1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
// Copyright 2010 Jonas mg
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package user
import (
"fmt"
"os"
"reflect"
"strings"
)
type gshadowField int
// Field names for shadowed group database.
const (
GS_NAME gshadowField = 1 << iota
GS_PASSWD
GS_ADMIN
GS_MEMBER
GS_ALL
)
func (f gshadowField) String() string {
switch f {
case GS_NAME:
return "Name"
case GS_PASSWD:
return "Passwd"
case GS_ADMIN:
return "Admin"
case GS_MEMBER:
return "Member"
}
return "ALL"
}
// A GShadow represents the format of the shadowed information for a group account.
type GShadow struct {
// Group name. (Unique)
//
// It must be a valid group name, which exist on the system.
Name string
// Hashed password
//
// If the password field contains some string that is not a valid result of
// crypt, for instance "!" or "*", users will not be able to use a unix
// password to access the group (but group members do not need the password).
//
// The password is used when an user who is not a member of the group wants
// to gain the permissions of this group (see "newgrp(1)").
//
// This field may be empty, in which case only the group members can gain
// the group permissions.
//
// A password field which starts with a exclamation mark means that the
// password is locked. The remaining characters on the line represent the
// password field before the password was locked.
//
// This password supersedes any password specified in '/etc/group'.
password string
// Group administrator list
//
// It must be a comma-separated list of user names.
//
// Administrators can change the password or the members of the group.
// Administrators also have the same permissions as the members (see below).
AdminList []string
// Group member list
//
// It must be a comma-separated list of user names.
//
// Members can access the group without being prompted for a password.
// You should use the same list of users as in /etc/group.
UserList []string
}
// NewGShadow returns a new GShadow.
func NewGShadow(username string, members ...string) *GShadow {
return &GShadow{
Name: username,
UserList: members,
}
}
func (gs *GShadow) filename() string { return fileGShadow }
func (gs *GShadow) String() string {
return fmt.Sprintf("%s:%s:%s:%s\n",
gs.Name, gs.password, strings.Join(gs.AdminList, ","), strings.Join(gs.UserList, ","))
}
// parseGShadow parses the row of a group shadow.
func parseGShadow(row string) (*GShadow, error) {
fields := strings.Split(row, ":")
if len(fields) != 4 {
return nil, rowError{fileGShadow, row}
}
return &GShadow{
fields[0],
fields[1],
strings.Split(fields[2], ","),
strings.Split(fields[3], ","),
}, nil
}
// == Lookup
//
// lookUp parses the shadowed group line searching a value into the field.
// Returns nil if it isn't found.
func (*GShadow) lookUp(line string, f field, value interface{}) interface{} {
_field := f.(gshadowField)
_value := value.(string)
allField := strings.Split(line, ":")
arrayField := make(map[int][]string)
arrayField[2] = strings.Split(allField[2], ",")
arrayField[3] = strings.Split(allField[3], ",")
// Check fields
var isField bool
if GS_NAME&_field != 0 && allField[0] == _value {
isField = true
} else if GS_PASSWD&_field != 0 && allField[1] == _value {
isField = true
} else if GS_ADMIN&_field != 0 && checkGroup(arrayField[2], _value) {
isField = true
} else if GS_MEMBER&_field != 0 && checkGroup(arrayField[3], _value) {
isField = true
} else if GS_ALL&_field != 0 {
isField = true
}
if isField {
return &GShadow{
allField[0],
allField[1],
arrayField[2],
arrayField[3],
}
}
return nil
}
// LookupGShadow looks up a shadowed group by name.
func LookupGShadow(name string) (*GShadow, error) {
entries, err := LookupInGShadow(GS_NAME, name, 1)
if err != nil {
return nil, err
}
return entries[0], err
}
// LookupInGShadow looks up a shadowed group by the given values.
//
// The count determines the number of fields to return:
// n > 0: at most n fields
// n == 0: the result is nil (zero fields)
// n < 0: all fields
func LookupInGShadow(field gshadowField, value string, n int) ([]*GShadow, error) {
checkRoot()
iEntries, err := lookUp(&GShadow{}, field, value, n)
if err != nil {
return nil, err
}
// == Convert to type GShadow
valueSlice := reflect.ValueOf(iEntries)
entries := make([]*GShadow, valueSlice.Len())
for i := 0; i < valueSlice.Len(); i++ {
entries[i] = valueSlice.Index(i).Interface().(*GShadow)
}
return entries, err
}
// == Editing
//
// Add adds a new shadowed group.
// If the key is not nil, generates a hashed password.
//
// It is created a backup before of modify the original file.
func (gs *GShadow) Add(key []byte) (err error) {
loadConfig()
gshadow, err := LookupGShadow(gs.Name)
if err != nil {
if _, ok := err.(NoFoundError); !ok {
return
}
}
if gshadow != nil {
return ErrGroupExist
}
if gs.Name == "" {
return RequiredError("Name")
}
// Backup
if err = backup(fileGShadow); err != nil {
return
}
db, err := openDBFile(fileGShadow, os.O_WRONLY|os.O_APPEND)
if err != nil {
return
}
defer func() {
e := db.close()
if e != nil && err == nil {
err = e
}
}()
if key != nil {
gs.password, _ = config.crypter.Generate(key, nil)
} else {
gs.password = "*" // Password disabled.
}
_, err = db.file.WriteString(gs.String())
return
}
|
