pw_group.c revision 284149 
1/*-
2 * Copyright (C) 1996
3 *	David L. Nugent.  All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY DAVID L. NUGENT AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL DAVID L. NUGENT OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#ifndef lint
28static const char rcsid[] =
29  "$FreeBSD: head/usr.sbin/pw/pw_group.c 284149 2015-06-08 05:27:34Z bapt $";
30#endif /* not lint */
31
32#include <ctype.h>
33#include <err.h>
34#include <termios.h>
35#include <stdbool.h>
36#include <unistd.h>
37#include <grp.h>
38#include <libutil.h>
39
40#include "pw.h"
41#include "bitmap.h"
42
43
44static struct passwd *lookup_pwent(const char *user);
45static void	delete_members(char ***members, int *grmembers, int *i,
46    struct carg *arg, struct group *grp);
47static int	print_group(struct group * grp);
48static gid_t    gr_gidpolicy(struct userconf * cnf, long id);
49
50int
51pw_group(int mode, char *name, long id, struct cargs * args)
52{
53	int		rc;
54	struct carg    *arg;
55	struct group   *grp = NULL;
56	int	        grmembers = 0;
57	char           **members = NULL;
58	struct userconf	*cnf = conf.userconf;
59
60	static struct group fakegroup =
61	{
62		"nogroup",
63		"*",
64		-1,
65		NULL
66	};
67
68	if (mode == M_LOCK || mode == M_UNLOCK)
69		errx(EX_USAGE, "'lock' command is not available for groups");
70
71	/*
72	 * With M_NEXT, we only need to return the
73	 * next gid to stdout
74	 */
75	if (mode == M_NEXT) {
76		gid_t next = gr_gidpolicy(cnf, id);
77		if (getarg(args, 'q'))
78			return next;
79		printf("%u\n", next);
80		return EXIT_SUCCESS;
81	}
82
83	if (mode == M_PRINT && getarg(args, 'a')) {
84		SETGRENT();
85		while ((grp = GETGRENT()) != NULL)
86			print_group(grp);
87		ENDGRENT();
88		return EXIT_SUCCESS;
89	}
90	if (id < 0 && name == NULL)
91		errx(EX_DATAERR, "group name or id required");
92
93	grp = (name != NULL) ? GETGRNAM(name) : GETGRGID(id);
94
95	if (mode == M_UPDATE || mode == M_DELETE || mode == M_PRINT) {
96		if (name == NULL && grp == NULL)	/* Try harder */
97			grp = GETGRGID(id);
98
99		if (grp == NULL) {
100			if (mode == M_PRINT && getarg(args, 'F')) {
101				char	*fmems[1];
102				fmems[0] = NULL;
103				fakegroup.gr_name = name ? name : "nogroup";
104				fakegroup.gr_gid = (gid_t) id;
105				fakegroup.gr_mem = fmems;
106				return print_group(&fakegroup);
107			}
108			if (name == NULL)
109				errx(EX_DATAERR, "unknown group `%s'", name);
110			else
111				errx(EX_DATAERR, "unknown group `%ld'", id);
112		}
113		if (name == NULL)	/* Needed later */
114			name = grp->gr_name;
115
116		/*
117		 * Handle deletions now
118		 */
119		if (mode == M_DELETE) {
120			rc = delgrent(grp);
121			if (rc == -1)
122				err(EX_IOERR, "group '%s' not available (NIS?)",
123				    name);
124			else if (rc != 0) {
125				err(EX_IOERR, "group update");
126			}
127			pw_log(cnf, mode, W_GROUP, "%s(%ld) removed", name, id);
128			return EXIT_SUCCESS;
129		} else if (mode == M_PRINT)
130			return print_group(grp);
131
132		if (id > 0)
133			grp->gr_gid = (gid_t) id;
134
135		if (conf.newname != NULL)
136			grp->gr_name = pw_checkname(conf.newname, 0);
137	} else {
138		if (name == NULL)	/* Required */
139			errx(EX_DATAERR, "group name required");
140		else if (grp != NULL)	/* Exists */
141			errx(EX_DATAERR, "group name `%s' already exists", name);
142
143		extendarray(&members, &grmembers, 200);
144		members[0] = NULL;
145		grp = &fakegroup;
146		grp->gr_name = pw_checkname(name, 0);
147		grp->gr_passwd = "*";
148		grp->gr_gid = gr_gidpolicy(cnf, id);
149		grp->gr_mem = members;
150	}
151
152	/*
153	 * This allows us to set a group password Group passwords is an
154	 * antique idea, rarely used and insecure (no secure database) Should
155	 * be discouraged, but it is apparently still supported by some
156	 * software.
157	 */
158
159	if ((arg = getarg(args, 'h')) != NULL ||
160	    (arg = getarg(args, 'H')) != NULL) {
161		if (strcmp(arg->val, "-") == 0)
162			grp->gr_passwd = "*";	/* No access */
163		else {
164			int             fd = atoi(arg->val);
165			int		precrypt = (arg->ch == 'H');
166			int             b;
167			int             istty = isatty(fd);
168			struct termios  t;
169			char           *p, line[256];
170
171			if (istty) {
172				if (tcgetattr(fd, &t) == -1)
173					istty = 0;
174				else {
175					struct termios  n = t;
176
177					/* Disable echo */
178					n.c_lflag &= ~(ECHO);
179					tcsetattr(fd, TCSANOW, &n);
180					printf("%sassword for group %s:", (mode == M_UPDATE) ? "New p" : "P", grp->gr_name);
181					fflush(stdout);
182				}
183			}
184			b = read(fd, line, sizeof(line) - 1);
185			if (istty) {	/* Restore state */
186				tcsetattr(fd, TCSANOW, &t);
187				fputc('\n', stdout);
188				fflush(stdout);
189			}
190			if (b < 0)
191				err(EX_OSERR, "-h file descriptor");
192			line[b] = '\0';
193			if ((p = strpbrk(line, " \t\r\n")) != NULL)
194				*p = '\0';
195			if (!*line)
196				errx(EX_DATAERR, "empty password read on file descriptor %d", fd);
197			if (precrypt) {
198				if (strchr(line, ':') != NULL)
199					return EX_DATAERR;
200				grp->gr_passwd = line;
201			} else
202				grp->gr_passwd = pw_pwcrypt(line);
203		}
204	}
205
206	if (((arg = getarg(args, 'M')) != NULL ||
207	    (arg = getarg(args, 'd')) != NULL ||
208	    (arg = getarg(args, 'm')) != NULL) && arg->val) {
209		int	i = 0;
210		char   *p;
211		struct passwd	*pwd;
212
213		/* Make sure this is not stay NULL with -M "" */
214		extendarray(&members, &grmembers, 200);
215		if (arg->ch == 'd')
216			delete_members(&members, &grmembers, &i, arg, grp);
217		else if (arg->ch == 'm') {
218			int	k = 0;
219
220			if (grp->gr_mem != NULL) {
221				while (grp->gr_mem[k] != NULL) {
222					if (extendarray(&members, &grmembers, i + 2) != -1)
223						members[i++] = grp->gr_mem[k];
224					k++;
225				}
226			}
227		}
228
229		if (arg->ch != 'd')
230			for (p = strtok(arg->val, ", \t"); p != NULL; p = strtok(NULL, ", \t")) {
231				int	j;
232
233				/*
234				 * Check for duplicates
235				 */
236				pwd = lookup_pwent(p);
237				for (j = 0; j < i && strcmp(members[j], pwd->pw_name) != 0; j++)
238					;
239				if (j == i && extendarray(&members, &grmembers, i + 2) != -1)
240					members[i++] = newstr(pwd->pw_name);
241			}
242		while (i < grmembers)
243			members[i++] = NULL;
244		grp->gr_mem = members;
245	}
246
247	if (conf.dryrun)
248		return print_group(grp);
249
250	if (mode == M_ADD && (rc = addgrent(grp)) != 0) {
251		if (rc == -1)
252			errx(EX_IOERR, "group '%s' already exists",
253			    grp->gr_name);
254		else
255			err(EX_IOERR, "group update");
256	} else if (mode == M_UPDATE && (rc = chggrent(name, grp)) != 0) {
257		if (rc == -1)
258			errx(EX_IOERR, "group '%s' not available (NIS?)",
259			    grp->gr_name);
260		else
261			err(EX_IOERR, "group update");
262	}
263
264	if (conf.newname != NULL)
265		name = conf.newname;
266	/* grp may have been invalidated */
267	if ((grp = GETGRNAM(name)) == NULL)
268		errx(EX_SOFTWARE, "group disappeared during update");
269
270	pw_log(cnf, mode, W_GROUP, "%s(%u)", grp->gr_name, grp->gr_gid);
271
272	free(members);
273
274	return EXIT_SUCCESS;
275}
276
277
278/*
279 * Lookup a passwd entry using a name or UID.
280 */
281static struct passwd *
282lookup_pwent(const char *user)
283{
284	struct passwd *pwd;
285
286	if ((pwd = GETPWNAM(user)) == NULL &&
287	    (!isdigit((unsigned char)*user) ||
288	    (pwd = getpwuid((uid_t) atoi(user))) == NULL))
289		errx(EX_NOUSER, "user `%s' does not exist", user);
290
291	return (pwd);
292}
293
294
295/*
296 * Delete requested members from a group.
297 */
298static void
299delete_members(char ***members, int *grmembers, int *i, struct carg *arg,
300    struct group *grp)
301{
302	bool matchFound;
303	char *user;
304	char *valueCopy;
305	char *valuePtr;
306	int k;
307	struct passwd *pwd;
308
309	if (grp->gr_mem == NULL)
310		return;
311
312	k = 0;
313	while (grp->gr_mem[k] != NULL) {
314		matchFound = false;
315		if ((valueCopy = strdup(arg->val)) == NULL)
316			errx(EX_UNAVAILABLE, "out of memory");
317		valuePtr = valueCopy;
318		while ((user = strsep(&valuePtr, ", \t")) != NULL) {
319			pwd = lookup_pwent(user);
320			if (strcmp(grp->gr_mem[k], pwd->pw_name) == 0) {
321				matchFound = true;
322				break;
323			}
324		}
325		free(valueCopy);
326
327		if (!matchFound &&
328		    extendarray(members, grmembers, *i + 2) != -1)
329			(*members)[(*i)++] = grp->gr_mem[k];
330
331		k++;
332	}
333
334	return;
335}
336
337
338static          gid_t
339gr_gidpolicy(struct userconf * cnf, long id)
340{
341	struct group   *grp;
342	gid_t           gid = (gid_t) - 1;
343
344	/*
345	 * Check the given gid, if any
346	 */
347	if (id > 0) {
348		gid = (gid_t) id;
349
350		if ((grp = GETGRGID(gid)) != NULL && conf.checkduplicate)
351			errx(EX_DATAERR, "gid `%u' has already been allocated", grp->gr_gid);
352	} else {
353		struct bitmap   bm;
354
355		/*
356		 * We need to allocate the next available gid under one of
357		 * two policies a) Grab the first unused gid b) Grab the
358		 * highest possible unused gid
359		 */
360		if (cnf->min_gid >= cnf->max_gid) {	/* Sanity claus^H^H^H^Hheck */
361			cnf->min_gid = 1000;
362			cnf->max_gid = 32000;
363		}
364		bm = bm_alloc(cnf->max_gid - cnf->min_gid + 1);
365
366		/*
367		 * Now, let's fill the bitmap from the password file
368		 */
369		SETGRENT();
370		while ((grp = GETGRENT()) != NULL)
371			if ((gid_t)grp->gr_gid >= (gid_t)cnf->min_gid &&
372                            (gid_t)grp->gr_gid <= (gid_t)cnf->max_gid)
373				bm_setbit(&bm, grp->gr_gid - cnf->min_gid);
374		ENDGRENT();
375
376		/*
377		 * Then apply the policy, with fallback to reuse if necessary
378		 */
379		if (cnf->reuse_gids)
380			gid = (gid_t) (bm_firstunset(&bm) + cnf->min_gid);
381		else {
382			gid = (gid_t) (bm_lastset(&bm) + 1);
383			if (!bm_isset(&bm, gid))
384				gid += cnf->min_gid;
385			else
386				gid = (gid_t) (bm_firstunset(&bm) + cnf->min_gid);
387		}
388
389		/*
390		 * Another sanity check
391		 */
392		if (gid < cnf->min_gid || gid > cnf->max_gid)
393			errx(EX_SOFTWARE, "unable to allocate a new gid - range fully used");
394		bm_dealloc(&bm);
395	}
396	return gid;
397}
398
399
400static int
401print_group(struct group * grp)
402{
403	if (!conf.pretty) {
404		char           *buf = NULL;
405
406		buf = gr_make(grp);
407		printf("%s\n", buf);
408		free(buf);
409	} else {
410		int             i;
411
412		printf("Group Name: %-15s   #%lu\n"
413		       "   Members: ",
414		       grp->gr_name, (long) grp->gr_gid);
415		if (grp->gr_mem != NULL) {
416			for (i = 0; grp->gr_mem[i]; i++)
417				printf("%s%s", i ? "," : "", grp->gr_mem[i]);
418		}
419		fputs("\n\n", stdout);
420	}
421	return EXIT_SUCCESS;
422}
423