Date:      Thu, 22 Jan 2004 11:22:20 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Gabor Esperon <gesperon@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Fwd: About *pwent() functions
Message-ID:  <20040122112220.GC42056@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040122053545.66503.qmail@web11508.mail.yahoo.com>
References:  <20040121224749.GB36113@happy-idiot-talk.infracaninophile.co.uk> <20040122053545.66503.qmail@web11508.mail.yahoo.com>


On Wed, Jan 21, 2004 at 09:35:45PM -0800, Gabor Esperon wrote:
>
> --- Matthew Seaman <m.seaman@infracaninophile.co.uk>
> wrote:

> > There aren't functions to add user accounts via a C
> > api in the
> > standard FreeBSD system libraries.  There are
> > various applications
> > that will do the job for you -- pw(8) is probably
> > the best choice --
> > and it shouldn't be too hard to fork(2) and
> > execve(2) it
> > with an appropriate set of command line arguments.
>
> I am implementing a PAM module that authenticates and
> creates a user on demand according to some parameters,
> and PAM modules do not allow file execution.

This sounds like an incredibly bad idea to me: user authentication
should be kept completely separate from user account creation.
Otherwise, the possibility exists that J. Random Hacker could trick
your system into creating an account for himself, and use it for
nefarious purposes.

Having said that, I'm also pretty sure that someone will have written
PAM modules that do that sort of thing.  I've seen discussion of
modules that create the account home directory on first use, given
that the UID exists in a network database.  Perhaps a bit of searching
the net is in order.
> > Or if you know that you're using the local password
> > file, then you can
> > write code that locks master.passwd, appends a line
> > with the correct
> > data, unlocks it and runs pwd_mkdb(8).
>
> Yes, I'm using the local password file. Which APIs
> should I use to implement pwd_mkdb(8)?

Ah.  If you can't run pw(8), then you can't run pwd_mkdb(8) either.
That's the program that processes the /etc/master.passwd file to
generate all of /etc/passwd, /etc/master.passwd.db and /etc/passwd.db.
The '.db' files are Berkeley DB format hashed lookup tables: see
dbopen(3), but quite honestly reinventing pwd_mkdb(8) as a C api would
be a bit un-unixlike.  Better to work on spawning the necessary
programs from your module.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
