From 4e1f674c41724dd96ad2c3a0c02ac9f6666697ba Mon Sep 17 00:00:00 2001
From: ed neville
Date: Mon, 27 Mar 2023 20:23:03 +0100
Subject: [PATCH] run_parts for groupadd and groupdel

run_parts currently exists in useradd and userdel, this commit mirrors the functionality with groupadd and groupdel

Hook for group{add,del} to include killing processes that have group membership that would no longer exist to avoid membership ID reuse.
---
 .../groupdel-pre.d/01-kill_group_procs.sh | 26 +++++++++++++++++++
 src/groupadd.c | 11 ++++++++
 src/groupdel.c | 11 ++++++++
 3 files changed, 48 insertions(+)
 create mode 100644 etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh

diff --git a/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh b/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
new file mode 100644
index 00000000..10db5279
--- /dev/null
+++ b/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+GROUPID=`awk -F: '$1 == "'"${SUBJECT}"'" { print $3 }' /etc/group`
+
+if [ "${GROUPID}" = "" ]; then
+ exit 0
+fi
+
+for status in /proc/*/status; do
+ # either this isn't a process or its already dead since expanding the list
+ [ -f "$status" ] || continue
+
+ tbuf=${status%/status}
+ pid=${tbuf#/proc/}
+ case "$pid" in
+ "$$") continue;;
+ [0-9]*) :;;
+ *) continue
+ esac
+
+ grep -q '^Groups:.*\b'"${GROUPID}"'\b.*' "/proc/$pid/status" || continue
+
+ kill -9 "$pid" || echo "cannot kill $pid" 1>&2
+done
+
diff --git a/src/groupadd.c b/src/groupadd.c
index 31142101..2eda1c68 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -34,6 +34,7 @@
 #include "sgroupio.h"
 #endif
 #include "shadowlog.h"
+#include "run_part.h"
 
 /*
  * exit status values
@@ -603,6 +604,11 @@ int main (int argc, char **argv)
 check_perms ();
 
+ if (run_parts ("/etc/shadow-maint/groupadd-pre.d", group_name,
+ "groupadd")) {
+ exit(1);
+ }
+
 #ifdef SHADOWGRP
 is_shadow_grp = sgr_file_present ();
 #endif
 
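Review bot: A `kill` that fails only prints `cannot kill $pid` and the loop continues, so the hook always exits 0 and groupdel goes on to delete the group while a live process still holds the gid, which is the ID-reuse case the commit message says the hook is for; record the failure and let run_parts abort instead, e.g. `kill -9 "$pid" || { echo "cannot kill $pid" 1>&2; rc=1; }` in the loop and `exit "${rc:-0}"` after `done`. The `grep` on the `Groups:` line only sees supplementary groups; a process whose real or effective gid is the group is reported on the `Gid:` line of `/proc/<pid>/status` (proc(5)) and is missed here. The `case` excludes only `$$`, not the groupdel process that invoked the hook or its ancestors, so an administrator who is a member of the group being deleted would have their own session killed. `\b` is a GNU grep extension rather than POSIX BRE, which matters for a `#!/bin/sh` script.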
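Review bot: `exit(1)` after the `run_parts` check returns a status that is not one of the named exit values groupadd already defines (the `E_*` constants introduced under the `exit status values` comment this patch touches) and that the man page does not document, so a script cannot tell a hook failure from other errors; the groupadd-post, groupdel-pre and groupdel-post call sites in this patch use the same literal. Add a dedicated named code, use it at all four sites and document it. Whether run_parts itself reports which script failed is not visible here; if it does not, a message naming the hook directory on stderr would help the administrator. Since these scripts run with groupadd's privileges, it is also worth confirming that run_parts rejects a hook directory or script that is not root-owned or is writable by others; that check is not part of this patch. main() continues outside the hunk.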
@@ -621,6 +627,11 @@ int main (int argc, char **argv)
 grp_update ();
 close_files ();
 
+ if (run_parts ("/etc/shadow-maint/groupadd-post.d", group_name,
+ "groupadd")) {
+ exit(1);
+ }
+
 nscd_flush_cache ("group");
 sssd_flush_cache (SSSD_DB_GROUP);
 
diff --git a/src/groupdel.c b/src/groupdel.c
index fdccf5e1..bae4367b 100644
--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -32,6 +32,7 @@
 #include "sgroupio.h"
 #endif
 #include "shadowlog.h"
+#include "run_part.h"
 /*
  * Global variables
  */
@@ -461,6 +462,11 @@ int main (int argc, char **argv)
 group_busy (group_id);
 }
 
+ if (run_parts ("/etc/shadow-maint/groupdel-pre.d", group_name,
+ "groupdel")) {
+ exit(1);
+ }
+
 /*
  * Do the hard stuff - open the files, delete the group entries,
  * then close and update the files.
@@ -471,6 +477,11 @@ int main (int argc, char **argv)
 
 close_files ();
 
+ if (run_parts ("/etc/shadow-maint/groupdel-post.d", group_name,
+ "groupdel")) {
+ exit(1);
+ }
+
 nscd_flush_cache ("group");
 sssd_flush_cache (SSSD_DB_GROUP);
 
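Review bot: On post-hook failure, `exit(1)` runs after `close_files ()` has already committed the new group but before `nscd_flush_cache ("group")` and `sssd_flush_cache (SSSD_DB_GROUP)`, so the group exists on disk while the caches are left stale and the caller is told the command failed; the groupdel post-hook hunk (`@@ -471,6 +477,11 @@`) has the same shape. Flush the caches regardless of the hook result, e.g. move the two flush calls above the `if (run_parts (...))` block, and exit with a named status rather than the literal 1. main() continues outside the hunk.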