This matches the API of Account::authenticate. The only caller to this
API is the passwd utility, which already has the new password stored as
a SecretString.
LibCore::Account::generate_passwd_file should follow
generate_shadow_file by conditionally checking for the username.
Previously, usermod's set_uid changes would not reflect in the updated
passwd file as m_uid had already been changed to the updated value.
When LibC/shadow.cpp parses shadow entries in getspent, it sets the
spwd member value to disabled (-1) if the value is empty. When
Core::Account::sync calls getspent to generate a new shadow file, it
would receive the -1 values and write them in the shadow file. This
would cause the /etc/shadow file to be cluttered with disabled values
after any password change.
This patch checks if the spwd member value is disabled, and prints the
appropriate value to the shadow file.
The user's GID is already available via gid(), and it's not "extra", so
don't include it in extra_gids() again. Also rename the internally used
function from get_gids() to get_extra_gids() to make its purpose more
clear.
SPDX License Identifiers are a more compact / standardized
way of representing file license information.
See: https://spdx.dev/resources/use/#identifiers
This was done with the `ambr` search and replace tool.
ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
This is basically just for consistency, it's quite strange to see
multiple AK container types next to each other, some with and some
without the namespace prefix - we're 'using AK::Foo;' a lot and should
leverage that. :^)
(...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED)
Since all of these checks are done in release builds as well,
let's rename them to VERIFY to prevent confusion, as everyone is
used to assertions being compiled out in release.
We can introduce a new ASSERT macro that is specifically for debug
checks, but I'm doing this wholesale conversion first since we've
accumulated thousands of these already, and it's not immediately
obvious which ones are suitable for ASSERT.
If a user is missing from /etc/shadow, we used to just allow anyone to
authenticate as that user without a password.
With this patch, authentication will instead always fail.
Now that we've moved to atomic replacement of these files when altering
them, we don't need to keep them open for the lifetime of Core::Account
so just simplify this and close them when they are not needed.
Before this patch, we had a nasty race condition when changing a user's
password: there was a time window between truncating /etc/shadow and
writing out its new contents, where you could simply "su" to root
without using a password.
Instead of writing directly to /etc/passwd and /etc/shadow, we now
create temporary files in /etc and fill them with the new contents.
Those files are then atomically renamed to /etc/passwd and /etc/shadow.
Sadly, fixing this race requires giving the passwd program a lot more
privileges. This is something we can and should improve upon. :^)
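
The temp-file-and-rename replacement described in the last message above, as an added POSIX C++ example that is not SerenityOS code. The names atomic_replace and read_file, the demo file name and the sample entries are assumptions constructed for the illustration.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <iterator>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Replace `path` with `contents` so that a concurrent reader sees either the
// old file or the complete new one, never a truncated or empty file.
bool atomic_replace(const std::string& path, const std::string& contents, mode_t mode)
{
    // The temporary file sits next to the target: rename() is only atomic
    // within one filesystem.
    std::string tmp = path + ".XXXXXX";
    int fd = mkstemp(&tmp[0]); // created exclusively, with mode 0600
    if (fd < 0)
        return false;
    bool ok = fchmod(fd, mode) == 0;
    size_t off = 0;
    while (ok && off < contents.size()) {
        ssize_t n = write(fd, contents.data() + off, contents.size() - off);
        if (n >= 0)
            off += static_cast<size_t>(n);
        else if (errno != EINTR)
            ok = false;
    }
    ok = ok && fsync(fd) == 0; // data must be on disk before it becomes visible
    ok = (close(fd) == 0) && ok;
    ok = ok && rename(tmp.c_str(), path.c_str()) == 0;
    if (!ok)
        unlink(tmp.c_str()); // on any failure the old file stays untouched
    return ok;
}

std::string read_file(const std::string& path)
{
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

int main()
{
    const std::string path = "shadow.demo"; // constructed demo file, not /etc/shadow
    atomic_replace(path, "root:OLD-HASH-PLACEHOLDER:::::::\n", 0600);
    bool ok = atomic_replace(path, "root:NEW-HASH-PLACEHOLDER:::::::\n", 0600);
    printf("%s -> %s", ok ? "replaced" : "failed", read_file(path).c_str());
    return ok ? 0 : 1;
}
```

Creating the temporary file in /etc is what requires the additional privileges the message mentions: the writer needs write access to the directory, not just to the two files.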