
Chapter 8 - Users and Groups

UNIX Systems Programming for SVR4
David A. Curry
 Copyright © 1996 O'Reilly & Associates, Inc.

The Shadow Password File
As mentioned previously, each user's encrypted password used to be stored in the password file, /etc/passwd. However, in recent years it has been recognized that this can be a security problem. Because the password file must be readable by everyone (programs such as ls and finger make use of it), it is possible for an unscrupulous user to write a program that attempts to guess each user's password by trying all possible combinations. Because the encrypted password is there in the file for all to see, the bad guy's program can simply encrypt each guess until it finds a matching string.
The solution to this problem is to recognize that the encrypted password is only needed by programs run with superuser permissions for the purposes of performing user authentication. The encrypted password string can be taken out of the password file, and stored in another file that is readable only by the superuser. This file is usually called a shadow password file. Most newer UNIX systems offer shadow password files, and a public domain set of functions is available for those systems that do not. The format of the shadow password file varies from vendor to vendor. The discussion in this section uses the format and functions provided by SVR4.
In SVR4, as in some other vendors' versions, the shadow password file also stores information for implementing password aging. The idea is to force each user to change his or her password periodically (say, every three months) so that even if an attacker gains access to the shadow password file, the knowledge will not be useful forever. Password aging has its pros and cons, and it is not our purpose to debate them here. Suffice it to say that, at least in SVR4, the use of password aging is optional.
Like the password file, the shadow password file, /etc/shadow, contains lines of colon-separated fields, one line per user. The include file shadow.h describes these fields to programs through the struct spwd structure, which contains at least the following members:
    struct spwd {
        char    *sp_namp;
        char    *sp_pwdp;
        long     sp_lstchg;
        long     sp_min;
        long     sp_max;
        long     sp_warn;
        long     sp_inact;
        long     sp_expire;
        unsigned long     sp_flag;
    };
The meanings of the fields are:
sp_namp
The user's login name.
sp_pwdp
A 13-character encrypted password for the user, a lock string (*LK*) indicating that the login is not accessible, or the empty string, indicating that the login may be accessed without providing a password.
sp_lstchg
The number of days between January 1, 1970 and the date that the password was last changed. This field is part of the password aging implementation, and may be blank if password aging is not in use.
sp_min
The minimum number of days required between password changes. This is provided to prevent a user from defeating the password aging system by changing her password to something new (the passwd program will not allow “changing” your password to the current password) and then immediately changing it back.
sp_max
The maximum number of days that the current password is valid.
sp_warn
The number of days before the current password expires that the user is warned of its expiration. This is an important part of password aging, because people typically cannot think up a good password without prior notice. Some password aging systems that do not warn users ahead of time that they will need to change their passwords have been plagued with easily-guessed passwords.
sp_inact
The number of days of inactivity allowed for this user. The idea here is to disable (lock) accounts that have been inactive for more than this number of days, so that an attacker cannot make use of the account (which nobody would notice, since the owner is not using it).
sp_expire
An absolute date (in UNIX time format) after which the login may no longer be used.
sp_flag
This field is not currently used.
The functions used to read the shadow password file are similar to those used for reading the regular password file, described above:
    #include <shadow.h>
    struct spwd *getspnam(const char *name);
    struct spwd *fgetspent(FILE *fp);
    struct spwd *getspent(void);
    void setspent(void);
    void endspent(void);
The getspnam function searches the shadow password file for an entry with a login name field that matches name. The getspent function returns the next shadow password file entry on each call; fgetspent returns the next entry from an alternate file in shadow password format, read from the open stream fp. All three of these functions return a pointer to a struct spwd structure with the fields of the entry broken out, or the constant NULL if the entry cannot be found or the end of the file is encountered.
The fgetspent function is not available in HP-UX 10.x.
The setspent function opens the shadow password file, or rewinds it to the beginning if it is already open; the endspent function closes it.
Because the shadow password file is readable only by the superuser, all of these functions will fail if the calling program is not running with superuser permissions.
On other systems, the shadow password file is handled in different ways. One popular method is for the getpwent function and its counterparts to check the effective user ID of the calling program—if it is the superuser, the pw_passwd field in the struct passwd structure is filled in from the shadow file; otherwise it is left empty.
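Because getspnam and its relatives fail without superuser permissions, the following added example (not code from the book) works from constructed shadow-format lines instead: it splits one line into the fields described above, stored in an assumed struct shadow_entry that mirrors the listed struct spwd members, and then applies the sp_lstchg, sp_min, sp_max and sp_warn aging rules. The password field in the sample is a placeholder, not a real encrypted string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mirrors struct spwd above (sp_flag omitted); a blank numeric field means
 * "aging not in use" and is stored as -1. Assumed type, not from the book. */
struct shadow_entry { char name[64], pwd[128]; long lstchg, min, max, warn, inact, expire; };
enum aging { AGE_OK, AGE_WARN, AGE_EXPIRED, AGE_LOCKED, AGE_NO_PASSWORD };

static long days_field(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }

/* Parse one colon-separated /etc/shadow line into *e: 0 on success, -1 if fewer
 * than the eight required fields are present. */
int parse_shadow_line(const char *line, struct shadow_entry *e) {
    char buf[512], *f[9];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    for (char *p = buf; p && n < 9; n++) {          /* cut the fields in place */
        f[n] = p;
        if ((p = strchr(p, ':')) != NULL) *p++ = '\0';
    }
    if (n < 8) return -1;
    snprintf(e->name, sizeof e->name, "%s", f[0]);
    snprintf(e->pwd, sizeof e->pwd, "%s", f[1]);
    e->lstchg = days_field(f[2]); e->min  = days_field(f[3]);
    e->max    = days_field(f[4]); e->warn = days_field(f[5]);
    e->inact  = days_field(f[6]); e->expire = days_field(f[7]);
    return 0;
}

/* Apply the aging rules to an entry; today is days since January 1, 1970. */
enum aging check_aging(const struct shadow_entry *e, long today) {
    if (strcmp(e->pwd, "*LK*") == 0) return AGE_LOCKED;      /* lock string */
    if (e->pwd[0] == '\0') return AGE_NO_PASSWORD;          /* no password required */
    if (e->lstchg < 0 || e->max < 0) return AGE_OK;          /* aging not in use */
    long age = today - e->lstchg;
    if (age > e->max) return AGE_EXPIRED;                    /* older than sp_max */
    if (e->warn >= 0 && age >= e->max - e->warn) return AGE_WARN; /* inside sp_warn window */
    return AGE_OK;
}

/* sp_min: refuse a change until min days have passed since the last one. */
int can_change_password(const struct shadow_entry *e, long today) {
    return e->lstchg < 0 || e->min < 0 || today - e->lstchg >= e->min;
}

int main(void) {   /* constructed sample line; the password field is a placeholder, not a real hash */
    struct shadow_entry e;
    if (parse_shadow_line("alice:abcdefghijklm:10000:7:90:14:30::", &e) == 0)
        printf("%s: aging status %d on day 10080\n", e.name, check_aging(&e, 10080));
    return 0;
}
```

A blank sp_lstchg or sp_max disables the age check entirely, matching the text's remark that aging is optional in SVR4.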
