Advanced UNIX

Advanced UNIX 240-491 Special Topics in Comp. Eng. 2Semester 2, 2000-2001 • Objectives • examine a few system data files (and their C interfaces) which record user and system information 19. User and SystemInformation

Overview 1. /etc/passwd 2. /etc/group 3. Other Data Files 4. /etc/hosts 5. /etc/protocols continued

6. /etc/services 7. Login Accounting 8. The System Log: syslog 9. Process Information 10. System Information

1. /etc/passwd • The password file: root:jheVopR58x9Fx:0:1:The superuser:/:/bin/shnobody:*:65534:65534::/:stevens:3hKVD8R58r9Fx:224:100: Richard Stevens:/home/stevens:/bin/ksh : : • More details on the passwd file format: • $ man 5 passwd

Notes • root has the user ID 0 • The password is encrypted using crypt() • one-way: there is no known way to decrypt (decode) a password • nobody cannot login, but programs can run as nobody • can only access world readable or writable files

Finger • finger accesses the GECOS field: stevens:3hKVD8R58r9Fx:224:100:Richard &, B232, 555-1111, 555-2222: /home/stevens:/bin/ksh • different fields are separated by commas: • user name, office, work and home phone numbers • & is replaced by the capitalised user name

struct passwd Located in pwd.h • struct passwd{ char *pw_name; /* user name */ char *pw_passwd; /* encrypted passwd */ uid_t pw_uid; /* user ID */ uid_t pw_gid; /* group ID */ char *pw_gecos; /* comment field */ char *pw_dir; /* initial working dir */ char *pw_shell; /* initial shell */}

Get a User’s Details • #include <sys/types.h>#include <pwd.h>struct passwd *getpwuid(uid_t uid);struct passwd *getpwnam(char *name); • Return a pointer to the password structure for the specified user, or NULL on error. • For long term use, the struct should be copied, since it will be over-written on the next call.

Search the passwd file • #include <sys/types.h>#include <pwd.h>struct passwd *getpwent(void);void setpwent(void); // openvoid endpwent(void); // close • getpwent() returns a pointer if ok, NULL on error or end of file.

Search for Stupid Passwords #include <stdio.h>#include <string.h>#include <pwd.h>#include <unistd.h> /* for crypt() */int main(){ struct passwd *pw; char *cry;setpwent(); while ((pw = getpwent()) != NULL) { printf(“Trying %s\n”, pw->pw_name); : continued

if (pw->pw_passwd[0] == ‘\0’) printf(“**%s has no password\n”, pw->pw_name); else { cry = crypt(pw->pw_name, pw->pw_passwd); if (strcmp(cry, pw->passwd) == 0) printf(“##%s used as own passwd\n”, pw->pw_name); } }endpwent(); return 0;}

crypt() • #include <unistd.h>char *crypt(char *text, char *salt); • Returns a pointer to the encrypted version of the text or NULL on error. • salt is a string. crypt() takes the first two chars and treats them as a 12-bit number between 0 and 4095 to slightly modify things.

The salt is stored at the start of the encrypted password: e.g. “mi” in “miqkFWCm1fNJI” • When the encrypted password is first created, /bin/passwd uses the time of day as salt. • Salt means that the same (original) password will be encrypted in different ways on different machines.

The Shadow Password File • /etc/shadow stores encrypted password strings • only readable by root • /etc/passwd contains only ‘x’s in its password fields • This prevents password cracking by copying /etc/passwd and then using ‘guess and test’ • some crypt()’s can generate 50,000 encrypted strings/second • many passwords are very simple!

2. /etc/group $ man 5 group • Lists every group on the system, an optional password, its group ID, and the users who are members: wheel:*:0:root, racheluucp:*:10:uucpvision:AweHG67Ket4Ds:101:keith, arlinusers:*:100:

Joining Groups • /etc/group lists group users in addition to the ones who are members because of their /etc/passwd group ID. • e.g. stevens is in users because he has group ID 100 • A user can change group with newgrp • usually must be a member of that group • some groups have passwords (e.g. vision)

Accessing /etc/group • Use struct group and its operations in <grp.h>: • struct group { char *gr_name; /* group name */ char *gr_passwd; /* encrypted passwd */ int gr_gid; /* group id */ char **gr_mem; /* array of names */} • gr_mem is terminated by NULL.

Fetch Group Details • #include <sys/types.h>#include <grp.h>struct group *getgrgid(gid_t gid);struct group *getgrnam(char *name); • Return a pointer to a group structure, NULL on error. • For long term use, the structure should be copied since it is over-written on the next call.

Search the group file • #include <sys/types.h>#include <grp.h>struct group *getgrent(void);void setgrent(void); // openvoid endgrent(void); // close • getgrent() returns a pointer if ok, NULL on error.

Supplementary Group IDs • In earlier UNIXs, each user belonged to one group at a time. • change was possible with newgrp • Some UNIXs now have supplementary group IDs: • a user can belong to up to 16 additional groups • no longer need to use newgrp (so much)

Supplementary Group Functions • #include <unistd.h>int getgroups(int gidsetsize, gid_t grouplist[]);int setgroups(int ngroups, gid_t grouplist[]);int initgroups(char *username, gid_t basegid);

getgroups() returns the number of supplementary group IDs if ok, -1 on error. • Both setgroups() and initgroups() return 0 if ok, -1 on error. • initgroups() is called at login, and makes use of setgroups() to initialise a user’s supplementary group IDs by examining /etc/group.

3. Other Data Files $ man 5 <data> • Most UNIX data files have similar interfaces to those used to access/change /etc/passwd and /etc/group. • At least three ‘search’ functions: • set??() Opens the file and rewinds it. • get??() Reads next record. Returns a pointer to a struct which will be over-written on the next call. • end??() Close the file.

“Lookup a record” functions: • uses keys to identify the record of interest • e.g. user name, service ID • The next three sections illustrate these patterns used with the files: • /etc/hosts • /etc/protocols • /etc/services

4. /etc/hosts • Keeps track of the network addresses for every host on the local network. • Often incomplete since the system can also ask address servers on other machines. • Typical /etc/hosts: 127.0.0.1 localhost192.100.77.3 ratree.psu.ac.th ratree loghost192.100.77.5 ns.psu.ac.th ns203.154.130.11 ratree2.psu.ac.th ratree2

Accessing /etc/hosts • Header: <netdb.h> • C structure: hostent • Keyed lookup functions: • gethostbyname() • gethostbyaddr()

5. /etc/protocols • Stores details about network protocols supported by the system. • Fragment of /etc/protocols: tcp 6 TCP # transmission control protocol :udp 17 UDP # user datagram protocol :

Accessing /etc/protocols • Header: netdb.h • C structure: protoent • Keyed lookup functions: • getprotobyname() • getprotobynumber()

6. /etc/services • Stores details on the network services supported by the system • built on top of network protocols • Fragment of /etc/services ftp 21/tcpsmtp 25/tcp mail :irc 194/tcp # internet relay chatirc 194/udp :

Accessing /etc/services • Header: netdb.h • C structure: servent • Keyed lookup functions: • getservbyname() • getservbyport()

7. Login Accounting • /var/run/utmp • records which users are currently logged in • used by who, users, finger, ps • may be located in /var/adm/ • /var/log/wtmp • records all logins, logouts, shutdowns, reboots • used by last • may be located in /var/adm/

File Format • Both files are binary files (unlike all the previous examples). • Each record has the basic form: struct utmp { char ut_line[8]; /* ttty line: ttyp0, etc. */ char ut_name[8]; /* login name */ long ut_time; /* secs since 1st Jan 1970 */}

At login: • create a utmp struct, add to utmp and wtmp files • At logout: • entry in utmp is wiped (filled with 0s) • new entry added to wtmp, withut_name filled with ‘\0’ characters • At shutdown, reboot, time change: • special entries added to wtmp

Linux utmp & wtmp (non-standard) $ man 5 utmp • struct utmp { short ut_type; /* login type */ pid_t ut_pid; /* process pid */ char ut_line[UT_LINESIZE]; /* device name */ char ut_id[2]; /* abbrev ttyname */ time_t ut_time; /* login time */ char ut_user[UT_NAMESIZE]; /* uname */ char ut_host[UT_HOSTSIZE]; /* host nm */ long ut_addr; /* host address */ :}

String fields may end with ‘\0’ if there is enough space! • Some login types: • UT_UNKNOWN unknown • BOOT_TIME started at system boot • INIT_PROCESS started at system init • LOGIN_PROCESS login process • USER_PROCESS user-created process • DEAD_PROCESS dead (zombie)

Accessing utmp/wtmp Entries • #include <utmp.h>void utmpname(char *file);void setutent(void);void endutent(void);struct utmp *getutent(void);struct utmp *getutid(struct utmp *ut);struct utmp *getutline(struct utmp *ut);void pututline(struct utmp *ut);

utmpname() can be supplied with the default pathnames stored in _PATH_UTMP and _PATH_WTMP in <paths.h>. • getutline() is restricted to entries with login type LOGIN_PROCESS and USER_PROCESS. • Updates can only be done by root.

Example: sw.c, a simple who #include <stdio.h>#include <string.h>#include <utmp.h>#include <pwd.h>#include <time.h> /* for ctime() */int main(){ struct utmp *ut; struct passwd *pw; char name[UT_NAMESIZE+1];utmpname(“/var/run/utmp”);setutent(); :

while ((ut = getutent()) != NULL) { if (ut->ut_user[0] != ‘\0’) { strncpy(name,ut->ut_user,UT_NAMESIZE); name[UT_NAMESIZE] = ‘\0’; if ((pw = getpwnam(name)) == NULL) printf(“%s has no passwd!\n”,name); else printf(“%s %s %s %s”, name, ut->ut_line, pw->pw_gecos, ctime(&(ut->ut_time)) ); } }endutent(); return 0;}

Usage • $ swreboot has no password!runlevel has no password!LOGIN has no password!LOGIN has no password!LOGIN has no password!LOGIN has no password!LOGIN has no password!LOGIN has no password!s4210075 pts/0 ????,,, Thu Feb 15 15:56:33 2001ad pts/5 Dr.Andrew DAVISON,,, Thu Feb 15 16:00:17 2001s4010041 pts/6 MR. Kemarat CHAIYO,,, Thu Feb 15 15:32:36 2001s4010237 pts/7 MR. Paween CHOKENUKUL,,, Thu Feb 15 15:58:57 2001s4010041 pts/8 MR. Kemarat CHAIYO,,, Thu Feb 15 15:34:00 2001$

Notes • “Simple who” returns similar information to who, but also includes details about: • system processes • dead user processes

last • Displays wtmp in an understandable form. • Lists all logins, logouts, etc. since file creation. • $ lastrich ttypb mit.usa Tue Aug 19 13:19 still logged inzonk ttyp3 129.10.1.22 Tue Aug 19 13:12 - 13:14 (00:02)rich ttypa lisa.ac.th Tue Aug 19 13:11 still logged inzonk ttyp3 lenny Tue Aug 19 12:06 - 12:21 (00:14) : continued

$ last richrich ttypb mit.usa Tue Aug 19 13:19 still logged inrich ttypa foo.lisa.ac.th Tue Aug 19 13:11 still logged inrich ttyp0 goo.lisa.ac.th Mon Aug 18 11:01 - 11:45 (00:44)rich ftp mit.usa Sat Aug 16 00:03 - 00:04 (00:01) : • $ last | grep bootreboot System boot Fri Aug 15 22:15reboot System boot Fri Aug 15 15:21reboot System boot Fri Aug 4 17:24reboot System boot Fri Aug 4 15:41

$ man 8 syslogd 8. The System Log: syslog files, consoleor e-mail syslogd userprocess syslog() UDP port 514 /dev/log /dev/klog Unix domaindatagram socket Internet domaindatagram socket log() kernelroutines Kernel TCP/IP network

Logging Messages • Any program can generate log messages. • A log message should include: • the program name, a facility, a priority, and the message text • Example: login: Root LOGIN REFUSED on ttya • sent by an authorization facility (login); it is critical

Some syslog Facilities • Name Facilitykern The kernel.user Regular user processes.mail The mail system.lpr The printer system. :auth The authorization system, or programs that ask for user names and passwords (e.g. login, su, getty, ftp).

Some Syslog Priorities (levels) • Priority Meaningemerg Emergency (e.g. crash).alert Fix immediately (e.g. bad db).crit Critical (e.g. hardware error).err Ordinary error. :notice Not an error, but important. :debug Debug messages.

Configuring syslog • At system start-up, it reads the /etc/syslog.conf configuration file. • syslog.conf specifies what messages to log, and where to log them • see $ man 5 syslog.conf

General format of a syslog.conf line: facility.priority action • facility and priority can be one of the labels listed in the ealier slides (or * to mean all) • action can be: • log to a file / device / program • send message to a user • send message to all users (*) • send message to another machine

Typical syslog.conf file $ man 5 syslog.conf • kern.debug /dev/console*.err /dev/consoleauth.notice /usr/adm/messageslpr.* /usr/adm/lpd-errsauth.* root,adauth.* @catsix.coe.psu.ac.thauth.* /dev/console*.emerg *

Advanced UNIX

Advanced UNIX

Presentation Transcript

Advanced UNIX

Advanced Unix

Advanced Unix

Advanced UNIX

Advanced Unix

Advanced UNIX

Advanced UNIX

Advanced Unix

Advanced Unix

Advanced Unix

Advanced Unix

Advanced UNIX

Advanced UNIX

Advanced UNIX

Advanced UNIX

Advanced UNIX

Advanced UNIX

Advanced Unix

Advanced UNIX

Advanced UNIX

Advanced UNIX

Advanced UNIX