The Linux Programming Interface
Users And Groups
(01)使用者和組
Every user has a unique login name and an associated numeric user identifier (UID). Users can belong to one or more groups. Each group also has a unique name and a group identifier(GID).
(02) /etc/passwd檔案
放有使用者名稱,登入ID等資訊。
(03) 密碼檔案 /etc/shadow
The shadow password file, /etc/shadow, was devised as a method of preventing such attacks.
(04) /etc/group
組函數檔案夾
(05)擷取使用者和組資訊
#include <pwd.h>
struct passwd *getpwnam(const char *name);
struct passwd *getpwuid(uid_t uid);
Given a login name in name, the getpwnam() function returns a pointer to a structure of the following type, containing the corresponding information from the password record:
struct passwd { char *pw_name;/* Login name (username) */ char *pw_passwd;/* Encrypted password */ uid_t pw_uid;/* User ID */ gid_t pw_gid;/* Group ID */ char *pw_gecos;/* Comment (user information) */ char *pw_dir;/* Initial working (home) directory */ char *pw_shell;/* Login shell */};
(06) getpwnam, getpwuid, getgrnam, getgrgid舉例
通過uid 得到name, 通過name 得到uid,還有組。
#include <pwd.h>#include <grp.h>#include <ctype.h>#include "ugid_functions.h"/* Declares functions defined here *//* Return name corresponding to 'uid', or NULL on error */char * userNameFromId(uid_t uid) {struct passwd *pwd;pwd = getpwuid(uid);return (pwd == NULL) ? NULL : pwd->pw_name;}/* Return UID corresponding to 'name', or -1 on error */uid_t userIdFromName(const char *name) {struct passwd *pwd;uid_t u;char *endptr;if (name == NULL || *name == '\0')return -1;u = strtol(name, &endptr, 10)if (*endptr == '\0')return u;pwd = getpwnam(name);if (pwd == NULL)return -1;return pwd->pw_uid;}/* Return name corresponding to 'gid', or NULL on error */char *groupNameFromId(git_t gid) {struct group *grp;grp = getgrpid(gid);return (grp == NULL) ? NULL : grp->gr_name;}/* Return GID corresponding to 'name', or -1 on error */gid_t groupIdFromName(const char *name) {struct group *grp;gid_t g;char *endptr;if (name == NULL || *name == '\0')return -1;g = strtol(name, &endptr, 10)if (*endptr == '\0')return g;grp = getgrnam(name);if (grp == NULL)return -1; return grp->gr_gid;}
(07)得到所有的資訊
#include <pwd.h>#include <stdio.h>int main() { struct passwd *pwd; while ((pwd = getpwent()) != NULL) printf("%-8s %5ld\n", pwd->pw_name, (long) pwd->pw_uid); return 0;}
輸出:
wang@wang:~/Documents/tlpi-dist/users_groups$ ./getall
root 0
daemon 1
bin 2
sys 3
sync 4
games 5
man 6
lp 7
mail 8
news 9
uucp 10
proxy 13
www-data 33
backup 34
list 38
irc 39
gnats 41
nobody 65534
systemd-timesync 100
systemd-network 101
systemd-resolve 102
systemd-bus-proxy 103
syslog 104
_apt 105
messagebus 106
uuidd 107
lightdm 108
whoopsie 109
avahi-autoipd 110
avahi 111
dnsmasq 112
colord 113
speech-dispatcher 114
hplip 115
kernoops 116
pulse 117
rtkit 118
saned 119
usbmux 120
wang 1000
(08) 組
The getgrent(), setgrent(), and endgrent() functions perform analogous tasks fro the group file.
(09)驗證登入,結果是沒有許可權。
#define _BSD_SOURCE/* Get getpass() declaration from <unisstd.h> */#include <limits.h>#include <pwd.h>#include <shadow.h>#include "tlpi_hdr.h"#define _XOPEN_SOURCE /* See feature_test_macros(7) */#include <unistd.h>int main(int argc, char *argv[]) {char *username, *password, *encrypted, *p;struct passwd *pwd;struct spwd *spwd;Boolean authOk;size_t len;long lnmax;lnmax = sysconf(_SC_LOGIN_NAME_MAX);if (lnmax == -1)lnmax = 256;username = malloc(lnmax);if (username == NULL)errExit("malloc");printf("Username: ");fflush(stdout);if (fgets(username, lnmax, stdin) == NULL)exit(EXIT_FAILURE);len = strlen(username);if (username[len - 1] == '\n')username[len - 1] = '\0';pwd = getpwnam(username);if (pwd == NULL)fatal("couldn't get password record");spwd = getspnam(username);if (pwd == NULL)fatal("couldn't get password record");spwd = getspnam(username);if (spwd == NULL && errno == EACCES)fatal("no permission to read shadow password file");/* If there is a shadow password record, use the shadow password */if (spwd != NULL)pwd->pw_passwd = spwd->sp_pwdp;password = getpass("Password: ");/* Encrypt password and erase cleartext version immediately */encrypted = crypt(password, pwd->pw_passwd);for (p = password; *p != '\0';)*p++ = '\0';if (encrypted == NULL)errExit("crypt");authOk = strcmp(encrypted, pwd->pw_passwd) == 0;if (!authOk) {printf("Incorrect password\n");exit(EXIT_FAILURE);}printf("Successfully authenticated: UID=%ld\n", (long) pwd->pw_uid);/* Now do authenticated work ... */exit(EXIT_SUCCESS);}有些悲催的輸出:
wang@wang:~/Documents/tlpi-dist/lib$ ./check_password
Username: wang
ERROR: no permission to read shadow password file
(10)總結
Each user has a unique login name and an associated numeric user ID. Users can belong to one or more groups, each of which also has a unique name and an associated numeric numeric identifier. The primary purpose of these identifiers is to establish ownership of various system resources (e.g., files) and permissions for accessing them.
A user's name and ID are defined in the /etc/passwd file, which also contains others information about the user. A user's group membership are defined by fields in the /etc/passwd/ and /etc/group files. A furher file, /etc/shadow, which can be read only by privileged processes, is used to separate the sensitive password information from the publicly available user information in /etc/passwd. Various library functions are provided for retrieving information from each of these files.
The crypt() function encrypts a passwd in the same manner as the standard login program, which is useful for program that need to authenticate users.
(11)習題