checking SHADOW passwords

Thomas Wouters thomas at xs4all.net
Wed Mar 29 11:20:38 EST 2000


On Tue, Mar 28, 2000 at 07:27:12PM -0800, Pete Shinners wrote:

> > > I'm not sure it works with shadow password.
> > It doesn't.

Actually, on our BSDI systems, it does. See below.

> urgh. well i'm guessing now i'll have to look this
> up in the C libraries. if i find the library call
> to make my best move is to wrap the call into a
> python extension?

> actually, does anyone know if i can even get at the shadowed
> passwords without ROOT access? i'm suddenly afraid all hope
> is lost...

Nope, shadow passwords are by definition not accessible by non-root
accounts. The whole idea about shadow password files is that they make the
password invisible to non-root accounts :-) As for the implementation, this
differs per OS :( BSDI returns the password when the getpw*() functions are
called by root, and a placeholder string if they aren't. So, on our BSDI
systems, if you run python as root, and do a pwd.getpwnam() or
pwd.getpwuid(), you do see the passwords, where you expect them to be. If
you run it as non-root, you see '*' or 'x' or some such.

But Linux and (at least) Solaris work entirely differently :) They implement a
new set of library calls, 'getspent', 'getspnam', 'setspent', 'endspent',
etc. for retrieving shadow information, as well as a new struct, struct
spwd, for holding that info. From what I can see, both implementations are
identical. I don't know and can't check about other UNIX flavours, sorry :)

My RedHat Linux box has a lot of information on shadow passwords in the
Shadow-Password-HOWTO, in /usr/doc/HOWTO, which is also included in the
shadow-utils package (/usr/doc/shadow-utils-<version>/HOWTO)

It might be prudent to add the getsp*() functions (used by Linux and
Solaris, at least, to get shadow information) to the pwd module, when they
are available... but I'm not sure if there's a good way to find this stuff
out. And maybe this has already been discussed, before, and the answer is
'no', or 'yes, but no one has done the work yet.' ;)

But, even with these separate functions, you *still* need to be root to get
at the shadow info. So I guess you will have to work around it.

Paranoid-ly y'rs,
-- 
Thomas Wouters <thomas at xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
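
The placeholder behaviour described in the message above, as an added example that is not part of the original post: an audit that flags accounts whose password field, as seen by the calling user, is empty or holds something other than a placeholder. The function names, the sample entries and the '!' lock-prefix convention (from the Linux shadow tools) are assumptions, not taken from the thread.

```python
# Constructed sample in passwd(5) format; no entry comes from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:ab0CONSTRUCTED:1001:1001:old import:/home/legacy:/bin/sh
guest::1002:1002:guest:/home/guest:/bin/sh
svc:!!:1003:1003:service:/var/empty:/sbin/nologin
truncated:x:1004
"""

PLACEHOLDERS = {"x", "*"}  # the values the message says a non-root caller sees


def classify(pw_field):
    """Classify the password field of one passwd entry."""
    if pw_field == "":
        return "empty"          # account needs no password at all
    if pw_field in PLACEHOLDERS:
        return "placeholder"    # real hash is kept out of reach of this caller
    if pw_field.startswith("!"):
        return "locked"         # assumption: Linux shadow-tools lock marker
    return "exposed"            # looks like a hash the caller can read


def parse_passwd(text):
    """Yield (name, password_field) for each well-formed seven-field line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7:    # skip truncated or malformed lines
            yield fields[0], fields[1]


def audit(entries):
    """Return (name, status) for entries that are empty or exposed."""
    return [(name, classify(pw)) for name, pw in entries
            if classify(pw) in ("empty", "exposed")]


def audit_live():
    """Same audit over what pwd.getpwall() returns to the current user."""
    import pwd                  # Unix-only standard library module
    return audit((e.pw_name, e.pw_passwd) for e in pwd.getpwall())


if __name__ == "__main__":
    print(audit(parse_passwd(SAMPLE_PASSWD)))
```

Run audit_live() from an unprivileged account: on systems that behave like the BSDI ones described above, root gets the real hashes back from getpw*() and every account would be reported as exposed.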



