account: Use lckpwdf() to protect passwd files

Glibc provides convenient lock functions to protect passwd and shadow files.
This commit makes use of them for any write operation.

Read access is still unprotected for the time being for performance reasons.

https://fedorahosted.org/openlmi/ticket/205

1 files changed, 10 insertions, 0 deletions

diff --git a/src/account/LMI_IdentityProvider.c b/src/account/LMI_IdentityProvider.c
index df3ffe7..dbd7b02 100644
--- a/src/account/LMI_IdentityProvider.c
+++ b/src/account/LMI_IdentityProvider.c
@@ -18,6 +18,7 @@
  * Authors: Roman Rakus <rrakus@redhat.com>
  */
 
+#include <shadow.h>
 #include <konkret/konkret.h>
 #include "LMI_Identity.h"
 
@@ -172,14 +173,21 @@ static CMPIStatus LMI_IdentityDeleteInstance(
     struct lu_ent *lue = NULL;
     char *errmsg = NULL;
     CMPIrc rc = CMPI_RC_OK;
+    int pwdlockres;
 
     LMI_Identity_InitFromObjectPath(&identity, _cb, cop);
     instance_id = identity.InstanceID.chars;
     id = atol(rindex(instance_id, ':') + 1);
 
+    pwdlockres = lckpwdf();
+    if (pwdlockres != 0)
+        warn("Cannot acquire passwd file lock\n");
+
     luc = lu_start(NULL, 0, NULL, NULL, lu_prompt_console_quiet, NULL, &error);
     if (!luc)
       {
+        if (pwdlockres == 0)
+            ulckpwdf();
         KReturn2(_cb, ERR_FAILED,
                  "Unable to initialize libuser: %s\n", lu_strerror(error));
       }
@@ -227,6 +235,8 @@ static CMPIStatus LMI_IdentityDeleteInstance(
 fail:
     lu_ent_free(lue);
     lu_end(luc);
+    if (pwdlockres == 0)
+        ulckpwdf();
     if (errmsg) {
         CMPIString *errstr = CMNewString(_cb, errmsg, NULL);
         free(errmsg);