flag ("-R", argc, argv);
+
+ OPENLOG ("pwck");
+
+ /* Parse the command line arguments */
+ process_flags (argc, argv);
+
+ open_files ();
+
+ if (sort_mode) {
+ if (pw_sort () != 0) {
+ fprintf (stderr,
+ _("%s: cannot sort entries in %s\n"),
+ Prog, pw_dbname ());
+ fail_exit (E_CANTSORT);
+ }
+ if (is_shadow) {
+ if (spw_sort () != 0) {
+ fprintf (stderr,
+ _("%s: cannot sort entries in %s\n"),
+ Prog, spw_dbname ());
+ fail_exit (E_CANTSORT);
+ }
+ }
+ changed = true;
+ } else {
+ check_pw_file (&errors, &changed);
+
+ if (is_shadow) {
+ check_spw_file (&errors, &changed);
+ }
+ }
+
+ close_files (changed);
+
+ if (!read_only) {
+ nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
+ }
+
+ /*
+ * Tell the user what we did and exit.
+ */
+ if (0 != errors) {
+ printf (changed ?
+ _("%s: the files have been updated\n") :
+ _("%s: no changes\n"), Prog);
+ }
+
+ closelog ();
+ return ((0 != errors) ? E_BADENTRY : E_OKAY);
+}
+