Password and Shadow - Unix User Accounts Information( Notes by baif )

baif

2. Password and Shadow - Unix User Accounts Information
4.         Reading Notes by baif, 2004, Jan 18th.
6. 1. Database files
7.         1.1 Format of the Password File
8.         1.2 Format of the Shadow File
9.         1.3 Function crpyt()
10. 2. What Can We do...
11.         2.1  Shell
12.         2.2  Getting Accounts Infourmantion with C
13.        
14.         To get more, refer to: 1.Linux Shadow Password HOWTO, 2.Unix Programming
15.                        
16.        
17.        
18. 1. Database files
20.         Unix/Linux's user accounts information were stored
21.         in the following files:
23.        /etc/passwd - user account information
24.        /etc/shadow - secure user account information
25.        
26.         drped from
27.         Linux Shadow Password HOWTO
28.         [url]http://www.linux.org/docs/ldp/howto/Shadow-Password-HOWTO.html[/url]
31. 1.1 Format of the Password File
33. A non-shadowed /etc/passwd file has the following format:
34.        
35.         username：passwd:UID:GID:full_name:directory:shell
37. Where:
39. username    The user (login) name
40. passwd      The encoded password
41. UID         Numerical user ID
42. GID         Numerical default group ID
43. full_name   The user's full name - Actually this field is called the GECOS
44.                 (General Electric Comprehensive Operating System) field and
45.                 can store information other than just the full name.
46.                 The Shadow commands and manual pages refer to this field as the comment field.
47. directory   User's home directory (Full pathname)
48. shell       User's login shell (Full Pathname)
51. For example:
52. username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
55. Where Np is the salt and ge08pfz4wuk is the encoded password. The encoded salt/password could just
56. as easily have been kbeMVnZM0oL7I and the two are exactly the same password. There are 4096 possible
57. encodings for the same password.
58.   (The example password in this case is 'password', a really bad password).
60. Once the shadow suite is installed, the /etc/passwd file would instead contain:
62.         username:x:503:100:Full Name:/home/username:/bin/sh
65. The x in the second field in this case is now just a place holder. The format of the /etc/passwd file
66. really didn't change, it just no longer contains the encoded password. This means that any program
67. that reads the /etc/passwd file but does not actually need to verify passwords will still operate
68. correctly.
70. The passwords are now relocated to the shadow file (usually /etc/shadow file).
74. 1.2 Format of the Shadow File
76. The /etc/shadow file contains the following information:
77.        
78.         username：passwd:last:may:must:warn:expire:disable:reserved
81. Where:
83. username    The User Name
84. passwd      The Encoded password
85. last        Days since Jan 1, 1970 that password was last changed
86. may         Days before password may be changed
87. must        Days after which password must be changed
88. warn        Days before password is to expire that user is warned
89. expire      Days after password expires that account is disabled
90. disable     Days since Jan 1, 1970 that account is disabled
91. reserved    A reserved field
93. The previous example might then be:
94.        
95.         username:Npge08pfz4wuk:9479:0:10000::::
97. 1.3 Function crpyt()
99. From the crypt(3) manual page:
101. "crypt is the password encryption function. It is based on the Data Encryption Standard algorithm
102. with variations intended (among other things) to discourage use of hardware implementations of a
103. key search. "
106. [The] key is a user's typed password. [The encoded string is all NULLs]
108. [The] salt is a two-character string chosen from the set [a-zA-Z0-9./].
109. This string is used to perturb the algorithm in one of 4096 different ways.
112. By taking the lowest 7 bit[s] of each character of the key, a 56-bit key is obtained. This 56-bit
113. key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros).
114. The returned value points to the encrypted password, a series of 13 printable ASCII characters
115. (the first two characters represent the salt itself). The return value points to static data whose
116. content is overwritten by each call.
118. 2. What Can We do...
120. 2.1  Shell
122. Some commands about accounts' operations
124. User account operating:
126. adduser: Creating new Users without option -D.
127. userdel: Modifies the system account files, deleting all entries that refer to login. The named user must exist.
129. Modifies the system account files in manual way:
131. vipw: invork the command with -s option Modify the file /etc/shadow,
132.       invork without -s will modify /etc/passwd.
133. chfn: Change the "finger name"(GECOS domain).
134. chsh: Change the default Shell for specified account.
135. passwd: Change the passwords of specified account.
137. 2.2 Getting Accounts Infourmantion with C
139. So, C provides some functions to read Unix accounts informantion. The information were stroed in files: passwd and shadow.
141. First
142.     We should know about the definition of struct passwd in the <pwd.h> header, which includes at least the following members:
144. struct passwd
145. {
146.     char    *pw_name   /* user's login name */
147.     uid_t    pw_uid    /* numerical user ID */
148.     gid_t    pw_gid    /* numerical group ID */
149.     char    *pw_dir    /* initial working directory */
150.     char    *pw_shell  /* program to use as shell */
151.     /* The gid_t and uid_t types are defined as described in <sys/types.h> */
152. }
154. Seconed
155.     We can get the structure by the following two funtions for request entry:
157.     struct passwd * getpwnam(const char *); /* IT'S getpwnam(), NOT getpwname() */
158.     struct passwd * getpwuid(uid_t);
160.   The getpwnam() function searches the user database for an entry with a matching UserName, WHILE the getpwuid() funtion searches
161.     with maching UID.
162.   Those functions return pointers to a struct passwd with a matching entry if FOUND. A null pointer is returned if the requested
163.     entry is NOT found, or an ERORR occurs. On error, errno is set to indicate the error.
164.   Applications wishing to check for error situations should set errno to 0 before calling. To get more about error checking ,please
165.     turn to Manual.
167.     Example:
168. __________________________________________________________________
169. #include <stdio.h>
170. #include <pwd.h>
171. #include <limits.h>
172. #include <sys/types.h>
173. /* WITHOUT ERORR CHECKING */
174. char * getuserhomedir_byun (char *user)
175. {
176.     static char homedir[_POSIX_PATH_MAX]; /* defined in limits.h */
177.     struct passwd *pws;
179.     pws = getpwnam (user);
180.     if (!pws)
181.         return;
182.     strcpy (homedir, pws->pw_dir);
183.         return homedir;
184. }
186. char * getuserhomedir_byuid(uid_t uid) /* uid_t is defined in sys/types.h */
187. {   
188.     static char homedir[_POSIX_PATH_MAX];
189.     struct passwd * pws;
190.             
191.     pws = getpwuid(uid);
192.     if(!pws)
193.         return;
194.     strcpy(homedir, pws->pw_dir);
195.         return homedir;
196.     }
198. int main (void)
199. {
200.     printf("The user baif's home directory: %s\n", getuserhomedir_byun ("baif"));
201.     printf("Currnet process' UID is %d .The related home directory is %s\n", getuid(), getuserhomedir_byuid(getuid()) );
202. }
203. ____________________________________________________________________
206. Third
207.     We can scan the user database by:
209.     struct passwd *getpwent(void);
210.     void           endpwent(void);
211.     void           setpwent(void);
213.   The getpwent() function returns a pointer to a structure containing the broken-out fields of an entry in the user database.
214.   
215.     Each entry in the user database contains a passwd structure. When first called, getpwent() returns a pointer to a passwd
216.     structure containing the first entry in the user database. Thereafter, it returns a pointer to a passwd structure
217.     containing the next entry in the user database. Successive calls can be used to search the entire user database.
218.     If an end-of-file or an error is encountered on reading, getpwent() returns a null pointer.
219.     The setpwent() function effectively rewinds the user database to allow repeated searches.
220.     The endpwent() function may be called to close the user database when processing is complete.
222.   In aother words, they are working just like files operations function, fgets(), fclose(),reset(). Can you follow me :P ?
223.   
224.     Successive callings of the getpent() will get a entry one by one(line by line in the user database file). The endpwent() will
225.     call the system function to close the database file in crrect way, while the setpwent() will re-open the database file.
226.     These interfaces need not be reentrant.
228.     Example:
229. __________________________________________________________________
230. #include <stdio.h>
231. #include <pwd.h>
232. #include <limits.h>
233. #include <sys/types.h>
234. /* WITHOUT ERORR CHECKING */
236. /* Finds the hightest uid in passwd file and sets the nextued global variable to the next number. */
237. void inituid(void)
238. {
239.     struct passwd * entry;
240.     uid_t netxtuid = 0; /* uid_t is deifned in sys/types.h */
241.     printf("Scanning for next available uid... \r");
242.     fflush(stdout);
243.     while ( (entry = getpwent()) )
244.         if ( (entry->pw_uid > nextuid) &&
245.                 (entry->pw_uid < 32767) )   /* Compensate for broken systems */
246.         nextuid = entry->pw_uid;
247.         endpwent();
248.         nextuid++;
249.         printf("The next uid will be %d%-20c.\n", nextuid, '.');
250.         
251. }
252. int main(void)
253. {
254.     inituid();
255. }
256. __________________________________________________________________
259.     Others:
260.     int getpwnam_r(const char *, struct passwd *, char *, size_t, struct passwd **);
261.     int getpwuid_r(uid_t, struct passwd *, char *,size_t, struct passwd **);
263.     To get more, please refer to Manual.

复制代码

baif

不太熟练， sorry~

还是麻烦一下版主了。