From ed30d2606957c09266869e0c267c8b7ae9a0ac5f Mon Sep 17 00:00:00 2001 From: Chris Hofstaedtler Date: Sun, 7 Jul 2024 12:49:44 +0200 Subject: [PATCH] Remove "incomplete" TCB support WITH_TCB was always documented as incomplete. Signed-off-by: Chris Hofstaedtler --- configure.ac | 26 -- lib/Makefile.am | 4 - lib/commonio.c | 10 - lib/getdef.c | 5 - lib/shadowio.c | 83 +--- lib/tcbfuncs.c | 605 ---------------------------- lib/tcbfuncs.h | 19 - libsubid/Makefile.am | 1 - man/Makefile.am | 3 - man/chage.1.xml | 13 - man/generate_mans.mak | 7 +- man/login.defs.5.xml | 33 -- man/login.defs.d/TCB_AUTH_GROUP.xml | 13 - man/login.defs.d/TCB_SYMLINKS.xml | 29 -- man/login.defs.d/USE_TCB.xml | 14 - man/pwck.8.xml | 21 +- man/pwconv.8.xml | 27 +- man/useradd.8.xml | 6 - man/userdel.8.xml | 4 - man/usermod.8.xml | 4 - man/vipw.8.xml | 25 -- po/POTFILES.in | 1 - src/Makefile.am | 21 +- src/chage.c | 9 - src/pwck.c | 121 +----- src/pwconv.c | 7 - src/pwunconv.c | 7 - src/useradd.c | 13 - src/userdel.c | 58 --- src/usermod.c | 16 - src/vipw.c | 115 +----- 31 files changed, 21 insertions(+), 1299 deletions(-) delete mode 100644 lib/tcbfuncs.c delete mode 100644 lib/tcbfuncs.h delete mode 100644 man/login.defs.d/TCB_AUTH_GROUP.xml delete mode 100644 man/login.defs.d/TCB_SYMLINKS.xml delete mode 100644 man/login.defs.d/USE_TCB.xml diff --git a/configure.ac b/configure.ac index bc89a44f3..8be047622 100644 --- a/configure.ac +++ b/configure.ac @@ -230,9 +230,6 @@ AC_ARG_WITH(attr, AC_ARG_WITH(skey, [AS_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])], [with_skey=$withval], [with_skey=no]) -AC_ARG_WITH(tcb, - [AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])], - [with_tcb=$withval], [with_tcb=maybe]) AC_ARG_WITH(sha-crypt, [AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])], [with_sha_crypt=$withval], [with_sha_crypt=yes]) 
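Review bot: With the `AC_ARG_WITH(tcb, ...)` block gone, a build script that still passes `--with-tcb` gets, by default, only autoconf's "unrecognized options" warning and proceeds, ending up with a setuid-root passwd instead of the sgid-shadow one that configuration used to install (see the src/Makefile.am hunks). A stub that fails loudly costs three lines and protects packagers: `AC_ARG_WITH(tcb, [AS_HELP_STRING([--with-tcb], [tcb support has been removed])], [AS_IF([test "$withval" != "no"], [AC_MSG_ERROR([tcb support has been removed])])])`. Whether the retired option stays visible in `--help` is a matter of taste; the point is that the old flag should not be accepted silently.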
@@ -565,28 +562,6 @@ if test "$with_selinux" != "no"; then fi fi -AC_SUBST(LIBTCB) -if test "$with_tcb" != "no"; then - AC_CHECK_HEADERS(tcb.h, [tcb_header="yes"], [tcb_header="no"]) - if test "$tcb_header$with_tcb" = "noyes" ; then - AC_MSG_ERROR([tcb.h is missing]) - elif test "$tcb_header" = "yes" ; then - AC_CHECK_LIB(tcb, tcb_is_suspect, [tcb_lib="yes"], [tcb_lib="no"]) - if test "$tcb_lib$with_tcb" = "noyes" ; then - AC_MSG_ERROR([libtcb not found]) - elif test "$tcb_lib" = "no" ; then - with_tcb="no" - else - AC_DEFINE(WITH_TCB, 1, [Build shadow with tcb support (incomplete)]) - LIBTCB="-ltcb" - with_tcb="yes" - fi - else - with_tcb="no" - fi -fi -AM_CONDITIONAL(WITH_TCB, test x$with_tcb = xyes) - AC_SUBST(LIBPAM) if test "$with_libpam" != "no"; then AC_CHECK_LIB(pam, pam_start, @@ -757,7 +732,6 @@ echo " SELinux support: $with_selinux" echo " BtrFS support: $with_btrfs" echo " ACL support: $with_acl" echo " Extended Attributes support: $with_attr" -echo " tcb support (incomplete): $with_tcb" echo " shadow group support: $enable_shadowgrp" echo " S/Key support: $with_skey" echo " SHA passwords encryption: $with_sha_crypt" diff --git a/lib/Makefile.am b/lib/Makefile.am index 8cbb6dfdb..faf239e5c 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -208,10 +208,6 @@ libshadow_la_SOURCES = \ xgetspnam.c \ yesno.c -if WITH_TCB -libshadow_la_SOURCES += tcbfuncs.c tcbfuncs.h -endif - if WITH_BTRFS libshadow_la_SOURCES += btrfs.c endif diff --git a/lib/commonio.c b/lib/commonio.c index 6a9b77525..d5129daba 100644 --- a/lib/commonio.c +++ b/lib/commonio.c @@ -29,9 +29,6 @@ #include "defines.h" #include "memzero.h" #include "nscd.h" -#ifdef WITH_TCB -#include -#endif /* WITH_TCB */ #include "prototypes.h" #include "shadowlog_internal.h" #include "sssd.h" 
@@ -608,13 +605,6 @@ int commonio_open (struct commonio_db *db, int mode)
 saved_errno = errno;
 db->fp = NULL;
 if (fd >= 0) {
-#ifdef WITH_TCB
- if (tcb_is_suspect (fd) != 0) {
- (void) close (fd);
- errno = EINVAL;
- return 0;
- }
-#endif /* WITH_TCB */
 db->fp = fdopen (fd, db->readonly ? "r" : "r+");
 saved_errno = errno;
 if (NULL == db->fp) {
diff --git a/lib/getdef.c b/lib/getdef.c
index d33f45b14..67188bb66 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -145,11 +145,6 @@ static struct itemdef def_table[] = {
 #endif
 {"SYSLOG_SG_ENAB", NULL},
 {"SYSLOG_SU_ENAB", NULL},
-#ifdef WITH_TCB
- {"TCB_AUTH_GROUP", NULL},
- {"TCB_SYMLINKS", NULL},
- {"USE_TCB", NULL},
-#endif
 {"FORCE_SHADOW", NULL},
 {"GRANT_AUX_GROUP_SUBIDS", NULL},
 {"PREVENT_NO_AUTH", NULL},
diff --git a/lib/shadowio.c b/lib/shadowio.c
index d2c3b4730..a643fdd0b 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -19,10 +19,6 @@
 #include "commonio.h"
 #include "getdef.h"
 #include "shadowio.h"
-#ifdef WITH_TCB
-#include
-#include "tcbfuncs.h"
-#endif /* WITH_TCB */
 static /*@null@*/ /*@only@*/void *shadow_dup (const void *ent)
 {
@@ -117,45 +113,12 @@ bool spw_file_present (void)
 int spw_lock (void)
 {
-#ifdef WITH_TCB
- int retval = 0;
-
- if (!getdef_bool ("USE_TCB")) {
-#endif /* WITH_TCB */
- return commonio_lock (&shadow_db);
-#ifdef WITH_TCB
- }
- if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) {
- return 0;
- }
- if (lckpwdf_tcb (shadow_db.filename) == 0) {
- shadow_db.locked = 1;
- retval = 1;
- }
- if (shadowtcb_gain_priv () == SHADOWTCB_FAILURE) {
- return 0;
- }
- return retval;
-#endif /* WITH_TCB */
+ return commonio_lock (&shadow_db);
 }
 int spw_open (int mode)
 {
- int retval = 0;
-#ifdef WITH_TCB
- bool use_tcb = getdef_bool ("USE_TCB");
-
- if (use_tcb && (shadowtcb_drop_priv () == SHADOWTCB_FAILURE)) {
- return 0;
- }
-#endif /* WITH_TCB */
- retval = commonio_open (&shadow_db, mode);
-#ifdef WITH_TCB
- if (use_tcb && (shadowtcb_gain_priv () == SHADOWTCB_FAILURE)) {
- return 0;
- }
-#endif /* WITH_TCB */
- return retval;
+ return commonio_open (&shadow_db, mode);
 }
 /*@observer@*/ /*@null@*/const struct spwd *spw_locate (const char *name)
@@ -185,45 +148,12 @@ int spw_rewind (void)
 int spw_close (void)
 {
- int retval = 0;
-#ifdef WITH_TCB
- bool use_tcb = getdef_bool ("USE_TCB");
-
- if (use_tcb && (shadowtcb_drop_priv () == SHADOWTCB_FAILURE)) {
- return 0;
- }
-#endif /* WITH_TCB */
- retval = commonio_close (&shadow_db);
-#ifdef WITH_TCB
- if (use_tcb && (shadowtcb_gain_priv () == SHADOWTCB_FAILURE)) {
- return 0;
- }
-#endif /* WITH_TCB */
- return retval;
+ return commonio_close (&shadow_db);
 }
 int spw_unlock (void)
 {
-#ifdef WITH_TCB
- int retval = 0;
-
- if (!getdef_bool ("USE_TCB")) {
-#endif /* WITH_TCB */
- return commonio_unlock (&shadow_db);
-#ifdef WITH_TCB
- }
- if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) {
- return 0;
- }
- if (ulckpwdf_tcb () == 0) {
- shadow_db.locked = 0;
- retval = 1;
- }
- if (shadowtcb_gain_priv () == SHADOWTCB_FAILURE) {
- return 0;
- }
- return retval;
-#endif /* WITH_TCB */
+ return commonio_unlock (&shadow_db);
 }
 struct commonio_entry *__spw_get_head (void)
@@ -239,10 +169,5 @@ void __spw_del_entry (const struct commonio_entry *ent)
 /* Sort with respect to passwd ordering. */
 int spw_sort ()
 {
-#ifdef WITH_TCB
- if (getdef_bool ("USE_TCB")) {
- return 0;
- }
-#endif /* WITH_TCB */
 return commonio_sort_wrt (&shadow_db, __pw_get_db ());
 }
diff --git a/lib/tcbfuncs.c b/lib/tcbfuncs.c
deleted file mode 100644
index 3dc2abd70..000000000
--- a/lib/tcbfuncs.c
+++ /dev/null
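Review bot: `int spw_sort ()` in the last hunk is an old-style definition with an empty parameter list, which `-Wstrict-prototypes`/`-Wold-style-definition` flag and which differs from the `(void)` form used by `spw_lock`, `spw_open`, `spw_close` and `spw_unlock` in the hunks above; now that the body is the single line `return commonio_sort_wrt (&shadow_db, __pw_get_db ());`, this is the moment to change the definition to `int spw_sort (void)`. The header declaration is not in the diff, so check that it agrees. The wrappers reduced to one `return` each would also read better with a short comment such as `/* Thin wrappers over commonio for the shadow database. */` above the first of them, though that is optional.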
@@ -1,605 +0,0 @@ -/* - * SPDX-FileCopyrightText: 2001 Rafal Wojtczuk, Solar Designer - * SPDX-License-Identifier: 0BSD - */ - -#define _GNU_SOURCE - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "config.h" - -#include "defines.h" -#include "prototypes.h" -#include "getdef.h" -#include "shadowio.h" -#include "tcbfuncs.h" - -#include "shadowlog_internal.h" - -#define SHADOWTCB_HASH_BY 1000 -#define SHADOWTCB_LOCK_SUFFIX ".lock" - -static /*@null@*//*@only@*/char *stored_tcb_user = NULL; - -shadowtcb_status shadowtcb_drop_priv (void) -{ - if (!getdef_bool ("USE_TCB")) { - return SHADOWTCB_SUCCESS; - } - - if (NULL != stored_tcb_user) { - if (tcb_drop_priv (stored_tcb_user) == 0) { - return SHADOWTCB_SUCCESS; - } - } - - return SHADOWTCB_FAILURE; -} - -shadowtcb_status shadowtcb_gain_priv (void) -{ - if (!getdef_bool ("USE_TCB")) { - return SHADOWTCB_SUCCESS; - } - - return (tcb_gain_priv () == 0) ? SHADOWTCB_SUCCESS : SHADOWTCB_FAILURE; -} - -/* In case something goes wrong, we return immediately, not polluting the - * code with free(). All errors are fatal, so the application is expected - * to exit soon. - */ -#define OUT_OF_MEMORY do { \ - fprintf (shadow_logfd, _("%s: out of memory\n"), shadow_progname); \ - (void) fflush (shadow_logfd); \ -} while (false) - -/* Returns user's tcb directory path relative to TCB_DIR. 
*/ -static /*@null@*/ char *shadowtcb_path_rel (const char *name, uid_t uid) -{ - char *ret; - - if (!getdef_bool ("TCB_SYMLINKS") || uid < SHADOWTCB_HASH_BY) { - if (asprintf (&ret, "%s", name) == -1) { - OUT_OF_MEMORY; - return NULL; - } - } else if (uid < SHADOWTCB_HASH_BY * SHADOWTCB_HASH_BY) { - if (asprintf (&ret, ":%dK/%s", - uid / SHADOWTCB_HASH_BY, name) == -1) { - OUT_OF_MEMORY; - return NULL; - } - } else { - if (asprintf (&ret, ":%dM/:%dK/%s", - uid / (SHADOWTCB_HASH_BY * SHADOWTCB_HASH_BY), - (uid % (SHADOWTCB_HASH_BY * SHADOWTCB_HASH_BY)) / SHADOWTCB_HASH_BY, - name) == -1) { - OUT_OF_MEMORY; - return NULL; - } - } - return ret; -} - -static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name) -{ - char *path, *rval; - struct stat st; - char link[8192]; - ssize_t ret; - - if (asprintf (&path, TCB_DIR "/%s", name) == -1) { - OUT_OF_MEMORY; - return NULL; - } - if (lstat (path, &st) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot stat %s: %s\n"), - shadow_progname, path, strerror (errno)); - free (path); - return NULL; - } - if (S_ISDIR (st.st_mode)) { - free (path); - rval = strdup (name); - if (NULL == rval) { - OUT_OF_MEMORY; - return NULL; - } - return rval; - } - if (!S_ISLNK (st.st_mode)) { - fprintf (shadow_logfd, - _("%s: %s is neither a directory, nor a symlink.\n"), - shadow_progname, path); - free (path); - return NULL; - } - ret = readlink (path, link, sizeof (link) - 1); - if (-1 == ret) { - fprintf (shadow_logfd, - _("%s: Cannot read symbolic link %s: %s\n"), - shadow_progname, path, strerror (errno)); - free (path); - return NULL; - } - free (path); - if ((size_t)ret >= sizeof(link) - 1) { - stpcpy(&link[sizeof(link) - 1], ""); - fprintf (shadow_logfd, - _("%s: Suspiciously long symlink: %s\n"), - shadow_progname, link); - return NULL; - } - stpcpy(&link[ret], ""); - rval = strdup (link); - if (NULL == rval) { - OUT_OF_MEMORY; - return NULL; - } - return rval; -} - -static /*@null@*/ char *shadowtcb_path (const char *name, 
uid_t uid) -{ - char *ret, *rel; - - rel = shadowtcb_path_rel (name, uid); - if (NULL == rel) { - return NULL; - } - if (asprintf (&ret, TCB_DIR "/%s", rel) == -1) { - OUT_OF_MEMORY; - free (rel); - return NULL; - } - free (rel); - return ret; -} - -static /*@null@*/ char *shadowtcb_path_existing (const char *name) -{ - char *ret, *rel; - - rel = shadowtcb_path_rel_existing (name); - if (NULL == rel) { - return NULL; - } - if (asprintf (&ret, TCB_DIR "/%s", rel) == -1) { - OUT_OF_MEMORY; - free (rel); - return NULL; - } - free (rel); - return ret; -} - -static shadowtcb_status mkdir_leading (const char *name, uid_t uid) -{ - char *ind, *dir, *ptr, *path = shadowtcb_path_rel (name, uid); - struct stat st; - - if (NULL == path) { - return SHADOWTCB_FAILURE; - } - ptr = path; - if (stat (TCB_DIR, &st) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot stat %s: %s\n"), - shadow_progname, TCB_DIR, strerror (errno)); - goto out_free_path; - } - while ((ind = strchr (ptr, '/'))) { - stpcpy(ind, ""); - if (asprintf (&dir, TCB_DIR "/%s", path) == -1) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if ((mkdir (dir, 0700) != 0) && (errno != EEXIST)) { - fprintf (shadow_logfd, - _("%s: Cannot create directory %s: %s\n"), - shadow_progname, dir, strerror (errno)); - goto out_free_dir; - } - if (chown (dir, 0, st.st_gid) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change owner of %s: %s\n"), - shadow_progname, dir, strerror (errno)); - goto out_free_dir; - } - if (chmod (dir, 0711) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change mode of %s: %s\n"), - shadow_progname, dir, strerror (errno)); - goto out_free_dir; - } - free (dir); - *ind = '/'; - ptr = ind + 1; - } - free (path); - return SHADOWTCB_SUCCESS; -out_free_dir: - free (dir); -out_free_path: - free (path); - return SHADOWTCB_FAILURE; -} - -static shadowtcb_status unlink_suffs (const char *user) -{ - static char *suffs[] = { "+", "-", SHADOWTCB_LOCK_SUFFIX }; - char *tmp; - int i; - - for (i = 0; i < 3; 
i++) { - if (asprintf (&tmp, TCB_FMT "%s", user, suffs[i]) == -1) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if ((unlink (tmp) != 0) && (errno != ENOENT)) { - fprintf (shadow_logfd, - _("%s: unlink: %s: %s\n"), - shadow_progname, tmp, strerror (errno)); - free (tmp); - return SHADOWTCB_FAILURE; - } - free (tmp); - } - - return SHADOWTCB_SUCCESS; -} - -/* path should be a relative existing tcb directory */ -static shadowtcb_status rmdir_leading (char *path) -{ - char *ind, *dir; - shadowtcb_status ret = SHADOWTCB_SUCCESS; - while ((ind = strrchr (path, '/'))) { - stpcpy(ind, ""); - if (asprintf (&dir, TCB_DIR "/%s", path) == -1) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if (rmdir (dir) != 0) { - if (errno != ENOTEMPTY) { - fprintf (shadow_logfd, - _("%s: Cannot remove directory %s: %s\n"), - shadow_progname, dir, strerror (errno)); - ret = SHADOWTCB_FAILURE; - } - free (dir); - break; - } - free (dir); - } - return ret; -} - -static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid) -{ - char *olddir = NULL, *newdir = NULL; - char *real_old_dir = NULL, *real_new_dir = NULL; - char *real_old_dir_rel = NULL, *real_new_dir_rel = NULL; - uid_t old_uid, the_newid; - struct stat oldmode; - shadowtcb_status ret = SHADOWTCB_FAILURE; - - if (NULL == stored_tcb_user) { - return SHADOWTCB_FAILURE; - } - if (asprintf (&olddir, TCB_DIR "/%s", stored_tcb_user) == -1) { - goto out_free_nomem; - } - if (stat (olddir, &oldmode) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot stat %s: %s\n"), - shadow_progname, olddir, strerror (errno)); - goto out_free; - } - old_uid = oldmode.st_uid; - the_newid = (user_newid == -1) ? 
old_uid : user_newid; - real_old_dir = shadowtcb_path_existing (stored_tcb_user); - if (NULL == real_old_dir) { - goto out_free; - } - real_new_dir = shadowtcb_path (user_newname, the_newid); - if (NULL == real_new_dir) { - goto out_free; - } - if (strcmp (real_old_dir, real_new_dir) == 0) { - ret = SHADOWTCB_SUCCESS; - goto out_free; - } - real_old_dir_rel = shadowtcb_path_rel_existing (stored_tcb_user); - if (NULL == real_old_dir_rel) { - goto out_free; - } - if (mkdir_leading (user_newname, the_newid) == SHADOWTCB_FAILURE) { - goto out_free; - } - if (rename (real_old_dir, real_new_dir) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot rename %s to %s: %s\n"), - shadow_progname, real_old_dir, real_new_dir, strerror (errno)); - goto out_free; - } - if (rmdir_leading (real_old_dir_rel) == SHADOWTCB_FAILURE) { - goto out_free; - } - if ((unlink (olddir) != 0) && (errno != ENOENT)) { - fprintf (shadow_logfd, - _("%s: Cannot remove %s: %s\n"), - shadow_progname, olddir, strerror (errno)); - goto out_free; - } - if (asprintf (&newdir, TCB_DIR "/%s", user_newname) == -1) { - goto out_free_nomem; - } - real_new_dir_rel = shadowtcb_path_rel (user_newname, the_newid); - if (NULL == real_new_dir_rel) { - goto out_free; - } - if ( (strcmp (real_new_dir, newdir) != 0) - && (symlink (real_new_dir_rel, newdir) != 0)) { - fprintf (shadow_logfd, - _("%s: Cannot create symbolic link %s: %s\n"), - shadow_progname, real_new_dir_rel, strerror (errno)); - goto out_free; - } - ret = SHADOWTCB_SUCCESS; - goto out_free; -out_free_nomem: - OUT_OF_MEMORY; -out_free: - free (olddir); - free (newdir); - free (real_old_dir); - free (real_new_dir); - free (real_old_dir_rel); - free (real_new_dir_rel); - return ret; -} - -shadowtcb_status shadowtcb_set_user (const char* name) -{ - char *buf; - shadowtcb_status retval; - - if (!getdef_bool ("USE_TCB")) { - return SHADOWTCB_SUCCESS; - } - - free (stored_tcb_user); - - stored_tcb_user = strdup (name); - if (NULL == stored_tcb_user) { - 
OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if (asprintf (&buf, TCB_FMT, name) == -1) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - - retval = (spw_setdbname (buf) != 0) ? SHADOWTCB_SUCCESS : SHADOWTCB_FAILURE; - free (buf); - return retval; -} - -/* tcb directory must be empty before shadowtcb_remove is called. */ -shadowtcb_status shadowtcb_remove (const char *name) -{ - shadowtcb_status ret = SHADOWTCB_SUCCESS; - char *path = shadowtcb_path_existing (name); - char *rel = shadowtcb_path_rel_existing (name); - if ((NULL == path) || (NULL == rel) || (rmdir (path) != 0)) { - return SHADOWTCB_FAILURE; - } - if (rmdir_leading (rel) == SHADOWTCB_FAILURE) { - return SHADOWTCB_FAILURE; - } - free (path); - free (rel); - if (asprintf (&path, TCB_DIR "/%s", name) == -1) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if ((unlink (path) != 0) && (errno != ENOENT)) { - ret = SHADOWTCB_FAILURE; - } - free (path); - return ret; -} - -shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_newid) -{ - struct stat dirmode, filemode; - char *tcbdir, *shadow; - shadowtcb_status ret = SHADOWTCB_FAILURE; - - if (!getdef_bool ("USE_TCB")) { - return SHADOWTCB_SUCCESS; - } - if (NULL == stored_tcb_user) { - return SHADOWTCB_FAILURE; - } - if (NULL == user_newname) { - user_newname = stored_tcb_user; - } - if (move_dir (user_newname, user_newid) == SHADOWTCB_FAILURE) { - return SHADOWTCB_FAILURE; - } - if (-1 == user_newid) { - return SHADOWTCB_SUCCESS; - } - if ( (asprintf (&tcbdir, TCB_DIR "/%s", user_newname) == -1) - || (asprintf (&shadow, TCB_FMT, user_newname) == -1)) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if (stat (tcbdir, &dirmode) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot stat %s: %s\n"), - shadow_progname, tcbdir, strerror (errno)); - goto out_free; - } - if (chown (tcbdir, 0, 0) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change owners of %s: %s\n"), - shadow_progname, tcbdir, strerror (errno)); - goto 
out_free; - } - if (chmod (tcbdir, 0700) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change mode of %s: %s\n"), - shadow_progname, tcbdir, strerror (errno)); - goto out_free; - } - if (lstat (shadow, &filemode) != 0) { - if (errno != ENOENT) { - fprintf (shadow_logfd, - _("%s: Cannot lstat %s: %s\n"), - shadow_progname, shadow, strerror (errno)); - goto out_free; - } - fprintf (shadow_logfd, - _("%s: Warning, user %s has no tcb shadow file.\n"), - shadow_progname, user_newname); - } else { - if (!S_ISREG (filemode.st_mode) || - filemode.st_nlink != 1) { - fprintf (shadow_logfd, - _("%s: Emergency: %s's tcb shadow is not a " - "regular file with st_nlink=1.\n" - "The account is left locked.\n"), - shadow_progname, user_newname); - goto out_free; - } - if (chown (shadow, user_newid, filemode.st_gid) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change owner of %s: %s\n"), - shadow_progname, shadow, strerror (errno)); - goto out_free; - } - if (chmod (shadow, filemode.st_mode & 07777) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change mode of %s: %s\n"), - shadow_progname, shadow, strerror (errno)); - goto out_free; - } - } - if (unlink_suffs (user_newname) == SHADOWTCB_FAILURE) { - goto out_free; - } - if (chown (tcbdir, user_newid, dirmode.st_gid) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change owner of %s: %s\n"), - shadow_progname, tcbdir, strerror (errno)); - goto out_free; - } - if (chmod (tcbdir, dirmode.st_mode & 07777) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change mode of %s: %s\n"), - shadow_progname, tcbdir, strerror (errno)); - goto out_free; - } - ret = SHADOWTCB_SUCCESS; -out_free: - free (tcbdir); - free (shadow); - return ret; -} - -shadowtcb_status shadowtcb_create (const char *name, uid_t uid) -{ - char *dir, *shadow; - struct stat tcbdir_stat; - gid_t shadowgid, authgid; - struct group *gr; - int fd = -1; - shadowtcb_status ret = SHADOWTCB_FAILURE; - - if (!getdef_bool ("USE_TCB")) { - return SHADOWTCB_SUCCESS; - } - 
if (stat (TCB_DIR, &tcbdir_stat) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot stat %s: %s\n"), - shadow_progname, TCB_DIR, strerror (errno)); - return SHADOWTCB_FAILURE; - } - shadowgid = tcbdir_stat.st_gid; - authgid = shadowgid; - if (getdef_bool ("TCB_AUTH_GROUP")) { - gr = getgrnam ("auth"); - if (NULL != gr) { - authgid = gr->gr_gid; - } - } - - if ( (asprintf (&dir, TCB_DIR "/%s", name) == -1) - || (asprintf (&shadow, TCB_FMT, name) == -1)) { - OUT_OF_MEMORY; - return SHADOWTCB_FAILURE; - } - if (mkdir (dir, 0700) != 0) { - fprintf (shadow_logfd, - _("%s: mkdir: %s: %s\n"), - shadow_progname, dir, strerror (errno)); - goto out_free; - } - fd = open (shadow, O_RDWR | O_CREAT | O_TRUNC, 0600); - if (fd < 0) { - fprintf (shadow_logfd, - _("%s: Cannot open %s: %s\n"), - shadow_progname, shadow, strerror (errno)); - goto out_free; - } - if (fchown (fd, 0, authgid) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change owner of %s: %s\n"), - shadow_progname, shadow, strerror (errno)); - goto out_free; - } - if (fchmod (fd, (mode_t) ((authgid == shadowgid) ? 0600 : 0640)) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change mode of %s: %s\n"), - shadow_progname, shadow, strerror (errno)); - goto out_free; - } - if (chown (dir, 0, authgid) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change owner of %s: %s\n"), - shadow_progname, dir, strerror (errno)); - goto out_free; - } - if (chmod (dir, (mode_t) ((authgid == shadowgid) ? 02700 : 02710)) != 0) { - fprintf (shadow_logfd, - _("%s: Cannot change mode of %s: %s\n"), - shadow_progname, dir, strerror (errno)); - goto out_free; - } - if ( (shadowtcb_set_user (name) == SHADOWTCB_FAILURE) - || (shadowtcb_move (NULL, uid) == SHADOWTCB_FAILURE)) { - goto out_free; - } - ret = SHADOWTCB_SUCCESS; -out_free: - if (fd != -1) - close(fd); - free (dir); - free (shadow); - return ret; -} - diff --git a/lib/tcbfuncs.h b/lib/tcbfuncs.h deleted file mode 100644 index 6324bc1c7..000000000 --- a/lib/tcbfuncs.h +++ /dev/null 
@@ -1,19 +0,0 @@ -#ifndef _TCBFUNCS_H -#define _TCBFUNCS_H - -#include - -typedef enum { - SHADOWTCB_FAILURE = 0, - SHADOWTCB_SUCCESS = 1 -} shadowtcb_status; - -extern shadowtcb_status shadowtcb_drop_priv (void); -extern shadowtcb_status shadowtcb_gain_priv (void); -extern shadowtcb_status shadowtcb_set_user (const char *name); -extern shadowtcb_status shadowtcb_remove (const char *name); -extern shadowtcb_status shadowtcb_move (/*@null@*/const char *user_newname, - uid_t user_newid); -extern shadowtcb_status shadowtcb_create (const char *name, uid_t uid); - -#endif diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am index b6488e779..d89b02164 100644 --- a/libsubid/Makefile.am +++ b/libsubid/Makefile.am @@ -15,7 +15,6 @@ MISCLIBS = \ $(LIBCRYPT) \ $(LIBACL) \ $(LIBATTR) \ - $(LIBTCB) \ $(LIBPAM) libsubid_la_LIBADD = \ diff --git a/man/Makefile.am b/man/Makefile.am index 14055097c..6c191a719 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -177,8 +177,6 @@ login_defs_v = \ SU_WHEEL_ONLY.xml \ SYSLOG_SG_ENAB.xml \ SYSLOG_SU_ENAB.xml \ - TCB_AUTH_GROUP.xml \ - TCB_SYMLINKS.xml \ TTYGROUP.xml \ TTYTYPE_FILE.xml \ UID_MAX.xml \ @@ -186,7 +184,6 @@ login_defs_v = \ UMASK.xml \ USERDEL_CMD.xml \ USERGROUPS_ENAB.xml \ - USE_TCB.xml \ SUB_GID_COUNT.xml \ SUB_UID_COUNT.xml \ SYS_GID_MAX.xml \ diff --git a/man/chage.1.xml b/man/chage.1.xml index 060409b83..f20f2cc6e 100644 --- a/man/chage.1.xml +++ b/man/chage.1.xml @@ -6,7 +6,6 @@ --> ]> @@ -260,18 +259,6 @@ - - CONFIGURATION - - The following configuration variables in - /etc/login.defs change the behavior of this - tool: - - - &USE_TCB; - - - FILES diff --git a/man/generate_mans.mak b/man/generate_mans.mak index 47f906fea..1e34d82b9 100644 --- a/man/generate_mans.mak +++ b/man/generate_mans.mak @@ -13,11 +13,6 @@ SHADOWGRP_COND=gshadow else SHADOWGRP_COND=no_gshadow endif -if WITH_TCB -TCB_COND=tcb -else -TCB_COND=no_tcb -endif if USE_SHA_CRYPT SHA_CRYPT_COND=sha_crypt 
@@ -62,7 +57,7 @@ if ENABLE_REGENERATE_MAN fi man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml - $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \ + $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(SHA_CRYPT_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \ --param "man.authors.section.enabled" "0" \ --stringparam "man.output.base.dir" "" \ --stringparam vendordir "$(VENDORDIR)" \ diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml index 7263395cf..a49c0d808 100644 --- a/man/login.defs.5.xml +++ b/man/login.defs.5.xml @@ -65,8 +65,6 @@ - - @@ -74,7 +72,6 @@ - ]> @@ -211,8 +208,6 @@ &SYS_UID_MAX; &SYSLOG_SG_ENAB; &SYSLOG_SU_ENAB; - &TCB_AUTH_GROUP; - &TCB_SYMLINKS; &TTYGROUP; &TTYTYPE_FILE; &UID_MAX; @@ -220,7 +215,6 @@ &UMASK; &USERDEL_CMD; &USERGROUPS_ENAB; - &USE_TCB; &YESCRYPT_COST_FACTOR; @@ -233,12 +227,6 @@ - - chage - - USE_TCB - - chfn @@ -429,7 +417,6 @@ PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE - TCB_AUTH_GROUP TCB_SYMLINKS USE_TCB @@ -438,15 +425,6 @@ PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE - USE_TCB - - - - - pwunconv - - - USE_TCB @@ -490,7 +468,6 @@ SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK - TCB_AUTH_GROUP TCB_SYMLINK USE_TCB @@ -500,7 +477,6 @@ MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD USERGROUPS_ENAB - TCB_SYMLINKS USE_TCB @@ -510,15 +486,6 @@ LASTLOG_UID_MAX MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP - TCB_SYMLINKS USE_TCB - - - - - vipw - - - USE_TCB diff --git a/man/login.defs.d/TCB_AUTH_GROUP.xml b/man/login.defs.d/TCB_AUTH_GROUP.xml deleted file mode 100644 index fabcb036e..000000000 --- a/man/login.defs.d/TCB_AUTH_GROUP.xml +++ /dev/null 
@@ -1,13 +0,0 @@ - - - (boolean) - - - If yes, newly created tcb shadow files - will be group owned by the auth group. - - - diff --git a/man/login.defs.d/TCB_SYMLINKS.xml b/man/login.defs.d/TCB_SYMLINKS.xml deleted file mode 100644 index 7e52c3420..000000000 --- a/man/login.defs.d/TCB_SYMLINKS.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - (boolean) - - - If yes, the location of the user tcb - directory to be created will not be automatically set to /etc/tcb/user, - but will be computed depending on the UID of the user, according to - the following algorithm: - -if ( UID is less than 1000) { - use /etc/tcb/user -} else if ( UID is less than 1000000) { - kilos = UID / 1000 - use /etc/tcb/:kilos/user - make symlink /etc/tcb/user to the above directory -} else { - megas = UID / 1000000 - kilos = ( UID / megas * 1000000 ) / 1000 - use /etc/tcb/:megas/:kilos/user - make symlink /etc/tcb/user to the above directory -} - - - - diff --git a/man/login.defs.d/USE_TCB.xml b/man/login.defs.d/USE_TCB.xml deleted file mode 100644 index a89bf239e..000000000 --- a/man/login.defs.d/USE_TCB.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - (boolean) - - - If yes, the - tcb5 - password shadowing scheme will be used. - - - diff --git a/man/pwck.8.xml b/man/pwck.8.xml index 4eb820d66..de3540df2 100644 --- a/man/pwck.8.xml +++ b/man/pwck.8.xml @@ -10,9 +10,6 @@ - - - ]> @@ -71,9 +68,6 @@ The pwck command verifies the integrity of the users and authentication information. It checks that all entries in /etc/passwd and /etc/shadow - (or the files in - /etc/tcb, when is - enabled) have the proper format and contain valid data. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors. @@ -212,9 +206,6 @@ Sort entries in /etc/passwd and /etc/shadow by UID. - - This option has no effect when is enabled. - 
@@ -222,18 +213,11 @@ By default, pwck operates on the files /etc/passwd and - /etc/shadow (or the - files in /etc/tcb). + /etc/shadow. The user may select alternate files with the passwd and shadow parameters. - - Note that when is enabled, you cannot - specify an alternative shadow file. In - future releases, this parameter could be replaced by an alternate - TCB directory. - @@ -248,9 +232,6 @@ &PASS_MAX_DAYS; &PASS_MIN_DAYS; &PASS_WARN_AGE; - &TCB_AUTH_GROUP; - &TCB_SYMLINKS; - &USE_TCB; diff --git a/man/pwconv.8.xml b/man/pwconv.8.xml index cb712fb6a..9cd03a821 100644 --- a/man/pwconv.8.xml +++ b/man/pwconv.8.xml @@ -11,7 +11,6 @@ - ]> @@ -84,15 +83,6 @@ remap='I'>shadow from passwd and an optionally existing shadow. - - pwconv does not work with - enabled. To convert to tcb passwords, you - should first use pwconv to convert to shadowed - passwords by disabling in - login.defs and then convert to tcb password - using tcb_convert (and re-enable - in login.defs.) - The pwunconv command creates shadow and then removes shadow. - - pwunconv does not work with - enabled. You should first switch back from - tcb to shadowed passwords using tcb_unconvert, - and then disable in - login.defs before using - pwunconv. - The grpconv command creates @@ -246,13 +227,7 @@ , pwck8 - , - - tcb_convert8 - , - - tcb_unconvert8 - . + . diff --git a/man/useradd.8.xml b/man/useradd.8.xml index 001e7d14c..1dd8a2bd8 100644 --- a/man/useradd.8.xml +++ b/man/useradd.8.xml @@ -21,9 +21,6 @@ - - - ]> @@ -752,11 +749,8 @@ &SUB_UID_COUNT; &SYS_GID_MAX; &SYS_UID_MAX; - &TCB_AUTH_GROUP; - &TCB_SYMLINKS; &UID_MAX; &UMASK; - &USE_TCB; &USERGROUPS_ENAB; diff --git a/man/userdel.8.xml b/man/userdel.8.xml index 5bd2981a3..f7afae6c3 100644 --- a/man/userdel.8.xml +++ b/man/userdel.8.xml @@ -8,8 +8,6 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - - @@ -171,8 +169,6 @@ &MAIL_DIR; &MAX_MEMBERS_PER_GROUP; - &TCB_SYMLINKS; - &USE_TCB; &USERDEL_CMD; &USERGROUPS_ENAB; 
diff --git a/man/usermod.8.xml b/man/usermod.8.xml index 349248b6b..30f4c9edf 100644 --- a/man/usermod.8.xml +++ b/man/usermod.8.xml @@ -11,8 +11,6 @@ - - ]> @@ -562,8 +560,6 @@ &MAX_MEMBERS_PER_GROUP; &SUB_GID_COUNT; &SUB_UID_COUNT; - &TCB_SYMLINKS; - &USE_TCB; diff --git a/man/vipw.8.xml b/man/vipw.8.xml index fb80582bc..3aa89a221 100644 --- a/man/vipw.8.xml +++ b/man/vipw.8.xml @@ -7,7 +7,6 @@ --> ]> @@ -129,24 +128,6 @@ Edit shadow or gshadow database. - - , - - Indicates which user's tcb shadow file to edit. - - - - - - - CONFIGURATION - - The following configuration variables in - /etc/login.defs change the behavior of this - tool: - - - &USE_TCB; @@ -209,16 +190,10 @@ , gshadow5 - - - login.defs5 , passwd5 , - - tcb5 - , shadow5 . diff --git a/po/POTFILES.in b/po/POTFILES.in index 3aff87b2d..0bf31c7eb 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -69,7 +69,6 @@ lib/spawn.c lib/strtoday.c lib/sub.c lib/sulog.c -lib/tcbfuncs.c lib/ttytype.c lib/tz.c lib/ulimit.c diff --git a/src/Makefile.am b/src/Makefile.am index d4e6f3ab7..77f6ceb39 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -63,13 +63,10 @@ noinst_PROGRAMS = sulogin suidusbins = suidbins = -suidubins = chage chfn chsh expiry gpasswd newgrp +suidubins = chage chfn chsh expiry gpasswd newgrp passwd if WITH_SU suidbins += su endif -if !WITH_TCB -suidubins += passwd -endif if ACCT_TOOLS_SETUID suidusbins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod endif @@ -79,13 +76,8 @@ suidubins += newgidmap newuidmap endif endif -if WITH_TCB -shadowsgidubins = passwd -endif - LDADD = $(INTLLIBS) \ - $(top_builddir)/lib/libshadow.la \ - $(LIBTCB) + $(top_builddir)/lib/libshadow.la if ACCT_TOOLS_SETUID LIBPAM_SUID = $(LIBPAM) 
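Review bot: Adding `passwd` to `suidubins` unconditionally changes the installed privilege model for anyone who previously built with tcb: that configuration installed passwd as root:shadow with `$(sgidperms)` (the `shadowsgidubins` loop removed in the install-am hunk), and it is now setuid root with `$(suidperms)` like the other tools. The commit message only says the support was incomplete; a sentence there or in the release notes stating that former tcb builds now ship a setuid-root passwd would let packagers re-check permission manifests and any statoverride-style database that pinned the old mode. The change itself looks right, since `if !WITH_TCB` was the only thing keeping passwd out of the list.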
@@ -150,12 +142,6 @@ install-am: all-am
 set -e; for i in $(suidusbins); do \
 chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
 done
-if WITH_TCB
- set -e; for i in $(shadowsgidubins); do \
- chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
- chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
- done
-endif
 if ENABLE_SUBIDS
 if FCAPS
 setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
@@ -176,8 +162,7 @@ MISCLIBS = \
 $(LIBSKEY) \
 $(LIBMD) \
 $(LIBECONF) \
- $(LIBCRYPT) \
- $(LIBTCB)
+ $(LIBCRYPT)
 getsubids_LDADD = \
 $(top_builddir)/lib/libshadow.la \
diff --git a/src/chage.c b/src/chage.c
index 4b482be7a..63e8eb9a9 100644
--- a/src/chage.c
+++ b/src/chage.c
@@ -41,10 +41,6 @@
 /*@-exitarg@*/
 #include "exitcodes.h"
-#ifdef WITH_TCB
-#include "tcbfuncs.h"
-#endif
-
 /*
 * Global variables
@@ -816,11 +812,6 @@ int main (int argc, char **argv)
 }
 STRTCPY(user_name, pw->pw_name);
-#ifdef WITH_TCB
- if (shadowtcb_set_user (pw->pw_name) == SHADOWTCB_FAILURE) {
- fail_exit (E_NOPERM);
- }
-#endif
 user_uid = pw->pw_uid;
 sp = spw_locate (argv[optind]);
diff --git a/src/pwck.c b/src/pwck.c
index 70ff5e68c..42318b42a 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -26,9 +26,6 @@
 #include "getdef.h"
 #include "nscd.h"
 #include "sssd.h"
-#ifdef WITH_TCB
-#include "tcbfuncs.h"
-#endif /* WITH_TCB */
 #include "shadowlog.h"
 /*
@@ -114,34 +111,18 @@ static void usage (int status) { FILE *usageout = (E_SUCCESS != status) ? stderr : stdout; -#ifdef WITH_TCB - if (getdef_bool ("USE_TCB")) { - (void) fprintf (usageout, - _("Usage: %s [options] [passwd]\n" - "\n" - "Options:\n"), - Prog); - } else -#endif /* WITH_TCB */ - { - (void) fprintf (usageout, - _("Usage: %s [options] [passwd [shadow]]\n" - "\n" - "Options:\n"), - Prog); - } + (void) fprintf (usageout, + _("Usage: %s [options] [passwd [shadow]]\n" + "\n" + "Options:\n"), + Prog); (void) fputs (_(" -b, --badname allow bad names\n"), usageout); (void) fputs (_(" -h, --help display this help message and exit\n"), usageout); (void) fputs (_(" -q, --quiet report errors only\n"), usageout); (void) fputs (_(" -r, --read-only display errors and warnings\n" " but do not change files\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -#ifdef WITH_TCB - if (!getdef_bool ("USE_TCB")) -#endif /* !WITH_TCB */ - { - (void) fputs (_(" -s, --sort sort entries by UID\n"), usageout); - } + (void) fputs (_(" -s, --sort sort entries by UID\n"), usageout); (void) fputs ("\n", usageout); exit (status); } @@ -214,14 +195,6 @@ static void process_flags (int argc, char **argv) use_system_pw_file = false; } if ((optind + 2) == argc) { -#ifdef WITH_TCB - if (getdef_bool ("USE_TCB")) { - fprintf (stderr, - _("%s: no alternative shadow file allowed when USE_TCB is enabled.\n"), - Prog); - usage (E_USAGE); - } -#endif /* WITH_TCB */ spw_setdbname (argv[optind + 1]); is_shadow = true; use_system_spw_file = false; @@ -238,11 +211,6 @@ static void process_flags (int argc, char **argv) */ static void open_files (void) { - bool use_tcb = false; -#ifdef WITH_TCB - use_tcb = getdef_bool ("USE_TCB"); -#endif /* WITH_TCB */ - /* * Lock the files if we aren't in "read-only" mode */ 
@@ -254,7 +222,7 @@ static void open_files (void) fail_exit (E_CANTLOCK); } pw_locked = true; - if (is_shadow && !use_tcb) { + if (is_shadow) { if (spw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), @@ -277,7 +245,7 @@ static void open_files (void) } fail_exit (E_CANTOPEN); } - if (is_shadow && !use_tcb) { + if (is_shadow) { if (spw_open (read_only ? O_RDONLY : O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); @@ -541,52 +509,6 @@ static void check_pw_file (int *errors, bool *changed) */ if (is_shadow) { -#ifdef WITH_TCB - if (getdef_bool ("USE_TCB")) { - if (shadowtcb_set_user (pwd->pw_name) == SHADOWTCB_FAILURE) { - printf (_("no tcb directory for %s\n"), - pwd->pw_name); - printf (_("create tcb directory for %s?"), - pwd->pw_name); - *errors += 1; - if (yes_or_no (read_only)) { - if (shadowtcb_create (pwd->pw_name, pwd->pw_uid) == SHADOWTCB_FAILURE) { - *errors += 1; - printf (_("failed to create tcb directory for %s\n"), pwd->pw_name); - continue; - } - } else { - continue; - } - } - if (spw_lock () == 0) { - *errors += 1; - fprintf (stderr, - _("%s: cannot lock %s.\n"), - Prog, spw_dbname ()); - continue; - } - spw_locked = true; - if (spw_open (read_only ? O_RDONLY : O_RDWR) == 0) { - fprintf (stderr, - _("%s: cannot open %s\n"), - Prog, spw_dbname ()); - *errors += 1; - if (spw_unlock () == 0) { - fprintf (stderr, - _("%s: failed to unlock %s\n"), - Prog, spw_dbname ()); - if (use_system_spw_file) { - SYSLOG ((LOG_ERR, - "failed to unlock %s", - spw_dbname ())); - } - } - continue; - } - spw_opened = true; - } -#endif /* WITH_TCB */ spw = spw_locate (pwd->pw_name); if (NULL == spw) { printf (_("no matching password file entry in %s\n"), 
@@ -647,33 +569,6 @@ static void check_pw_file (int *errors, bool *changed) } } } -#ifdef WITH_TCB - if (getdef_bool ("USE_TCB") && spw_locked) { - if (spw_opened && (spw_close () == 0)) { - fprintf (stderr, - _("%s: failure while writing changes to %s\n"), - Prog, spw_dbname ()); - if (use_system_spw_file) { - SYSLOG ((LOG_ERR, - "failure while writing changes to %s", - spw_dbname ())); - } - } else { - spw_opened = false; - } - if (spw_unlock () == 0) { - fprintf (stderr, - _("%s: failed to unlock %s\n"), - Prog, spw_dbname ()); - if (use_system_spw_file) { - SYSLOG ((LOG_ERR, "failed to unlock %s", - spw_dbname ())); - } - } else { - spw_locked = false; - } - } -#endif /* WITH_TCB */ } } diff --git a/src/pwconv.c b/src/pwconv.c index 7dd327ae0..5e659186c 100644 --- a/src/pwconv.c +++ b/src/pwconv.c @@ -168,13 +168,6 @@ int main (int argc, char **argv) process_flags (argc, argv); -#ifdef WITH_TCB - if (getdef_bool("USE_TCB")) { - fprintf (stderr, _("%s: can't work with tcb enabled\n"), Prog); - exit (E_FAILURE); - } -#endif /* WITH_TCB */ - if (pw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), diff --git a/src/pwunconv.c b/src/pwunconv.c index fe18113a6..0872afcc2 100644 --- a/src/pwunconv.c +++ b/src/pwunconv.c @@ -128,13 +128,6 @@ int main (int argc, char **argv) process_flags (argc, argv); -#ifdef WITH_TCB - if (getdef_bool("USE_TCB")) { - fprintf (stderr, _("%s: can't work with tcb enabled\n"), Prog); - exit (1); - } -#endif /* WITH_TCB */ - if (!spw_file_present ()) { /* shadow not installed, do nothing */ exit (0); diff --git a/src/useradd.c b/src/useradd.c index bb907bab6..c67ce4fcc 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -61,9 +61,6 @@ #ifdef ENABLE_SUBIDS #include "subordinateio.h" #endif /* ENABLE_SUBIDS */ -#ifdef WITH_TCB -#include "tcbfuncs.h" -#endif #include "shadowlog.h" #include "string/sprintf/snprintf.h" #include "string/sprintf/xasprintf.h" 
@@ -2627,16 +2624,6 @@ int main (int argc, char **argv) if (uflg) check_uid_range(rflg,user_id); -#ifdef WITH_TCB - if (getdef_bool ("USE_TCB")) { - if (shadowtcb_create (user_name, user_id) == SHADOWTCB_FAILURE) { - fprintf (stderr, - _("%s: Failed to create tcb directory for %s\n"), - Prog, user_name); - fail_exit (E_UID_IN_USE); - } - } -#endif open_shadow (); /* do we have to add a group for that user? This is why we need to diff --git a/src/userdel.c b/src/userdel.c index ead696041..048ddf4c3 100644 --- a/src/userdel.c +++ b/src/userdel.c @@ -40,10 +40,6 @@ #ifdef WITH_SELINUX #include #endif /* WITH_SELINUX */ -#ifdef WITH_TCB -#include -#include "tcbfuncs.h" -#endif /* WITH_TCB */ #include "run_part.h" /*@-exitarg@*/ #include "exitcodes.h" @@ -119,9 +115,6 @@ static bool path_prefix (const char *, const char *); #endif /* EXTRA_CHECK_HOME_DIR */ static int is_owner (uid_t, const char *); static int remove_mailbox (void); -#ifdef WITH_TCB -static int remove_tcbdir (const char *user_name, uid_t user_id); -#endif /* WITH_TCB */ /* * usage - display usage message and exit 
@@ -901,49 +894,6 @@ static int remove_mailbox (void) return errors; } -#ifdef WITH_TCB -static int remove_tcbdir (const char *user_name, uid_t user_id) -{ - int ret = 0; - char *buf; - - if (!getdef_bool ("USE_TCB")) { - return 0; - } - - if (asprintf(&buf, TCB_DIR "/%s", user_name) == -1) { - fprintf(stderr, - _("%s: Can't allocate memory, tcb entry for %s not removed.\n"), - Prog, user_name); - return 1; - } - if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) { - fprintf (stderr, _("%s: Cannot drop privileges: %s\n"), - Prog, strerror (errno)); - shadowtcb_gain_priv (); - free (buf); - return 1; - } - /* Only remove directory contents with dropped privileges. - * We will regain them and remove the user's tcb directory afterwards. - */ - if (remove_tree (buf, false) != 0) { - fprintf (stderr, _("%s: Cannot remove the content of %s: %s\n"), - Prog, buf, strerror (errno)); - shadowtcb_gain_priv (); - free (buf); - return 1; - } - shadowtcb_gain_priv (); - free (buf); - if (shadowtcb_remove (user_name) == SHADOWTCB_FAILURE) { - fprintf (stderr, _("%s: Cannot remove tcb files for %s: %s\n"), - Prog, user_name, strerror (errno)); - ret = 1; - } - return ret; -} -#endif /* WITH_TCB */ /* * main - userdel command @@ -1120,11 +1070,6 @@ int main (int argc, char **argv) } pw_close(); } -#ifdef WITH_TCB - if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { - exit (E_NOTFOUND); - } -#endif /* WITH_TCB */ /* * Check to make certain the user isn't logged in. * Note: This is a best effort basis. The user may log in between, @@ -1271,9 +1216,6 @@ int main (int argc, char **argv) exit(1); } -#ifdef WITH_TCB - errors += remove_tcbdir (user_name, user_id); -#endif /* WITH_TCB */ nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); diff --git a/src/usermod.c b/src/usermod.c index 321ab383b..68b7739f8 100644 --- a/src/usermod.c +++ b/src/usermod.c 
@@ -57,9 +57,6 @@ #ifdef WITH_SELINUX #include #endif /* WITH_SELINUX */ -#ifdef WITH_TCB -#include "tcbfuncs.h" -#endif #include "shadowlog.h" #include "string/sprintf/xasprintf.h" #include "string/strdup/xstrdup.h" @@ -2211,12 +2208,6 @@ int main (int argc, char **argv) #endif /* USE_PAM */ #endif /* ACCT_TOOLS_SETUID */ -#ifdef WITH_TCB - if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { - exit (E_PW_UPDATE); - } -#endif - /* * Do the hard stuff - open the files, change the user entries, * change the home directory, then close and update the files. @@ -2285,13 +2276,6 @@ int main (int argc, char **argv) #endif /* ENABLE_SUBIDS */ close_files (); -#ifdef WITH_TCB - if ( (lflg || uflg) - && (shadowtcb_move (user_newname, user_newid) == SHADOWTCB_FAILURE) ) { - exit (E_PW_UPDATE); - } -#endif - nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); diff --git a/src/vipw.c b/src/vipw.c index 31c3b7795..aa9df459f 100644 --- a/src/vipw.c +++ b/src/vipw.c @@ -38,10 +38,6 @@ #include "shadowio.h" /*@-exitarg@*/ #include "exitcodes.h" -#ifdef WITH_TCB -#include -#include "tcbfuncs.h" -#endif /* WITH_TCB */ #include "shadowlog.h" #include "string/sprintf/snprintf.h" #include "string/sprintf/xasprintf.h" @@ -62,11 +58,6 @@ static bool filelocked = false; static bool createedit = false; static int (*unlock) (void); static bool quiet = false; -#ifdef WITH_TCB -static const char *user = NULL; -static bool tcb_mode = false; -#define SHADOWTCB_SCRATCHDIR ":tmp" -#endif /* WITH_TCB */ /* local function prototypes */ static void usage (int status); 
@@ -91,9 +82,6 @@ static void usage (int status) (void) fputs (_(" -q, --quiet quiet mode\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs (_(" -s, --shadow edit shadow or gshadow database\n"), usageout); -#ifdef WITH_TCB - (void) fputs (_(" -u, --user which user's tcb shadow file to edit\n"), usageout); -#endif /* WITH_TCB */ (void) fputs (_("\n"), usageout); exit (status); } @@ -206,24 +194,7 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) char filebackup[1024], fileedit[1024]; SNPRINTF(filebackup, "%s-", file); -#ifdef WITH_TCB - if (tcb_mode) { - if ( (mkdir (TCB_DIR "/" SHADOWTCB_SCRATCHDIR, 0700) != 0) - && (errno != EEXIST)) { - vipwexit (_("failed to create scratch directory"), errno, 1); - } - if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) { - vipwexit (_("failed to drop privileges"), errno, 1); - } - SNPRINTF(fileedit, - TCB_DIR "/" SHADOWTCB_SCRATCHDIR "/.vipw.shadow.%s", - user); - } else { -#endif /* WITH_TCB */ - SNPRINTF(fileedit, "%s.edit", file); -#ifdef WITH_TCB - } -#endif /* WITH_TCB */ + SNPRINTF(fileedit, "%s.edit", file); unlock = file_unlock; filename = file; fileeditname = fileedit; @@ -247,20 +218,10 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) } } #endif /* WITH_SELINUX */ -#ifdef WITH_TCB - if (tcb_mode && (shadowtcb_gain_priv () == SHADOWTCB_FAILURE)) { - vipwexit (_("failed to gain privileges"), errno, 1); - } -#endif /* WITH_TCB */ if (file_lock () == 0) { vipwexit (_("Couldn't lock file"), errno, 5); } filelocked = true; -#ifdef WITH_TCB - if (tcb_mode && (shadowtcb_drop_priv () == SHADOWTCB_FAILURE)) { - vipwexit (_("failed to drop privileges"), errno, 1); - } -#endif /* WITH_TCB */ /* edited copy has same owners, perm */ if (stat (file, &st1) != 0) { 
@@ -270,10 +231,6 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) if (NULL == f) { vipwexit (file, 1, 1); } -#ifdef WITH_TCB - if (tcb_mode && (shadowtcb_gain_priv () == SHADOWTCB_FAILURE)) - vipwexit (_("failed to gain privileges"), errno, 1); -#endif /* WITH_TCB */ if (create_backup_file (f, fileedit, &st1) != 0) { vipwexit (_("Couldn't make backup"), errno, 1); } 
@@ -406,57 +363,16 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) * without saving). Use pwck or grpck to do the check. --marekm */ createedit = false; -#ifdef WITH_TCB - if (tcb_mode) { - f = fopen (fileedit, "r"); - if (NULL == f) { - vipwexit (_("failed to open scratch file"), errno, 1); - } - if (unlink (fileedit) != 0) { - vipwexit (_("failed to unlink scratch file"), errno, 1); - } - if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) { - vipwexit (_("failed to drop privileges"), errno, 1); - } - if (stat (file, &st1) != 0) { - vipwexit (_("failed to stat edited file"), errno, 1); - } - if (asprintf(&to_rename, "%s+", file) == -1) - vipwexit (_("asprintf(3) failed"), errno, 1); - - if (create_backup_file (f, to_rename, &st1) != 0) { - free(to_rename); - vipwexit (_("failed to create backup file"), errno, 1); - } - (void) fclose (f); - } else { -#endif /* WITH_TCB */ - to_rename = fileedit; -#ifdef WITH_TCB - } -#endif /* WITH_TCB */ + to_rename = fileedit; unlink (filebackup); link (file, filebackup); if (rename (to_rename, file) == -1) { fprintf (stderr, _("%s: can't restore %s: %s (your changes are in %s)\n"), Prog, file, strerror (errno), to_rename); -#ifdef WITH_TCB - if (tcb_mode) { - free(to_rename); - } -#endif /* WITH_TCB */ vipwexit (0, 0, 1); } -#ifdef WITH_TCB - if (tcb_mode) { - free(to_rename); - if (shadowtcb_gain_priv () == SHADOWTCB_FAILURE) { - vipwexit (_("failed to gain privileges"), errno, 1); - } - } -#endif /* WITH_TCB */ if ((*file_unlock) () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, fileeditname); 
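Review bot: After this hunk `to_rename` is only ever assigned `fileedit` (the other assignment lived in the removed tcb branch), so the local is now a plain alias and the `free(to_rename)` calls that justified it are gone. Unless another assignment remains elsewhere in vipwedit, `rename (to_rename, file)` and the `your changes are in %s` argument can use `fileedit` directly and the variable can be dropped, which also removes the reader's question of whether it still needs freeing. vipwedit begins and ends outside this hunk, and `to_rename`'s declaration is not visible here, so that should be confirmed against the full function.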
@@ -497,18 +413,9 @@ int main (int argc, char **argv) {"quiet", no_argument, NULL, 'q'}, {"root", required_argument, NULL, 'R'}, {"shadow", no_argument, NULL, 's'}, -#ifdef WITH_TCB - {"user", required_argument, NULL, 'u'}, -#endif /* WITH_TCB */ {NULL, 0, NULL, '\0'} }; - while ((c = getopt_long (argc, argv, -#ifdef WITH_TCB - "ghpqR:su:", -#else /* !WITH_TCB */ - "ghpqR:s", -#endif /* !WITH_TCB */ - long_options, NULL)) != -1) { + while ((c = getopt_long (argc, argv, "ghpqR:s", long_options, NULL)) != -1) { switch (c) { case 'g': do_vigr = true; @@ -527,11 +434,6 @@ int main (int argc, char **argv) case 's': editshadow = true; break; -#ifdef WITH_TCB - case 'u': - user = optarg; - break; -#endif /* WITH_TCB */ default: usage (E_USAGE); } @@ -564,17 +466,6 @@ int main (int argc, char **argv) #endif /* SHADOWGRP */ } else { if (editshadow) { -#ifdef WITH_TCB - if (getdef_bool ("USE_TCB") && (NULL != user)) { - if (shadowtcb_set_user (user) == SHADOWTCB_FAILURE) { - fprintf (stderr, - _("%s: failed to find tcb directory for %s\n"), - Prog, user); - return E_SHADOW_NOTFOUND; - } - tcb_mode = true; - } -#endif /* WITH_TCB */ vipwedit (spw_dbname (), spw_lock, spw_unlock); printf (MSG_WARN_EDIT_OTHER_FILE, spw_dbname (),