I'll see how many more of Shadow's authorization/accounts commandline tools I can cover this morning...
After initializing internationalization, some vars & SysConf id validates the count of commandline args (possibly ouputting usage), retrieves the process's user & group IDs followed by the corresponding password/group entries outputting them if non-NULL, possibly iterates over the user's groups looking up & outputting each of them, & cleans up.
After initializing LibShadow & validating at least 2 commandline args are given newuidmap looks up the PID for the first argument, opens its /proc/ directory, finds the user's password entry, performs validations, parses remaining commandline args as ranges, validates each of those ranges, & outputs them to the proc dir's uid_map file.
newgidmap works very similarly!
Unless the command's disabled, after initializing LibShadow & internationalization grpunconv has a special -R case.
Then it parses the remaining -h commandline flag, checks that /etc/gshadow is present & can be opened under a lock, & linear-scans that file to find the entry to overwrite setting the password.
After init'ing i18n logout might fork if the debug flag is set, initializes logging & LibShadow, & repeatedly iterates over the utmp[x] file checking if they're allowed to be logged in at this time. If not it forks, sends a message to their terminal, killing their process, & syslogging.
Add comment