[Pkg-shadow-devel] [PATCH] Allow deleting the group even if it is the primary group of a user

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 15 15:10:59 UTC 2015


Quoting jesse (jesse at mbuki-mvuki.org):
> From: "Jesse W. Hathaway" <jesse at mbuki-mvuki.org>
> 
> This is helpful when using configuration management tools such as
> Puppet, where you are managing the groups in a central location and you
> don't need this safeguard.

Seems like this would generally be a bad idea, i.e. if the policy in
the central location is actually broken it would be better to catch
this earlier rather than later, whereas if it's not broken it should
be possible to cause all users with that primary group to first be
deleted.  Since it is guarded by -f I'll say

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

but I'll point out that I'd expect people doing remote admin to just end
up always adding -f bc they saw it in an online post somewhere.

> diff --git a/src/groupdel.c b/src/groupdel.c
> index da99347..d613a66 100644
> --- a/src/groupdel.c
> +++ b/src/groupdel.c
> @@ -60,6 +60,7 @@ const char *Prog;
>  
>  static char *group_name;
>  static gid_t group_id = -1;
> +static bool check_group_busy = true;
>  
>  #ifdef	SHADOWGRP
>  static bool is_shadow_grp;
> @@ -96,6 +97,7 @@ static /*@noreturn@*/void usage (int status)
>  	                Prog);
>  	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
>  	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
> +	(void) fputs (_("  -f, --force                   delete group even if it is the primary group of a user\n"), usageout);
>  	(void) fputs ("\n", usageout);
>  	exit (status);
>  }
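Review bot: the new -f line in usage() is appended after -R, which breaks the existing ordering of the option list; place it above the -h line. The diff also touches only src/groupdel.c, so the new option is documented nowhere except this help string. Please add it to the groupdel manual page in the same patch, and state there that users whose primary group is deleted are left with a GID that has no group entry.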
> @@ -321,7 +323,7 @@ static void process_flags (int argc, char **argv)
>  		{NULL, 0, NULL, '\0'}
>  	};
>  
> -	while ((c = getopt_long (argc, argv, "hR:",
> +	while ((c = getopt_long (argc, argv, "hfR:",
>  	                         long_options, NULL)) != -1) {
>  		switch (c) {
>  		case 'h':
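Review bot: only the short-option string gains 'f' in this hunk; no hunk in the diff adds an entry to the long_options table that ends in {NULL, 0, NULL, '\0'}, so the --force spelling advertised by usage() will be rejected by getopt_long as an unknown option. Add an entry such as {"force", no_argument, NULL, 'f'} before the terminator, or drop --force from the help text.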
> @@ -329,6 +331,9 @@ static void process_flags (int argc, char **argv)
>  			/*@notreached@*/break;
>  		case 'R': /* no-op, handled in process_root_flag () */
>  			break;
> +		case 'f':
> +			check_group_busy = false;
> +			break;
>  		default:
>  			usage (E_USAGE);
>  		}
> @@ -465,7 +470,9 @@ int main (int argc, char **argv)
>  	/*
>  	 * Make sure this isn't the primary group of anyone.
>  	 */
> -	group_busy (group_id);
> +	if (check_group_busy) {
> +		group_busy (group_id);
> +	}
>  
>  	/*
>  	 * Do the hard stuff - open the files, delete the group entries,
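Review bot: when check_group_busy is false the call to group_busy (group_id) is skipped entirely, so in the lines shown the forced path is silent: the admin is never told that the group was still some user's primary group. Those accounts keep a primary GID with no group entry, and a group later created with the same GID would become their primary group without anyone asking for it. Consider still running the lookup under -f and turning the failure into a warning on stderr that names the group, rather than bypassing the check. The comment "Make sure this isn't the primary group of anyone." also needs updating, since it no longer holds unconditionally.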