2 # This is part of sync-accounts, a tool for synchronising UN*X password data.
5 # Copyright 1999-2000,2002 Ian Jackson <ian@davenant.greenend.org.uk>
6 # Copyright 2000-2001 nCipher Corporation Ltd
8 # sync-accounts is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License as
10 # published by the Free Software Foundation; either version 2, or (at
11 # your option) any later version.
13 # sync-accounts is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 # General Public License for more details.
18 # You should already have a copy of the GNU General Public License.
19 # If not, write to the Free Software Foundation, Inc., 59 Temple
20 # Place - Suite 330, Boston, MA 02111-1307, USA.
22 # $Id: sync-accounts,v 1.22 2002-07-14 22:21:29 ianmdlvl Exp $
26 $configfile= '/etc/sync-accounts';
27 $def_createuser= 'sync-accounts-createuser';
28 $ch_homebase= '/home';
29 $ch_defaultshell= '/bin/sh';
30 $defaultgid= -1; # -1 => usergroups; -2 => nousergroups
31 @groupglobs= [ '.*', 0 ];
34 $file{'passwd','std'}= 'passwd';
35 $file{'shadow','std'}= 'shadow';
36 $file{'group','std'}= 'group';
38 $file{'passwd','bsd'}= 'master.passwd';
39 $file{'shadow','bsd'}= 'shadow-non-existent';
40 $file{'group','bsd'}= 'group';
42 @fields_pw_std= qw(USER PW UID GID COMMENT HOME SHELL);
43 @fields_pw_bsd= qw(USER PW UID GID CLASS CHANGE EXPIRE COMMENT HOME SHELL);
44 fields_fmt('PW','std');
45 fields('GR',qw(GROUP PW GID USERS));
46 fields('SP',qw(USER PW DAYSCHGD DAYSFIX DAYSEXP DAYSWARN DAYSEXPDIS DAYSDISD RESERVED));
47 # The name field had better always be field 0 !
50 foreach $x (@unlocks) {
51 ($fn, $style, $arg) = @$x;
52 &{ "unlock_$style" } ( $fn,$arg );
59 foreach $v (@l) { $vn= "${pfx}_$v"; $$vn = $i++; }
60 $vn= "${pfx}_fields"; $$vn= $i;
66 $vn= "fields_pw_$fmt";
67 die "unknown format $fmt\n" unless defined @$vn;
74 my ($pfx,$name,@field_val_list) = @_;
75 my (@rv, $vn, $fn, $v, $i);
78 for ($i=0; $i<$$vn; $i++) { $rv[$i]= ''; }
79 die "@field_val_list ?" if @field_val_list % 2;
81 while (@field_val_list) {
82 ($fn,$v,@field_val_list) = @field_val_list;
84 #print STDERR ">$fn|$v|$vn|$$vn<\n";
91 $cdays= int(time/86400);
93 @envs_createuser= qw(USER UID GID COMMENT HOME SHELL);
95 if (@ARGV == 1 && length $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'}) {
97 s/\%([0-9a-f][0-9a-f])/ pack("C", hex $1) /ge;
99 } split(/\:/, $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'});
100 delete $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'};
102 $ENV{"SYNC_ACCOUNTS_RUNVIA_LOCKEDGOT_$ta"} = $ARGV[0];
108 while ($ARGV[0] =~ m/^-/) {
120 die "unknown option $_\n";
124 die "hosts must not be specified with -q\n" if @ARGV && $display;
126 for $h (@ARGV) { $wanthost{$h}= 1; }
128 open CF,"< $configfile" or die "$configfile: $!";
130 sub fetchfile (\%$) {
131 my ($ary_ref,$get_str) = @_;
134 open G,"$get_str" or die "$get_str: $!";
137 m/^([^:]+)\:/ or die "$ch_name: $get_str:$.: $_ ?\n";
138 $ary_ref->{$1}= [ split(/\:/,$_,-1) ];
140 close G; $? and die "$ch_name: $get_str: exit code $?\n";
143 sub lockstyle_ ($$) {
146 die "$configfile:$.: locking mechanism for $fn not".
147 " defined (use lockpasswd/lockgroup)\n";
154 $lock= "$fn$lock" unless $lock =~ m,^/,;
158 sub lock_none ($$) { return (abslock(@_))[0]; }
159 sub unlock_none ($$) { }
162 my ($fn,$lock) = abslock(@_);
163 link $fn,$lock or die "cannot lock $fn by creating $lock: $!\n";
166 sub unlock_link ($$) {
167 my ($fn,$lock) = abslock(@_);
168 unlink $lock or warn "unable to unlock by removing $lock: $!\n";
171 sub lock_runvia ($$) {
174 $evn= "SYNC_ACCOUNTS_RUNVIA_LOCKEDGOT_$fn";
175 return $ENV{$evn} if exists $ENV{$evn};
178 s/\W/ sprintf("%%%02x", unpack("C", $&)) /ge;
181 $ENV{'SYNC_ACCOUNTS_RUNVIA_INFO'}= join(":", @na);
183 delete $ENV{'VISUAL'};
184 exec $lock; die "cannot lock $fn by executing $lock: $!\n";
186 sub unlock_runvia ($$) { }
188 sub fetchownfile (\@$$$$) {
189 my ($ary_ref,$fn_str,$nfields,$style,$lock_arg) = @_;
190 my ($fn_use, $record, $fn_emsg);
193 $fn_use= &{ "lock_$style" } ($fn_str, $lock_arg);
194 push @unlocks, [ $fn_str, $style, $lock_arg ];
195 $savebackto{$fn_str}= $fn_use;
197 $fn_use= $fn_emsg= "/etc/".$file{$fn_str,$PW_format};
199 open O,"$fn_use" or die "$fn_use ($fn_str): $!";
202 if (m/^\#/ || !m/\S/) {
205 $record= [ split(/\:/,$_,-1) ];
206 die "$fn_emsg:$.:wrong number of fields:\`$_'\n"
207 unless @$record == $nfields;
209 push @$ary_ref, $record;
211 close O or die "$fn_use ($fn_str): $!";
215 print "$diagstr: $_[0]\n" or die $!;
218 sub regroupglobs () {
219 $nogroups= (@groupglobs == 1 &&
220 $groupglobs[0]->[0] eq '.*' &&
221 !$groupglobs[0]->[1]);
222 $ggfunc= "sub wantsyncgroup {\n \$_= \$_[0];\n return\n";
223 for $g (@groupglobs) { $ggfunc.= " m/^$g->[0]\$/ ? $g->[1] :\n"; }
224 $ggfunc.= " die;\n};\n1;\n";
225 #print STDERR "$ggfunc\n";
226 eval $ggfunc or die "$ggfunc // $@";
230 if (!$own_fetchedpasswd) {
231 #print STDERR ">$PW_fields<\n";
232 fetchownfile(@ownpasswd,'passwd',
233 $PW_fields, $ch_lockstyle_passwd, $ch_lock_passwd);
234 $shadowfile= $file{'shadow',$PW_format};
235 if (stat("/etc/$shadowfile")) {
237 $own_fetchedshadow= 1;
238 fetchownfile(@ownshadow,'shadow',$SP_fields,'none','');
239 } elsif ($! == &ENOENT) {
242 die "unable to check for /etc/$shadowfile: $!\n";
244 $own_fetchedpasswd= 1;
246 if (!$own_fetchedgroup) {
247 fetchownfile(@owngroup,'group',$GR_fields,
248 $ch_lockstyle_group, $ch_lock_group);
249 $own_fetchedgroup= 1;
251 #print STDERR "fetchown() -> $#ownpasswd $#owngroup\n";
255 my ($useuid,$foruser) = @_;
256 for $e (@ownpasswd) {
258 if ($e->[$PW_USER] ne $foruser && $e->[$PW_UID] == $useuid) {
259 diag("uid clash with $e->[$PW_USER] (uid $e->[$PW_UID])");
266 sub copyfield ($$$$) {
267 my ($file,$entry,$field,$value) = @_;
268 eval "\$ary_ref= \\\@own$file; 1;" or die $@;
269 #print STDERR "copyfield($file,$entry,$field,$value)\n";
271 #print STDERR "copyfield($file,$entry,$field,$value) $e->[0] $e->[field] ".join(':',@$e)."\n";
272 next unless $e->[0] eq $entry;
273 next if $e->[$field] eq $value;
274 $e->[$field]= $value;
275 eval "\$modified$file= 1; 1;" or die $@;
280 return if $ch_fetchedpasswd;
281 die "$configfile:$.: getpasswd not specified for host $ch_name\n"
282 unless length $ch_getpasswd;
284 fetchfile(%rempasswd,"$ch_getpasswd |");
285 if (length $ch_getshadow) {
286 fetchfile(%remshadow,"$ch_getshadow |");
287 for $k (keys %rempasswd) {
288 $rempasswd{$k}->[$REM_PW]= 'xx' unless length $rempasswd{$k}->[$REM_PW];
290 for $k (keys %remshadow) {
291 next unless exists $rempasswd{$k};
292 $rempasswd{$k}->[$REM_PW]= $remshadow{$k}->[$SP_PW];
295 $ch_fetchedpasswd= 1;
299 return if $ch_fetchedgroup;
300 die "$configfile:$.: getgroup not specified for host $ch_name\n"
301 unless length $ch_getgroup;
302 fetchfile(%remgroup,"$ch_getgroup |");
306 sub syncusergroup ($$) {
309 return 1 if $defaultgid != -1;
310 #print STDERR "syncusergroup($lu,$luid)\n";
315 $samename= $e->[$GR_GROUP] eq $lu;
316 $sameid= $e->[$GR_GID] eq $luid;
317 next unless $samename || $sameid;
318 if (!$samename || !$sameid) {
319 diag("local group $e->[$GR_GROUP] ($e->[$GR_GID]) mismatch vs.".
320 " local user $lu ($luid)");
324 diag("per-user group $lu ($luid) duplicated");
330 return 1 if $ugfound;
332 if (!length $opt_createuser) {
333 diag("account creation not enabled, not creating per-user group");
336 push @owngroup, [ newentry('GR', $lu,
345 return if $hostheaddone eq $th;
346 print "\n\n" or die $! if length $hostheaddone;
347 print "==== $th ====\n" or die $!;
355 #print STDERR "syncuser($lu,$ru)\n";
356 return if $doneuser{$lu}++;
357 next unless $ch_doinghost;
358 return if !length $ru;
363 for $e (@ownpasswd) {
364 next unless ref $e && $e->[$PW_USER] eq $lu;
365 hosthead("from $ch_name");
366 print ($lu eq $ru ? " $lu" : " $lu($ru)") or die $!;
367 print "<DUPLICATE>" if $displaydone{$lu}++;
372 $diagstr= "user $lu from $ch_name!$ru";
374 #print STDERR "syncuser($lu,$ru) doing\n";
377 if (!$rempasswd{$ru}) { diag("no remote entry"); return; }
378 if (length $ch_getshadow && exists $remshadow{$ru} &&
379 length $remshadow{$ru}->[$SP_DAYSDISD]) {
380 diag("remote account disabled in shadow");
384 if (!grep(ref $_ && $_->[$PW_USER] eq $lu, @ownpasswd)) {
385 if (!length $opt_createuser) { diag("account creation not enabled"); return; }
386 if ($no_act) { diag("-n specified; not creating account"); return; }
389 $useuid= $rempasswd{$ru}->[$REM_UID];
390 $usegid= $rempasswd{$ru}->[$REM_GID];
392 die "nousergroups specified, cannot create users\n" if $defaultgid==-2;
393 length $ch_uidmin or die "no uidmin specified, cannot create users\n";
394 length $ch_uidmax or die "no uidmax specified, cannot create users\n";
395 $ch_uidmin<$ch_uidmax or die "uidmin>=uidmax, cannot create users\n";
398 for $e ($defaultgid==-1 ? (@ownpasswd, @owngroup) : (@ownpasswd)) {
400 $tuid= $e->[$PW_UID]; next if $tuid<$useuid || $tuid>$ch_uidmax;
401 if ($tuid==$ch_uidmax) {
402 diag("uid (or gid?) $ch_uidmax used, cannot create users");
407 $usegid= $defaultgid==-1 ? $useuid : $defaultgid;
410 @newpwent= newentry('PW', $lu,
414 'COMMENT', $rempasswd{$ru}->[$REM_COMMENT],
415 'HOME', "$ch_homebase/$lu",
416 'SHELL', $ch_defaultshell);
418 defined($c= open CU,"-|") or die $!;
421 defined($c2= open STDIN,"-|") or die $!;
423 print STDOUT join(':',@newpwent),"\n" or die $!;
426 for ($i=0; $i<@envs_createuser; $i++) {
427 $vn= "PW_$envs_createuser[$i]";
428 #print STDERR ">$i|$vn|$$vn|$newpwent[$$vn]<\n";
429 $ENV{"SYNCUSER_CREATE_$envs_createuser[$i]"}= $newpwent[$$vn];
431 exec $opt_createuser; die "$configfile:$.: ($lu): $opt_createuser: $!\n";
434 close CU; $? and die "$configfile:$.: ($lu): $opt_createuser: code $?\n";
436 if (length $newpwent) {
437 if ($newpwent !~ m/\:/) { diag("creation script demurred"); return; }
438 @newpwent= split(/\:/,$newpwent,-1);
440 die "$opt_createuser: bad result: \`".join(':',@newpwent)."\'\n"
441 if @newpwent != $PW_fields or $newpwent[$PW_USER] ne $lu;
442 checkuid($newpwent[$PW_UID],$lu) or return;
443 if ($own_haveshadow) {
444 push @ownshadow, [ newentry('SP', $lu,
452 syncusergroup($lu,$newpwent[$PW_UID]) or return;
453 push @ownpasswd,[ @newpwent ];
457 for $e (@ownpasswd) {
458 next unless ref $e && $e->[$PW_USER] eq $lu;
459 syncusergroup($lu,$e->[$PW_UID]) or return;
462 $ruid= $rempasswd{$ru}->[$REM_UID];
463 $rgid= $rempasswd{$ru}->[$REM_GID];
464 if ($opt_sameuid && checkuid($ruid,$lu)) {
465 for $e (@ownpasswd) {
466 next unless ref $e && $e->[$PW_USER] eq $lu;
467 $luid= $e->[$PW_UID]; $lgid= $e->[$PW_GID];
468 die "$diagstr: local uid $luid, remote uid $ruid\n" if $luid ne $ruid;
469 die "$diagstr: local gid $lgid, remote gid $rgid\n" if $lgid ne $rgid;
473 #print STDERR "syncuser($lu,$ru) exists $own_haveshadow\n";
474 if ($own_haveshadow && grep(ref $_ && $_->[$PW_USER] eq $lu, @ownshadow)) {
475 #print STDERR "syncuser($lu,$ru) shadow $rempasswd{$ru}->[$REM_PW]\n";
476 copyfield('shadow',$lu,$SP_PW, $rempasswd{$ru}->[$REM_PW]);
478 #print STDERR "syncuser($lu,$ru) passwd $rempasswd{$ru}->[$REM_PW]\n";
479 copyfield('passwd',$lu,$PW_PW, $rempasswd{$ru}->[$REM_PW]);
481 copyfield('passwd',$lu,$PW_COMMENT, $rempasswd{$ru}->[$REM_COMMENT]);
483 $newsh= $rempasswd{$ru}->[$REM_SHELL];
484 $oksh= $checkedshell{$newsh};
485 if (!length $oksh) { $checkedshell{$newsh}= $oksh= (-x $newsh) ? 1 : 0; }
486 copyfield('passwd',$lu,$PW_SHELL, $newsh) if $oksh;
491 $tgroup= $e->[$GR_GROUP];
492 #print STDERR "syncuser($lu,$ru) group $tgroup\n";
493 next unless &wantsyncgroup($tgroup);
494 #print STDERR "syncuser($lu,$ru) group $tgroup yes\n";
496 if (!exists $remgroup{$tgroup}) {
497 diag("group $tgroup: not on remote host");
500 $inremote= grep($_ eq $ru, split(/\,/,$remgroup{$tgroup}->[$GR_USERS]));
501 $cusers= $e->[$GR_USERS]; $inlocal= grep($_ eq $lu, split(/\,/,$cusers));
502 if ($inremote && !$inlocal) {
503 $cusers.= ',' if length $cusers;
505 } elsif ($inlocal && !$inremote) {
506 $cusers= join(',', grep($_ ne $lu, split(/\,/, $cusers)));
510 $e->[$GR_USERS]= $cusers;
517 return if $bannerdone;
518 print "\n" or die $!; system 'date'; $? and die $?;
525 for $h (keys %wanthost) {
526 die "host $h not in config file\n" if $wanthost{$h};
530 #print STDERR "\n\nfinish display=$display pw=$pw\n\n";
531 for $e (@ownpasswd) {
534 $tuid= $e->[$PW_UID];
535 next if $displaydone{$tu};
537 #print STDERR ">$tu|$tpw<\n";
538 for $e2 (@ownshadow) {
539 next unless ref $e2 && $e2->[$SP_USER] eq $tu;
540 $tpw= $e2->[$SP_PW]; last;
542 $tpw= length($tpw)>=13 ? 1 : length($tpw) ? -1 : 0;
543 $head= ($tpw == 1 ? "unsynched" :
544 $tpw == 0 ? "unsynched, passwordless" :
545 "unsynched, no-logins").
546 ($tuid < 100 ? " system account" : " normal user");
547 $unsynch_type{$head} .= " $e->[$PW_USER]";
549 foreach $head (sort keys %unsynch_type) {
551 print $unsynch_type{$head} or die $!;
553 print "\n\n" or die $!;
558 for $file (qw(passwd shadow group)) {
559 $realfile= $file{$file,$PW_format};
560 eval "\$modified= \$modified$file; \$data_ref= \\\@own$file;".
561 " \$fetched= \$own_fetched$file; 1;" or die $@;
563 die $file unless $fetched;
566 $newfileinst= "/etc/$realfile";
567 $newfile= "$realfile.new";
569 $newfileinst= $savebackto{$file};
570 $newfile= "$newfileinst.new";
572 open NF,"> $newfile" or die "$newfile: $!";
573 for $e (@$data_ref) {
574 $record= ref $e ? join(':',@$e) : $e;
575 print NF $record,"\n" or die $!;
578 system 'diff','-U0','--label',$realfile,$newfileinst,
579 '--label',"$realfile.new",$newfile;
582 (@stats= stat $newfileinst) or die "$file: $!";
583 chown $stats[4],$stats[5], $newfile or die $!;
584 chmod $stats[2] & 07777, $newfile or die $!;
585 rename $newfile, $newfileinst or die $!;
594 next if m/^\#/ || !m/\S/;
595 finish() if m/^end$/;
596 if (m/^host\s+(\S+)$/) {
598 $ch_getpasswd= $ch_getgroup= $ch_getshadow= '';
599 $ch_fetchedpasswd= $ch_fetchedgroup;
602 } elsif (exists $wanthost{$ch_name}) {
603 $wanthost{$ch_name}= 0;
608 fields_fmt('REM','std');
609 } elsif (m/^(getpasswd|getshadow|getgroup)\s+(.*\S)$/) {
610 eval "\$ch_$1= \$2; 1;" or die $@;
611 } elsif (m/^(local|remote)format\s+(\w+)$/) {
612 fields_fmt($1 eq 'local' ? 'PW' :
613 $1 eq 'remote' ? 'REM' : die,
615 } elsif (m/^lock(passwd|group)\s+(runvia|link)\s+(\S+)$/) {
616 eval "\$ch_lock_$1= \$3; \$ch_lockstyle_$1= \$2; 1;" or die $@;
617 } elsif (m/^lock(passwd|group)\s+(none)$/) {
618 eval "\$ch_lockstyle_$1= \$2; 1;" or die $@;
619 } elsif (m,^(homebase|defaultshell)\s+(/\S+)$,) {
620 eval "\$ch_$1= \$2; 1;" or die $@;
621 } elsif (m/^(uidmin|uidmax)\s+(\d+)$/ && $2>0) {
622 eval "\$ch_$1= \$2; 1;" or die $@;
623 } elsif (m/^createuser$/) {
624 $opt_createuser= $def_createuser;
625 } elsif (m/^nocreateuser$/) {
627 } elsif (m/^createuser\s+(\S+)$/) {
629 } elsif (m/^logfile\s+(.*\S)$/) {
631 open STDOUT,">> $1" or die "$1: $!"; $|=1;
632 $!=0; system 'date'; $? and die "date: $! $?\n";
633 } elsif (!$display) {
634 print "would log to $1\n" or die $!;
636 } elsif (m/^(no|)(sameuid)$/) {
637 eval "\$opt_$2= ".($1 eq 'no' ? 0 : 1)."; 1;" or die $@;
638 } elsif (m/^usergroups$/) {
640 } elsif (m/^nousergroups$/) {
642 } elsif (m/^defaultgid\s+(\d+)$/) {
644 } elsif (m/^(no|)group\s+([-+.0-9a-zA-Z*?]+)$/) {
645 $yes= $1 eq 'no' ? 0 : 1;
647 @groupglobs=() if $_ eq '*';
651 unshift @groupglobs, [ $_, $yes ];
653 } elsif (m/^user\s+(\S+)$/) {
655 } elsif (m/^user\s+(\S+)\s+remote\=(\S+)$/) {
657 } elsif (m/^nouser\s+(\S+)$/) {
659 } elsif (m/^users\s+(\d+)\-(\d+)$/) {
660 $tmin= $1; $tmax= $2; $except= $3;
662 for $k (keys %rempasswd) {
663 $tuid= $rempasswd{$k}->[2];
664 next if $tuid<$1 or $tuid>$2;
667 } elsif (m/^addhere$/) {
669 die "$configfile:$.: unknown directive\n";
673 die "$configfile:$.: missing \`end', or read error\n";