From a82b1ab12d1f433c7f0e9bfc6e952cf511de8045 Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 23 Jan 2012 14:13:43 -0500 Subject: Be more careful when creating and removing a user, to only alter a user if it really matches the passwd entry. Fixes #2066 pw usershow likes to ignore what you want even with -n and if the user is numeric and doesn't exist, it fetches by uid. Can cause major problems if you try to remove a numeric user. --- etc/inc/auth.inc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 1338e13..c7dc638 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -396,12 +396,13 @@ function local_user_set(& $user) { } /* read from pw db */ - $fd = popen("/usr/sbin/pw usershow {$user_name} 2>&1", "r"); + $fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r"); $pwread = fgets($fd); pclose($fd); + $userattrs = explode(":", trim($pwread)); /* determine add or mod */ - if (!strncmp($pwread, "pw:", 3)) { + if (($userattrs[0] != $user['name']) || (!strncmp($pwread, "pw:", 3))) { $user_op = "useradd -m -k /etc/skel -o"; } else { $user_op = "usermod"; @@ -454,8 +455,19 @@ function local_user_del($user) { if ($user['uid'] != 0) $rmhome = "-r"; + /* read from pw db */ + $fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r"); + $pwread = fgets($fd); + pclose($fd); + $userattrs = explode(":", trim($pwread)); + + if ($userattrs[0] != $user['name']) { + log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing."); + return; + } + /* delete from pw db */ - $cmd = "/usr/sbin/pw userdel {$user['name']} {$rmhome}"; + $cmd = "/usr/sbin/pw userdel -n {$user['name']} {$rmhome}"; if($debug) log_error("Running: {$cmd}"); -- cgit v1.1
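Review bot: The reworked `popen()` call in local_user_set still interpolates `{$user_name}` directly into a shell command line, so a name containing whitespace or shell metacharacters is parsed by the shell instead of reaching pw as a single argument. Quote it, e.g. `$fd = popen("/usr/sbin/pw usershow -n " . escapeshellarg($user_name) . " 2>&1", "r");`. The same applies to the new `pw usershow -n {$user['name']}` and `pw userdel -n {$user['name']}` strings in the local_user_del hunk. Whether the name is validated before it reaches these functions is not visible here, since both function bodies extend beyond the hunks.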
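Review bot: The new guard `if ($userattrs[0] != $user['name'])` in local_user_del uses a loose comparison, and PHP compares two numeric strings by value, so names such as `007` and `7` count as equal, which is the numeric-user case this commit is meant to protect against. Assuming `$user['name']` is always a string, use a strict comparison: `if ($userattrs[0] !== $user['name']) {`. The add-or-mod test in the local_user_set hunk needs the same change, `($userattrs[0] !== $user['name'])`. The result of `popen()` is also not checked before `fgets($fd)`, so a failed spawn only reaches the bail-out path via a warning and an empty `$userattrs[0]`; an explicit `if ($fd === false)` check with its own log message would make that failure mode clear.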