* [gentoo-user] Users in passwd/shadow
From: Bertram Scharpf @ 2007-09-30 2:30 UTC
To: gentoo-user
Hi,
I'm fetching the users from the files '/etc/passwd' and
'/etc/shadow'. (I use a simple Ruby script.)
  def users fn ; File.open fn do |f| f.map { |l| l[ /^[^:]*/] } end ; end
  pw = users "/etc/passwd"
  sh = users "/etc/shadow"
Now I detect there are users in passwd that don't have a
shadow entry and even shadowed users that don't appear in
passwd:
  > pw - sh
  => ["man", "smmsp", "portage", "cvs"]
  > sh - pw
  => ["games", "guest", "cvsd"]
Does this have any meaning or is it a bug?
Bertram
--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Users in passwd/shadow
From: Dan Farrell @ 2007-10-01 1:15 UTC
To: gentoo-user
On Sun, 30 Sep 2007 04:30:11 +0200
Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> Hi,
>
>
> I'm fetching the users from the files '/etc/passwd' and
> '/etc/shadow'. (I use a simple Ruby script.)
>
> def users fn ; File.open fn do |f| f.map { |l| l[ /^[^:]*/] } end ;
> end
>
> pw = users "/etc/passwd"
> sh = users "/etc/shadow"
>
> Now I detect there are users in passwd that don't have a
> shadow entry...
That makes sense, because some users aren't allowed to log in. For
example:
| man:x:13:15:man:/usr/share/man:/bin/false
The man user can't log in. The shell is /bin/false.
> and even shadowed users that don't appear in
> passwd:
>
> > pw - sh
> => ["man", "smmsp", "portage", "cvs"]
> > sh - pw
> => ["games", "guest", "cvsd"]
Now that I can't explain. But I have games and guest myself, although
I don't use CVS. So my guess is it's not a bug and you've not been
hacked.
> Does this have any meaning or is it a bug?
>
> Bertram
>
>
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Users in passwd/shadow
From: Bertram Scharpf @ 2007-10-01 7:47 UTC
To: gentoo-user
Hi,
On Sunday, 30 Sep 2007, 20:15:06 -0500, Dan Farrell wrote:
> On Sun, 30 Sep 2007 04:30:11 +0200
> Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> > Now I detect there are users in passwd that don't have a
> > shadow entry...
> that makes sense, because some users aren't allowed to log in. For
> example:
> | man:x:13:15:man:/usr/share/man:/bin/false
> the man user can't log in. the shell is /bin/false.
I detected it because there is a warning message in case
there is _no_ shadow entry. Instantiating an _empty_ shadow
entry makes it disappear:
  myhost ~ # su - man
  su: Authentication service cannot retrieve authentication
  info.
  (Ignored)
  myhost ~ # su - portage
  su: Authentication service cannot retrieve authentication
  info.
  (Ignored)
  myhost ~ # vi /etc/shadow
  myhost ~ # grep portage /etc/shadow
  portage:!:13784:0:99999:7:::
  myhost ~ # su - portage
  myhost ~ # echo $?
  1
  myhost ~ #
Bertram
--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Users in passwd/shadow
From: Dan Farrell @ 2007-10-01 21:37 UTC
To: gentoo-user
On Mon, 1 Oct 2007 09:47:37 +0200
Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> Hi,
>
> On Sunday, 30 Sep 2007, 20:15:06 -0500, Dan Farrell wrote:
> > On Sun, 30 Sep 2007 04:30:11 +0200
> > Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> > > Now I detect there are users in passwd that don't have a
> > > shadow entry...
> > that makes sense, because some users aren't allowed to log in. For
> > example:
> > | man:x:13:15:man:/usr/share/man:/bin/false
> > the man user can't log in. the shell is /bin/false.
>
> I detected it because there is a warning message in case
> there is _no_ shadow entry. Instantiating an _empty_ shadow
> entry makes it disappear:
>
> myhost ~ # su - man
> su: Authentication service cannot retrieve authentication
> info.
> (Ignored)
> myhost ~ # su - portage
> su: Authentication service cannot retrieve authentication
> info.
> (Ignored)
> myhost ~ # vi /etc/shadow
> myhost ~ # grep portage /etc/shadow
> portage:!:13784:0:99999:7:::
> myhost ~ # su - portage
> myhost ~ # echo $?
> 1
> myhost ~ #
>
>
> Bertram
>
>
You cannot 'su' to that user because they don't have authentication
info. In other words, a missing password is not the same as an empty
password.
I wonder if you could run a program as a particular user if they only
had authentication info in shadow? I am guessing not, since they
wouldn't have an associated uid, group, and so on. But, if possible,
it would explain the situation.
--
gentoo-user@gentoo.org mailing list
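Added example, not part of any message in this thread: a Ruby cross-check of passwd- and shadow-format data that separates the two cases the thread runs into (a passwd entry with no shadow record, a shadow record with no passwd entry) and, going beyond the thread's name comparison, also flags empty password fields. The sample records are constructed, and `parse_db`, `shadow_state` and `audit` are names chosen here.

```ruby
# Added example: cross-check passwd- and shadow-format data.
# Both samples are constructed, modelled on the entries quoted in the thread.
PASSWD_SAMPLE = <<~'EOS'
  root:x:0:0:root:/root:/bin/bash
  man:x:13:15:man:/usr/share/man:/bin/false
  portage:x:250:250:portage:/var/tmp/portage:/bin/false
  alice:x:1000:1000::/home/alice:/bin/bash
  bob::1001:1001::/home/bob:/bin/bash
EOS
SHADOW_SAMPLE = <<~'EOS'
  root:$6$constructedsalt$constructedhash:13784:0:99999:7:::
  portage:!:13784:0:99999:7:::
  alice::13784:0:99999:7:::
  games:*:9797:0:::::
  guest:*:9797:0:::::
EOS

# Parse colon-separated records into { name => fields }; -1 keeps empty trailing fields.
def parse_db(text)
  text.each_line.map(&:chomp).reject(&:empty?)
      .map { |l| f = l.split(":", -1); [f[0], f] }.to_h
end

# Classify the second field of a shadow record.
def shadow_state(field)
  return :empty if field.empty?                   # no password required
  return :locked if field.start_with?("!", "*")   # no password can match
  :hash
end

# Return [name, finding] pairs for every inconsistency between the two files.
def audit(passwd_text, shadow_text)
  pw = parse_db(passwd_text)
  sh = parse_db(shadow_text)
  findings = []
  pw.each do |name, f|
    if f[1] == "x" && !sh.key?(name)
      findings << [name, :no_shadow_entry]          # the case su warned about
    elsif f[1] == "x" && shadow_state(sh[name][1]) == :empty
      findings << [name, :empty_password]
    elsif f[1].empty?
      findings << [name, :empty_password_in_passwd]
    end
  end
  (sh.keys - pw.keys).each { |name| findings << [name, :shadow_orphan] }
  findings
end

audit(PASSWD_SAMPLE, SHADOW_SAMPLE).each { |name, what| puts "#{name}: #{what}" } if __FILE__ == $0
```

To audit a live system, run as root and pass `File.read("/etc/passwd")` and `File.read("/etc/shadow")` to `audit`; `pwck -r` from the shadow suite performs a similar read-only cross-check.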