Adv. UNIX: info/191
Advanced UNIX
Special Topics in Comp. Eng. 2, Semester 2
User and System Information

Objectives
- examine a few system data files (and their C interfaces) which record user and system information
Overview
1. /etc/passwd
2. /etc/group
3. Other Data Files
4. /etc/hosts
5. /etc/protocols
6. /etc/services
7. Login Accounting
8. The System Log: syslog
9. Process Information
10. System Information
1. /etc/passwd
The password file:

    root:jheVopR58x9Fx:0:1:The superuser:/:/bin/sh
    nobody:*:65534:65534::/:
    stevens:3hKVD8R58r9Fx:224:100:Richard Stevens:/home/stevens:/bin/ksh
    :
    :

More details on the passwd file format:

    $ man 5 passwd
Notes
- root has the user ID 0
- The password is encrypted using crypt()
  - one-way: there is no known way to decrypt (decode) a password
- nobody cannot login, but programs can run as nobody
  - can only access world readable or writable files
Finger
finger accesses the GECOS field:

    stevens:3hKVD8R58r9Fx:224:100:Richard &,B232,,:/home/stevens:/bin/ksh

- the different sub-fields are separated by commas: user name, office, work and home phone numbers
- & is replaced by the capitalised user name
struct passwd
Located in pwd.h:

    struct passwd {
        char  *pw_name;    /* user name */
        char  *pw_passwd;  /* encrypted passwd */
        uid_t  pw_uid;     /* user ID */
        gid_t  pw_gid;     /* group ID */
        char  *pw_gecos;   /* comment field */
        char  *pw_dir;     /* initial working dir */
        char  *pw_shell;   /* initial shell */
    };
Get a User's Details

    #include <sys/types.h>
    #include <pwd.h>

    struct passwd *getpwuid(uid_t uid);
    struct passwd *getpwnam(char *name);

Return a pointer to the password structure for the specified user, or NULL on error.
For long term use, the struct should be copied, since it will be over-written on the next call.
Search the passwd file

    #include <sys/types.h>
    #include <pwd.h>

    struct passwd *getpwent(void);
    void setpwent(void);   // open
    void endpwent(void);   // close

getpwent() returns a pointer if ok, NULL on error or end of file.
Search for Stupid Passwords

    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <pwd.h>
    #include <unistd.h>
    #include <crypt.h>      /* for crypt() on glibc (link with -lcrypt) */

    int main(void)
    {
        struct passwd *pw;
        char *cry;

        setpwent();
        while ((pw = getpwent()) != NULL) {
            printf("Trying %s\n", pw->pw_name);
            if (pw->pw_passwd[0] == '\0')
                printf("**%s has no password\n", pw->pw_name);
            else {
                /* the stored string supplies its own salt (its first two chars) */
                cry = crypt(pw->pw_name, pw->pw_passwd);
                if (cry != NULL && strcmp(cry, pw->pw_passwd) == 0)
                    printf("##%s used as own passwd\n", pw->pw_name);
            }
        }
        endpwent();
        return 0;
    }
crypt()

    #include <unistd.h>
    char *crypt(char *text, char *salt);

Returns a pointer to the encrypted version of the text, or NULL on error.
salt is a string: crypt() takes its first two chars and treats them as a 12-bit number between 0 and 4095, which is used to perturb the encryption.
- The salt is stored at the start of the encrypted password: e.g. "mi" in "miqkFWCm1fNJI"
- When the encrypted password is first created, /bin/passwd uses the time of day as salt.
- Salt means that the same (original) password will be encrypted in different ways on different machines.
The Shadow Password File
/etc/shadow stores encrypted password strings
- only readable by root
- /etc/passwd contains only 'x's in its password fields
This prevents password cracking by copying /etc/passwd and then using 'guess and test'
- some crypt()'s can generate 50,000 encrypted strings/second
- many passwords are very simple!
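As an added example (not from the course notes), here is a small C audit of text in the /etc/passwd format described above. It splits the seven colon-separated fields itself (strtok would swallow the empty GECOS field of the nobody entry) and reports extra UID 0 accounts, empty password fields, and hashes still sitting in the world-readable file instead of in /etc/shadow. The input is a constructed sample; the admin2 record is made up to trigger the checks, and the function names are chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* Constructed sample in /etc/passwd format (7 colon-separated fields); the
   "admin2" record is a made-up bad entry for this example. */
static const char *SAMPLE_PASSWD =
    "root:x:0:1:The superuser:/:/bin/sh\n"
    "nobody:*:65534:65534::/:\n"
    "stevens:3hKVD8R58r9Fx:224:100:Richard Stevens:/home/stevens:/bin/ksh\n"
    "admin2::0:0:Second superuser:/:/bin/sh\n";
struct pwrec { char name[32]; char passwd[128]; long uid; };
/* Split one passwd line into its fields; returns 0 unless exactly 7 fields. */
static int parse_passwd_line(const char *line, struct pwrec *r)
{
    char buf[256], *f[7], *p = buf, *c = NULL;
    int n;
    snprintf(buf, sizeof buf, "%s", line);
    for (n = 0; n < 7; n++) {
        f[n] = p;
        if ((c = strchr(p, ':')) == NULL) { n++; break; }  /* last field */
        *c = '\0';
        p = c + 1;
    }
    if (n != 7 || c != NULL) return 0;   /* too few or too many fields */
    snprintf(r->name, sizeof r->name, "%s", f[0]);
    snprintf(r->passwd, sizeof r->passwd, "%s", f[1]);
    r->uid = strtol(f[2], NULL, 10);
    return 1;
}
/* Audit passwd-format text: extra UID 0 accounts, empty password fields, and
   hashes left in the world-readable file instead of /etc/shadow ("x"). */
int audit_passwd(const char *text, char report[][80], int max)
{
    char one[256];
    struct pwrec r;
    int count = 0;
    while (*text && count < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof one) len = sizeof one - 1;
        memcpy(one, text, len);
        one[len] = '\0';
        text = nl ? nl + 1 : text + len;
        if (!parse_passwd_line(one, &r)) continue;
        if (r.uid == 0 && strcmp(r.name, "root") != 0 && count < max)
            snprintf(report[count++], 80, "%s: extra UID 0 account", r.name);
        if (r.passwd[0] == '\0' && count < max)
            snprintf(report[count++], 80, "%s: empty password field", r.name);
        else if (strcmp(r.passwd, "x") && strcmp(r.passwd, "*") && count < max)
            snprintf(report[count++], 80, "%s: hash in world-readable file", r.name);
    }
    return count;
}
```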
2. /etc/group
Lists every group on the system, an optional password, its group ID, and the users who are members:

    wheel:*:0:root,rachel
    uucp:*:10:uucp
    vision:AweHG67Ket4Ds:101:keith,arlin
    users:*:100:

    $ man 5 group
Joining Groups
/etc/group lists group users in addition to the ones who are members because of their /etc/passwd group ID.
- e.g. stevens is in users because he has group ID 100
A user can change group with newgrp
- usually must be a member of that group
- some groups have passwords (e.g. vision)
Accessing /etc/group
Use struct group and its operations in grp.h:

    struct group {
        char  *gr_name;    /* group name */
        char  *gr_passwd;  /* encrypted passwd */
        gid_t  gr_gid;     /* group id */
        char **gr_mem;     /* array of names */
    };

gr_mem is terminated by NULL.
Fetch Group Details

    #include <sys/types.h>
    #include <grp.h>

    struct group *getgrgid(gid_t gid);
    struct group *getgrnam(char *name);

Return a pointer to a group structure, NULL on error.
For long term use, the structure should be copied since it is over-written on the next call.
Search the group file

    #include <sys/types.h>
    #include <grp.h>

    struct group *getgrent(void);
    void setgrent(void);   // open
    void endgrent(void);   // close

getgrent() returns a pointer if ok, NULL on error.
Supplementary Group IDs
- In earlier UNIXs, each user belonged to one group at a time.
  - change was possible with newgrp
- Some UNIXs now have supplementary group IDs:
  - a user can belong to up to 16 additional groups
  - no longer need to use newgrp (so much)
Supplementary Group Functions

    #include <sys/types.h>
    #include <unistd.h>   /* getgroups() */
    #include <grp.h>      /* setgroups(), initgroups() on Linux */

    int getgroups(int gidsetsize, gid_t grouplist[]);
    int setgroups(int ngroups, gid_t grouplist[]);
    int initgroups(char *username, gid_t basegid);
getgroups() returns the number of supplementary group IDs if ok, -1 on error.
Both setgroups() and initgroups() return 0 if ok, -1 on error.
initgroups() is called at login, and makes use of setgroups() to initialise a user's supplementary group IDs by examining /etc/group.
3. Other Data Files
Most UNIX data files have similar interfaces to those used to access/change /etc/passwd and /etc/group.
At least three 'search' functions:
- set??()  Opens the file and rewinds it.
- get??()  Reads the next record. Returns a pointer to a struct which will be over-written on the next call.
- end??()  Closes the file.

    $ man 5
"Lookup a record" functions:
- use keys to identify the record of interest
- e.g. user name, service ID
The next three sections illustrate these patterns used with the files:
- /etc/hosts
- /etc/protocols
- /etc/services
4. /etc/hosts
- Keeps track of the network addresses for every host on the local network.
- Often incomplete since the system can also ask address servers on other machines.
Typical /etc/hosts:

    localhost
    ratree.psu.ac.th   ratree   loghost
    ns.psu.ac.th       ns
    ratree2.psu.ac.th  ratree2
Accessing /etc/hosts
Header: netdb.h
C structure: hostent
Keyed lookup functions:
- gethostbyname()
- gethostbyaddr()
5. /etc/protocols
Stores details about network protocols supported by the system.
Fragment of /etc/protocols:

    tcp   6    TCP   # transmission control protocol
    :
    udp   17   UDP   # user datagram protocol
    :
Accessing /etc/protocols
Header: netdb.h
C structure: protoent
Keyed lookup functions:
- getprotobyname()
- getprotobynumber()
6. /etc/services
Stores details on the network services supported by the system
- built on top of network protocols
Fragment of /etc/services:

    ftp    21/tcp
    smtp   25/tcp    mail
    :
    irc    194/tcp   # internet relay chat
    irc    194/udp
    :
Accessing /etc/services
Header: netdb.h
C structure: servent
Keyed lookup functions:
- getservbyname()
- getservbyport()
7. Login Accounting
/var/run/utmp
- records which users are currently logged in
- used by who, users, finger, ps
- may be located in /var/adm/
/var/log/wtmp
- records all logins, logouts, shutdowns, reboots
- used by last
- may be located in /var/adm/
File Format
- Both files are binary files (unlike all the previous examples).
- Each record has the basic form:

    struct utmp {
        char ut_line[8];   /* tty line: ttyp0, etc. */
        char ut_name[8];   /* login name */
        long ut_time;      /* secs since 1st Jan 1970 */
    };
- At login:
  - create a utmp struct, add to utmp and wtmp files
- At logout:
  - entry in utmp is wiped (filled with 0s)
  - new entry added to wtmp, with ut_name filled with '\0' characters
- At shutdown, reboot, time change:
  - special entries added to wtmp
Linux utmp & wtmp (non-standard)

    struct utmp {
        short  ut_type;                /* login type */
        pid_t  ut_pid;                 /* process pid */
        char   ut_line[UT_LINESIZE];   /* device name */
        char   ut_id[2];               /* abbrev ttyname */
        time_t ut_time;                /* login time */
        char   ut_user[UT_NAMESIZE];   /* uname */
        char   ut_host[UT_HOSTSIZE];   /* host nm */
        long   ut_addr;                /* host address */
        :
    };

    $ man 5 utmp
String fields are only '\0'-terminated if there is enough space: a value that fills the whole field has no terminator!
Some login types:
- UT_UNKNOWN      unknown
- BOOT_TIME       started at system boot
- INIT_PROCESS    started at system init
- LOGIN_PROCESS   login process
- USER_PROCESS    user-created process
- DEAD_PROCESS    dead (zombie)
Accessing utmp/wtmp Entries

    #include <utmp.h>

    void utmpname(char *file);
    void setutent(void);
    void endutent(void);
    struct utmp *getutent(void);
    struct utmp *getutid(struct utmp *ut);
    struct utmp *getutline(struct utmp *ut);
    void pututline(struct utmp *ut);
utmpname() can be supplied with the default pathnames stored in _PATH_UTMP and _PATH_WTMP.
getutline() is restricted to entries with login type LOGIN_PROCESS and USER_PROCESS.
Updates can only be done by root.
Example: sw.c, a simple who

    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <pwd.h>
    #include <utmp.h>
    #include <time.h>       /* for ctime() */

    int main(void)
    {
        struct utmp *ut;
        struct passwd *pw;
        char name[UT_NAMESIZE+1];
        time_t t;

        utmpname("/var/run/utmp");
        setutent();
        while ((ut = getutent()) != NULL) {
            if (ut->ut_user[0] != '\0') {
                /* ut_user need not be '\0'-terminated: copy it and terminate the copy */
                strncpy(name, ut->ut_user, UT_NAMESIZE);
                name[UT_NAMESIZE] = '\0';
                if ((pw = getpwnam(name)) == NULL)
                    printf("%s has no passwd!\n", name);
                else {
                    t = ut->ut_time;    /* ut_time is not a time_t on every system */
                    printf("%s %.*s %s %s", name, UT_LINESIZE, ut->ut_line,
                           pw->pw_gecos, ctime(&t));
                }
            }
        }
        endutent();
        return 0;
    }
Usage

    $ sw
    reboot has no password!
    runlevel has no password!
    LOGIN has no password!
    LOGIN has no password!
    LOGIN has no password!
    LOGIN has no password!
    LOGIN has no password!
    LOGIN has no password!
    s pts/0 ????,,, Thu Feb 15 15:56:
    ad pts/5 Dr.Andrew DAVISON,,, Thu Feb 15 16:00:
    s pts/6 MR. Kemarat CHAIYO,,, Thu Feb 15 15:32:
    s pts/7 MR. Paween CHOKENUKUL,,, Thu Feb 15 15:58:
    s pts/8 MR. Kemarat CHAIYO,,, Thu Feb 15 15:34:
    $
Notes
"Simple who" returns similar information to who, but also includes details about:
- system processes
- dead user processes
last
Displays wtmp in an understandable form.
Lists all logins, logouts, etc. since file creation.

    $ last
    rich   ttypb   mit.usa          Tue Aug 19 13:19   still logged in
    zonk   ttyp                     Tue Aug 19 13: :14 (00:02)
    rich   ttypa   lisa.ac.th       Tue Aug 19 13:11   still logged in
    zonk   ttyp3   lenny            Tue Aug 19 12: :21 (00:14)
    :

    $ last rich
    rich   ttypb   mit.usa          Tue Aug 19 13:19   still logged in
    rich   ttypa   foo.lisa.ac.th   Tue Aug 19 13:11   still logged in
    rich   ttyp0   goo.lisa.ac.th   Mon Aug 18 11: :45 (00:44)
    rich   ftp     mit.usa          Sat Aug 16 00: :04 (00:01)
    :

    $ last | grep boot
    reboot   System boot   Fri Aug 15 22:15
    reboot   System boot   Fri Aug 15 15:21
    reboot   System boot   Fri Aug 4 17:24
    reboot   System boot   Fri Aug 4 15:41
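An added example (not from the course notes) of the pairing that last performs on wtmp, using the Linux record layout and the USER_PROCESS / DEAD_PROCESS login types from the earlier slides: each USER_PROCESS record is matched with the next DEAD_PROCESS on the same ut_line, and ut_line is compared over its full width because, as noted above, the field may lack a '\0' terminator. The records are constructed in memory rather than read from /var/log/wtmp; make_record, wtmp_sessions and sample_sessions are names chosen here.

```c
#include <string.h>
#include <utmp.h>

/* Build one record in the Linux utmp layout from the slide. strncpy pads with
   '\0' but leaves no terminator when the value fills the whole field. */
struct utmp make_record(short type, const char *line, const char *user, long t)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    u.ut_type = type;
    strncpy(u.ut_line, line, UT_LINESIZE);
    strncpy(u.ut_user, user, UT_NAMESIZE);
    u.ut_tv.tv_sec = t;   /* ut_time is a macro for ut_tv.tv_sec on glibc */
    return u;
}

/* Pair each USER_PROCESS record with the next DEAD_PROCESS on the same ut_line,
   the way last reconstructs sessions from wtmp. Fills secs[] with each session's
   length (-1 = still logged in) and returns the number of sessions found. */
int wtmp_sessions(const struct utmp *recs, int n, long secs[], int max)
{
    int i, j, count = 0;
    for (i = 0; i < n && count < max; i++) {
        if (recs[i].ut_type != USER_PROCESS) continue;
        secs[count] = -1;
        for (j = i + 1; j < n; j++) {
            /* fixed-width compare: ut_line need not be '\0'-terminated */
            if (recs[j].ut_type == DEAD_PROCESS &&
                memcmp(recs[j].ut_line, recs[i].ut_line, UT_LINESIZE) == 0) {
                secs[count] = (long) recs[j].ut_tv.tv_sec - (long) recs[i].ut_tv.tv_sec;
                break;
            }
        }
        count++;
    }
    return count;
}

/* Constructed sample (not read from /var/log/wtmp): two logins, then pts/0 logs out. */
int sample_sessions(long secs[], int max)
{
    struct utmp recs[3];
    recs[0] = make_record(USER_PROCESS, "pts/0", "ad", 1000);
    recs[1] = make_record(USER_PROCESS, "pts/1", "s", 1100);
    recs[2] = make_record(DEAD_PROCESS, "pts/0", "", 1600);
    return wtmp_sessions(recs, 3, secs, max);
}
```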
8. The System Log: syslog
[Diagram: syslogd receives messages from user processes via syslog() on /dev/log (a Unix domain datagram socket), from the TCP/IP network on UDP port 514 (an Internet domain datagram socket), and from kernel routines via log() on /dev/klog; it writes them to files, the console or other destinations.]

    $ man 8 syslogd
Logging Messages
- Any program can generate log messages.
- A log message should include:
  - the program name, a facility, a priority, and the message text
- Example:

    login: Root LOGIN REFUSED on ttya

  - sent by an authorization facility (login); it is critical
Some syslog Facilities

    Name   Facility
    kern   The kernel.
    user   Regular user processes.
    mail   The mail system.
    lpr    The printer system.
    :
    auth   The authorization system, or programs that ask for user names and passwords (e.g. login, su, getty, ftp).
Some Syslog Priorities (levels)

    Priority   Meaning
    emerg      Emergency (e.g. crash).
    alert      Fix immediately (e.g. bad db).
    crit       Critical (e.g. hardware error).
    err        Ordinary error.
    :
    notice     Not an error, but important.
    :
    debug      Debug messages.
Configuring syslog
At system start-up, syslogd reads the /etc/syslog.conf configuration file.
syslog.conf specifies what messages to log, and where to log them
- see $ man 5 syslog.conf
General format of a syslog.conf line (the two parts are separated by a tab):

    facility.priority	action

facility and priority can be one of the labels listed in the earlier slides (or * to mean all)
action can be:
- log to a file / device / program
- send message to a user
- send message to all users (*)
- send message to another machine
Typical syslog.conf file

    kern.debug	/dev/console
    *.err		/dev/console
    auth.notice	/usr/adm/messages
    lpr.*		/usr/adm/lpd-errs
    auth.*		root,ad
    auth.*		/dev/console
    *.emerg		*

    $ man 5 syslog.conf
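To see how the selector lines in a file like the one above resolve, here is an added example (not from the course notes) that parses syslog.conf lines of the form facility.priority<tab>action and lists every action that receives a given message. It assumes the standard rule that a selector priority covers that level and all more severe ones, uses the full priority list (the slides elide warning and info), and does not handle the ';'-joined selectors or the none priority that real files may contain; SAMPLE_CONF is the slide's file embedded as test input, and the function names are chosen here.

```c
#include <stdio.h>
#include <string.h>
/* The typical syslog.conf from the slide, embedded as constructed test input. */
static const char *SAMPLE_CONF =
    "kern.debug\t/dev/console\n"
    "*.err\t/dev/console\n"
    "auth.notice\t/usr/adm/messages\n"
    "lpr.*\t/usr/adm/lpd-errs\n"
    "auth.*\troot,ad\n"
    "auth.*\t/dev/console\n"
    "*.emerg\t*\n";
/* Priorities in decreasing severity; index 0 is the most severe. */
static const char *PRIOS[] = {"emerg", "alert", "crit", "err",
                              "warning", "notice", "info", "debug"};
static int prio_index(const char *p)
{
    int i;
    for (i = 0; i < 8; i++)
        if (strcmp(PRIOS[i], p) == 0) return i;
    return -1;
}
/* Does selector "fac.prio" ('*' = any) cover a message of (fac, prio)?
   A selector priority matches that level and every more severe one. */
int selector_matches(const char *selector, const char *fac, const char *prio)
{
    char sfac[32], sprio[32];
    const char *dot = strchr(selector, '.');
    int s, m;
    if (dot == NULL || dot - selector >= (int) sizeof sfac) return 0;
    memcpy(sfac, selector, dot - selector); sfac[dot - selector] = '\0';
    snprintf(sprio, sizeof sprio, "%s", dot + 1);
    if (strcmp(sfac, "*") != 0 && strcmp(sfac, fac) != 0) return 0;
    if (strcmp(sprio, "*") == 0) return 1;
    s = prio_index(sprio); m = prio_index(prio);
    return s >= 0 && m >= 0 && m <= s;
}
/* Walk a syslog.conf text and collect every action that receives (fac, prio);
   selector and action are separated by whitespace (a tab in the real file). */
int route_message(const char *conf, const char *fac, const char *prio,
                  char actions[][64], int max)
{
    char copy[1024], sel[64], act[64], *line;
    int n = 0;
    snprintf(copy, sizeof copy, "%s", conf);   /* strtok modifies its input */
    for (line = strtok(copy, "\n"); line != NULL && n < max; line = strtok(NULL, "\n")) {
        if (line[0] == '#' || sscanf(line, "%63s %63s", sel, act) != 2) continue;
        if (selector_matches(sel, fac, prio))
            snprintf(actions[n++], 64, "%s", act);
    }
    return n;
}
```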
Some critical auth messages

    Program   Message
    halt      halted by
    login     ROOT LOGIN REFUSED ON [FROM ]
    login     REPEATED LOGIN FAILURES ON [FROM ]
    su        BAD SU ON
Some notice auth messages

    Program   Message
    date      date set by
    login     ROOT LOGIN [FROM ]
    su        su on
The syslog() Function

    #include <syslog.h>

    void openlog(char *ident, int option, int facility);
    void syslog(int priority, char *format, ...);
    void closelog(void);

    $ man 3 syslog
Some openlog() Options

    Option       Meaning
    LOG_CONS     If syslogd is 'down', send the message to the console.
    LOG_PID      Log the process ID.
    LOG_PERROR   Print to stderr as well.
    :
Some openlog() Facilities

    Facility   Meaning
    LOG_USER   User-process message.
    LOG_MAIL   Mail system.
    LOG_LPR    Printer system.
    LOG_AUTH   An authorization program.
    :
Some syslog() Priorities

    Priority     Meaning
    LOG_EMERG    Emergency
    LOG_ALERT    Alert
    LOG_CRIT     Critical
    LOG_ERR      Error
    :
    LOG_NOTICE   Notice
    :
    LOG_DEBUG    Debug
Examples
Postscript printer program:

    openlog("lprps", LOG_PID, LOG_LPR);
    syslog(LOG_ERR, "open error for %s", filename);

Without the openlog() call, the priority and facility are combined in one argument:

    syslog(LOG_ERR | LOG_LPR, "open error for %s", filename);
UNIX logger
logger
- can specify facility, priority, identifier
- intended for logging in non-interactive shell scripts
- simple version: logger [-p priority] [message]
e.g.

    $ logger System Rebooted
    $ logger -p auth.notice
9. Process Information
lastcomm
- displays information on previously executed commands
- examples:

    $ lastcomm
    $ lastcomm ad
    $ lastcomm ftp
    $ lastcomm ad ftp
    $ lastcomm --strict-match --user ad --command ftp
Example

    $ lastcomm
    cron       F   root     ??        0.08 secs   Mon Sep 19 15:06
    date           martin   ttyp7     0.02 secs   Mon Sep 19 15:06
    sh             smith    ttyp3     0.05 secs   Mon Sep 19 15:04
    csh            ng       ttypf     3.45 secs   Mon Sep 19 14:53
    calculus   D   chavez   ttyq8     0.95 secs   Mon Sep 19 15:09
    more       X   ng       ttypf     0.17 secs   Mon Sep 19 15:03
    ruptime        martin   console   0.14 secs   Mon Sep 19 15:03
    mail       S   root     ttyp0     0.95 secs   Fri Sep 16 10:46
    :

Not working on calvin; fine on fivedots
On Linux, lastcomm examines the binary file /var/account/pacct
The meaning of the letter flags:
- S  command was run by superuser;
- F  command ran after a fork;
- D  command terminated with a core dump;
- X  command was terminated with a signal (e.g. a control-c).
Accessing /var/account/pacct
Use sys/acct.h:

    #define ACCT_COMM 16

    struct acct {
        char   ac_comm[ACCT_COMM];   /* cmd */
        time_t ac_utime;             /* user time */
        time_t ac_stime;             /* sys time */
        time_t ac_etime;             /* elapsed time */
        time_t ac_btime;             /* begin time */
        uid_t  ac_uid;               /* user ID */
        gid_t  ac_gid;               /* group ID */
        dev_t  ac_tty;               /* dev. no. */
        char   ac_flag;              /* flags */
        :
    };

    $ man 5 acct
ac_flag Bit Values

    Bit Constant   Meaning
    ASU            Command was run by superuser.
    AFORK          Command ran after a fork.
    ACORE          Command terminated with a core dump.
    AXSIG          Command was terminated with a signal (e.g. a control-c).
Example: slc.c, a Simple lastcomm

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>
    #include <sys/acct.h>

    #define ACC "/var/account/pacct"

    int main(void)
    {
        struct acct ac;
        FILE *fp;
        time_t bt;

        if ((fp = fopen(ACC, "rb")) == NULL) {
            printf("Cannot open %s\n", ACC);
            exit(1);
        }
        while (fread(&ac, sizeof(struct acct), 1, fp) == 1) {
            bt = ac.ac_btime;    /* ac_btime is not a time_t on every system */
            /* ac_comm may fill all ACCT_COMM bytes, so bound the %s width */
            printf("%10.*s %5d %c%c%c%c %s",
                   ACCT_COMM, ac.ac_comm, (int) ac.ac_uid,
                   ac.ac_flag & ACORE ? 'D' : ' ',
                   ac.ac_flag & AXSIG ? 'X' : ' ',
                   ac.ac_flag & AFORK ? 'F' : ' ',
                   ac.ac_flag & ASU   ? 'S' : ' ',
                   ctime(&bt));
        }
        fclose(fp);
        return 0;
    }

Works on fivedots
Usage (on fivedots)

    $ ./slc | more
    accton   0    S   Thu Feb 15 06:25:
    acct     0        Thu Feb 15 06:25:
    acct     0        Thu Feb 15 06:25:
    date     0        Thu Feb 15 06:25:
    tr       0        Thu Feb 15 06:25:
    apache   0  F     Thu Feb 15 06:25:
    :
10. System Information

    #include <sys/utsname.h>
    int uname(struct utsname *name);

Returns info. on the current host and OS; returns a non-negative value if ok, -1 on error.
UNIX interface: uname

    $ uname --all
struct utsname

    struct utsname {
        char sysname[SYS_NMLN];      /* OS name */
        char nodename[SYS_NMLN];     /* node name */
        char release[SYS_NMLN];      /* OS release */
        char version[SYS_NMLN];      /* OS version */
        char machine[SYS_NMLN];      /* hdwr name */
        char domainname[SYS_NMLN];   /* NIS domain name (GNU extension) */
    };

    $ man 2 uname