pw_group.c revision 284139 
151563Sgreen/*-
251563Sgreen * Copyright (C) 1996
370711Sobrien *	David L. Nugent.  All rights reserved.
470711Sobrien *
5152309Spjd * Redistribution and use in source and binary forms, with or without
6109167Sphk * modification, are permitted provided that the following conditions
751563Sgreen * are met:
860966Speter * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY DAVID L. NUGENT AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL DAVID L. NUGENT OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#ifndef lint
28static const char rcsid[] =
29  "$FreeBSD: head/usr.sbin/pw/pw_group.c 284139 2015-06-07 21:57:20Z bapt $";
30#endif /* not lint */
31
32#include <ctype.h>
33#include <err.h>
34#include <termios.h>
35#include <stdbool.h>
36#include <unistd.h>
37#include <grp.h>
38#include <libutil.h>
39
40#include "pw.h"
41#include "bitmap.h"
42
43
44static struct passwd *lookup_pwent(const char *user);
45static void	delete_members(char ***members, int *grmembers, int *i,
46    struct carg *arg, struct group *grp);
47static int	print_group(struct group * grp);
48static gid_t    gr_gidpolicy(struct userconf * cnf, long id);
49
50int
51pw_group(int mode, char *name, long id, struct cargs * args)
52{
53	int		rc;
54	struct carg    *arg;
55	struct group   *grp = NULL;
56	int	        grmembers = 0;
57	char           **members = NULL;
58	struct userconf	*cnf = conf.userconf;
59
60	static struct group fakegroup =
61	{
62		"nogroup",
63		"*",
64		-1,
65		NULL
66	};
67
68	if (mode == M_LOCK || mode == M_UNLOCK)
69		errx(EX_USAGE, "'lock' command is not available for groups");
70
71	/*
72	 * With M_NEXT, we only need to return the
73	 * next gid to stdout
74	 */
75	if (mode == M_NEXT) {
76		printf("%u\n", gr_gidpolicy(cnd, id));
77		return (EXIT_SUCCESS);
78	}
79
80	if (mode == M_PRINT && getarg(args, 'a')) {
81		SETGRENT();
82		while ((grp = GETGRENT()) != NULL)
83			print_group(grp);
84		ENDGRENT();
85		return EXIT_SUCCESS;
86	}
87	if (id < 0 && name == NULL)
88		errx(EX_DATAERR, "group name or id required");
89
90	grp = (name != NULL) ? GETGRNAM(name) : GETGRGID(id);
91
92	if (mode == M_UPDATE || mode == M_DELETE || mode == M_PRINT) {
93		if (name == NULL && grp == NULL)	/* Try harder */
94			grp = GETGRGID(id);
95
96		if (grp == NULL) {
97			if (mode == M_PRINT && getarg(args, 'F')) {
98				char	*fmems[1];
99				fmems[0] = NULL;
100				fakegroup.gr_name = name ? name : "nogroup";
101				fakegroup.gr_gid = (gid_t) id;
102				fakegroup.gr_mem = fmems;
103				return print_group(&fakegroup);
104			}
105			if (name == NULL)
106				errx(EX_DATAERR, "unknown group `%s'", name);
107			else
108				errx(EX_DATAERR, "unknown group `%ld'", id);
109		}
110		if (name == NULL)	/* Needed later */
111			name = grp->gr_name;
112
113		/*
114		 * Handle deletions now
115		 */
116		if (mode == M_DELETE) {
117			rc = delgrent(grp);
118			if (rc == -1)
119				err(EX_IOERR, "group '%s' not available (NIS?)",
120				    name);
121			else if (rc != 0) {
122				err(EX_IOERR, "group update");
123			}
124			pw_log(cnf, mode, W_GROUP, "%s(%ld) removed", name, id);
125			return EXIT_SUCCESS;
126		} else if (mode == M_PRINT)
127			return print_group(grp);
128
129		if (id > 0)
130			grp->gr_gid = (gid_t) id;
131
132		if (conf.newname != NULL)
133			grp->gr_name = pw_checkname(conf.newname, 0);
134	} else {
135		if (name == NULL)	/* Required */
136			errx(EX_DATAERR, "group name required");
137		else if (grp != NULL)	/* Exists */
138			errx(EX_DATAERR, "group name `%s' already exists", name);
139
140		extendarray(&members, &grmembers, 200);
141		members[0] = NULL;
142		grp = &fakegroup;
143		grp->gr_name = pw_checkname(name, 0);
144		grp->gr_passwd = "*";
145		grp->gr_gid = gr_gidpolicy(cnf, id);
146		grp->gr_mem = members;
147	}
148
149	/*
150	 * This allows us to set a group password Group passwords is an
151	 * antique idea, rarely used and insecure (no secure database) Should
152	 * be discouraged, but it is apparently still supported by some
153	 * software.
154	 */
155
156	if ((arg = getarg(args, 'h')) != NULL ||
157	    (arg = getarg(args, 'H')) != NULL) {
158		if (strcmp(arg->val, "-") == 0)
159			grp->gr_passwd = "*";	/* No access */
160		else {
161			int             fd = atoi(arg->val);
162			int		precrypt = (arg->ch == 'H');
163			int             b;
164			int             istty = isatty(fd);
165			struct termios  t;
166			char           *p, line[256];
167
168			if (istty) {
169				if (tcgetattr(fd, &t) == -1)
170					istty = 0;
171				else {
172					struct termios  n = t;
173
174					/* Disable echo */
175					n.c_lflag &= ~(ECHO);
176					tcsetattr(fd, TCSANOW, &n);
177					printf("%sassword for group %s:", (mode == M_UPDATE) ? "New p" : "P", grp->gr_name);
178					fflush(stdout);
179				}
180			}
181			b = read(fd, line, sizeof(line) - 1);
182			if (istty) {	/* Restore state */
183				tcsetattr(fd, TCSANOW, &t);
184				fputc('\n', stdout);
185				fflush(stdout);
186			}
187			if (b < 0)
188				err(EX_OSERR, "-h file descriptor");
189			line[b] = '\0';
190			if ((p = strpbrk(line, " \t\r\n")) != NULL)
191				*p = '\0';
192			if (!*line)
193				errx(EX_DATAERR, "empty password read on file descriptor %d", fd);
194			if (precrypt) {
195				if (strchr(line, ':') != NULL)
196					return EX_DATAERR;
197				grp->gr_passwd = line;
198			} else
199				grp->gr_passwd = pw_pwcrypt(line);
200		}
201	}
202
203	if (((arg = getarg(args, 'M')) != NULL ||
204	    (arg = getarg(args, 'd')) != NULL ||
205	    (arg = getarg(args, 'm')) != NULL) && arg->val) {
206		int	i = 0;
207		char   *p;
208		struct passwd	*pwd;
209
210		/* Make sure this is not stay NULL with -M "" */
211		extendarray(&members, &grmembers, 200);
212		if (arg->ch == 'd')
213			delete_members(&members, &grmembers, &i, arg, grp);
214		else if (arg->ch == 'm') {
215			int	k = 0;
216
217			if (grp->gr_mem != NULL) {
218				while (grp->gr_mem[k] != NULL) {
219					if (extendarray(&members, &grmembers, i + 2) != -1)
220						members[i++] = grp->gr_mem[k];
221					k++;
222				}
223			}
224		}
225
226		if (arg->ch != 'd')
227			for (p = strtok(arg->val, ", \t"); p != NULL; p = strtok(NULL, ", \t")) {
228				int	j;
229
230				/*
231				 * Check for duplicates
232				 */
233				pwd = lookup_pwent(p);
234				for (j = 0; j < i && strcmp(members[j], pwd->pw_name) != 0; j++)
235					;
236				if (j == i && extendarray(&members, &grmembers, i + 2) != -1)
237					members[i++] = newstr(pwd->pw_name);
238			}
239		while (i < grmembers)
240			members[i++] = NULL;
241		grp->gr_mem = members;
242	}
243
244	if (conf.dryrun)
245		return print_group(grp);
246
247	if (mode == M_ADD && (rc = addgrent(grp)) != 0) {
248		if (rc == -1)
249			errx(EX_IOERR, "group '%s' already exists",
250			    grp->gr_name);
251		else
252			err(EX_IOERR, "group update");
253	} else if (mode == M_UPDATE && (rc = chggrent(name, grp)) != 0) {
254		if (rc == -1)
255			errx(EX_IOERR, "group '%s' not available (NIS?)",
256			    grp->gr_name);
257		else
258			err(EX_IOERR, "group update");
259	}
260
261	if (conf.newname != NULL)
262		name = conf.newname;
263	/* grp may have been invalidated */
264	if ((grp = GETGRNAM(name)) == NULL)
265		errx(EX_SOFTWARE, "group disappeared during update");
266
267	pw_log(cnf, mode, W_GROUP, "%s(%u)", grp->gr_name, grp->gr_gid);
268
269	free(members);
270
271	return EXIT_SUCCESS;
272}
273
274
275/*
276 * Lookup a passwd entry using a name or UID.
277 */
278static struct passwd *
279lookup_pwent(const char *user)
280{
281	struct passwd *pwd;
282
283	if ((pwd = GETPWNAM(user)) == NULL &&
284	    (!isdigit((unsigned char)*user) ||
285	    (pwd = getpwuid((uid_t) atoi(user))) == NULL))
286		errx(EX_NOUSER, "user `%s' does not exist", user);
287
288	return (pwd);
289}
290
291
292/*
293 * Delete requested members from a group.
294 */
295static void
296delete_members(char ***members, int *grmembers, int *i, struct carg *arg,
297    struct group *grp)
298{
299	bool matchFound;
300	char *user;
301	char *valueCopy;
302	char *valuePtr;
303	int k;
304	struct passwd *pwd;
305
306	if (grp->gr_mem == NULL)
307		return;
308
309	k = 0;
310	while (grp->gr_mem[k] != NULL) {
311		matchFound = false;
312		if ((valueCopy = strdup(arg->val)) == NULL)
313			errx(EX_UNAVAILABLE, "out of memory");
314		valuePtr = valueCopy;
315		while ((user = strsep(&valuePtr, ", \t")) != NULL) {
316			pwd = lookup_pwent(user);
317			if (strcmp(grp->gr_mem[k], pwd->pw_name) == 0) {
318				matchFound = true;
319				break;
320			}
321		}
322		free(valueCopy);
323
324		if (!matchFound &&
325		    extendarray(members, grmembers, *i + 2) != -1)
326			(*members)[(*i)++] = grp->gr_mem[k];
327
328		k++;
329	}
330
331	return;
332}
333
334
335static          gid_t
336gr_gidpolicy(struct userconf * cnf, long id)
337{
338	struct group   *grp;
339	gid_t           gid = (gid_t) - 1;
340
341	/*
342	 * Check the given gid, if any
343	 */
344	if (id > 0) {
345		gid = (gid_t) id;
346
347		if ((grp = GETGRGID(gid)) != NULL && conf.checkduplicate)
348			errx(EX_DATAERR, "gid `%u' has already been allocated", grp->gr_gid);
349	} else {
350		struct bitmap   bm;
351
352		/*
353		 * We need to allocate the next available gid under one of
354		 * two policies a) Grab the first unused gid b) Grab the
355		 * highest possible unused gid
356		 */
357		if (cnf->min_gid >= cnf->max_gid) {	/* Sanity claus^H^H^H^Hheck */
358			cnf->min_gid = 1000;
359			cnf->max_gid = 32000;
360		}
361		bm = bm_alloc(cnf->max_gid - cnf->min_gid + 1);
362
363		/*
364		 * Now, let's fill the bitmap from the password file
365		 */
366		SETGRENT();
367		while ((grp = GETGRENT()) != NULL)
368			if ((gid_t)grp->gr_gid >= (gid_t)cnf->min_gid &&
369                            (gid_t)grp->gr_gid <= (gid_t)cnf->max_gid)
370				bm_setbit(&bm, grp->gr_gid - cnf->min_gid);
371		ENDGRENT();
372
373		/*
374		 * Then apply the policy, with fallback to reuse if necessary
375		 */
376		if (cnf->reuse_gids)
377			gid = (gid_t) (bm_firstunset(&bm) + cnf->min_gid);
378		else {
379			gid = (gid_t) (bm_lastset(&bm) + 1);
380			if (!bm_isset(&bm, gid))
381				gid += cnf->min_gid;
382			else
383				gid = (gid_t) (bm_firstunset(&bm) + cnf->min_gid);
384		}
385
386		/*
387		 * Another sanity check
388		 */
389		if (gid < cnf->min_gid || gid > cnf->max_gid)
390			errx(EX_SOFTWARE, "unable to allocate a new gid - range fully used");
391		bm_dealloc(&bm);
392	}
393	return gid;
394}
395
396
397static int
398print_group(struct group * grp)
399{
400	if (!conf.pretty) {
401		char           *buf = NULL;
402
403		buf = gr_make(grp);
404		printf("%s\n", buf);
405		free(buf);
406	} else {
407		int             i;
408
409		printf("Group Name: %-15s   #%lu\n"
410		       "   Members: ",
411		       grp->gr_name, (long) grp->gr_gid);
412		if (grp->gr_mem != NULL) {
413			for (i = 0; grp->gr_mem[i]; i++)
414				printf("%s%s", i ? "," : "", grp->gr_mem[i]);
415		}
416		fputs("\n\n", stdout);
417	}
418	return EXIT_SUCCESS;
419}
420