From 97c26c1924b076ef23ebe4381558e8aa025712b2 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:54:37 +0200 Subject: Adding upstream version 1:4.13+dfsg1. Signed-off-by: Daniel Baumann --- src/groupdel.c | 481 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 481 insertions(+) create mode 100644 src/groupdel.c (limited to 'src/groupdel.c') diff --git a/src/groupdel.c b/src/groupdel.c new file mode 100644 index 0000000..c84faa7 --- /dev/null +++ b/src/groupdel.c @@ -0,0 +1,481 @@ +/* + * SPDX-FileCopyrightText: 1991 - 1994, Julianne Frances Haugh + * SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz + * SPDX-FileCopyrightText: 2000 - 2006, Tomasz Kłoczko + * SPDX-FileCopyrightText: 2007 - 2011, Nicolas François + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include + +#ident "$Id$" + +#include +#include +#include +#include +#ifdef ACCT_TOOLS_SETUID +#ifdef USE_PAM +#include "pam_defs.h" +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ +#include +#include +#include +#include "defines.h" +#include "groupio.h" +#include "nscd.h" +#include "sssd.h" +#include "prototypes.h" +#ifdef SHADOWGRP +#include "sgroupio.h" +#endif +#include "shadowlog.h" +/* + * Global variables + */ +const char *Prog; + +static char *group_name; +static gid_t group_id = -1; +static bool check_group_busy = true; + +static const char* prefix = ""; + +#ifdef SHADOWGRP +static bool is_shadow_grp; +#endif + +/* + * exit status values + */ +/*@-exitarg@*/ +#define E_SUCCESS 0 /* success */ +#define E_USAGE 2 /* invalid command syntax */ +#define E_NOTFOUND 6 /* specified group doesn't exist */ +#define E_GROUP_BUSY 8 /* can't remove user's primary group */ +#define E_GRP_UPDATE 10 /* can't update group file */ + +/* local function prototypes */ +static /*@noreturn@*/void usage (int status); +static void grp_update (void); +static void close_files (void); +static void open_files (void); +static void group_busy (gid_t gid); +static void process_flags (int argc, char **argv); + +/* + * usage - display usage message and exit + */ +static /*@noreturn@*/void usage (int status) +{ + FILE *usageout = (E_SUCCESS != status) ? stderr : stdout; + (void) fprintf (usageout, + _("Usage: %s [options] GROUP\n" + "\n" + "Options:\n"), + Prog); + (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); + (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); + (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); + (void) fputs (_(" -f, --force delete group even if it is the primary group of a user\n"), usageout); + (void) fputs ("\n", usageout); + exit (status); +} + +/* + * grp_update - update group file entries + * + * grp_update() writes the new records to the group files. + */ +static void grp_update (void) +{ + /* + * To add the group, we need to update /etc/group. + * Make sure failures will be reported. + */ + add_cleanup (cleanup_report_del_group_group, group_name); +#ifdef SHADOWGRP + if (is_shadow_grp) { + /* We also need to update /etc/gshadow */ + add_cleanup (cleanup_report_del_group_gshadow, group_name); + } +#endif + + /* + * Delete the group entry. + */ + if (gr_remove (group_name) == 0) { + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), + Prog, group_name, gr_dbname ()); + exit (E_GRP_UPDATE); + } + +#ifdef SHADOWGRP + /* + * Delete the shadow group entries as well. + */ + if (is_shadow_grp && (sgr_locate (group_name) != NULL)) { + if (sgr_remove (group_name) == 0) { + fprintf (stderr, + _("%s: cannot remove entry '%s' from %s\n"), + Prog, group_name, sgr_dbname ()); + exit (E_GRP_UPDATE); + } + } +#endif /* SHADOWGRP */ +} + +/* + * close_files - close all of the files that were opened + * + * close_files() closes all of the files that were opened for this + * new group. This causes any modified entries to be written out. + */ +static void close_files (void) +{ + /* First, write the changes in the regular group database */ + if (gr_close () == 0) { + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, gr_dbname ()); + exit (E_GRP_UPDATE); + } + +#ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, + "removing group from /etc/group", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); +#endif + SYSLOG ((LOG_INFO, + "group '%s' removed from %s", + group_name, gr_dbname ())); + del_cleanup (cleanup_report_del_group_group); + + cleanup_unlock_group (NULL); + del_cleanup (cleanup_unlock_group); + + + /* Then, write the changes in the shadow database */ +#ifdef SHADOWGRP + if (is_shadow_grp) { + if (sgr_close () == 0) { + fprintf (stderr, + _("%s: failure while writing changes to %s\n"), + Prog, sgr_dbname ()); + exit (E_GRP_UPDATE); + } + +#ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, + "removing group from /etc/gshadow", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); +#endif + SYSLOG ((LOG_INFO, + "group '%s' removed from %s", + group_name, sgr_dbname ())); + del_cleanup (cleanup_report_del_group_gshadow); + + cleanup_unlock_gshadow (NULL); + del_cleanup (cleanup_unlock_gshadow); + } +#endif /* SHADOWGRP */ + + /* Report success at the system level */ +#ifdef WITH_AUDIT + audit_logger (AUDIT_DEL_GROUP, Prog, + "", + group_name, (unsigned int) group_id, + SHADOW_AUDIT_SUCCESS); +#endif + SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name)); + del_cleanup (cleanup_report_del_group); +} + +/* + * open_files - lock and open the group files + * + * open_files() opens the two group files. + */ +static void open_files (void) +{ + /* First, lock the databases */ + if (gr_lock () == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, gr_dbname ()); + exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_group, NULL); +#ifdef SHADOWGRP + if (is_shadow_grp) { + if (sgr_lock () == 0) { + fprintf (stderr, + _("%s: cannot lock %s; try again later.\n"), + Prog, sgr_dbname ()); + exit (E_GRP_UPDATE); + } + add_cleanup (cleanup_unlock_gshadow, NULL); + } +#endif + + /* + * Now, if the group is not removed, it's our fault. + * Make sure failures will be reported. + */ + add_cleanup (cleanup_report_del_group, group_name); + + /* An now open the databases */ + if (gr_open (O_CREAT | O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), + Prog, gr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); + exit (E_GRP_UPDATE); + } +#ifdef SHADOWGRP + if (is_shadow_grp) { + if (sgr_open (O_CREAT | O_RDWR) == 0) { + fprintf (stderr, + _("%s: cannot open %s\n"), + Prog, sgr_dbname ()); + SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); + exit (E_GRP_UPDATE); + } + } +#endif /* SHADOWGRP */ +} + +/* + * group_busy - check if this is any user's primary group + * + * group_busy verifies that this group is not the primary group + * for any user. You must remove all users before you remove + * the group. + */ +static void group_busy (gid_t gid) +{ + struct passwd *pwd; + + /* + * Nice slow linear search. + */ + + prefix_setpwent (); + + while ( ((pwd = prefix_getpwent ()) != NULL) && (pwd->pw_gid != gid) ); + + prefix_endpwent (); + + /* + * If pwd isn't NULL, it stopped because the gid's matched. + */ + + if (pwd == (struct passwd *) 0) { + return; + } + + /* + * Can't remove the group. + */ + fprintf (stderr, + _("%s: cannot remove the primary group of user '%s'\n"), + Prog, pwd->pw_name); + exit (E_GROUP_BUSY); +} + +/* + * process_flags - parse the command line options + * + * It will not return if an error is encountered. + */ +static void process_flags (int argc, char **argv) +{ + /* + * Parse the command line options. + */ + int c; + static struct option long_options[] = { + {"help", no_argument, NULL, 'h'}, + {"force", no_argument, NULL, 'f'}, + {"root", required_argument, NULL, 'R'}, + {"prefix", required_argument, NULL, 'P'}, + {NULL, 0, NULL, '\0'} + }; + + while ((c = getopt_long (argc, argv, "hfR:P:", + long_options, NULL)) != -1) { + switch (c) { + case 'h': + usage (E_SUCCESS); + /*@notreached@*/break; + case 'R': /* no-op, handled in process_root_flag () */ + break; + case 'P': /* no-op, handled in process_prefix_flag () */ + break; + case 'f': + check_group_busy = false; + break; + default: + usage (E_USAGE); + } + } + + if (optind != argc - 1) { + usage (E_USAGE); + } + group_name = argv[optind]; +} + +/* + * main - groupdel command + * + * The syntax of the groupdel command is + * + * groupdel group + * + * The named group will be deleted. + */ + +int main (int argc, char **argv) +{ +#ifdef ACCT_TOOLS_SETUID +#ifdef USE_PAM + pam_handle_t *pamh = NULL; + int retval; +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ + + /* + * Get my name so that I can use it to report errors. + */ + Prog = Basename (argv[0]); + log_set_progname(Prog); + log_set_logfd(stderr); + + (void) setlocale (LC_ALL, ""); + (void) bindtextdomain (PACKAGE, LOCALEDIR); + (void) textdomain (PACKAGE); + + process_root_flag ("-R", argc, argv); + prefix = process_prefix_flag ("-P", argc, argv); + + OPENLOG ("groupdel"); +#ifdef WITH_AUDIT + audit_help_open (); +#endif + + if (atexit (do_cleanups) != 0) { + fprintf (stderr, + _("%s: Cannot setup cleanup service.\n"), + Prog); + exit (1); + } + + process_flags (argc, argv); + +#ifdef ACCT_TOOLS_SETUID +#ifdef USE_PAM + { + struct passwd *pampw; + pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ + if (pampw == NULL) { + fprintf (stderr, + _("%s: Cannot determine your user name.\n"), + Prog); + exit (1); + } + + retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh); + } + + if (PAM_SUCCESS == retval) { + retval = pam_authenticate (pamh, 0); + } + + if (PAM_SUCCESS == retval) { + retval = pam_acct_mgmt (pamh, 0); + } + + if (PAM_SUCCESS != retval) { + fprintf (stderr, _("%s: PAM: %s\n"), + Prog, pam_strerror (pamh, retval)); + SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); + if (NULL != pamh) { + (void) pam_end (pamh, retval); + } + exit (1); + } + (void) pam_end (pamh, retval); +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ + +#ifdef SHADOWGRP + is_shadow_grp = sgr_file_present (); +#endif + + { + struct group *grp; + /* + * Start with a quick check to see if the group exists. + */ + grp = prefix_getgrnam (group_name); /* local, no need for xgetgrnam */ + if (NULL == grp) { + fprintf (stderr, + _("%s: group '%s' does not exist\n"), + Prog, group_name); + exit (E_NOTFOUND); + } + + group_id = grp->gr_gid; + } + +#ifdef USE_NIS + /* + * Make sure this isn't a NIS group + */ + if (__isgrNIS ()) { + char *nis_domain; + char *nis_master; + + fprintf (stderr, + _("%s: group '%s' is a NIS group\n"), + Prog, group_name); + + if (!yp_get_default_domain (&nis_domain) && + !yp_master (nis_domain, "group.byname", &nis_master)) { + fprintf (stderr, + _("%s: %s is the NIS master\n"), + Prog, nis_master); + } + exit (E_NOTFOUND); + } +#endif + + /* + * Make sure this isn't the primary group of anyone. + */ + if (check_group_busy) { + group_busy (group_id); + } + + /* + * Do the hard stuff - open the files, delete the group entries, + * then close and update the files. + */ + open_files (); + + grp_update (); + + close_files (); + + nscd_flush_cache ("group"); + sssd_flush_cache (SSSD_DB_GROUP); + + return E_SUCCESS; +} + -- cgit v1.2.3