From 791c53c01d465d506092dc5e57f6afec730a6546 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Tue, 1 Jul 2025 16:01:20 +0200 Subject: [PATCH] src/chgpasswd.c: chroot or prefix SELinux file context Do not process SELinux file context during file closure when chroot or prefix options are selected. Signed-off-by: Iker Pedrosa --- src/chgpasswd.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/src/chgpasswd.c b/src/chgpasswd.c index e2a95fd21..27338561f 100644 --- a/src/chgpasswd.c +++ b/src/chgpasswd.c @@ -39,6 +39,12 @@ #include "string/strcmp/streq.h" #include "string/strtok/stpsep.h" +/* + * Structures + */ +struct option_flags { + bool chroot; +}; /* * Global variables @@ -71,11 +77,11 @@ static bool gr_locked = false; /* local function prototypes */ NORETURN static void fail_exit (int code); NORETURN static void usage (int status); -static void process_flags (int argc, char **argv); +static void process_flags (int argc, char **argv, struct option_flags *flags); static void check_flags (void); static void check_perms (void); static void open_files (void); -static void close_files (void); +static void close_files (struct option_flags *flags); /* * fail_exit - exit with a failure code after unlocking the files @@ -150,7 +156,7 @@ usage (int status) * * It will not return if an error is encountered. */ -static void process_flags (int argc, char **argv) +static void process_flags (int argc, char **argv, struct option_flags *flags) { int c; #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) @@ -188,6 +194,7 @@ static void process_flags (int argc, char **argv) md5flg = true; break; case 'R': /* no-op, handled in process_root_flag () */ + flags->chroot = true; break; #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) case 's': 
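Review bot: The comment on `case 'R':` still reads `no-op, handled in process_root_flag ()`, but the added `flags->chroot = true;` means the branch is no longer a no-op. I would reword it to `/* chroot itself is done in process_root_flag (); only record that -R was given */`. This is also the only write to `flags->chroot` visible in the patch, and it only ever stores `true`. The header comment of process_flags should therefore say that the caller must pass a struct whose fields are already cleared. process_flags starts and ends outside this hunk.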
@@ -378,18 +385,21 @@ static void open_files (void) /* * close_files - close and unlock the group databases */ -static void close_files (void) +static void close_files (struct option_flags *flags) { + bool process_selinux; + + process_selinux = !flags->chroot; #ifdef SHADOWGRP if (is_shadow_grp) { - if (sgr_close (true) == 0) { + if (sgr_close (process_selinux) == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ())); fail_exit (1); } - if (sgr_unlock (true) == 0) { + if (sgr_unlock (process_selinux) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ @@ -398,14 +408,14 @@ static void close_files (void) } #endif - if (gr_close (true) == 0) { + if (gr_close (process_selinux) == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); fail_exit (1); } - if (gr_unlock (true) == 0) { + if (gr_unlock (process_selinux) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ @@ -429,6 +439,7 @@ int main (int argc, char **argv) struct group newgr; bool errors = false; intmax_t line = 0; + struct option_flags flags; log_set_progname(Prog); log_set_logfd(stderr); @@ -445,7 +456,7 @@ int main (int argc, char **argv) process_root_flag ("-R", argc, argv); - process_flags (argc, argv); + process_flags (argc, argv, &flags); OPENLOG (Prog); @@ -628,7 +639,7 @@ int main (int argc, char **argv) fail_exit (1); } - close_files (); + close_files (&flags); nscd_flush_cache ("group"); sssd_flush_cache (SSSD_DB_GROUP); -- 2.47.3
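Review bot: The failure branches of close_files still call `fail_exit (1)`, whose prototype this patch leaves as `fail_exit (int code)`, so the error path cannot see `flags`. The body of fail_exit is not shown, so this needs checking: if it unlocks the group databases with SELinux processing enabled, a failed close under `-R` would still touch file contexts that the success path now skips. Separately, `flags` is only read here, so the parameter can be `const struct option_flags *flags` and the local can be set at its declaration, `const bool process_selinux = !flags->chroot;`.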
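Review bot: `struct option_flags flags;` in main has no initializer, and the only write to the field visible in this patch is `flags->chroot = true;` under `case 'R':`. Unless process_flags clears the field in lines outside these hunks, a run without `-R` makes close_files read an indeterminate value in `process_selinux = !flags->chroot`. SELinux context handling for the group and gshadow databases could then be skipped unpredictably on an ordinary, non-chroot run. Declaring it as `struct option_flags flags = {.chroot = false};` removes the dependency on stack contents. main's body continues outside the hunk.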