What does "nam" in getspnam, getpwnam, etc. stand for? - linux

It looks like "nam" means "item" or "entry" in the context of getpwnam or getspnam. What exactly does it stand for?

It means "by name".
E.g. getpwnam -> get passwd entry by name. Contrast to getpwuid -> get passwd entry by uid.

Related

How can you hide passwords in command line arguments for a process in linux

There is quite a common issue in the unix world: when you start a process with parameters, one of them being sensitive, other users can read it just by executing ps -ef. (For example mysql -u root -p secret_pw)
The most frequent recommendation I found was simply not to do that: never run processes with sensitive parameters; instead, pass this information another way.
However, I found that some processes have the ability to change the parameter line after they processed the parameters, looking for example like this in processes:
xfreerdp -decorations /w:1903 /h:1119 /kbd:0x00000409 /d:HCG /u:petr.bena /parent-window:54526138 /bpp:24 /audio-mode: /drive:media /media /network:lan /rfx /cert-ignore /clipboard /port:3389 /v:cz-bw47.hcg.homecredit.net /p:********
Note the /p:*********** parameter, where the password was removed somehow.
How can I do that? Is it possible for a process in linux to alter the argument list they received? I assume that simply overwriting the char **args I get in main() function wouldn't do the trick. I suppose that maybe changing some files in /proc pseudofs might work?
"hiding" like this does not work. At the end of the day there is a time window where your password is perfectly visible so this is a total non-starter, even if it is not completely useless.
The way to go is to pass the password in an environment variable.
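An added example (not from the original posts) that checks on Linux where a secret given to a child process shows up: in /proc/<pid>/cmdline, which is what ps -ef prints, or in /proc/<pid>/environ. The secret value and the variable name DEMO_PASSWORD are constructed for the demonstration.

```python
import os
import subprocess
import sys

SECRET = "constructed-secret-pw"          # constructed sample value
IDLE = "import time; time.sleep(30)"      # child only sleeps so /proc can be read

def proc_strings(pid, name):
    """Return the NUL-separated strings stored in /proc/<pid>/<name>."""
    with open(f"/proc/{pid}/{name}", "rb") as fh:
        return [s.decode(errors="replace") for s in fh.read().split(b"\0") if s]

def world_readable(pid, name):
    """True if the 'other' read bit is set on /proc/<pid>/<name>."""
    return bool(os.stat(f"/proc/{pid}/{name}").st_mode & 0o004)

def observe(via):
    """Start a child that receives SECRET via 'argv' or 'env' and inspect /proc."""
    argv = [sys.executable, "-c", IDLE]
    env = dict(os.environ)
    if via == "argv":
        argv.append(SECRET)               # the pattern the question warns about
    else:
        env["DEMO_PASSWORD"] = SECRET     # hypothetical variable name
    child = subprocess.Popen(argv, env=env)
    try:
        return {
            "in_cmdline": SECRET in proc_strings(child.pid, "cmdline"),
            "in_environ": any(SECRET in s for s in proc_strings(child.pid, "environ")),
            "cmdline_world_readable": world_readable(child.pid, "cmdline"),
            "environ_world_readable": world_readable(child.pid, "environ"),
        }
    finally:
        child.kill()
        child.wait()

if __name__ == "__main__":
    for via in ("argv", "env"):
        print(via, observe(via))
```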

Why does the linux id command give me different info about the same account?

I am using Ubuntu 13.04.
And I wonder why I get different groups info when using the id command with/without an account.
When I type
$id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),1001(user2)
But when I type
$id
uid=1000(user1) gid=1000(use1) groups=1000(user1),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
Why can't the "id" command on its own list my supplementary group?
By the way, the following is one entry of my /etc/group:
user2:x:1001:user1
Any help? Thank you.
Sounds like you've edited /etc/group but haven't logged off and back on again. I suggest starting a new shell, and trying id again.

What is the value of TSS_WELL_KNOWN_SECRET

I want to run a script which calls tpm_sealdata many times and I don't want to enter the SRK password each time.
In the man page I found this:
-z, --well-known
Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password.
You will not be prompted for the SRK password with this option.
However, I couldn't figure out which value I have to use as TSS_WELL_KNOWN_SECRET.
As the name of the constant implies, the value of TSS_WELL_KNOWN_SECRET is well known. It is just 20 bytes of zero.
But you don't actually need the value. The -z option does not require a value, it's just a switch to tell the program to use the well known secret. The help text you cite also states this fact.
So a call to tpm_sealdata might look like this:
tpm_sealdata -z -i data.in -o data.out
However, to use this method the SRK must have been created with the well known secret of course. When using tpm_takeownership:
tpm_takeownership -z

Automated ACL Check in shell script

I'd like to get some ideas from you on how to implement that. Let me explain my problem a little bit:
Scenario:
We have a system that must have some specific ACLs set in order to run it. So, before running it, it would be great if I could run a sort of pre-check in order to verify that everything was set correctly.
Goal:
Create a script that checks those ACLs before starting the system, alerting in case one of them is wrong, based on a list of files/folders and their ACLs.
Problems:
Since the getfacl result is not a simple return, the only way I found to do such checking was parsing the result and analysing each piece of it, which is not as elegant as I'd like it to be.
I doubt many of you have had to do something like an ACL check, but for sure you guys can contribute to my cause :)
Thanks everybody in advance.
How about using the Python module pylibacl?
>>> import posix1e
>>> acl1 = posix1e.ACL(file="file1.txt")
>>> print(acl1)
user::rw-
group::r--
other::r--
Since the getfacl result is not a simple return, the only way I found to do such checking was parsing the result and analysing each piece of it, which is not as elegant as I'd like it to be.
What exactly are you trying to do? If you're just comparing the result of calling getfacl to a desired ACL, it should be easy. For example, assuming that you have stored your desired ACL in a file named acl-i-want, you could do something like this:
getfacl /path > acl-i-have
if ! diff -q acl-i-have acl-i-want; then
    echo "ACLs are different."
fi
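An added example (not part of either answer) of the pre-check the question asks for: it parses text in getfacl's output format into a set of entries per path and reports each deviation from a policy, so entry order and "#effective:" comments do not cause false alarms the way a plain diff can. The sample output, the paths and the policy are constructed.

```python
SAMPLE = """\
# file: srv/app/config
# owner: app
# group: app
user::rw-
user:deploy:rw-
group::r-x\t#effective:r--
mask::r--
other::---

# file: srv/app/data
# owner: app
# group: app
user::rwx
group::r-x
other::r-x
"""  # constructed text in getfacl's output format

EXPECTED = {  # constructed policy: path -> entries that must match exactly
    "srv/app/config": {"user::rw-", "user:deploy:r--", "group::r-x",
                       "mask::r--", "other::---"},
    "srv/app/data": {"user::rwx", "group::r-x", "other::---"},
    "srv/app/logs": {"user::rwx", "group::---", "other::---"},
}

def parse_getfacl(text):
    """Turn getfacl output into {path: set of ACL entries}."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = set()
        elif line and not line.startswith("#") and path is not None:
            # getfacl may append "#effective:..." when the mask limits an entry
            acls[path].add(line.split("#", 1)[0].strip())
    return acls

def check_acls(expected, actual):
    """Return one message per deviation; an empty list means the pre-check passed."""
    problems = []
    for path, want in sorted(expected.items()):
        have = actual.get(path)
        if have is None:
            problems.append(f"{path}: no ACL reported")
            continue
        problems += [f"{path}: missing {e}" for e in sorted(want - have)]
        problems += [f"{path}: unexpected {e}" for e in sorted(have - want)]
    return problems
```

To check a live system, pass the stdout of getfacl -R for the relevant tree to parse_getfacl; by default getfacl strips the leading / from absolute paths, which is why the policy keys above are written without it.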

Generate a list of users with read access to files

Hi I'm working in a Linux environment and I'm trying to write a command that will take a path as input and output a list of all users with read access to that file/directory.
For example, if file /a/b/c is owned by userid, u, and groupid, g, with some permissions, I want this command to identify the permissions of /a and /a/b and then calculate all the users who can read c. In particular, I'm having trouble when groups get involved.
I am trying to separate identifying read access based off group into cases:
1) g matches the gid of c's parent's gid, gp, (or grandparent, etc..), in which case, any member of g can read c if gp has permission: 040, or less restrictive.
2) g is different than c's parent's gid, gp. Two subcases:
...a) userid m is a member of g (for all m in g (m does not own c)) and owns c's parent, p. Then m can read c if p has permission: 400, or less restrictive.
...b) userid m is a member of g (for all m in c's gid (m does not own c)) and does not own c's parent, p. Then m can read c if p has permission: 004 or less restrictive.
3) u owns p, in which case p needs permissions 400 or less restrictive.
By the way, I have root access on this system. I imagine I'll have to make a series of cats to /etc/group and /etc/passwd and grep for relevant info, which is fine. Also, we can consider 'stat's free in this environment (it's part of a bigger project where we already have this info).
I guess what I'm looking for is an existing solution, pseudo code, or someone to help me brainstorm an algorithm and other considerations that I'm missing. Feel free to ask clarifying questions if necessary - I know this pseudo logic here isn't the easiest to read. Thanks guys.
I think your best solution is the following:
1.) Determine permission of c.
if(b does not have a minimum of world execute bit settings) i.e. 711
    return error; ( or owner && root)
// you can easily extend this check to recursively work back to /
if (c has global read permissions)
    return everyone;
else if (c has group read permissions)
    determine group name && return all members of said group
else (return owner && root)
2.) determining the members of said group can be done using getent. for instance:
getent group - returns all groups on the system
getent passwd - returns all users
3.) permissions can be determined with 'stat c' or something similar.
cating is flawed; use getent instead. Don't forget to check ACLs.
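An added example (not from the posts above) that carries the idea through for the whole path: a user can read the target only with search (x) permission on every directory above it and read (r) permission on the target itself, using the bits of the single class (owner, else group, else other) that applies to that user. It goes beyond the pseudocode by checking each ancestor directory per user; it evaluates mode bits only, not ACLs, and the function names are hypothetical.

```python
import grp
import os
import pwd

def load_users():
    """uid -> (name, gid set) from the NSS databases that getent also reads."""
    users = {p.pw_uid: (p.pw_name, {p.pw_gid}) for p in pwd.getpwall()}
    gids_by_name = {name: gids for name, gids in users.values()}
    for g in grp.getgrall():
        for member in g.gr_mem:
            if member in gids_by_name:
                gids_by_name[member].add(g.gr_gid)   # supplementary groups
    return users

def stat_chain(path):
    """(mode, uid, gid) for each directory from / down to path, path last."""
    parts = [os.path.realpath(path)]
    while os.path.dirname(parts[-1]) != parts[-1]:
        parts.append(os.path.dirname(parts[-1]))
    return [(s.st_mode & 0o777, s.st_uid, s.st_gid)
            for s in map(os.stat, reversed(parts))]

def class_bits(uid, gids, mode, owner, group):
    """rwx bits of the one class that applies: owner, else group, else other."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def can_read(uid, gids, chain):
    """Mode bits only (no ACLs): x on every directory, r on the target."""
    if uid == 0:
        return True                     # root bypasses permission bits
    *dirs, target = chain
    if not all(class_bits(uid, gids, *d) & 1 for d in dirs):
        return False
    return bool(class_bits(uid, gids, *target) & 4)

def readers(users, chain):
    """Sorted names of all users for whom can_read() holds."""
    return sorted(n for uid, (n, gids) in users.items()
                  if can_read(uid, gids, chain))

if __name__ == "__main__":
    print(readers(load_users(), stat_chain("/etc/passwd")))
```

Because only one class applies per user, an owner with no read bit is denied even when the group and other bits would allow reading.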
