sysusers: Preserve ownership and mode on /etc/passwd and friends

[elogind.git] / src / sysusers / sysusers.c

diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 4203b3e0179c5c13c23eb8e729e527ac4459ea70..c133dc5f1036b61b3dc2a8c8b22d5b1806ba5db8 100644 (file)
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -358,6 +358,7 @@ static int write_files(void) {
         _cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
         _cleanup_free_ char *passwd_tmp = NULL, *group_tmp = NULL, *shadow_tmp = NULL, *gshadow_tmp = NULL;
         const char *passwd_path = NULL, *group_path = NULL, *shadow_path = NULL, *gshadow_path = NULL;
+        struct stat st;
         bool group_changed = false;
         Iterator iterator;
         Item *i;
@@ -372,15 +373,17 @@ static int write_files(void) {
                 if (r < 0)
                         goto finish;
 
-                if (fchmod(fileno(group), 0644) < 0) {
-                        r = -errno;
-                        goto finish;
-                }
-
                 original = fopen(group_path, "re");
                 if (original) {
                         struct group *gr;
 
+                        if (fstat(fileno(original), &st) < 0 ||
+                            fchmod(fileno(group), st.st_mode & 07777) < 0 ||
+                            fchown(fileno(group), st.st_uid, st.st_gid) < 0) {
+                                r = -errno;
+                                goto finish;
+                        }
+
                         errno = 0;
                         while ((gr = fgetgrent(original))) {
                                 /* Safety checks against name and GID
@@ -418,6 +421,9 @@ static int write_files(void) {
                 } else if (errno != ENOENT) {
                         r = -errno;
                         goto finish;
+                } else if (fchmod(fileno(group), 0644) < 0) {
+                        r = -errno;
+                        goto finish;
                 }
 
                 HASHMAP_FOREACH(i, todo_gids, iterator) {
@@ -449,15 +455,17 @@ static int write_files(void) {
                 if (r < 0)
                         goto finish;
 
-                if (fchmod(fileno(gshadow), 0000) < 0) {
-                        r = -errno;
-                        goto finish;
-                }
-
                 original = fopen(gshadow_path, "re");
                 if (original) {
                         struct sgrp *sg;
 
+                        if (fstat(fileno(original), &st) < 0 ||
+                            fchmod(fileno(gshadow), st.st_mode & 07777) < 0 ||
+                            fchown(fileno(gshadow), st.st_uid, st.st_gid) < 0) {
+                                r = -errno;
+                                goto finish;
+                        }
+
                         errno = 0;
                         while ((sg = fgetsgent(original))) {
 
@@ -483,6 +491,9 @@ static int write_files(void) {
                 } else if (errno != ENOENT) {
                         r = -errno;
                         goto finish;
+                } else if (fchmod(fileno(gshadow), 0000) < 0) {
+                        r = -errno;
+                        goto finish;
                 }
 
                 HASHMAP_FOREACH(i, todo_gids, iterator) {
@@ -513,15 +524,17 @@ static int write_files(void) {
                 if (r < 0)
                         goto finish;
 
-                if (fchmod(fileno(passwd), 0644) < 0) {
-                        r = -errno;
-                        goto finish;
-                }
-
                 original = fopen(passwd_path, "re");
                 if (original) {
                         struct passwd *pw;
 
+                        if (fstat(fileno(original), &st) < 0 ||
+                            fchmod(fileno(passwd), st.st_mode & 07777) < 0 ||
+                            fchown(fileno(passwd), st.st_uid, st.st_gid) < 0) {
+                                r = -errno;
+                                goto finish;
+                        }
+
                         errno = 0;
                         while ((pw = fgetpwent(original))) {
 
@@ -552,6 +565,9 @@ static int write_files(void) {
                 } else if (errno != ENOENT) {
                         r = -errno;
                         goto finish;
+                } else if (fchmod(fileno(passwd), 0644) < 0) {
+                        r = -errno;
+                        goto finish;
                 }
 
                 HASHMAP_FOREACH(i, todo_uids, iterator) {
@@ -596,15 +612,17 @@ static int write_files(void) {
                 if (r < 0)
                         goto finish;
 
-                if (fchmod(fileno(shadow), 0000) < 0) {
-                        r = -errno;
-                        goto finish;
-                }
-
                 original = fopen(shadow_path, "re");
                 if (original) {
                         struct spwd *sp;
 
+                        if (fstat(fileno(original), &st) < 0 ||
+                            fchmod(fileno(shadow), st.st_mode & 07777) < 0 ||
+                            fchown(fileno(shadow), st.st_uid, st.st_gid) < 0) {
+                                r = -errno;
+                                goto finish;
+                        }
+
                         errno = 0;
                         while ((sp = fgetspent(original))) {
 
@@ -629,6 +647,9 @@ static int write_files(void) {
                 } else if (errno != ENOENT) {
                         r = -errno;
                         goto finish;
+                } else if (fchmod(fileno(shadow), 0000) < 0) {
+                        r = -errno;
+                        goto finish;
                 }
 
                 lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY);
@@ -1835,7 +1856,7 @@ int main(int argc, char *argv[]) {
 
         umask(0022);
 
-        r = label_init(NULL);
+        r = mac_selinux_init(NULL);
         if (r < 0) {
                 log_error("SELinux setup failed: %s", strerror(-r));
                 goto finish;