/*
 * Synopsis for the getprpwent(S) family: read and write entries of the
 * protected password database.  Declarations are shown K&R-style, as on
 * the manual page.  set_auth_parameters(S) must be called before the
 * first use (see the text below).
 */
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>

/* Sequential scan: the first call returns the first user entry, each
 * later call the next one, in /etc/passwd order. */
struct pr_passwd *getprpwent ()

/* Lookup by numeric user ID, scanning from the start of the database.
 * NOTE(review): the parameter is int while pr_field.fd_uid is ushort --
 * callers should not rely on negative or out-of-range values. */
struct pr_passwd *getprpwuid (uid) int uid;

/* Lookup by login name, scanning from the start of the database. */
struct pr_passwd *getprpwnam (name) char *name;

/* Rewind to the beginning of the protected password files so the
 * database can be searched again. */
void setprpwent ()

/* Close the protected password files once processing is complete. */
void endprpwent ()

/* Write (insert or replace) the entry pr keyed by name.  When
 * pr->uflg.fg_name is 0 the entry for name is DELETED instead, so the
 * flag must be set for an ordinary update.  The database is locked for
 * the operation and endprpwent is performed afterwards. */
int putprpwnam (name, pr) char *name; struct pr_passwd *pr;
The getprpwent, getprpwuid and getprpwnam routines each return a pointer to an object with the following structure, containing the broken-out fields of one line in the protected password database. Only the entries in the database that describe users are scanned.
Before using getprpwent, call the set_auth_parameters(S) routine. This routine is documented on the identity(S) manual page.
Each line in the database contains a pr_passwd structure, declared in the <prot.h> header file:
/*
 * One protected password database entry.  Each value lives in a
 * pr_field and has a matching "is this field set?" bit in a pr_flag;
 * the user-specific pair (ufld/uflg) is followed by the system-wide
 * default pair (sfld/sflg).
 */
struct pr_passwd {
	/* Fields associated with this user */
	struct pr_field ufld;
	/* Flags associated with this user (uflg.fg_name == 0 makes
	 * putprpwnam delete the entry) */
	struct pr_flag uflg;
	/* Fields associated with the system (defaults) */
	struct pr_field sfld;
	/* Flags associated with the system */
	struct pr_flag sflg;
};

/*
 * Broken-out fields of one protected password entry.  Fixed-size
 * character arrays are sized for their maximum content plus a NUL.
 * fd_encrypt holds password hash material and should be treated as
 * sensitive by any caller that copies it.
 */
struct pr_field {
	/* Identity: */
	/* login name; uses 8 character maximum from utmp, plus NUL */
	char fd_name[9];
	/* uid associated with name above */
	ushort fd_uid;
	/* Encrypted password, 8 characters max.
	 * NOTE(review): 14 bytes holds one 13-character encrypted segment
	 * plus NUL; confirm how this interacts with the u_pwseg truncation
	 * described on this page. */
	char fd_encrypt[14];
	/* user type - see user_type */
	mask_t fd_type[AUTH_TYPEVEC_SIZE];
	/* if a pseudo-user, the user behind it */
	char fd_owner[9];
	/* nice value with which to login */
	int fd_nice;
	/* command privilege vector */
	mask_t fd_cprivs[AUTH_CPRIVVEC_SIZE];
	/* system privilege vector */
	mask_t fd_sprivs[SEC_SPRIVVEC_SIZE];
	/* audit control */
	mask_t fd_auditcntl[AUTH_AUDITMASKVEC_SIZE];
	/* audit disposition */
	mask_t fd_auditdisp[AUTH_AUDITMASKVEC_SIZE];

	/* Password maintenance parameters: */
	/* min time between pswd changes */
	time_t fd_min;
	/* maximum length of password */
	int fd_maxlen;
	/* expiration time duration in secs */
	time_t fd_expire;
	/* account death time duration in secs */
	time_t fd_lifetime;
	/* last successful change */
	time_t fd_schange;
	/* last unsuccessful change */
	time_t fd_uchange;
	/* who can change this user's password */
	ushort fd_pswduser;
	/* can user pick his own passwords? */
	char fd_pick_pwd;
	/* can user get pswds generated for him? */
	char fd_gen_pwd;
	/* should generated pswds be restricted? */
	char fd_restrict;
	/* is user allowed to have a null password?  (a policy-relevant
	 * weakening; audit entries that set it) */
	char fd_nullpw;

	/* Login parameters: */
	/* last successful login */
	time_t fd_slogin;
	/* tty of last successful login */
	char fd_suctty[12];
	/* last unsuccessful login */
	time_t fd_ulogin;
	/* tty of last unsuccessful login */
	char fd_unsuctty[12];
	/* consecutive unsuccessful logins */
	short fd_nlogins;
	/* maximum unsuccessful login tries allowed */
	ushort fd_max_tries;
	/* unconditionally lock account? */
	char fd_lock;

	/* System parameters: */
	/* require a password on single user shell? */
	char fd_standpswd;
	/* system security class */
	mask_t fd_secclass[AUTH_SECCLASSVEC_SIZE];
};
/*
 * One "is the corresponding pr_field member set?" bit per field.  A
 * clear bit means the value in the pr_field is not meaningful for this
 * entry; in particular fg_name == 0 on ufld is what putprpwnam treats
 * as a deletion request.  (The comments on fg_cprivs and fg_uchange in
 * the original named the wrong field; corrected here.)
 */
struct pr_flag {
	unsigned
	/* Identity: */
	fg_name:1,		/* Is fd_name set? */
	fg_uid:1,		/* Is fd_uid set? */
	fg_encrypt:1,		/* Is fd_encrypt set? */
	fg_type:1,		/* Is fd_type set? */
	fg_owner:1,		/* Is fd_owner set? */
	fg_nice:1,		/* Is fd_nice set? */
	fg_cprivs:1,		/* Is fd_cprivs set? */
	fg_sprivs:1,		/* Is fd_sprivs set? */
	fg_auditcntl:1,		/* Is fd_auditcntl set? */
	fg_auditdisp:1,		/* Is fd_auditdisp set? */

	/* Password maintenance parameters: */
	fg_min:1,		/* Is fd_min set? */
	fg_maxlen:1,		/* Is fd_maxlen set? */
	fg_expire:1,		/* Is fd_expire set? */
	fg_lifetime:1,		/* Is fd_lifetime set? */
	fg_schange:1,		/* Is fd_schange set? */
	fg_uchange:1,		/* Is fd_uchange set? */
	fg_pswduser:1,		/* Is fd_pswduser set? */
	fg_pick_pwd:1,		/* Is fd_pick_pwd set? */
	fg_gen_pwd:1,		/* Is fd_gen_pwd set? */
	fg_restrict:1,		/* Is fd_restrict set? */
	fg_nullpw:1,		/* Is fd_nullpw set? */

	/* Login parameters: */
	fg_slogin:1,		/* Is fd_slogin set? */
	fg_suctty: 1,		/* Is fd_suctty set? */
	fg_unsuctty: 1,		/* Is fd_unsuctty set? */
	fg_ulogin:1,		/* Is fd_ulogin set? */
	fg_nlogins:1,		/* Is fd_nlogins set? */
	fg_max_tries:1,		/* Is fd_max_tries set? */
	fg_lock:1,		/* Is fd_lock set? */

	/* System parameters: */
	fg_standpswd:1,		/* Is fd_standpswd set? */
	fg_secclass:1;		/* Is fd_secclass set? */
};
Because these structures are declared in <prot.h>, it is not necessary to redeclare them.
When the getprpwent routine is first called, it returns a pointer to the first user pr_passwd structure in the database. Thereafter, it returns a pointer to the next user pr_passwd structure in the database, so successive calls can be used to walk the entire database. Note that entries without a corresponding entry in the /etc/passwd file are skipped, and that the entries are scanned in the order in which they appear in /etc/passwd.
getprpwent(S) truncates the encrypted password string (u_pwd) in the protected password entry it returns, so that a comparison against the value returned by bigcrypt(S) (described on the getpasswd(S) manual page) succeeds whenever the password would have matched on its first (u_pwseg * 8) cleartext characters; in other words, only that prefix of the cleartext takes part in the comparison.
For the purposes of checking passwords, this truncation is transparent to the application. To remain backward compatible with applications, and to allow u_pwseg to be reduced and later increased again without losing information, it is important that the stored encrypted password (written with putprpwnam(S) when the password is changed) is not itself truncated.
So that the sequence getprpwent followed by putprpwnam does not truncate the stored password when u_pwseg is smaller than the password in the entry, the operating system keeps the original stored value of u_pwd. putprpwnam restores u_pwd to this saved value whenever the new value matches the truncated form of the saved value.
The getprpwuid routine searches from the beginning of the database until a numerical user ID matching the argument uid is found. getprpwuid returns a pointer to the particular pr_passwd structure in which the argument uid was found.
Like getprpwuid, the getprpwnam routine searches from the beginning of the database file until a login name matching the argument name is found. getprpwnam returns a pointer to the particular pr_passwd structure in which the argument name was found.
The setprpwent routine resets the file pointer to the beginning of the protected password files to allow repeated searches. The endprpwent routine closes the protected password files when processing is complete.
The putprpwnam routine writes a new or replacement protected password entry pr, keyed by name, into the protected password database. If the uflg.fg_name member of pr is 0, the entry for name is deleted from the protected password database instead of being updated; a caller intending an update must therefore have uflg.fg_name set.
The putprpwnam routine locks the database for the duration of every update operation, and performs an endprpwent after the update completes, whether it succeeded or failed.
These routines assume one login name per user ID and one user ID per login name. If the database violates this (two entries sharing a user ID or a name), the sequential search cycles between the first two instances of the duplicated user ID instead of reaching the rest of the database.
These routines are also provided by libsocket. The libsocket versions provide the same functionality described here and additionally support NIS (Network Information Service) lookups. Link with libsocket, using cc ... -lsocket, to obtain the NIS functionality.