6.1 Introduction
Running UNIX system requires the use of a large amount of data associated with the file system, portable interface to these data files is the subject of this chapter. This chapter also describes the system identification function, the time and date functions
6.2 password file
UNIX password file system contains the following fields that contain passwd structure is defined in <pwd.h> in the
Username char * pw_name
Encrypted password char * pw_passwd
Numerical user ID uid_t pw_uid
Numerical group ID gid_t pw_gid
Comment field char * pw_gecos
The initial working directory char * pw_dir
初始shell char *pw_shell
User access class char * pw_class
Change the password the next time time_t pw_change
Account expiration time time_t pw_expire
Due to historical reasons, the password is stored in the file / etc / passwd in, and is an ASCII file.
linux, there may be the following four lines
root:x:0:0:root:/root:/bin/bash
squid:x:23:23: :/var/spool/squid:/dev/null
nobody:x:65534:65534:Nobody:/home:/bin/sh
sar:x:205:105:Stephen:/home/sar:/bin/bash
Log on these items, please note the following points:
- Usually a user named root login item whose user ID is 0
- encrypted password field contains a placeholder character (previously encrypted passwords directly on the field, but because of security issues, and now placed in another location)
- Some fields in the password file entry might be the mouth. If the encrypted password field is empty, usually it means that the user does not have the password.
-shell field contains an executable program name, which is used as a login shell of the user. If it is empty, the default value is usually / bin / sh. (Note, this field squid landed term is / dev / null. Obviously, this is a device, not
The purpose of execution, so set it to here is to prevent anyone in the name of the user logged into the system squid
- To prevent a particular user login, except / dev / null, there are several alternative methods. A common approach is to / bin / false as a login shell. It simply to unsuccessful (non-zero) state is terminated, the shell will be in such a state is determined to be false. Another common method is to use / bin / true prohibit an account. All it does is a success (0) status is terminated. Some systems provide nologin command, it prints an error message may be self-defined, and then non-zero state termination
- The purpose of the nobody user name is, so anyone can log in to the system, but the user ID (65534) and group ID (65534) does not provide any privileges. The user ID and group ID can only access everyone can read and write files
- Provide finger (1) command some UNIX systems support the additional information in the Comments field.
POSIX.1 defines only two to get password file entry function. After the given user login name or numeric user ID, these two functions will be able to query related items.
#include<pwd.h> struct passwd *getpwuid(uid_t uid); struct the passwd the getpwnam * ( const char * name); // Return Value: returns a pointer on success, or to the end of the file if the error returns NULL
getpwuid function (1) is used by the program ls, numerical map for the user login ID name it i node. When you type in the login name, getpwnam function is used by login (1) program.
If you want to view the entire password file, the following three functions can be used for this purpose
#include <pwd.h> struct the passwd the getpwent * ( void ); // Return Value: returns a pointer on success, or to the end of the file if the error returns NULL void setpwent ( void ); void endwent ( void );
When you call getpwent, it returns the next record entry in the password file. As the two functions POSIX.1 above, it returns a pointer to the structure of good password completed by it. The structure are rewritten every time this function is called. The first time the function is called, it opens each file it uses.
Function setpwent anti-Rao file it uses, endpwent then close the files. After using getpwent finished viewing the password, be sure to call endpwent close these files. getpwent know what time it is used it should open the file (for the first time when it is called), but it does not know when to shut down these documents
Example: to achieve 6_1 getpwnam function
1 #include<pwd.h> 2 #include<stddef.h> 3 #include<string.h> 4 struct passwd * getpwnam(const char *name) 5 { 6 struct passwd *ptr; 7 setpwent(); 8 while((ptr=getpwent())!=NULL) 9 if(strcmp(name,ptr->pw_name)==0) 10 break; 11 endpwent(); 12 return(ptr); //ptr is NULL if no match found 13 }
Call setpwent at the start of the program is self-protective measures, so that if the caller had previously invoked getpwent open the relevant documents, will locate relevant documents to the beginning of the file. getpwnam getpwuid after the call is completed and the relevant documents should not still open, close them so you should call endpwent
6.3 Shadow passwords
Encrypted password is treated with one-way encryption algorithm copies the user's password. So this is a one-way algorithm, we can not guess from the encrypted password to the original password. But people can guess passwords tentative way. . .
To make people attempt to do so is difficult to obtain the original data (encrypted password), and now, some systems will be stored in encrypted password file another commonly referred to in the shadow password. This file should contain at least the user name and encrypted password.
etc / shadow file fields:
User login name char * sp_namp
Encrypted password char * sp_pwdp
Since the password was last changed elapsed time int sp_lstchg
After a number of days allowed to change int sp_min
Request to change the number of days remaining int sp_max
The number of days required warning int sp_warn
The number of days remaining before the account is inactive int sp_inact
The number of days the account expires int sp_expire
Unsigned int sp_flag reserved.
Shadow password file is not an ordinary user can read only a few programs need to access an encrypted password, for example, login (1) and passwd (1), these programs are often set user ID to root program. Once you have shadow passwords, ordinary password file / etc / passwd by the user freedom to read
6.4 group files
UNIX group field that contains the file structure in the group <grp.h> as defined
/ Etc / group file fields:
Group Name char * gr_name
Encrypted password char * gr_passwd
Numerical group ID int gr_gid
Each pointer points to an array of user char ** gr_mem
Gr_mem field is an array of pointers, each pointer points to a respective user names belonging to that group. The null pointer array.
The following two can be used to view a group name or group ID value defined by the function POSIX.1
#include<grp.h> struct group *getgrgid(gid_t gid); struct group *getgrnam(const char *name); // two functions Return Value: returns a pointer if successful, NULL is returned as an error
If you need to search the entire set of files, you need to use several other functions. The following three functions are similar for the three functions of the password file
#include<grp.h> struct group *getgrent(void); // Return Value: returns a pointer on success, or to the end of the file if the error returns NULL void setgrent ( void ); void endgrent(void);
setgrent function to open group file (Should it is not already open) and anti-Rao it. getgrent function reads a record from the set of files in the event that the file has not been opened before it is opened. endgrent function closes the file group
6.5 Additional Group ID
Introduces the concept of an additional group ID, we can not only belong to the password file entry group corresponding to the group ID recorded, may be up to 16 belong to another group. Check the file permissions accordingly be amended as follows: not only the effective group ID and group ID of the process of comparing files, and also all the additional group ID and group ID of the file is compared.
Additional advantages of using a group ID is no longer explicitly set change frequently. A user can participate in multiple projects, it is also necessary to simultaneously belong to multiple groups. Such is often the case there.
In order to get and set an additional group ID, a provides the following three functions:
#include<unistd.h> int by getgroups ( int gidsetsize, gid_t, grouplist []); // Return Value: If successful additional set ID number is returned, or -1 if the error returns #include <grp.h> // ON Linux #include <unistd.h> // ON FreeBSD, Mac the X-OS, and the Solaris int setgroups(int ngroups,const gid_t grouplist[]); #include<grp.h> //on linux and solaris #include<unistd.h> //on freebsd and mac os x int initgroups ( const char * username, gid_t, basegid); // two functions Return Value: returns 0 if successful, or -1 if the error
Each additional set getgroups ID to add some grouplist the array, the array elements stored in a maximum gidsetsize. The actual number of additional group ID to fill the array returned by the function.
As a special case, should the gidsetsize is 0, the function returns the value of the number of additional groups ID, rather than the array grouplist no modification (This allows the caller to determine the length of the array grouplist, for allocation)
setgroups by Supervisor Call to set up an additional group ID table for the calling process. grouplist the group ID array, ngroups specified number of elements in the array, not be greater than the value ngroups NGROUPS_MAX
6.6 realize the difference between
In FreeBSD, the shadow password file is /etc/master.passwd, you can use special commands to edit the file, which in turn will love you generate / etc / passwd from the shadow copy of a file. In addition, it will produce a hash version of the file. /etc/pwd.db is / etc passwd hash version /, / etc / spwd.db is /etc/master.passwd hash version. These provide better performance for large systems.
But Mac OS X only uses / etc / passwd and /etc/master.passwd in single-user mode. When maintenance system, single-user mode usually means that the system does not provide any services. Multi-user mode during normal operation, ie netinfo directory service provides access to user and group account information.
Although Linux and Solaris support similar shadow password interface, but there are some subtle differences between the two. For example, gr_uid int type defined in Solaris, Linux, is defined as the long int. Another difference is that the account is not active field. Solaris will be defined as the user last logged depend on the number of days elapsed, and Linux will be defined as the number of days remaining password expired.
In many systems, user and group database with Internet Information Services (Network Information Service, NIS) to achieve. This allows administrators to edit the master copy of the database, then it is automatically distributed to all servers in the organization. The client system can contact the server to view information about users and groups hee hee. NIS + and lightweight directory access protocol (Lightweight Directory Access Protocal, LDAP) provides similar functionality. Many systems for controlling management information of each class method profile /etc/nsswitch.conf.
6.7 Other data files
In addition to the password and group files, UNIX system also uses a lot of other files. For example, BSD network software file data records of a network and services provided by the server (/ etc / services)
In general, there are at least three functions for each of the data files:
(1) get functions: to read the next record, if necessary, to open the file.
(2) set function: open the data file (if not already open), then the anti-Rao file.
(3) end function: close the corresponding data file
In addition, if the data file support some form of keyword search will provide keyword search routine with the specified record
6.8 login account information
Most UNIX systems provide the following two data files: utmp file that records each user, wtmp file currently logged into the system, it tracks each login and logout time.
struct utmp { char ut_line [ 8 ]; char ut_name [ 8 ]; long ut_time; };
When landing, login procedures add some of this type of structure, and then written to the utmp file, but also will fill it to the wtmp file. When you log off, init process the corresponding records utmp file erasure (each byte are filled with 0), and fill out a new record to the wtmp file. In the write-off record wtmp file, the ut_name field cleared. When the system restarts, and change the system time and date around, have added some special entries in wtmp file.
6.9 System identification
POSIX.1 defines the uname function, which returns information about the current host and operating system
#include<sys/utsname.h> int uname(struct utsname *name); // Return Value: Returns a non-negative value if successful, or -1 if an error
The parameter address of a transfer function reminds utsname structure, the function and structure to fill this
struct utsname{ char sysname[]; char nodename[]; char release[]; char version[]; char machine[]; };
6.10 Time and date routines
time function returns the current date and time
#include<time.h> time_h time(time_t *calptr); // Return value: If successful time value is returned, or -1 if an error
Compared with the time function, gettimeofday provides a higher resolution (up to microseconds). This is important for some applications
#include<sys/time.h> int gettimeofday(struct timeval *restrict tp,void *restrict tzp); Returns: always returns 0
gettimeofday function stored in the current time point tp timeval structure, which storage structure seconds and microseconds.
struct timeval{
time_t tv_sec;
long tv_usec;
}
localtime and gmtime calendar time conversion.
#include<time.h> struct tm *gmtime(const time *calptr); struct tm *localtime(const time_t *calptr); // two functions Return Value: a pointer to the structure tm
The difference between the localtime and gmtime are: localtime calendar time into local time, and time conversion gmtime calendar will say in international standard time, month ,,,
Mktime function as a parameter to the local time, to convert it said time_t
#include <time.h>
time_t the mktime (struct * tmptr (TM));
Return Value: returns the calendar time if successful, or -1 if the error
There are also asctime, ctime ,, mktime, strftime
Reproduced in: https: //www.cnblogs.com/wbingeek/p/3841972.html