checking SHADOW passwords
Thomas Wouters
thomas at xs4all.net
Wed Mar 29 11:20:38 EST 2000
On Tue, Mar 28, 2000 at 07:27:12PM -0800, Pete Shinners wrote:
> > > I'm not sure it works with shadow password.
> > It doesn't.
Actually, on our BSDI systems, it does. See below.
> urgh. well i'm guessing now i'll have to look this
> up in the C libraries. if i find the library call
> to make my best move is to wrap the call into a
> python extension?
> actually, does anyone know if i can even get at the shadowed
> passwords without ROOT access? i'm suddenly afraid all hope
> is lost...
Nope, shadow passwords are by definition not accessible by non-root
accounts. The whole idea about shadow password files is that they make the
password invisible to non-root accounts :-) As for the implementation, this
differs per OS :( BSDI returns the password when the getpw*() functions are
called by root, and a placeholder string if they aren't. So, on our BSDI
systems, if you run python as root, and do a pwd.getpwnam() or
pwd.getpwuid(), you do see the passwords, where you expect them to be. If
you run it as non-root, you see '*' or 'x' or some such.
But Linux and (at least) Solaris work entirely differently :) They implement a
new set of library calls, 'getspent', 'getspnam', 'setspent', 'endspent',
etc. for retrieving shadow information, as well as a new struct, struct
spwd, for holding that info. From what I can see, both implementations are
identical. I don't know and can't check about other UNIX flavours, sorry :)
My RedHat linux box has a lot of information on shadow passwords in the
Shadow-Password-HOWTO, in /usr/doc/HOWTO, which is also included in the
shadow-utils package (/usr/doc/shadow-utils-<version>/HOWTO)
It might be prudent to add the getsp*() functions (used by linux and
solaris, at least, to get shadow information) to the pwd module, when they
are available... but I'm not sure if there's a good way to find this stuff
out. And maybe this has already been discussed, before, and the answer is
'no', or 'yes, but no one has done the work yet.' ;)
But, even with these separate functions, you *still* need to be root to get
at the shadow info. So I guess you will have to work around it.
Paranoid-ly y'rs,
--
Thomas Wouters <thomas at xs4all.net>
Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
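
Added example, not part of the original post: a small audit of what the password field of passwd(5)-style entries reveals to a non-root reader, covering the '*' and 'x' placeholders the message mentions. The function names, the category labels and the sample entries (including the hash-like string) are constructed for illustration; `audit_live()` assumes a Unix system where the standard `pwd` module is available.

```python
def classify(pw_field):
    """Say how the password field of one passwd(5) entry should be read."""
    if pw_field == "":
        return "empty"        # no password is required for this account
    if pw_field == "x":
        return "shadowed"     # the hash lives in the root-only shadow database
    if pw_field[0] in "*!":
        return "placeholder"  # cannot match any hash: hidden or locked
    return "exposed"          # looks like a hash that every local user can read


def audit(lines):
    """Map account name -> classification for passwd(5)-format lines."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:passwd:uid:gid:gecos:dir:shell
            findings[fields[0]] = "malformed"
            continue
        findings[fields[0]] = classify(fields[1])
    return findings


def audit_live():
    """Same check on what getpw*() returns to the calling user (Unix only)."""
    import pwd
    return {entry.pw_name: classify(entry.pw_passwd) for entry in pwd.getpwall()}


# Constructed sample entries; the hash-like string is made up.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:ab0123456789A:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
broken:x:1002
""".splitlines()

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name:8} {state}")
```

Any account reported as "exposed" or "empty" when run as an unprivileged user is worth a closer look, since shadowing is meant to keep hashes out of that view.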