File: //sbin/adduser
#! /usr/bin/perl -T
# Copyright (C) 1994 Debian Association, Inc.
# 1995 Ted Hajek <tedhajek@boombox.micro.umn.edu>
# 1995 Ian A. Murdock <imurdock@debian.org>
# 1997-1999 Guy Maor <maor@debian.org>
# 2000-2004 Roland Bauerschmidt <rb@debian.org>
# 2004-2025 Marc Haber <mh+debian-packages@zugschlus.de>
# 2005-2009 Joerg Hoh <joerg@joerghoh.de>
# 2006-2011 Stephen Gran <sgran@debian.org>
# 2016 Dr. Helge Kreutzmann <debian@helgefjell.de>
# 2016-2017 Afif Elghraoui <afif@debian.org>
# 2021-2022 Jason Franklin <jason@oneway.dev>
# 2022 Matt Barry <matt@hazelmollusk.org>
# 2022 Benjamin Drung <benjamin.drung@canonical.com>
# 2023 Guillem Jover <guillem@debian.org>
#
# Original adduser:
# Copyright (C) 1997-1999 Guy Maor <maor@debian.org>
#
# Copyright (C) 1995 Ted Hajek <tedhajek@boombox.micro.umn.edu>
# Ian A. Murdock <imurdock@gnu.ai.mit.edu>
#
# The general scheme of this program was adapted from the original
# Debian "adduser" program by Ian A. Murdock <imurdock@gnu.ai.mit.edu>.
#
# License: GPL-2+
use 5.36.0;
use utf8;
use Getopt::Long;
use Debian::AdduserCommon 3.139;
use Debian::AdduserLogging 3.139;
use Debian::AdduserRetvalues 3.139;
BEGIN {
    # All three Debian::Adduser* helper modules must report exactly this
    # version; a mismatch points at a broken installation or an unexpected
    # module search path, so refuse to run at all.
    my $required = version->declare('3.139');
    for my $module (qw(Debian::AdduserCommon Debian::AdduserLogging Debian::AdduserRetvalues)) {
        next if $module->VERSION == $required;
        die "wrong module version in adduser, check your packaging or path";
    }
}
# Version string of this adduser script.
my $version = "3.152";
# Set by the BEGIN block below: true when the Encode module could be loaded.
my $encode_loaded;
# Codeset name; set by the BEGIN block below.
my $codeset;
# Load the optional locale/encoding helpers at compile time. For every helper
# that cannot be loaded a stand-in sub is installed, so the rest of the script
# can call setlocale/encode/decode/langinfo/YESEXPR/NOEXPR unconditionally.
BEGIN {
# NOTE(review): presumably set so that dynamic-loading problems surface
# inside the evals below rather than at first use -- confirm.
local $ENV{PERL_DL_NONLAZY}=1;
eval {
require POSIX;
POSIX->import(qw(setlocale));
};
if ($@) {
# POSIX unavailable: setlocale becomes a stub that just returns 1.
*setlocale = sub { return 1 };
} else {
# Empty locale string: take the LC_MESSAGES setting from the environment.
setlocale( &POSIX::LC_MESSAGES, "" );
}
eval {
require Encode;
Encode->import(qw(encode decode));
};
# A plain assignment does not touch $@, so the test below still reports the
# outcome of the eval that tried to load Encode.
$encode_loaded = 1;
if ($@) {
$encode_loaded = 0;
# Encode unavailable: both stand-ins return their second argument (the
# string) unchanged.
*encode = sub { return $_[1]; };
*decode = sub { return $_[1]; };
}
# Default that stays in place when I18N::Langinfo cannot be loaded.
$codeset = "US-ASCII";
eval {
require I18N::Langinfo;
I18N::Langinfo->import(qw(langinfo CODESET YESEXPR NOEXPR));
$codeset = I18N::Langinfo->CODESET;
};
if ($@) {
# I18N::Langinfo unavailable: langinfo returns its argument unchanged and
# the yes/no answer patterns fall back to ASCII-only expressions.
*langinfo = sub { return shift; };
*YESEXPR = sub { "^[yY]" };
*NOEXPR = sub { "^[nN]" };
}
}
# Result flags of existing_user_status() / existing_group_status().
# The non-zero values are distinct bits; callers combine them with | and
# test them with &.
use constant {
EXISTING_NOT_FOUND => 0,
EXISTING_FOUND => 1,
EXISTING_SYSTEM => 2,
EXISTING_ID_MISMATCH => 4,
EXISTING_LOCKED => 8,
};
# Locale-supplied pattern for an affirmative answer, and the character set
# used for terminal I/O and for decoding command line arguments.
my $yesexpr = langinfo(YESEXPR());
my $charset = langinfo($codeset);
# Only install encoding layers when the real Encode module is available.
if ($encode_loaded) {
binmode(STDOUT, ":encoding($charset)");
binmode(STDERR, ":encoding($charset)");
}
my %config; # configuration hash
# GID of "nogroup"; 65534 is used when the lookup yields a false value.
my $nogroup_id = egetgrnam("nogroup") || 65534;
# Strip the directory part from $0: the script later compares $0 against
# "addgroup" to pick its operation mode.
$0 =~ s+.*/++;
our $action;
our $verbose; # should we be verbose?
# Name check level: 0 by default, 1 for --allow-bad-names / --allow-badname /
# --force-badname, 2 for --allow-all-names.
my $name_check_level = 0;
our $stdoutmsglevel = "warn";
our $stderrmsglevel = "warn";
our $logmsglevel = "info";
# NOTE(review): no option handler in this part of the file sets
# $allow_badname; the bad-name options write $name_check_level -- confirm
# whether this variable is still needed.
my $allow_badname = 0; # should we allow bad names?
my $ask_passwd = 1; # ask for a passwd?
my $disabled_login = 0; # leave the new account disabled?
our @configfiles;
# Note: "= undef" gives this array ONE element (undef), not an empty list.
# It is reassigned after option parsing.
our @defaults = undef;
# Targets of GetOptions; undef means "option not given".
our $found_group_opt = undef;
our $found_sys_opt = undef;
our $ingroup_name = undef;
our $new_firstgid = undef;
our $new_firstuid = undef;
# GECOS/comment text from --comment or --gecos. The name is a reminder that
# the value is only checked later, never replaced by a sanitized copy.
our $comment_tainted = undef;
our $gid_option = undef;
our $primary_gid = undef;
our $new_lastgid = undef;
our $new_lastuid = undef;
our $new_uid = undef;
our $no_create_home = undef;
our $special_home = undef;
our $special_shell = undef;
# --add-extra-groups and its older underscore spelling.
our $add_extra_groups;
our $add_extra_groups_old;
# Global variables we need later
my $existing_user = undef;
my $existing_group = undef;
my $new_name = undef;
my $make_group_also = 0;
my $home_dir = undef;
# The $undo* variables are set just before the matching object is created.
# NOTE(review): presumably read by cleanup()/the signal handler to roll
# back a partial run -- confirm against those subs.
my $undohome = undef;
my $undouser = undef;
my $undogroup = undef;
my $shell = undef;
my $first_uid = undef;
my $last_uid = undef;
my $first_gid = undef;
my $last_gid = undef;
my $dir_mode = undef;
my $perm = undef;
# Pools filled by read_pool(), keyed by name; the reserved_* hashes map the
# pool IDs back to names.
my %uid_pool;
my %gid_pool;
my %reserved_uid_pool;
my %reserved_gid_pool;
# Exit status of the script; stays RET_OK unless a later step changes it.
my $returnvalue = RET_OK;
# Non-option command line arguments (one or two names).
our @names;
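# Parse the command line. @ARGV is traced before and after parsing; the
# separator is join's FIRST argument, so it has to come before the list
# (with the arguments swapped only the separator string is logged).
log_trace("ARGV %s", join("-", @ARGV));
GetOptions(
    'add-extra-groups' => \$add_extra_groups,
    'add_extra_groups' => \$add_extra_groups_old,
    # Name check levels: 2 = allow all names, 1 = allow "bad" names. The
    # level-1 options never lower a level that is already set.
    'allow-all-names' => sub { $name_check_level = 2 },
    'allow-badname' => sub { $name_check_level = 1 unless $name_check_level },
    'allow-bad-names' => sub { $name_check_level = 1 unless $name_check_level },
    # --comment and --gecos are two spellings for the same value.
    'comment:s' => \$comment_tainted,
    'conf|c=s' => \@configfiles,
    'debug' => sub { $verbose = 2; },
    'stdoutmsglevel=s' => \$stdoutmsglevel,
    'stderrmsglevel=s' => \$stderrmsglevel,
    'logmsglevel=s' => \$logmsglevel,
    'disabled-login' => sub { $disabled_login = 1; $ask_passwd = 0 },
    'disabled-password' => sub { $ask_passwd = 0 },
    'firstgid=i' => \$new_firstgid,
    'firstuid=i' => \$new_firstuid,
    'force-badname' => sub { $name_check_level = 1 unless $name_check_level },
    'gecos:s' => \$comment_tainted,
    'gid=i' => \$gid_option,
    'group' => \$found_group_opt,
    'help|h' => sub { &usage; exit 0; },
    'home=s' => \$special_home,
    'ingroup=s' => \$ingroup_name,
    'lastgid=i' => \$new_lastgid,
    'lastuid=i' => \$new_lastuid,
    'no-create-home' => \$no_create_home,
    'quiet|q' => sub { $verbose = 0; },
    'shell=s' => \$special_shell,
    'system' => \$found_sys_opt,
    'uid=i' => \$new_uid,
    'verbose' => sub { $verbose = 1; },
    'version|v' => sub { &version; exit },
) or &usage_error;
log_trace("ARGV %s", join("-", @ARGV));

# Configuration files to read: the default file, or every file named with
# --conf. map keeps all of them; a statement-modifier "for" around a list
# assignment would overwrite @defaults on each pass and keep only the last.
if (!@configfiles) {
    @defaults = ("/etc/adduser.conf");
} else {
    @defaults = map { decode($charset, $_) } @configfiles;
}

# make sure that message levels apply for reading configuration
# this will be overridden again after reading configuration
$stdoutmsglevel = sanitize_string($stdoutmsglevel);
$stderrmsglevel = sanitize_string($stderrmsglevel);
$logmsglevel = sanitize_string($logmsglevel);
set_msglevel( $stderrmsglevel, $stdoutmsglevel, $logmsglevel );
log_trace("ARGV %s", join("-", @ARGV));
# Trace the --home value raw, encoded and decoded. It has not been
# sanitized at this point and may be undef.
log_trace("special_home %s", $special_home);
log_trace("special_home %s", encode($charset, $special_home));
log_trace("special_home %s", decode($charset, $special_home));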
##########################################################
# (1) preseed the config
# (2) read the default /etc/adduser.conf configuration.
# (3) read the default /etc/deluser.conf configuration.
# (4) process command line settings
# last match wins
##########################################################
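# Fill %config; @defaults holds the configuration file name(s) chosen above.
preseed_config(\@defaults,\%config);

# explicitly set PATH, because super (1) cleans up the path and makes adduser unusable;
# this is also a good idea for sudo (which doesn't clean up)
$ENV{"PATH"}="/bin:/usr/bin:/sbin:/usr/sbin";
$ENV{"IFS"}=" \t\n";
# Remove the variables a shell would consult on startup or in "cd". They are
# deleted rather than assigned undef: an assignment leaves the variable in
# the environment of child processes with an empty value.
delete @ENV{qw(ENV BASH_ENV CDPATH)};

# everyone can issue "--help" and "--version", but only root can go on
if( $> != 0) {
    log_fatal( mtx("Only root may add a user or group to the system.") );
    exit( RET_ROOT_NEEDED );
}

# TODO: Handle configuration file input, allow bare input there.
# Apply the message levels again now that the configuration has been read.
$stdoutmsglevel = sanitize_string($stdoutmsglevel);
$stderrmsglevel = sanitize_string($stderrmsglevel);
$logmsglevel = sanitize_string($logmsglevel);
set_msglevel( $stderrmsglevel, $stdoutmsglevel, $logmsglevel );

# --quiet / --verbose / --debug replace the second argument of set_msglevel
# (the one the calls above fill with $stdoutmsglevel).
if( defined $verbose ) {
    if( $verbose == 0 ) {
        set_msglevel( $stderrmsglevel, "error", $logmsglevel );
    } elsif( $verbose == 1 ) {
        set_msglevel( $stderrmsglevel, "info", $logmsglevel );
    } elsif( $verbose == 2 ) {
        set_msglevel( $stderrmsglevel, "debug", $logmsglevel );
    }
}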
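# detect the operation mode
# $0 had its directory part stripped earlier, so the name the script was
# invoked under selects between user and group mode.
$action = $0 eq "addgroup" ? "addgroup" : "adduser";
if (defined($found_sys_opt)) {
    $action = "addsysuser" if ($action eq "adduser");
    $action = "addsysgroup" if ($action eq "addgroup");
}
log_trace("action $action");

############################
# checks related to @names #
############################
# The separator is join's first argument; with the arguments swapped the
# trace line would not show the remaining arguments.
log_trace("ARGV %s", join("-", @ARGV));
while (defined(my $arg = shift(@ARGV))) {
    $arg = decode($charset, $arg);
    log_trace("process argument %s", $arg);
    # Once a name has been seen, anything that looks like an option is an error.
    if (defined($names[0]) && $arg =~ /^--/) {
        log_fatal( mtx("No options allowed after names.") );
        exit( RET_INVALID_CALL );
    } else { # it's a username
        log_trace("add argument %s to \@names", $arg);
        push (@names, $arg);
    }
}

if ( (! defined $names[0]) || length($names[0]) == 0 || @names > 2) {
    log_fatal( mtx("Only one or two names allowed.") );
    exit( RET_INVALID_CALL );
}

if (@names == 2) { # must be addusertogroup
    if ($action eq "addsysuser" || $found_group_opt) {
        log_fatal( mtx("Specify only one name in this mode.") );
        exit( RET_INVALID_CALL );
    }
    if ($action eq "addgroup" or $action eq "addsysgroup") {
        log_fatal( mtx("addgroup with two arguments is an unspecified operation.") );
        exit( RET_INVALID_CALL );
    }
    $action = "addusertogroup";
    # Both names refer to existing objects, so they are checked against
    # anynamere instead of going through sanitize_name.
    $existing_user = sanitize_string( shift (@names), anynamere );
    $existing_group = sanitize_string( shift (@names), anynamere );
}
else { # 1 parameter, must be adduser
    $new_name = sanitize_name( shift (@names) );
    log_trace("sanitized new_name %s", $new_name);
}
# From here on only the sanitized copies are used.
undef(@names);

# TODO: map this to log levels
# Exported through the environment to child processes; $verbose may still
# be undef when no verbosity option was given.
$ENV{"VERBOSE"} = $verbose;
$ENV{"DEBUG"} = $verbose;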
###################################
# check for consistent parameters #
###################################
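# Check that the options fit together and pass every option value that is
# used later through a sanitizer or an explicit check.

# --add-extra-groups wins over the old spelling --add_extra_groups; the
# default is 0.
if (!defined $add_extra_groups) {
    if( defined $add_extra_groups_old ) {
        $add_extra_groups = $add_extra_groups_old;
    } else {
        $add_extra_groups = 0;
    }
}

if ($action ne "addgroup" &&
    defined($found_group_opt) +defined($ingroup_name) +defined($gid_option) > 1 ) {
    log_fatal( mtx("The --group, --ingroup, and --gid options are mutually exclusive.") );
    exit( RET_EXCLUSIVE_PARAMETERS );
}

# --group: with --system on a user call it means "create a group of the same
# name as well"; otherwise it turns the call into group creation.
if ($found_group_opt) {
    if ($action eq "addsysuser") {
        $make_group_also = 1;
    }
    elsif ($found_sys_opt) {
        $action = "addsysgroup";
    }
    else {
        $action = "addgroup";
    }
}

# read the uid and gid pool
if ($config{"uid_pool"}) {
    read_pool ($config{"uid_pool"}, "uid", \%uid_pool);
    if ($config{"reserve_uid_pool"} ne "no") {
        # Reverse index: pool ID => name.
        %reserved_uid_pool = map {$uid_pool{$_}{id} => $_} keys %uid_pool;
    }
}
if ($config{"gid_pool"}) {
    read_pool ($config{"gid_pool"}, "gid", \%gid_pool);
    if ($config{"reserve_gid_pool"} ne "no") {
        %reserved_gid_pool = map {$gid_pool{$_}{id} => $_} keys %gid_pool;
    }
}

if( defined $ingroup_name ) {
    log_trace("sanitize ingroup_name");
    $ingroup_name = sanitize_name( decode($charset, $ingroup_name));
}
if( defined $special_home ) {
    log_trace("sanitize special_home %s", $special_home);
    $special_home = sanitize_string( decode($charset, $special_home), simplepathre);
}
if ( defined $comment_tainted ) {
    # Log the value that is being checked.
    log_trace("check comment %s for unwanted chars", $comment_tainted);
    # do not sanitize, can't be done without libperl
    # Reject control characters, DEL and ':'. \A and \z anchor the whole
    # string: with ^...$ a value ending in a newline would be accepted,
    # because $ also matches just before a final "\n". The value is only
    # checked, not replaced by the capture, so it keeps its taint flag.
    if ( $comment_tainted !~ qr/\A([^\x00-\x1F\x7F:]*)\z/ ) {
        die( "unwanted chars in comment" );
    }
}
if( defined $special_shell ) {
    log_trace("sanitize special_shell");
    $special_shell = sanitize_string( decode($charset, $special_shell), simplepathre);
}
# Numeric options were already parsed as integers by GetOptions; they are
# still passed through sanitize_string with numberre.
if( defined $new_firstgid ) {
    log_trace("sanitize new_firstgid");
    $new_firstgid = sanitize_string($new_firstgid, numberre);
}
if( defined $new_lastgid ) {
    log_trace("sanitize new_lastgid");
    $new_lastgid = sanitize_string($new_lastgid, numberre);
}
if( defined $new_firstuid ) {
    log_trace("sanitize new_firstuid");
    $new_firstuid = sanitize_string($new_firstuid, numberre);
}
if( defined $new_lastuid ) {
    log_trace("sanitize new_lastuid");
    $new_lastuid = sanitize_string($new_lastuid, numberre);
}
if( defined $new_uid ) {
    log_trace("sanitize new_uid");
    $new_uid = sanitize_string($new_uid, numberre);
}
if( defined $gid_option ) {
    log_trace("sanitize gid_option");
    $gid_option = sanitize_string($gid_option, numberre);
}

if ((defined($special_home)) && ($special_home !~ m+^/+ )) {
    log_fatal( mtx("The home dir must be an absolute path.") );
    exit( RET_INVALID_HOME_DIRECTORY );
}

# From here on INT, QUIT and HUP are routed to the sub named "handler".
$SIG{'INT'} = $SIG{'QUIT'} = $SIG{'HUP'} = 'handler';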
#####
# OK, we've processed the arguments. $action equals one of the following,
# and the appropriate variables have been set:
#
# $action = "adduser"
# $new_name - the name of the new user.
# $ingroup_name | $gid_option - the group to add the user to
# $special_home, $new_uid, $comment_tainted - optional overrides
# $action = "addgroup"
# $new_name - the name of the new group
# $gid_option - optional override
# $action = "addsysgroup"
# $new_name - the name of the new group
# $gid_option - optional override
# $action = "addsysuser"
# $new_name - the name of the new user
# $make_group_also | $ingroup_name | $gid_option | 0 - which group
# $special_home, $new_uid, $comment_tainted - optional overrides
# $action = "addusertogroup"
# $existing_user - the user to be added
# $existing_group - the group to add her to
#####
#################
## addsysgroup ##
#################
# Create a system group. The whole sequence runs under the lock taken by
# acquire_lock(). A group that already exists as a system group (and, if a
# GID was requested, has that GID) is reported and treated as success.
# NOTE(review): the early exits below leave without calling release_lock();
# presumably the lock is dropped at process exit -- confirm.
if ($action eq "addsysgroup") {
acquire_lock();
# Check if requested group already exists and we can exit safely
my $asgret = existing_group_status($new_name, $gid_option);
log_trace( "existing_group_status( %s, %s ) returns %s", $new_name, $gid_option, $asgret );
# The mismatch test comes first: a name or GID conflict is always an error.
if ($asgret & EXISTING_ID_MISMATCH) {
log_err( mtx("The group `%s' already exists, but has a different GID. Exiting."), $new_name );
exit( RET_WRONG_OBJECT_PROPERTIES );
}
if ($asgret & EXISTING_FOUND) {
log_trace( "existing_found" );
if ($asgret & (EXISTING_SYSTEM)) {
log_info( mtx("The group `%s' already exists as a system group."), $new_name );
exit( RET_OK );
} else {
log_err( mtx("The group `%s' already exists and is not a system group. Exiting."), $new_name );
exit( RET_WRONG_OBJECT_PROPERTIES );
}
}
# The name is free; an explicitly requested GID must be free as well.
if (defined($gid_option) && defined(getgrgid($gid_option))) {
log_fatal( mtx("The GID `%s' is already in use."), $gid_option );
exit( RET_ID_IN_USE );
}
# No GID requested: pick one from the system range. --firstgid/--lastgid
# take precedence over the configured bounds; the third argument is the
# pool entry for this name, if any.
if (!defined($gid_option)) {
$first_gid = $new_firstgid || $config{"first_system_gid"};
$last_gid = $new_lastgid || $config{"last_system_gid"};
$gid_option = &first_avail_gid($first_gid,
$last_gid,
$gid_pool{$new_name}{'id'});
# -1 is the "nothing available" result.
if ($gid_option == -1) {
log_warn( mtx("No GID is available in the range %d-%d (FIRST_SYS_GID - LAST_SYS_GID)."),
$first_gid, $last_gid );
log_err( mtx("The group `%s' was not created."), $new_name );
exit( RET_NO_ID_IN_RANGE );
}
}
log_info( mtx("Adding group `%s' (GID %d) ..."), $new_name, $gid_option);
# Program and arguments are handed over as separate list elements.
my $groupadd = which('groupadd');
my $ga_ret = systemcall_useradd($name_check_level, $groupadd, '-g', $gid_option, $new_name);
# Only the "invalid name" result changes the exit status of adduser here.
if( $ga_ret == RET_INVALID_NAME_FROM_USERADD ) {
$returnvalue = RET_INVALID_NAME_FROM_USERADD;
}
release_lock(0);
exit( $returnvalue );
}
##############
## addgroup ##
##############
# Create a regular (non-system) group. Unlike the system-group path, an
# already existing group of that name is always an error.
if ($action eq "addgroup") {
acquire_lock();
# NOTE(review): the name is encoded with $charset for this lookup, while the
# system-group path passes $new_name to existing_group_status() unencoded --
# confirm which form egetgrnam expects.
if (defined egetgrnam(encode($charset, $new_name))) {
log_fatal( mtx("The group `%s' already exists."), $new_name);
exit( RET_OBJECT_EXISTS );
}
if (defined($gid_option) && defined(getgrgid($gid_option))) {
log_fatal( mtx("The GID `%s' is already in use."), $gid_option );
exit( RET_ID_IN_USE );
}
# No GID requested: pick one from the regular range. --firstgid/--lastgid
# take precedence over the configured bounds.
if (!defined($gid_option)) {
$first_gid = $new_firstgid || $config{"first_gid"};
$last_gid = $new_lastgid || $config{"last_gid"};
log_debug( "Searching for gid with first_gid=%s, last_gid=%s, new_name=%s, gid_pool=%s",
$first_gid,
$last_gid,
$new_name,
$gid_pool{$new_name}{'id'}
);
$gid_option = &first_avail_gid($first_gid,
$last_gid,
$gid_pool{$new_name}{'id'});
# -1 is the "nothing available" result.
if ($gid_option == -1) {
log_warn( mtx("No GID is available in the range %d-%d (FIRST_GID - LAST_GID)."),
$first_gid, $last_gid );
log_fatal( mtx("The group `%s' was not created."), $new_name );
exit( RET_NO_ID_IN_RANGE );
}
}
log_info( mtx("Adding group `%s' (GID %d) ..."), $new_name, $gid_option);
# Program and arguments are handed over as separate list elements.
my $groupadd = which('groupadd');
my $ga_ret = systemcall_useradd($name_check_level, $groupadd, '-g', $gid_option, $new_name);
# Only the "invalid name" result changes the exit status of adduser here.
if( $ga_ret == RET_INVALID_NAME_FROM_USERADD ) {
$returnvalue = RET_INVALID_NAME_FROM_USERADD;
}
release_lock(0);
exit( $returnvalue );
}
####################
## addusertogroup ##
####################
# Add an existing user to an existing group. Both names were checked against
# anynamere when the arguments were parsed.
if ($action eq 'addusertogroup') {
# NOTE(review): the existence and membership checks run before
# acquire_lock(), so the account data can change between the checks and the
# usermod call -- confirm this is acceptable.
if (!defined egetpwnam($existing_user)) {
log_fatal( mtx("The user `%s' does not exist."), $existing_user );
exit( RET_OBJECT_DOES_NOT_EXIST );
}
if (!defined egetgrnam($existing_group)) {
log_fatal( mtx("The group `%s' does not exist."), $existing_group );
exit( RET_OBJECT_DOES_NOT_EXIST );
}
# Already a member: warn, but report success.
if (&user_is_member($existing_user, $existing_group)) {
log_warn( mtx("The user `%s' is already a member of `%s'."), $existing_user, $existing_group );
exit( RET_OK );
}
log_info( mtx("Adding user `%s' to group `%s' ..."), $existing_user, $existing_group );
acquire_lock();
# Fixed path here, whereas the other modes locate their tools with which().
# -a -G appends the group to the user's supplementary groups.
systemcall('/usr/sbin/usermod', '-a', '-G', $existing_group, $existing_user);
# NOTE(review): called without an argument here, with 0 in the other modes --
# confirm the two forms are equivalent.
release_lock();
exit( $returnvalue );
}
################
## addsysuser ##
################
# Create a system user. An already existing system user of that name (with
# a matching UID, if one was requested) is reported and treated as success.
# NOTE(review): the early exits below leave without calling release_lock();
# presumably the lock is dropped at process exit -- confirm.
if ($action eq "addsysuser") {
acquire_lock();
my $ret = existing_user_status($new_name, $new_uid);
if (($ret & EXISTING_FOUND) && !($ret & EXISTING_SYSTEM)) {
# a user with this name already exists; it's a problem when it's not a system user
log_fatal( mtx("The user `%s' already exists, but is not a system user. Exiting."), $new_name );
exit( RET_WRONG_OBJECT_PROPERTIES );
}
if ($ret & EXISTING_ID_MISMATCH) {
log_fatal( mtx("The user `%s' already exists with a different UID. Exiting."), $new_name );
exit( RET_WRONG_OBJECT_PROPERTIES );
}
if ($ret & EXISTING_FOUND) {
log_info( mtx("The system user `%s' already exists. Exiting.\n"), $new_name );
exit( RET_OK );
}
# No group requested in any form: the new user goes into "nogroup".
if (!$ingroup_name && !defined($gid_option) && !$make_group_also) {
$gid_option = $nogroup_id;
}
check_user_group(1);
# Three cases follow: no UID given and a group of the same name wanted; no
# UID given and an existing group used; UID given on the command line.
if (!defined($new_uid) && $make_group_also) {
$new_uid = &first_avail_uid($new_firstuid || $config{"first_system_uid"},
$new_lastuid || $config{"last_system_uid"},
$uid_pool{$new_name}{'id'});
if ($new_uid == -1) {
# The message prints the configured bounds even when --firstuid/--lastuid
# replaced them for the search above.
log_warn( mtx("No UID/GID pair is available in the range %d-%d (FIRST_SYS_UID - LAST_SYS_UID)."),
$config{"first_system_uid"},
$config{"last_system_uid"} );
log_fatal( mtx("The user `%s' was not created."), $new_name );
exit( RET_NO_ID_IN_RANGE );
}
# NOTE(review): unlike $new_uid above, this result is not compared with -1
# before it is used -- confirm first_avail_gid cannot fail here.
$gid_option = &first_avail_gid($new_firstgid || $config{"first_system_gid"},
$new_lastgid || $config{"last_system_gid"},
$gid_pool{$new_name}{'id'});
$ingroup_name = $new_name;
}
elsif (!defined($new_uid) && !$make_group_also) {
$new_uid = &first_avail_uid($new_firstuid || $config{"first_system_uid"},
$new_lastuid || $config{"last_system_uid"},
$uid_pool{$new_name}{'id'});
if ($new_uid == -1) {
log_warn( mtx("No UID is available in the range %d-%d (FIRST_SYS_UID - LAST_SYS_UID)."),
$config{"first_system_uid"},
$config{"last_system_uid"} );
log_fatal( mtx("The user `%s' was not created."), $new_name);
exit( RET_NO_ID_IN_RANGE );
}
# Fill in whichever of group name / GID is still missing.
if (defined($gid_option)) {
$ingroup_name = getgrgid($gid_option);
} elsif ($ingroup_name) {
$gid_option = egetgrnam($ingroup_name);
} else {
log_fatal( mtx("Neither ingroup option nor gid given.") );
exit( RET_NO_PRIMARY_GROUP );
}
}
else {
if (defined($gid_option)) {
$ingroup_name = getgrgid($gid_option);
} elsif ($ingroup_name) {
$gid_option = egetgrnam($ingroup_name);
} elsif ($make_group_also) {
# The new group gets the same numeric ID as the requested UID.
$gid_option=$new_uid; $ingroup_name=$new_name;
} else {
log_fatal( mtx("Neither ingroup option nor gid given and make_group_also unset.") );
exit( RET_NO_PRIMARY_GROUP );
}
}
log_info( mtx("Adding system user `%s' (UID %d) ..."), $new_name, $new_uid );
# if we reach this point, and the group does already exist, we can use it.
if ($make_group_also && !egetgrnam($new_name)) {
log_info( mtx("Adding new group `%s' (GID %d) ..."), $new_name, $gid_option );
# Recorded before the group is created.
$undogroup = $new_name;
my $groupadd = which('groupadd');
my $ga_ret = systemcall_useradd($name_check_level, $groupadd, '-g', $gid_option, $new_name);
if( $ga_ret == RET_INVALID_NAME_FROM_USERADD ) {
$returnvalue = RET_INVALID_NAME_FROM_USERADD;
}
}
# Informational only: neither message stops the run.
if (defined($special_home) && $special_home ne "/nonexistent" ) {
if (!defined($no_create_home) && -d $special_home) {
log_info( mtx("The home dir %s you specified already exists.\n"), $special_home );
}
if (defined($no_create_home) && ! -d $special_home) {
log_info( mtx("The home dir %s you specified can't be accessed: %s\n"), $special_home, $! );
}
}
log_info( mtx("Adding new user `%s' (UID %d) with group `%s' ..."),
$new_name, $new_uid, $ingroup_name );
# Precedence for home and shell: command line, then the pool entry for this
# name, then a default that permits no login and no home.
$home_dir = $special_home || $uid_pool{$new_name}{'home'} || '/nonexistent';
# A home at or below /nonexistent is never created.
$no_create_home = $home_dir =~ /^\/+nonexistent(\/|$)/ ? 1 : $no_create_home;
$shell = $special_shell || $uid_pool{$new_name}{'shell'} || '/usr/sbin/nologin';
# Recorded before the user is created.
$undouser = $new_name;
my $useradd = which('useradd');
# -r requests a system account; the two -K settings pass the effective
# system UID range to useradd. All values are separate list elements.
my $ua_ret = systemcall_useradd($name_check_level,
$useradd,
'-r',
'-K', sprintf('SYS_UID_MIN=%d', $new_firstuid || $config{'first_system_uid'}),
'-K', sprintf('SYS_UID_MAX=%d', $new_lastuid || $config{'last_system_uid'}),
'-d', $home_dir,
'-g', $ingroup_name,
'-s', $shell,
'-u', $new_uid,
$new_name);
if( $ua_ret == RET_INVALID_NAME_FROM_USERADD ) {
$returnvalue = RET_INVALID_NAME_FROM_USERADD;
}
# The lock is released here; setting the comment and creating the home
# directory below happen after the release.
release_lock(0);
if (defined($comment_tainted)) {
ch_comment($new_name, $comment_tainted);
} elsif ($uid_pool{$new_name}{'comment'}) {
ch_comment($new_name, $uid_pool{$new_name}{'comment'});
}
# create_homedir() reads the file-level $primary_gid.
$primary_gid = $gid_option;
# Arguments: do not copy the skeleton, this is a system user.
create_homedir(0, 1);
exit( $returnvalue );
}
#############
## adduser ##
#############
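# Create a regular user: determine primary and supplemental groups, pick
# the UID, create group and user, create the home directory, then run the
# interactive passwd/chfn steps and the optional follow-up actions.
if ($action eq "adduser") {
    acquire_lock();
    # -1 means "no primary group decided yet".
    $primary_gid=-1;
    my @supplemental_groups=();
    log_trace( "new_uid %s", $new_uid );
    log_trace( "ingroup_name %s, gid_option %s", $ingroup_name, $gid_option );
    log_trace( "usergroups %s", $config{"usergroups"} );
    log_trace( "users_gid %s, users_group %s", $config{"users_gid"}, $config{"users_group"} );
    log_trace( "primary_gid %s, supplemental groups %s", $primary_gid, join(", ",@supplemental_groups) );
    if( defined($config{"users_gid"}) && defined($config{"users_group"}) ) {
        log_warn ( mtx("USERS_GID and USERS_GROUP both given in configuration. This is an error.") );
        log_fatal (mtx("The user `%s' was not created."),$new_name);
        exit( RET_CONFIG_ERROR );
    }
    if ($config{"usergroups"} =~ /yes/i) {
        log_trace( "config usergroups == yes code path" );
        # A group named after the user is created unless --gid or --ingroup
        # names an existing one.
        $make_group_also = 1;
        if( $gid_option ) {
            $make_group_also = 0;
            $primary_gid = $gid_option;
            log_trace( "gid_option defined %s, make_group_also 0, primary_gid=gid_option", $gid_option );
        }
        if( $ingroup_name ) {
            $make_group_also = 0;
            $primary_gid = egetgrnam($ingroup_name);
            # Log the group name this branch is about (the first %s was
            # filled with $gid_option, which is not set on this path).
            log_trace( "ingroup_name defined %s, make_group_also 0, primary_gid %s", $ingroup_name, $primary_gid );
        }
        log_trace( "make_group_also %s, primary_gid %s", $make_group_also, $primary_gid );
        if( defined( $primary_gid) && $primary_gid == -1 && $make_group_also == 0 ) {
            # No primary group yet and none will be created: fall back to
            # the configured users group as primary group.
            if (defined($config{"users_gid"}) && $config{"users_gid"} != -1) {
                my @grgid=getgrgid($config{"users_gid"});
                my $grname=$grgid[0];
                log_debug( "set primary_gid to users_gid %s %s", $config{"users_gid"}, $grname);
                $primary_gid = $config{"users_gid"};
            } elsif (defined($config{"users_gid"}) && $config{"users_gid"} == -1) {
                # nothing
            } else {
                my $primary_group="users";
                if (defined($config{"users_group"})) {
                    $primary_group=$config{"users_group"};
                }
                $primary_gid=egetgrnam($primary_group);
                log_debug( "set primary_gid to users_group %s %s", $primary_gid, $primary_group);
            }
        } else {
            # A primary group is known or will be created: the configured
            # users group becomes a supplemental group instead.
            if (defined($config{"users_gid"}) && $config{"users_gid"} != -1) {
                my @grgid=getgrgid($config{"users_gid"});
                my $grname=$grgid[0];
                log_trace( "push users_gid %s %s to supplemental_groups", $config{"users_gid"}, $grname);
                push(@supplemental_groups, $grname);
            } elsif (defined($config{"users_gid"}) && $config{"users_gid"} == -1) {
                # nothing
            } else {
                my $supp_group="users";
                if (defined($config{"users_group"})) {
                    $supp_group=$config{"users_group"};
                }
                log_trace( "push %s to supplemental_groups", $supp_group );
                push(@supplemental_groups, $supp_group);
            }
        }
    } else {
        log_debug( "config usergroups != yes code path" );
        if( defined($ingroup_name) ) {
            $primary_gid=egetgrnam($ingroup_name);
        } elsif (defined($config{"users_gid"})) {
            # Log the value that is about to be assigned (logging
            # $primary_gid here would still show the -1 placeholder).
            log_trace( "primary_gid = users_gid = %d", $config{"users_gid"} );
            $primary_gid = $config{"users_gid"};
        } else {
            if (defined($config{"users_group"})) {
                my @grgid=egetgrnam($config{"users_group"});
                my $grgid=$grgid[2];
                log_trace( "primary_gid = users_group %s %s", $config{"users_group"}, $grgid);
                $primary_gid = $grgid;
            } else {
                log_trace( "primary_gid = literal 100");
                $primary_gid = 100;
            }
        }
        if( $primary_gid == -1 ) {
            log_fatal( "no primary GID for user set. User not created." );
            exit( RET_NO_PRIMARY_GID );
        }
    }
    log_debug( "primary_gid %s, supplemental groups %s", $primary_gid, join(", ",@supplemental_groups) );
    if ( defined $ingroup_name || defined $gid_option ) {
        $make_group_also = 0;
        # The message now matches the condition: this branch runs when one
        # of the two IS defined.
        log_trace( "set make_group_also 0, ingroup_name or gid_option defined" );
    }
    check_user_group(0);
    # --firstuid/--lastuid etc. take precedence over the configured ranges.
    $first_uid = $new_firstuid || $config{"first_uid"};
    $last_uid = $new_lastuid || $config{"last_uid"};
    if ($config{"usergroups"} =~ /yes/i) {
        $first_gid = $first_uid;
        $last_gid = $last_uid;
    } else {
        $first_gid = $new_firstgid || $config{"first_gid"};
        $last_gid = $new_lastgid || $config{"last_gid"};
    }
    log_trace( "first_uid %s, last_uid %s, first_gid %s, last_gid %s", $first_uid, $last_uid, $first_gid, $last_gid );
    log_info (gtx("Adding user `%s' ..."),$new_name);
    if (!defined($new_uid)) {
        if ( defined $ingroup_name ) {
            $new_uid = &first_avail_uid( $first_uid,
                                         $last_uid,
                                         $uid_pool{$new_name}{'id'});
        } else {
            # The comparison result (0 or 1) indexes the pair: this takes
            # the smaller of the two lower bounds and the larger of the two
            # upper bounds.
            my $first_uidgid = ($first_uid, $first_gid)[$first_uid > $first_gid];
            my $last_uidgid = ($last_uid, $last_gid)[$last_uid < $last_gid];
            # TODO: Check what happens when those ranges do not overlap
            $new_uid = &first_avail_uid_gid( $first_uidgid,
                                             $last_uidgid,
                                             $uid_pool{$new_name}{'id'});
            log_trace( "uidgid=%s, from first_uidgid %s, last_uidgid %s", $new_uid, $first_uidgid, $last_uidgid);
        }
        # TODO: user can specify different UID and GID here.
        # idea: split handling in uid/gid, which are equally the return value of
        # first_avail_uid_gid. If either pool_id is defined, set uid and gid from
        # distinct first_avail_uid and first_avail_gid calls.
        log_debug( "new_uid %s selected", $new_uid);
        if ($new_uid == -1) {
            log_warn( mtx("No UID/GID pair is available in the range %d-%d (FIRST_UID - LAST_UID)."), $first_uid, $last_uid);
            log_fatal( mtx("The user `%s' was not created."), $new_name );
            exit( RET_NO_ID_IN_RANGE );
        }
        log_trace( "gid_option %s, ingroup_name %s", $gid_option, $ingroup_name );
        # String comparison: with == both sides are converted to numbers, so
        # every non-numeric group name would compare equal to "".
        if ( defined $gid_option && $gid_option == -1 && defined $ingroup_name && $ingroup_name eq "") {
            log_warn( mtx("USERGROUPS=no, USER_GID=-1 and USERS_GROUP empty. A user needs a primary group!") );
            log_fatal( mtx("The user `%s' was not created."), $new_name );
            exit( RET_NO_PRIMARY_GROUP );
        } elsif (defined($gid_option) && $gid_option != -1) {
            $ingroup_name = getgrgid($gid_option);
            $primary_gid = $gid_option;
            log_debug( "gid_option defined and not -1, ingroup_name %s, primary_gid %d", $ingroup_name, $primary_gid );
        } elsif ($ingroup_name) {
            $primary_gid = egetgrnam($ingroup_name);
            log_debug( "ingroup_name defined %s, primary_gid %d", $ingroup_name, $primary_gid );
        } elsif ( defined( $primary_gid ) ) {
            $ingroup_name = getgrgid($primary_gid);
            # The second placeholder is the group name, not the GID again.
            log_debug( "primary_gid defined %d, ingroup_name %s", $primary_gid, $ingroup_name );
        } else {
            $ingroup_name = 'users';
            $primary_gid = 100;
            log_debug( "ingroup_name hard users, primary_gid hard 100" );
        }
        if ($make_group_also) {
            # The user's own group gets the same numeric ID as the user.
            $primary_gid = $new_uid;
            $ingroup_name = $new_name;
            log_trace( "make_group_also %s, primary_gid %s, ingroup_name %s", $make_group_also, $primary_gid, $ingroup_name );
        }
    } else {
        # --uid was given on the command line.
        log_debug( "new_uid %s, primary_gid %s, ingroup_name %s, make_group_also %s", $new_uid, $primary_gid, $ingroup_name, $make_group_also );
        if (defined($gid_option)) {
            $ingroup_name = getgrgid($gid_option);
            $primary_gid = $gid_option;
            log_debug( "gid_option defined %s, ingroup_name %s", $gid_option, $ingroup_name );
        } elsif (defined($primary_gid) && $primary_gid != -1) {
            $ingroup_name = getgrgid($primary_gid);
            log_debug( "primary_gid defined %s, ingroup_name %s", $primary_gid, $ingroup_name );
        } elsif ($ingroup_name) {
            $primary_gid = egetgrnam($ingroup_name);
            log_debug( "ingroup_name defined %s, primary_gid %s", $ingroup_name, $primary_gid );
        } elsif ($make_group_also) {
            $primary_gid=$new_uid; $ingroup_name=$new_name;
            log_debug( "make_group_also %s, primary_gid defined %s, ingroup_name %s", $make_group_also, $primary_gid, $ingroup_name );
        } else {
            log_debug( "no gid_option, no primary_gid, no ingroup_name, no make_group_also" );
            log_fatal( mtx("Internal error interpreting parameter combination") );
            exit( RET_INTERNAL );
        }
    }
    log_debug ("make_group_also %s", $make_group_also );
    if ($make_group_also) {
        # Recorded before the group is created.
        $undogroup = $new_name;
        my $groupadd = which('groupadd');
        my $ret;
        if( defined( $primary_gid ) ) {
            log_info( mtx("Adding new group `%s' (%d) ..."), $new_name, $primary_gid);
            $ret = systemcall_useradd($name_check_level, $groupadd, '-g', $primary_gid, $new_name);
        } else {
            log_info( mtx("Adding new group `%s' (new group ID) ..."), $new_name);
            $ret = systemcall_useradd($name_check_level, $groupadd, $new_name);
            $primary_gid = egetgrnam($new_name);
            log_info( mtx("new group '%s' created with GID %d"), $new_name, $primary_gid );
        }
        if( $ret == RET_INVALID_NAME_FROM_USERADD ) {
            $returnvalue = RET_INVALID_NAME_FROM_USERADD;
        }
    }
    # Informational only: neither message stops the run.
    if (defined($special_home) && $special_home ne "/nonexistent" ) {
        if (!defined($no_create_home) && -d $special_home) {
            log_warn( mtx("The home dir %s you specified already exists.\n"), $special_home );
        }
        if (defined($no_create_home) && ! -d $special_home) {
            log_warn( mtx("The home dir %s you specified can't be accessed: %s\n"), $special_home, $! );
        }
    }
    {
        my @grgid=getgrgid($primary_gid);
        my $grname=$grgid[0];
        log_info( mtx("Adding new user `%s' (%d) with group `%s (%d)' ..."), $new_name, $new_uid, $grname, $primary_gid );
    }
    # Precedence for home and shell: command line, then the pool entry for
    # this name, then the computed/configured default.
    $home_dir = $special_home || $uid_pool{$new_name}{'home'} || &homedir($new_name, $ingroup_name);
    if( !$disabled_login ) {
        $shell = $special_shell || $uid_pool{$new_name}{'shell'} || $config{"dshell"};
    } else {
        $shell = $special_shell || $uid_pool{$new_name}{'shell'} || "/usr/sbin/nologin";
    }
    log_debug( "creating new user %s with home_dir %s and shell %s", $new_name, $home_dir, $shell );
    # Recorded before the user is created.
    $undouser = $new_name;
    my $useradd = which('useradd');
    # Program and arguments are handed over as separate list elements.
    my $ret = systemcall_useradd($name_check_level,
                                 $useradd,
                                 '-d', $home_dir,
                                 '-g', $primary_gid,
                                 '-s', $shell,
                                 '-u', $new_uid,
                                 $new_name);
    if( $ret == RET_INVALID_NAME_FROM_USERADD ) {
        $returnvalue = RET_INVALID_NAME_FROM_USERADD;
    }
    create_homedir (1, 0); # copy skeleton data
    # useradd without -p has left the account disabled (password string is '!')
    my $yesexpr = langinfo(YESEXPR());
    my $noexpr = langinfo(NOEXPR());
    if ($ask_passwd) {
        PASSWD: for (;;) {
            my $passwd = which('passwd');
            my $ok = systemcall_or_warn($passwd, $new_name);
            # NOTE(review): assumes systemcall_or_warn returns a wait status
            # whose high byte is the exit code of passwd -- confirm.
            $ok = $ok >> 8;
            log_debug( "systemcall_or_warn %s %s return value %s", $passwd, $new_name, $ok);
            if ($ok != 0) {
                my $answer;
                # hm, error, should we break now?
                if ($ok == 1) {
                    log_warn( mtx("Permission denied"));
                } elsif ($ok == 2) {
                    log_warn( mtx("invalid combination of options"));
                } elsif ($ok == 3) {
                    log_warn( mtx("unexpected failure, nothing done"));
                } elsif ($ok == 4) {
                    log_warn( mtx("unexpected failure, passwd file missing"));
                } elsif ($ok == 5) {
                    log_warn( mtx("passwd file busy, try again"));
                } elsif ($ok == 6) {
                    log_warn( mtx("invalid argument to option"));
                } elsif ($ok == 10) {
                    log_warn( mtx("wrong password given or password retyped incorrectly"));
                } else {
                    log_warn( mtx("unexpected return code %s given from passwd"), $ok );
                }
                # Translators: [y/N] has to be replaced by values defined in your
                # locale. You can see by running "locale noexpr" which regular
                # expression will be checked to find positive answer.
                # "yes" retries passwd; "no", an empty answer or end of
                # input leaves the account without a password.
                PROMPT: for (;;) {
                    print (gtx("Try again? [y/N] "));
                    chop ($answer=<STDIN>);
                    last PROMPT if ($answer =~ m/$yesexpr/o);
                    last PASSWD if ($answer =~ m/$noexpr/o);
                    last PASSWD if (!$answer);
                }
            } else {
                last; ## passwd ok
            }
        }
    }
    # Comment (GECOS) field: command line value, else pool entry, else ask
    # interactively through chfn.
    if (defined($comment_tainted)) {
        ch_comment($new_name, $comment_tainted);
    } elsif ($uid_pool{$new_name}{'comment'}) {
        ch_comment($new_name, $uid_pool{$new_name}{'comment'});
    } else {
        my $noexpr = langinfo(NOEXPR());
        my $yesexpr = langinfo(YESEXPR());
        CHFN: for (;;) {
            my $chfn = &which('chfn');
            systemcall($chfn, $new_name);
            # Translators: [y/N] has to be replaced by values defined in your
            # locale. You can see by running "locale yesexpr" which regular
            # expression will be checked to find positive answer.
            # "no" runs chfn again; "yes", an empty answer or end of input
            # accepts the data.
            PROMPT: for (;;) {
                print (gtx("Is the information correct? [Y/n] "));
                chop (my $answer=<STDIN>);
                last PROMPT if ($answer =~ m/$noexpr/o);
                last CHFN if ($answer =~ m/$yesexpr/o);
                last CHFN if (!$answer);
            }
        }
    }
    if ( ( $add_extra_groups || $config{"add_extra_groups"} ) && defined($config{"extra_groups"}) ) {
        log_debug( "add extra_groups from config (%s) to supplemental_groups", $config{"extra_groups"} );
        push (@supplemental_groups, split(/\s+/,$config{"extra_groups"}));
    }
    if ( @supplemental_groups ) {
        log_info( mtx("Adding new user `%s' to supplemental / extra groups `%s' ..."), $new_name, join(", ", @supplemental_groups) );
        foreach my $newgrp ( @supplemental_groups ) {
            log_trace( "newgrp %s", $newgrp );
            # Missing groups and existing memberships are skipped with a
            # warning; they do not abort the run.
            if (!defined egetgrnam($newgrp)) {
                log_warn( mtx("The group `%s' does not exist."), $newgrp);
                next;
            }
            if (&user_is_member($new_name, $newgrp)) {
                log_warn( mtx("The user `%s' is already a member of `%s'."),
                          $new_name,$newgrp );
                next;
            }
            log_info( mtx("Adding user `%s' to group `%s' ..."), $new_name, $newgrp );
            my $gpasswd = &which('gpasswd');
            # gpasswd -M replaces the whole member list, so the current
            # members are read and the new user is appended.
            systemcall($gpasswd, '-M',
                       join(',', get_group_members($newgrp), $new_name),
                       $newgrp);
        }
    }
    if ($config{"quotauser"}) {
        log_info( mtx("Setting quota for user `%s' to values of user `%s' ..."), $new_name, $config{quotauser} );
        my $edquota = &which('edquota');
        systemcall($edquota, '-p', $config{quotauser}, $new_name);
    }
    # Local hook: run with name, UID, GID and home directory when the file
    # exists and is executable. It runs with the privileges of this script,
    # so the file and its directory must be writable by root only.
    systemcall('/usr/local/sbin/adduser.local', $new_name, $new_uid,
               $primary_gid, $home_dir) if (-x "/usr/local/sbin/adduser.local");
    release_lock(0);
    exit( $returnvalue );
}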
#
# we never go here
#
# calculate home directory
# homedir: build the default home directory path for a new user
# parameters:
#   1: user name
#   2: name of the user's primary group
# return value:
#   the configured home base, followed by the group name when "grouphomes"
#   matches /yes/i, the first character of the user name when "letterhomes"
#   matches /yes/i, and finally the user name
sub homedir {
    my ($user, $group) = @_;
    my $path = $config{"dhome"};
    if ($config{"grouphomes"} =~ /yes/i) {
        $path .= '/' . $group;
    }
    if ($config{"letterhomes"} =~ /yes/i) {
        $path .= '/' . substr($user,0,1);
    }
    $path .= '/' . $user;
    return $path;
}
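# create_homedir -- create the home directory
# Works on the file-level variables $home_dir, $new_uid, $primary_gid and
# $no_create_home, which the caller has set up.
# parameters:
#   1: $copy_skeleton:
#        if 0 -> do not copy the skeleton data
#        if 1 -> copy the files from the configured skeleton directory
#                to the newly created home directory
#   2: $system_user:
#        if true, an already existing home directory is accepted without
#        the ownership warning
# return values:
#   none
sub create_homedir {
    my ($copy_skeleton, $system_user) = @_;
    if ($home_dir =~ /^\/+nonexistent(\/|$)/) {
        log_info( mtx("Not creating `%s'."), $home_dir );
    } elsif ($no_create_home) {
        log_info( mtx("Not creating home directory `%s' as requested."), $home_dir );
    } elsif (-e $home_dir) {
        # An existing path is never modified; for regular users a warning
        # is printed when it belongs to a different UID or GID.
        if( !$system_user ) {
            log_warn( mtx("The home directory `%s' already exists. Not touching this directory."),
                      $home_dir );
            my @homedir_stat = stat($home_dir);
            my $home_uid = $homedir_stat[4];
            my $home_gid = $homedir_stat[5];
            if (($home_uid != $new_uid) || ($home_gid != $primary_gid)) {
                log_warn( mtx("Warning: The home directory `%s' does not belong to the user you are currently creating."), $home_dir );
            }
        }
    } else {
        log_info( mtx("Creating home directory `%s' ..."),$home_dir );
        # Recorded before the directory is created.
        $undohome = $home_dir;
        # NOTE(review): the code after each cleanup() call assumes that
        # cleanup() does not return -- confirm.
        if( !&mktree($home_dir) ) {
            log_err( gtx("Couldn't create home directory `%s': %s."), $home_dir, $!);
            &cleanup();
        }
        if( !chown($new_uid, $primary_gid, $home_dir) ) {
            log_err("chown %s:%s %s: %s", $new_uid, $primary_gid, $home_dir, $!);
            &cleanup();
        }
        $dir_mode = get_dir_mode();
        if( !chmod ($dir_mode, $home_dir) ) {
            log_err("chmod %s %s: %s", $dir_mode, $home_dir, $!);
            &cleanup();
        }
        if ($config{"skel"} && $copy_skeleton) {
            log_info( mtx("Copying files from `%s' ..."), $config{skel} );
            my $findpipe;
            # List-form pipe open: the skeleton path is handed to the shell
            # as positional parameter $1 instead of being pasted into the
            # command text, so blanks or shell metacharacters in the
            # configured path cannot change the command. "&&" keeps find
            # from listing the current directory when the cd fails.
            if( !open($findpipe, q{-|}, '/bin/sh', '-c',
                      'cd -- "$1" && find . -print', 'sh', $config{skel}) ) {
                log_err( mtx("fork for `find' failed: %s"), $!);
                &cleanup();
            }
            # One path per line; a skeleton entry whose name contains a
            # newline would arrive here as two separate lines.
            while (my $entry = <$findpipe>) {
                chomp $entry;
                next if ($entry eq ".");
                next if ($entry =~ qr/$config{skel_ignore_regex}/ );
                my $src = sanitize_string($entry, pathre );
                log_trace("copy_to_dir(%s, %s, %s, %s, %s)", $config{"skel"}, $src, $home_dir, $new_uid, $primary_gid );
                &copy_to_dir($config{"skel"}, $src, $home_dir, $new_uid,
                             $primary_gid, ($config{"setgid_home"} =~ /yes/i));
            }
            close ($findpipe);
        }
    }
}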
# mktree: create a directory and all parent directories
# Every missing component is created with mode 0755; ownership and final
# permissions are left to the caller.
# parameters:
#   tree: the path (always treated as starting at /)
# return values:
#   1 when every component exists or could be created,
#   0 as soon as one mkdir fails ($! then holds the reason)
sub mktree {
    my ($tree) = @_;
    my $default_dir_mode = oct(755);
    # Drop leading slashes; the loop below puts one in front of every
    # component again.
    $tree =~ s:^/*(.*)/*$:$1:;
    my $prefix = "";
    for my $component (split(/\//, $tree)) {
        $prefix .= '/' . $component;
        next if -d $prefix;
        return 0 unless mkdir($prefix, $default_dir_mode);
    }
    return 1;
}
# existing_user_status: report whether an account matching the request is
# already present on the system
# parameters:
#   new_name: the account name to look up
#   new_uid : the UID requested for it (may be undef)
# return value:
#   bitwise combination of these constants:
#     EXISTING_NOT_FOUND   => 0
#     EXISTING_FOUND       => 1  the name exists
#     EXISTING_SYSTEM      => 2  its UID lies within first_system_uid and
#                                last_system_uid
#     EXISTING_ID_MISMATCH => 4  the name exists under another UID, or the
#                                name is free but the requested UID is taken
#     EXISTING_LOCKED      => 8  listed for completeness; never set here
#   e.g. an existing system user found under the requested UID gives 2|1 == 3
# NOTE(review): the fallback probe tests $new_uid for truth, so a requested
# UID of 0 is never probed - confirm that this is intended.
sub existing_user_status {
    my ($new_name, $new_uid) = @_;
    my $status = EXISTING_NOT_FOUND;
    log_trace( "existing_user_status called with new_name %s, new_uid %s", $new_name, $new_uid );
    my @pw_entry = egetpwnam($new_name);
    if (@pw_entry) {
        # The third field of the returned entry is the UID.
        my $uid = $pw_entry[2];
        log_trace("egetpwnam %s returned successfully, uid = %s", $new_name, $uid);
        $status |= EXISTING_FOUND;
        if (defined($new_uid) && $uid != $new_uid) {
            $status |= EXISTING_ID_MISMATCH;
        }
        if ($uid >= $config{"first_system_uid"} && $uid <= $config{"last_system_uid"}) {
            $status |= EXISTING_SYSTEM;
        }
    } elsif ($new_uid && getpwuid($new_uid)) {
        # The name is free, but the requested UID belongs to someone else.
        $status |= EXISTING_ID_MISMATCH;
    }
    log_trace( "existing_user_status( %s, %s ) returns %s", $new_name, $new_uid, $status );
    return $status;
}
# existing_group_status: report whether a group matching the request is
# already present on the system
# parameters:
#   new_name: the group name to look up
#   new_gid : the GID requested for it (may be undef)
# return value:
#   bitwise combination of these constants:
#     EXISTING_NOT_FOUND   => 0
#     EXISTING_FOUND       => 1  the name exists
#     EXISTING_SYSTEM      => 2  its GID lies within first_system_gid and
#                                last_system_gid
#     EXISTING_ID_MISMATCH => 4  the name exists under another GID, or the
#                                name is free but the requested GID is taken
# NOTE(review): the fallback probe tests $new_gid for truth, so a requested
# GID of 0 is never probed - confirm that this is intended.
sub existing_group_status {
    my ($new_name, $new_gid) = @_;
    my $status = EXISTING_NOT_FOUND;
    log_trace( "existing_group_status called with new_name %s, new_gid %s", $new_name, $new_gid );
    my @gr_entry = egetgrnam($new_name);
    if (@gr_entry) {
        # The third field of the returned entry is the GID.
        my $gid = $gr_entry[2];
        log_trace("egetgrnam %s returned successfully, gid = %s", $new_name, $gid);
        $status |= EXISTING_FOUND;
        if (defined($new_gid) && $gid != $new_gid) {
            $status |= EXISTING_ID_MISMATCH;
        }
        if ($gid >= $config{"first_system_gid"} && $gid <= $config{"last_system_gid"}) {
            $status |= EXISTING_SYSTEM;
        }
    } elsif ($new_gid && getgrgid($new_gid)) {
        # The name is free, but the requested GID belongs to another group.
        $status |= EXISTING_ID_MISMATCH;
    }
    log_trace( "existing_group_status( %s, %s ) returns %s", $new_name, $new_gid, $status );
    return $status;
}
# check_user_group: stop the program if the requested user or group
# conflicts with what already exists
# parameters:
#   system: 0 if the user is not a system user, 1 otherwise
# return values:
#   nothing callers can rely on; every conflict is logged with log_fatal
#   and followed by exit() with the matching RET_* code
# Works on the file-level variables $new_name, $new_uid, $make_group_also,
# $ingroup_name and $gid_option rather than on parameters.
sub check_user_group {
    my ($system) = @_;
    log_debug( "check_user_group %s called, make_group_also %s", $system, $make_group_also );
    my $user_status = existing_user_status($new_name, $new_uid);
    my $user_found = $user_status & EXISTING_FOUND;
    if ($system) {
        # An existing account of that name is tolerated only if it is a
        # system account itself.
        if ($user_found && !($user_status & EXISTING_SYSTEM)) {
            log_fatal( mtx("The user `%s' already exists, and is not a system user."), $new_name);
            exit( RET_WRONG_OBJECT_PROPERTIES );
        }
        # if ($new_uid && !($ustat & EXISTING_SYSTEM)) {
        #     log_fatal( mtx("The uid `%s' is invalid for system users."), $new_name);
        #     exit( RET_OBJECT_EXISTS );
        # }
    } elsif ($user_found) {
        log_fatal( mtx("The user `%s' already exists."), $new_name);
        exit( RET_OBJECT_EXISTS );
    }
    if (!$make_group_also) {
        # The user joins an existing group, which must be there already.
        if ($ingroup_name && !defined(egetgrnam($ingroup_name))) {
            log_fatal( mtx("The group `%s' does not exist."), $ingroup_name);
            exit( RET_OBJECT_DOES_NOT_EXIST );
        }
        if (defined($gid_option) && !defined(getgrgid($gid_option))) {
            log_fatal( mtx("No group with GID %d found."), $gid_option);
            exit( RET_OBJECT_DOES_NOT_EXIST );
        }
    } else {
        # A group named after the user is created too; it is looked up
        # with the requested UID as its GID.
        log_trace( "make_group_also 1, new_name %s, new_uid %s", $new_name, $new_uid );
        if( !$system || !existing_group_status($new_name, $new_uid) ) {
            if (defined egetgrnam($new_name)) {
                log_fatal( mtx("The group `%s' already exists."),$new_name );
                exit( RET_OBJECT_EXISTS );
            }
            if (defined($new_uid) && defined(getgrgid($new_uid))) {
                log_fatal( mtx("The GID %d is already in use."),$new_uid );
                exit( RET_ID_IN_USE );
            }
        }
    }
    log_debug( "return from check_user_group" );
}
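# copy_to_dir: copy one entry (symlink, regular file or directory) from a
# source directory into a target directory and hand it to the new owner
# parameters:
#   fromdir: directory the entry is copied from
#   file   : path of the entry, relative to both fromdir and todir
#   todir  : directory the entry is created in
#   newu   : numeric UID that will own the copy
#   newg   : numeric GID that will own the copy
#   sgiddir: true if copied directories should get the setgid bit
# return values:
#   none; every failure is logged and handed to cleanup(), which exits
# NOTE(review): regular files and directories are created with the IDs this
# program runs under and are chown()ed afterwards; open() and chown() both
# follow symlinks, so this relies on nothing else writing below todir while
# the copy runs - confirm with the callers.
sub copy_to_dir {
    my ($fromdir, $file, $todir, $newu, $newg, $sgiddir) = @_;
    my $src = "$fromdir/$file";
    my $dst = "$todir/$file";
    log_trace("copy_to_dir fromdir: %s", $fromdir);
    log_trace("copy_to_dir file: %s", $file);
    if (-l $src) {
        my $target = sanitize_string(readlink($src), pathre);
        if (!$target) {
            log_err( "readlink: %s", $! );
            cleanup();
        }
        # Create the link under the new owner's effective IDs. The group
        # is switched first and restored last, while the effective UID is
        # still the original one.
        my $saved_egid = "$)";
        my $saved_euid = "$>";
        my $error = "";
        $) = "$newg";
        $> = "$newu";
        symlink($target, $dst) or $error = "$!";
        $> = $saved_euid;
        $) = $saved_egid;
        if ($error ne "") {
            # Report the text captured right at the failed symlink(); $!
            # may have changed while the IDs were restored.
            log_err( "symlink: %s", $error );
            cleanup();
        }
        return;
    } elsif (-f $src) {
        my $in_fh;
        my $out_fh;
        if (!open($in_fh, q{<}, $src)) {
            log_err( "open %s/%s: %s", $fromdir, $file, $! );
            cleanup();
        }
        if (!open($out_fh, q{>}, $dst)) {
            log_err( "open >%s/%s: %s", $todir, $file, $! );
            cleanup();
        }
        if (!print {$out_fh} (<$in_fh>)) {
            log_err( "print %s/%s: %s", $todir, $file, $! );
            cleanup();
        }
        close($in_fh);
        # Buffered write errors only surface at close.
        if (!close($out_fh)) {
            log_err( "close %s/%s: %s", $todir, $file, $! );
            cleanup();
        }
    } elsif (-d $src) {
        if (! -d $dst) {
            # The mode must be octal: a bare 700 is decimal (01274) and
            # would leave the directory group-writable until the chmod
            # below has run.
            if (!mkdir($dst, oct(700))) {
                log_err( "mkdir: %s/%s: %s", $todir, $file, $! );
                cleanup();
            }
        }
    } else {
        log_err( mtx("%s/%s is neither a dir, file, nor a symlink."), $fromdir, $file );
        cleanup();
    }
    if (!chown($newu, $newg, $dst)) {
        log_err( "chown %s:%s %s/%s: %s", $newu, $newg, $todir, $file, $! );
        cleanup();
    }
    # Carry the permission bits over from the source entry.
    my @src_stat = stat($src);
    if (!@src_stat) {
        log_err( "stat %s/%s: %s", $fromdir, $file, $! );
        cleanup();
    }
    # $perm is not declared in this sub; it is a variable from outside it.
    $perm = $src_stat[2] & oct(7777);
    # Only directories whose source carries the group-execute bit are
    # made setgid.
    if (-d $src && ($perm & oct(10)) && $sgiddir) {
        $perm |= oct(2000);
    }
    if (!chmod($perm, $dst)) {
        log_err( "chmod %s/%s: %s", $todir, $file, $! );
        cleanup();
    }
}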
# sanitize_name: run a name through a fixed series of checks and return an
# untainted copy of it
# parameters:
# name: the name to check
# return values:
# the sanitized and untainted name, available to use
# "" if even the final fallback pattern does not match
# Most rejections do not return at all: they log an error and exit with
# RET_INVALID_CHARS_IN_NAME.
sub sanitize_name {
my ($name) = @_;
# The configurable pattern is sys_name_regex when $found_sys_opt is set
# and name_regex otherwise.
my $name_regex_var = $found_sys_opt ? 'SYS_NAME_REGEX' : 'NAME_REGEX';
my $name_regex = $config{lc $name_regex_var};
log_trace("sanitize name %s called. name_regex_var %s, name_regex %s, Now testing all numeric. ", $name, $name_regex_var, $name_regex);
if ($name =~ qr/^-?[\d]+$/) {
# this check cannot be turned off
log_err( mtx("To avoid ambiguity with numerical UIDs, usernames which
resemble numbers or negative numbers are not allowed.") );
exit( RET_INVALID_CHARS_IN_NAME );
}
log_trace("sanitize_name testing single or double period");
if ( $name =~ qr/^\.\.?$/ ) {
# this check cannot be turned off
log_err( mtx("Usernames must not be a single or a double period.") );
exit( RET_INVALID_CHARS_IN_NAME );
}
log_trace("sanitize_name testing > 32 chars");
# The limit applies to the length of the name after encode($charset, ...),
# not to the number of characters typed.
if (length( encode($charset, $name) ) > 32) {
# this check cannot be turned off
log_err( mtx("Usernames must be no more than 32 bytes in length.") );
exit( RET_INVALID_CHARS_IN_NAME );
}
log_trace("sanitize_name testing %s against insane chars %s", $name, def_min_regex);
if ($name !~ def_min_regex) {
# this check cannot be turned off
log_err( mtx("To avoid problems, the username must not start with a
dash, plus sign, or tilde, and it must not contain any of the
following: colon, comma, slash, or any whitespace characters
including spaces, tabs, and newlines.") );
exit( RET_INVALID_CHARS_IN_NAME );
}
log_trace("sanitize_name checking %s against %s (%s)", $name, $name_regex, $name_regex_var);
# The script runs under -T, and returning the capture is what untaints the
# name. $1 holds only what the configured pattern matched.
# NOTE(review): if that pattern were not anchored at both ends, $1 could be
# a substring of $name - confirm that the shipped patterns are anchored.
if ($name =~ qr/($name_regex)/) {
log_trace("sanitize_name passed. returning %s", $1);
return $1;
};
# From here on the name has failed the configured pattern.
log_trace("sanitize_name checking %s ieee_regex %s", $name, def_ieee_name_regex);
# A name outside the IEEE pattern is refused unless $name_check_level is
# at least 2 (presumably set by --allow-all-names, going by the message).
if ($name !~ def_ieee_name_regex && $name_check_level < 2) {
log_err( mtx("To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and
not start with a dash (as defined by IEEE Std 1003.1-2001). For
compatibility with Samba machine accounts, \$ is also supported
at the end of the username. (Use the `--allow-all-names' option
to bypass this restriction.)") );
exit( RET_INVALID_CHARS_IN_NAME );
}
# Any non-zero check level lets the name through; level 0 refuses it.
if ($name_check_level) {
log_info( mtx("Allowing use of questionable username.") );
} else {
log_err( mtx("Please enter a username matching the regular expression
configured via the %s configuration variable. Use the
`--allow-bad-names' option to relax this check or reconfigure
%s in configuration."), $name_regex_var, $name_regex_var );
exit( RET_INVALID_CHARS_IN_NAME );
}
# Last resort: untaint through the capture of the anynamere pattern.
log_trace("sanitize_name checking %s against %s", $name, anynamere);
if ($name =~ anynamere) {
log_trace("sanitize_name passed. returning %s", $1);
return $1;
};
log_fatal("sanitize_name failed. invalid user name %s", $name);
return "";
}
# first_avail_uid: pick a free UID
# parameters:
#   min, max: the inclusive range to search
#   pool_id : UID suggested from the pool; when defined, only this value
#             is considered and the range is not searched
# return values:
#   -1 if no free UID is available
#   otherwise the chosen UID
sub first_avail_uid {
    my ($min, $max, $pool_id) = @_;
    if (defined($pool_id)) {
        # A pool suggestion is all or nothing.
        return defined(getpwuid($pool_id)) ? -1 : $pool_id;
    }
    log_info( mtx("Selecting UID from range %d to %d ...\n"),$min,$max);
    for (my $candidate = $min; $candidate <= $max; $candidate++) {
        # Skip IDs reserved in the UID pool and IDs already in use.
        next if exists($reserved_uid_pool{$candidate});
        next if defined(getpwuid($candidate));
        return $candidate;
    }
    return -1; # nothing available
}
# first_avail_gid: pick a free GID
# parameters:
#   min, max: the inclusive range to search
#   pool_id : GID suggested from the pool; when defined, only this value
#             is considered and the range is not searched
# return values:
#   -1 if no free GID is available
#   otherwise the chosen GID
sub first_avail_gid {
    my ($min, $max, $pool_id) = @_;
    if (defined($pool_id)) {
        # A pool suggestion is all or nothing.
        return defined(getgrgid($pool_id)) ? -1 : $pool_id;
    }
    log_info( mtx("Selecting GID from range %d to %d ..."),$min,$max);
    for (my $candidate = $min; $candidate <= $max; $candidate++) {
        # Skip IDs reserved in the GID pool and IDs already in use.
        next if exists($reserved_gid_pool{$candidate});
        next if defined(getgrgid($candidate));
        return $candidate;
    }
    return -1; # nothing available
}
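# first_avail_uid_gid: pick an ID that is free both as a UID and as a GID
# parameters:
#   min, max: the inclusive range to search
#   pool_id : ID suggested from the pool; when defined, only this value
#             is considered and the range is not searched
# return values:
#   -1 if no free ID is available
#   otherwise the chosen ID
sub first_avail_uid_gid {
    my ($min, $max, $pool_id) = @_;
    if (defined($pool_id)) {
        # The suggested ID must be unused as a GID and as a UID, matching
        # what the range search below requires. Testing only the group
        # side could hand back an ID that already belongs to a user.
        return $pool_id
            if (!defined(getgrgid($pool_id)) && !defined(getpwuid($pool_id)));
        return -1;
    }
    log_info( mtx("Selecting UID/GID from range %d to %d ..."), $min, $max );
    for (my $candidate = $min; $candidate <= $max; $candidate++) {
        # Skip IDs reserved in either pool and IDs used by a group or user.
        next if exists($reserved_uid_pool{$candidate});
        next if exists($reserved_gid_pool{$candidate});
        next if defined(getgrgid($candidate));
        next if defined(getpwuid($candidate));
        return $candidate;
    }
    return -1; # nothing available
}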
# ch_comment: set the comment field of an account by running usermod -c
# parameters:
#   name   : the account to change
#   comment: the new comment text
# The comment is untainted unconditionally through a capture that refuses
# control characters (0x00-0x1F, 0x7F) and colons. Any further checking is
# left to usermod, which receives the text as its own list argument.
sub ch_comment {
    my ($name, $comment) = @_;
    my $usermod = &which('usermod');
    my ($clean_comment) = $comment =~ m/^([^\x00-\x1F\x7F:]*)$/;
    if (defined($clean_comment)) {
        systemcall($usermod, '-c', $clean_comment, $name);
    } else {
        log_fatal("unconditional sanitize of comment failed. This should not happen.");
    }
}
# user_is_member: tell whether a user is listed as a member of a group
# parameters:
#   user : the user name to look for
#   group: the group whose member list is searched
# return values:
#   1 if user appears in the space-separated fourth field of the entry
#     returned by egetgrnam
#   0 otherwise
sub user_is_member {
    my ($user, $group) = @_;
    my $member_field = (egetgrnam($group))[3];
    my @members = split(/ /, $member_field);
    return (grep { $user eq $_ } @members) ? 1 : 0;
}
# cleanup: undo what this run has created so far, then abort
# A step runs only if its file-level marker ($undohome, $undouser,
# $undogroup) is set. The order is home directory, user, group.
# Never returns: the program exits with RET_ADDUSER_ABORTED.
sub cleanup {
    my @undo_steps = (
        [ \$undohome, sub {
            log_info( mtx("Removing directory `%s' ..."), $undohome);
            systemcall('rm', '-rf', $undohome);
        } ],
        [ \$undouser, sub {
            log_info( mtx("Removing user `%s' ..."), $undouser);
            systemcall('userdel', $undouser);
        } ],
        [ \$undogroup, sub {
            log_info( mtx("Removing group `%s' ..."), $undogroup);
            systemcall('groupdel', $undogroup);
        } ],
    );
    for my $step (@undo_steps) {
        my ($marker, $undo) = @{$step};
        # Each marker is read only when its turn comes.
        $undo->() if ${$marker};
    }
    exit( RET_ADDUSER_ABORTED );
}
# handler: signal handler; logs which signal arrived and then rolls back
# through cleanup(), which exits
# parameters:
#   sig: the signal name without its SIG prefix
sub handler {
    my $sig = shift;
    # Translators: the variable %s is INT, QUIT, or HUP.
    # Please do not insert a space character between SIG and %s.
    log_err( mtx( "Caught a SIG%s." ), $sig );
    cleanup();
}
# version: print the program version, a pointer to the copyright file and
# the GPL notice on standard output
# parameters:
# none
# Each text is passed through gtx() before printing. The version number is
# the file-level $version.
sub version {
printf( gtx("adduser version %s\n\n"), $version );
print( gtx("Adds a user or group to the system.
For detailed copyright information, please refer to
/usr/share/doc/adduser/copyright.
\n") );
print( gtx(
"This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License, /usr/share/common-licenses/GPL, for more details.
") );
}
# usage: print the command-line synopsis for every mode of adduser and
# addgroup on standard output
# parameters:
# none
# The text returned by gtx() is used as the printf format with no further
# arguments, so a '%' in that text would be read as a format directive.
sub usage {
printf( gtx(
"adduser [--uid id] [--firstuid id] [--lastuid id]
[--gid id] [--firstgid id] [--lastgid id] [--ingroup group]
[--add-extra-groups] [--shell shell]
[--comment comment] [--home dir] [--no-create-home]
[--allow-all-names] [--allow-bad-names]
[--disabled-password] [--disabled-login]
[--conf file] [--quiet] [--verbose] [--debug]
user
Add a regular user
adduser --system
[--uid id] [--group] [--ingroup group] [--gid id]
[--shell shell] [--comment comment] [--home dir] [--no-create-home]
[--conf file] [--quiet] [--verbose] [--debug]
user
Add a system user
adduser --group
[--gid ID] [--firstgid id] [--lastgid id]
[--conf file] [--quiet] [--verbose] [--debug]
group
addgroup
[--gid ID] [--firstgid id] [--lastgid id]
[--conf file] [--quiet] [--verbose] [--debug]
group
Add a user group
addgroup --system
[--gid id]
[--conf file] [--quiet] [--verbose] [--debug]
group
Add a system group
adduser USER GROUP
Add an existing user to an existing group\n") );
}
# usage_error: print the usage summary, then exit with RET_INVALID_CALL
sub usage_error {
    usage();
    exit( RET_INVALID_CALL );
}
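# get_dir_mode: return the permissions mode for a new home directory
# parameters:
#   none; reads $found_sys_opt and the configuration keys sys_dir_mode,
#   dir_mode and setgid_home
# return value:
#   the mode as a number, ready to be passed to chmod()
# The configured value is used only if it is exactly three or four octal
# digits. Anything else falls back to 755 for system users and 0700 for
# regular users. The setgid bit is added when setgid_home contains "yes".
sub get_dir_mode
{
    my $setgid = $config{"setgid_home"} =~ /yes/i;
    my $mode = $found_sys_opt
        ? $config{"sys_dir_mode"}
        : $config{"dir_mode"};
    # The whole string has to be octal digits. An unanchored match would
    # accept values such as "0x755", which oct() reads as hexadecimal and
    # which would set bits nobody asked for.
    if (!defined($mode) || $mode !~ /\A[0-7]{3,4}\z/) {
        $mode = ($found_sys_opt) ? "755" : "0700";
    }
    my $mode_bits = oct($mode);
    # OR-ing leaves the mode unchanged if the setgid bit is already set.
    $mode_bits |= oct(2000) if $setgid;
    return $mode_bits;
}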
# Local Variables:
# mode:cperl
# cperl-indent-level:4
# End:
# vim: tabstop=4 shiftwidth=4 expandtab