2 # $Id: sync-accounts,v 1.17 2001-03-06 18:35:09 ian Exp $
4 # Copyright (C)1999-2000 Ian Jackson <ian@davenant.greenend.org.uk>
5 # Copyright (C)2000-2001 nCipher Corporation Ltd
7 # This is free software; you can redistribute it and/or modify it under
8 # the terms of the GNU General Public License as published by the Free
9 # Software Foundation; either version 2, or (at your option) any later
12 # This is distributed in the hope that it will be useful, but WITHOUT
13 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 # You should already have a copy of the GNU General Public License.
18 # If not, write to the Free Software Foundation, Inc., 59 Temple
19 # Place - Suite 330, Boston, MA 02111-1307, USA.
21 # usage: sync-accounts [-n] [-C<config-file>] [<host> ...]
23 # -n do not really do anything
24 # -C alternative config file (default is /etc/sync-accounts)
25 # -q display accounts synched, not synched, etc.
26 # if no host(s) specified, does all
27 # host(s) may not be specified with -q
29 # The config file consists of directives, one per line. Leading and
30 # trailing whitespace, blank lines and lines starting # are ignored.
32 # Some config file directives apply globally and should appear first:
34 # lockpasswd link <suffix/filename>
35 # lockgroup link <suffix/filename>
36 # Specifies the lockfile suffix or pathname to use when editing
37 # the passwd and group files. The value is a suffix if it does
38 # not start with `/'. If set to /dev/null no locking is done.
40 # lockpasswd runvia <program>
41 # lockgroup runvia <program>
42 # Lock by reinvoking ourselves via a program as EDITOR.
43 # (<program> would typically be vipw or vigr.)
50 # Append log messages to <filename> instead of stdout.
51 # Errors still go to stderr.
54 # Specifies the local password file is in the relevant format:
55 # `std' is the standard V7 password file (with a SysV- style
56 # /etc/shadow if one is detected at run-time); `bsd' is the weird
57 # BSD4.4 master.passwd format, and should be used only with
58 # `lockpasswd runvia vipw'. The default is `std'.
60 # Some config file directives set options which may be different at
61 # different points in the file. The most-recently-seen value is used
67 # When an account is to be created, a uid/gid will be chosen
68 # which is one higher than the highest currently in use (except
69 # that ids outside the range <min>-<max> are ignored and will
70 # never be used). The default home directory location is
71 # <pathname>/<username>.
75 # Specifies whether uids are supposed to match. The default is
76 # nosameuid. When sameuid is on, it is an error for the uid or
77 # gid of a local account not to match the corresponding remote
78 # account, and new local accounts will get the remote accounts'
84 # Specifies whether local accounts are supposed to have
85 # corresponding groups, or all be part of a particular group. If
86 # usergroups is set, when a new account is created, the
87 # corresponding per-user group will be created as well, and
88 # per-user groups are created for existing accounts if necessary
89 # (if account creation is enabled). If the gid or group name for
90 # a per-user group is already taken for a different group name or
91 # gid this will be logged, and processing of that account will be
92 # inhibited, but it is not a fatal error. If defaultgid is used,
93 # then newly-created accounts will be made a part of that group,
94 # and the groups of existing accounts will be left alone. If
95 # nousergroups is specified then no new accounts can be created,
96 # and existing accounts' groups will be left alone. The default
100 # createuser <commandname>
102 # Specifies whether accounts found on the remote host should be
103 # created if necessary, and what command to run to do the
104 # creation (eg, setup of home directory). The default is
105 # nocreateuser. If createuser is specified without a commandname
106 # then sync-accounts-createuser is used. The command is found on
107 # the PATH if necessary. Either sameuid, or both uidmin and
108 # uidmax, must be specified, if accounts are to be created.
110 # The command (which will be run with sh -c) must at least create
111 # the new account's home directory. The passwd and group entries
112 # will not have been set up. The following environment variables
113 # will be set, giving details about the account to be created:
114 # SYNCUSER_CREATE_USER
115 # SYNCUSER_CREATE_UID
116 # SYNCUSER_CREATE_GID
117 # SYNCUSER_CREATE_COMMENT
118 # SYNCUSER_CREATE_HOME
119 # SYNCUSER_CREATE_SHELL
120 # If it chooses, the script may modify the password entry which
121 # will be added to the system, by outputting a replacement
122 # password file entry. (The password field of that is ignored.)
123 # If the script outputs a line which does not contain a : then
124 # the account will not be created after all.
126 # group <glob-pattern>
127 # nogroup <glob-pattern>
128 # Specifies that the membership of the local groups specified
129 # should be adjusted or not adjusted whenever account data for a
130 # particular user is copied, so that the account will be a member
131 # of the affected group locally iff it is a member of the same
132 # group on the remote host. The most recently-encountered
133 # glob-pattern for a particular group takes effect. The default
136 # defaultshell <pathname>
137 # If, when creating an account, the remote account's shell is not
138 # available on the local system, this value will be used. The
139 # default is /bin/sh.
141 # Some config file directives are per-host, and should appear before
142 # any directives which actually modify accounts:
144 # host <shorthostname>
145 # Starts a host's section. This resets the per-host parameters
146 # to the defaults. The shorthostname need not be the host's
147 # official name in any sense. If sync-accounts is invoked with
148 # host names on the command line they are compared with the
151 # getpasswd <command>
153 # Commands to run on the local host to get the passwd, shadow and
154 # group data for the host in question. getpasswd must be
155 # specified if user data is to be transferred; getgroup must be
156 # specified if group data is to be transferred.
158 # getshadow <command>
159 # Specifies that shadow file data is to be used (by default,
160 # password information is found from the output of getpasswd).
161 # The command should emit shadow data in the format specified by
162 # shadow(5) on Linux. getshadow should not be specified without
165 # remoteformat std|bsd
166 # Specifies the format of the output of `getpasswd'. `std' is
167 # standard V7 passwd file format (optionally augmented by the use
168 # of a shadow file fetched with getshadow). `bsd' is the weird
169 # BSD4.4 master.passwd format (and getshadow should not normally
170 # be used with `remoteformat bsd'). The default is `std'.
172 # Some configuration file directives specify that account data is to
173 # transferred from the current host. They should appear as the last
174 # thing(s) in a host section:
176 # user <username> [remote=<remoteusername>]
177 # Specifies that account data should be copied for local user
178 # <username> from the remote account <remoteusername> (assumed to
179 # be the same as <username> if not specified). The account
180 # password, comment field, and shell will be copied
181 # unconditionally. If sameuid is specified the uid will be
184 # users <ruidmin>-<ruidmax>
185 # Specifies that all remote users whose uid is in the given range
186 # are to be copied to corresponding local user accounts.
189 # Specifies that data for <username> is _not_ to be copied, even
190 # if subsequent user or users directives suggest that it should
193 # (A note is made when a `user', `users' or `nouser' directive is
194 # encountered for a particular account, and no subsequent directives
195 # for that account will take effect.)
198 # This directive has no effect on `sync-accounts'. However, it
199 # is used as a placeholder by `grab-account': new accounts for
200 # creation are inserted just before `addhere'.
202 # Finally, the config file must finish with:
208 $configfile= '/etc/sync-accounts';
209 $def_createuser= 'sync-accounts-createuser';
210 $ch_homebase= '/home';
211 $ch_defaultshell= '/bin/sh';
212 $defaultgid= -1; # -1 => usergroups; -2 => nousergroups
213 @groupglobs= [ '.*', 0 ];
216 $file{'passwd','std'}= 'passwd';
217 $file{'shadow','std'}= 'shadow';
218 $file{'group','std'}= 'group';
220 $file{'passwd','bsd'}= 'master.passwd';
221 $file{'shadow','bsd'}= 'shadow-non-existent';
222 $file{'group','bsd'}= 'group';
224 @fields_pw_std= qw(USER PW UID GID COMMENT HOME SHELL);
225 @fields_pw_bsd= qw(USER PW UID GID CLASS CHANGE EXPIRE COMMENT HOME SHELL);
226 fields_fmt('PW','std');
227 fields('GR',qw(GROUP PW GID USERS));
228 fields('SP',qw(USER PW DAYSCHGD DAYSFIX DAYSEXP DAYSWARN DAYSEXPDIS DAYSDISD RESERVED));
229 # The name field had better always be field 0 !
232 foreach $x (@unlocks) {
233 ($fn, $style, $arg) = @$x;
234 &{ "unlock_$style" } ( $fn,$arg );
241 foreach $v (@l) { $vn= "${pfx}_$v"; $$vn = $i++; }
242 $vn= "${pfx}_fields"; $$vn= $i;
245 sub fields_fmt ($$) {
248 $vn= "fields_pw_$fmt";
249 die "unknown format $fmt\n" unless defined @$vn;
251 $vn= "${pfx}_format";
256 my ($pfx,$name,@field_val_list) = @_;
257 my (@rv, $vn, $fn, $v, $i);
259 $vn= "${pfx}_fields";
260 for ($i=0; $i<$$vn; $i++) { $rv[$i]= ''; }
261 die "@field_val_list ?" if @field_val_list % 2;
263 while (@field_val_list) {
264 ($fn,$v,@field_val_list) = @field_val_list;
266 #print STDERR ">$fn|$v|$vn|$$vn<\n";
273 $cdays= int(time/86400);
275 @envs_createuser= qw(USER UID GID COMMENT HOME SHELL);
277 if (@ARGV == 1 && length $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'}) {
279 s/\%([0-9a-f][0-9a-f])/ pack("C", hex $1) /ge;
281 } split(/\:/, $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'});
282 delete $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'};
284 $ENV{"SYNC_ACCOUNTS_RUNVIA_LOCKEDGOT_$ta"} = $ARGV[0];
290 while ($ARGV[0] =~ m/^-/) {
302 die "unknown option $_\n";
306 die "hosts must not be specified with -q\n" if @ARGV && $display;
308 for $h (@ARGV) { $wanthost{$h}= 1; }
310 open CF,"< $configfile" or die "$configfile: $!";
312 sub fetchfile (\%$) {
313 my ($ary_ref,$get_str) = @_;
316 open G,"$get_str" or die "$get_str: $!";
319 m/^([^:]+)\:/ or die "$ch_name: $get_str:$.: $_ ?\n";
320 $ary_ref->{$1}= [ split(/\:/,$_,-1) ];
322 close G; $? and die "$ch_name: $get_str: exit code $?\n";
325 sub lockstyle_ ($$) {
328 die "$configfile:$.: locking mechanism for $fn not".
329 " defined (use lockpasswd/lockgroup)\n";
336 $lock= "$fn$lock" unless $lock =~ m,^/,;
340 sub lock_none ($$) { return (abslock(@_))[0]; }
341 sub unlock_none ($$) { }
344 my ($fn,$lock) = abslock(@_);
345 link $fn,$lock or die "cannot lock $fn by creating $lock: $!\n";
348 sub unlock_link ($$) {
349 my ($fn,$lock) = abslock(@_);
350 unlink $lock or warn "unable to unlock by removing $lock: $!\n";
353 sub lock_runvia ($$) {
356 $evn= "SYNC_ACCOUNTS_RUNVIA_LOCKEDGOT_$fn";
357 return $ENV{$evn} if exists $ENV{$evn};
360 s/\W/ sprintf("%%%02x", unpack("C", $&)) /ge;
363 $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'}= join(":", @na);
365 delete $ENV{'VISUAL'};
366 exec $lock; die "cannot lock $fn by executing $lock: $!\n";
368 sub unlock_runvia ($$) { }
370 sub fetchownfile (\@$$$$) {
371 my ($ary_ref,$fn_str,$nfields,$style,$lock_arg) = @_;
372 my ($fn_use, $record, $fn_emsg);
375 $fn_use= &{ "lock_$style" } ($fn_str, $lock_arg);
376 push @unlocks, [ $fn_str, $style, $lock_arg ];
377 $savebackto{$fn_str}= $fn_use;
379 $fn_use= $fn_emsg= "/etc/".$file{$fn_str,$PW_format};
381 open O,"$fn_use" or die "$fn_use ($fn_str): $!";
384 $record= [ split(/\:/,$_,-1) ];
385 die "$fn_emsg:$.:wrong number of fields:\`$_'\n"
386 unless @$record == $nfields;
387 push @$ary_ref, $record;
389 close O or die "$fn_use ($fn_str): $!";
393 print "$diagstr: $_[0]\n" or die $!;
396 sub regroupglobs () {
397 $nogroups= (@groupglobs == 1 &&
398 $groupglobs[0]->[0] eq '.*' &&
399 !$groupglobs[0]->[1]);
400 $ggfunc= "sub wantsyncgroup {\n \$_= \$_[0];\n return\n";
401 for $g (@groupglobs) { $ggfunc.= " m/^$g->[0]\$/ ? $g->[1] :\n"; }
402 $ggfunc.= " die;\n};\n1;\n";
403 #print STDERR "$ggfunc\n";
404 eval $ggfunc or die "$ggfunc // $@";
408 if (!$own_fetchedpasswd) {
409 #print STDERR ">$PW_fields<\n";
410 fetchownfile(@ownpasswd,'passwd',
411 $PW_fields, $ch_lockstyle_passwd, $ch_lock_passwd);
412 $shadowfile= $file{'shadow',$PW_format};
413 if (stat("/etc/$shadowfile")) {
415 $own_fetchedshadow= 1;
416 fetchownfile(@ownshadow,'shadow',$SP_fields,'none','');
417 } elsif ($! == &ENOENT) {
420 die "unable to check for /etc/$shadowfile: $!\n";
422 $own_fetchedpasswd= 1;
424 if (!$own_fetchedgroup) {
425 fetchownfile(@owngroup,'group',$GR_fields,
426 $ch_lockstyle_group, $ch_lock_group);
427 $own_fetchedgroup= 1;
429 #print STDERR "fetchown() -> $#ownpasswd $#owngroup\n";
433 my ($useuid,$foruser) = @_;
434 for $e (@ownpasswd) {
435 if ($e->[$PW_USER] ne $foruser && $e->[$PW_UID] == $useuid) {
436 diag("uid clash with $e->[$PW_USER] (uid $e->[$PW_UID])");
443 sub copyfield ($$$$) {
444 my ($file,$entry,$field,$value) = @_;
445 eval "\$ary_ref= \\\@own$file; 1;" or die $@;
446 #print STDERR "copyfield($file,$entry,$field,$value)\n";
448 #print STDERR "copyfield($file,$entry,$field,$value) $e->[0] $e->[field] ".join(':',@$e)."\n";
449 next unless $e->[0] eq $entry;
450 next if $e->[$field] eq $value;
451 $e->[$field]= $value;
452 eval "\$modified$file= 1; 1;" or die $@;
457 return if $ch_fetchedpasswd;
458 die "$configfile:$.: getpasswd not specified for host $ch_name\n"
459 unless length $ch_getpasswd;
461 fetchfile(%rempasswd,"$ch_getpasswd |");
462 if (length $ch_getshadow) {
463 fetchfile(%remshadow,"$ch_getshadow |");
464 for $k (keys %rempasswd) {
465 $rempasswd{$k}->[$REM_PW]= 'xx' unless length $rempasswd{$k}->[$REM_PW];
467 for $k (keys %remshadow) {
468 next unless exists $rempasswd{$k};
469 $rempasswd{$k}->[$REM_PW]= $remshadow{$k}->[$SP_PW];
472 $ch_fetchedpasswd= 1;
476 return if $ch_fetchedgroup;
477 die "$configfile:$.: getgroup not specified for host $ch_name\n"
478 unless length $ch_getgroup;
479 fetchfile(%remgroup,"$ch_getgroup |");
483 sub syncusergroup ($$) {
486 return 1 if $defaultgid != -1;
487 #print STDERR "syncusergroup($lu,$luid)\n";
491 $samename= $e->[$GR_GROUP] eq $lu;
492 $sameid= $e->[$GR_GID] eq $luid;
493 next unless $samename || $sameid;
494 if (!$samename || !$sameid) {
495 diag("local group $e->[$GR_GROUP] ($e->[$GR_GID]) mismatch vs.".
496 " local user $lu ($luid)");
500 diag("per-user group $lu ($luid) duplicated");
506 return 1 if $ugfound;
508 if (!length $opt_createuser) {
509 diag("account creation not enabled, not creating per-user group");
512 push @owngroup, [ newentry('GR', $lu,
521 return if $hostheaddone eq $th;
522 print "\n\n" or die $! if length $hostheaddone;
523 print "==== $th ====\n" or die $!;
531 #print STDERR "syncuser($lu,$ru)\n";
532 return if $doneuser{$lu}++;
533 next unless $ch_doinghost;
534 return if !length $ru;
539 for $e (@ownpasswd) {
540 next unless $e->[$PW_USER] eq $lu;
541 hosthead("from $ch_name");
542 print ($lu eq $ru ? " $lu" : " $lu($ru)") or die $!;
543 print "<DUPLICATE>" if $displaydone{$lu}++;
548 $diagstr= "user $lu from $ch_name!$ru";
550 #print STDERR "syncuser($lu,$ru) doing\n";
553 if (!$rempasswd{$ru}) { diag("no remote entry"); return; }
554 if (length $ch_getshadow && exists $remshadow{$ru} &&
555 length $remshadow{$ru}->[$SP_DAYSDISD]) {
556 diag("remote account disabled in shadow");
560 if (!grep($_->[$PW_USER] eq $lu, @ownpasswd)) {
561 if (!length $opt_createuser) { diag("account creation not enabled"); return; }
562 if ($no_act) { diag("-n specified; not creating account"); return; }
565 $useuid= $rempasswd{$ru}->[$REM_UID];
566 $usegid= $rempasswd{$ru}->[$REM_GID];
568 die "nousergroups specified, cannot create users\n" if $defaultgid==-2;
569 length $ch_uidmin or die "no uidmin specified, cannot create users\n";
570 length $ch_uidmax or die "no uidmax specified, cannot create users\n";
571 $ch_uidmin<$ch_uidmax or die "uidmin>=uidmax, cannot create users\n";
574 for $e ($defaultgid==-1 ? (@ownpasswd, @owngroup) : (@ownpasswd)) {
575 $tuid= $e->[$PW_UID]; next if $tuid<$useuid || $tuid>$ch_uidmax;
576 if ($tuid==$ch_uidmax) {
577 diag("uid (or gid?) $ch_uidmax used, cannot create users");
582 $usegid= $defaultgid==-1 ? $useuid : $defaultgid;
585 @newpwent= newentry('PW', $lu,
589 'COMMENT', $rempasswd{$ru}->[$REM_COMMENT],
590 'HOME', "$ch_homebase/$lu",
591 'SHELL', $ch_defaultshell);
593 defined($c= open CU,"-|") or die $!;
596 defined($c2= open STDIN,"-|") or die $!;
598 print STDOUT join(':',@newpwent),"\n" or die $!;
601 for ($i=0; $i<@envs_createuser; $i++) {
602 $vn= "PW_$envs_createuser[$i]";
603 #print STDERR ">$i|$vn|$$vn|$newpwent[$$vn]<\n";
604 $ENV{"SYNCUSER_CREATE_$envs_createuser[$i]"}= $newpwent[$$vn];
606 exec $opt_createuser; die "$configfile:$.: ($lu): $opt_createuser: $!\n";
609 close CU; $? and die "$configfile:$.: ($lu): $opt_createuser: code $?\n";
611 if (length $newpwent) {
612 if ($newpwent !~ m/\:/) { diag("creation script demurred"); return; }
613 @newpwent= split(/\:/,$newpwent,-1);
615 die "$opt_createuser: bad result: \`".join(':',@newpwent)."\'\n"
616 if @newpwent != $PW_fields or $newpwent[$PW_USER] ne $lu;
617 checkuid($newpwent[$PW_UID],$lu) or return;
618 if ($own_haveshadow) {
619 push @ownshadow, [ newentry('SP', $lu,
627 syncusergroup($lu,$newpwent[$PW_UID]) or return;
628 push @ownpasswd,[ @newpwent ];
632 for $e (@ownpasswd) {
633 next unless $e->[$PW_USER] eq $lu;
634 syncusergroup($lu,$e->[$PW_UID]) or return;
637 $ruid= $rempasswd{$ru}->[$REM_UID];
638 $rgid= $rempasswd{$ru}->[$REM_GID];
639 if ($opt_sameuid && checkuid($ruid,$lu)) {
640 for $e (@ownpasswd) {
641 next unless $e->[$PW_USER] eq $lu;
642 $luid= $e->[$PW_UID]; $lgid= $e->[$PW_GID];
643 die "$diagstr: local uid $luid, remote uid $ruid\n" if $luid ne $ruid;
644 die "$diagstr: local gid $lgid, remote gid $rgid\n" if $lgid ne $rgid;
648 #print STDERR "syncuser($lu,$ru) exists $own_haveshadow\n";
649 if ($own_haveshadow && grep($_->[$PW_USER] eq $lu, @ownshadow)) {
650 #print STDERR "syncuser($lu,$ru) shadow $rempasswd{$ru}->[$REM_PW]\n";
651 copyfield('shadow',$lu,$SP_PW, $rempasswd{$ru}->[$REM_PW]);
653 #print STDERR "syncuser($lu,$ru) passwd $rempasswd{$ru}->[$REM_PW]\n";
654 copyfield('passwd',$lu,$PW_PW, $rempasswd{$ru}->[$REM_PW]);
656 copyfield('passwd',$lu,$PW_COMMENT, $rempasswd{$ru}->[$REM_COMMENT]);
658 $newsh= $rempasswd{$ru}->[$REM_SHELL];
659 $oksh= $checkedshell{$newsh};
660 if (!length $oksh) { $checkedshell{$newsh}= $oksh= (-x $newsh) ? 1 : 0; }
661 copyfield('passwd',$lu,$PW_SHELL, $newsh) if $oksh;
665 $tgroup= $e->[$GR_GROUP];
666 #print STDERR "syncuser($lu,$ru) group $tgroup\n";
667 next unless &wantsyncgroup($tgroup);
668 #print STDERR "syncuser($lu,$ru) group $tgroup yes\n";
670 if (!exists $remgroup{$tgroup}) {
671 diag("group $tgroup: not on remote host");
674 $inremote= grep($_ eq $ru, split(/\,/,$remgroup{$tgroup}->[$GR_USERS]));
675 $cusers= $e->[$GR_USERS]; $inlocal= grep($_ eq $lu, split(/\,/,$cusers));
676 if ($inremote && !$inlocal) {
677 $cusers.= ',' if length $cusers;
679 } elsif ($inlocal && !$inremote) {
680 $cusers= join(',', grep($_ ne $lu, split(/\,/, $cusers)));
684 $e->[$GR_USERS]= $cusers;
691 return if $bannerdone;
692 print "\n" or die $!; system 'date'; $? and die $?;
697 for $h (keys %wanthost) {
698 die "host $h not in config file\n" if $wanthost{$h};
702 #print STDERR "\n\nfinish display=$display pw=$pw\n\n";
703 for $e (@ownpasswd) {
705 $tuid= $e->[$PW_UID];
706 next if $displaydone{$tu};
708 #print STDERR ">$tu|$tpw<\n";
709 for $e2 (@ownshadow) {
710 next unless $e2->[$SP_USER] eq $tu;
711 $tpw= $e2->[$SP_PW]; last;
713 $tpw= length($tpw)>=13 ? 1 : length($tpw) ? -1 : 0;
714 $head= ($tpw == 1 ? "unsynched" :
715 $tpw == 0 ? "unsynched, passwordless" :
716 "unsynched, no-logins").
717 ($tuid < 100 ? " system account" : " normal user");
718 $unsynch_type{$head} .= " $e->[$PW_USER]";
720 foreach $head (sort keys %unsynch_type) {
722 print $unsynch_type{$head} or die $!;
724 print "\n\n" or die $!;
729 for $file (qw(passwd shadow group)) {
730 $realfile= $file{$file,$PW_format};
731 eval "\$modified= \$modified$file; \$data_ref= \\\@own$file;".
732 " \$fetched= \$own_fetched$file; 1;" or die $@;
734 die $file unless $fetched;
737 $newfileinst= "/etc/$realfile";
738 $newfile= "$realfile.new";
740 $newfileinst= $savebackto{$file};
741 $newfile= "$newfileinst.new";
743 open NF,"> $newfile" or die "$newfile: $!";
744 for $e (@$data_ref) {
745 print NF join(':',@$e),"\n" or die $!;
748 system 'diff','-U0','--label',$realfile,$newfileinst,
749 '--label',"$realfile.new",$newfile;
752 (@stats= stat $newfileinst) or die "$file: $!";
753 chown $stats[4],$stats[5], $newfile or die $!;
754 chmod $stats[2] & 07777, $newfile or die $!;
755 rename $newfile, $newfileinst or die $!;
763 next if m/^\#/ || !m/\S/;
765 finish() if m/^end$/;
766 if (m/^host\s+(\S+)$/) {
768 $ch_getpasswd= $ch_getgroup= $ch_getshadow= '';
769 $ch_fetchedpasswd= $ch_fetchedgroup;
772 } elsif (exists $wanthost{$ch_name}) {
773 $wanthost{$ch_name}= 0;
778 fields_fmt('REM','std');
779 } elsif (m/^(getpasswd|getshadow|getgroup)\s+(.*\S)$/) {
780 eval "\$ch_$1= \$2; 1;" or die $@;
781 } elsif (m/^(local|remote)format\s+(\w+)$/) {
782 fields_fmt($1 eq 'local' ? 'PW' :
783 $1 eq 'remote' ? 'REM' : die,
785 } elsif (m/^lock(passwd|group)\s+(runvia|link)\s+(\S+)$/) {
786 eval "\$ch_lock_$1= \$3; \$ch_lockstyle_$1= \$2; 1;" or die $@;
787 } elsif (m/^lock(passwd|group)\s+(none)$/) {
788 eval "\$ch_lockstyle_$1= \$2; 1;" or die $@;
789 } elsif (m,^(homebase|defaultshell)\s+(/\S+)$,) {
790 eval "\$ch_$1= \$2; 1;" or die $@;
791 } elsif (m/^(uidmin|uidmax)\s+(\d+)$/ && $2>0) {
792 eval "\$ch_$1= \$2; 1;" or die $@;
793 } elsif (m/^createuser$/) {
794 $opt_createuser= $def_createuser;
795 } elsif (m/^nocreateuser$/) {
797 } elsif (m/^createuser\s+(\S+)$/) {
799 } elsif (m/^logfile\s+(.*\S)$/) {
801 open STDOUT,">> $1" or die "$1: $!"; $|=1;
802 $!=0; system 'date'; $? and die "date: $! $?\n";
803 } elsif (!$display) {
804 print "would log to $1\n" or die $!;
806 } elsif (m/^(no|)(sameuid)$/) {
807 eval "\$opt_$2= ".($1 eq 'no' ? 0 : 1)."; 1;" or die $@;
808 } elsif (m/^usergroups$/) {
810 } elsif (m/^nousergroups$/) {
812 } elsif (m/^defaultgid\s+(\d+)$/) {
814 } elsif (m/^(no|)group\s+([-+.0-9a-zA-Z*?]+)$/) {
815 $yes= $1 eq 'no' ? 0 : 1;
817 @groupglobs=() if $_ eq '*';
821 unshift @groupglobs, [ $_, $yes ];
823 } elsif (m/^user\s+(\S+)$/) {
825 } elsif (m/^user\s+(\S+)\s+remote\=(\S+)$/) {
827 } elsif (m/^nouser\s+(\S+)$/) {
829 } elsif (m/^users\s+(\d+)\-(\d+)$/) {
830 $tmin= $1; $tmax= $2; $except= $3;
832 for $k (keys %rempasswd) {
833 $tuid= $rempasswd{$k}->[2];
834 next if $tuid<$1 or $tuid>$2;
837 } elsif (m/^addhere$/) {
839 die "$configfile:$.: unknown directive\n";
843 die "$configfile:$.: missing \`end', or read error\n";