usermod: make fail_exit the reverse of the locking in open_files

author Pat Riehecky <riehecky@fnal.gov>

Tue, 10 Mar 2026 13:30:49 +0000 (08:30 -0500)

committer Alejandro Colomar <foss+github@alejandro-colomar.es>

Mon, 16 Mar 2026 23:49:08 +0000 (00:49 +0100)
author Pat Riehecky <riehecky@fnal.gov>
Tue, 10 Mar 2026 13:30:49 +0000 (08:30 -0500)
committer Alejandro Colomar <foss+github@alejandro-colomar.es>
Mon, 16 Mar 2026 23:49:08 +0000 (00:49 +0100)
diff --git a/src/usermod.c b/src/usermod.c

index 33c0ee53bbc372b08ce2b818290b9c68711067e0..ba01186227803239c57fb68ab6607636ba129308 100644 (file)
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -666,13 +666,22 @@ NORETURN
  static void
  fail_exit (int code, bool process_selinux)
  {
-       if (gr_locked) {
-               if (gr_unlock (process_selinux) == 0) {
-                       fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
-                       SYSLOG(LOG_ERR, "failed to unlock %s", gr_dbname());
+#ifdef ENABLE_SUBIDS
+       if (sub_gid_locked) {
+               if (sub_gid_unlock (process_selinux) == 0) {
+                       fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
+                       SYSLOG(LOG_ERR, "failed to unlock %s", sub_gid_dbname());
+                       /* continue */
+               }
+       }
+       if (sub_uid_locked) {
+               if (sub_uid_unlock (process_selinux) == 0) {
+                       fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
+                       SYSLOG(LOG_ERR, "failed to unlock %s", sub_uid_dbname());
                         /* continue */
                 }
         }
+#endif                         /* ENABLE_SUBIDS */
  #ifdef SHADOWGRP
         if (sgr_locked) {
                 if (sgr_unlock (process_selinux) == 0) {
@@ -682,6 +691,13 @@ fail_exit (int code, bool process_selinux)
                 }
         }
  #endif
+       if (gr_locked) {
+               if (gr_unlock (process_selinux) == 0) {
+                       fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+                       SYSLOG(LOG_ERR, "failed to unlock %s", gr_dbname());
+                       /* continue */
+               }
+       }
         if (spw_locked) {
                 if (spw_unlock (process_selinux) == 0) {
                         fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
@@ -696,22 +712,6 @@ fail_exit (int code, bool process_selinux)
                         /* continue */
                 }
         }
-#ifdef ENABLE_SUBIDS
-       if (sub_uid_locked) {
-               if (sub_uid_unlock (process_selinux) == 0) {
-                       fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
-                       SYSLOG(LOG_ERR, "failed to unlock %s", sub_uid_dbname());
-                       /* continue */
-               }
-       }
-       if (sub_gid_locked) {
-               if (sub_gid_unlock (process_selinux) == 0) {
-                       fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
-                       SYSLOG(LOG_ERR, "failed to unlock %s", sub_gid_dbname());
-                       /* continue */
-               }
-       }
-#endif                         /* ENABLE_SUBIDS */
  
  #ifdef WITH_AUDIT
         audit_logger (AUDIT_USER_MGMT,
author	Pat Riehecky <riehecky@fnal.gov>
	Tue, 10 Mar 2026 13:30:49 +0000 (08:30 -0500)
committer	Alejandro Colomar <foss+github@alejandro-colomar.es>
	Mon, 16 Mar 2026 23:49:08 +0000 (00:49 +0100)