[Gambas-user] Program to use different group rights

Rolf-Werner Eilert rwe-sse at osnanet.de
Mon Nov 26 13:02:09 CET 2018


Let me add this:

I just found two solutions:

1. Commandline:

if su -c true "$USER"; then
   echo "Correct password"
fi

How would I read the exit code if in a Gambas shell?

2. PAM call. This example is in Ruby, but very much like Gambas. BUT it 
needs a Ruby library called rpam, so if there is nothing comparable in 
Gambas...

It boils down to this line:

if Rpam.auth(username, password, service: 'system-auth')

So I would prefer the first way, but I need to know how to read exit 
codes from a shell.

Regards
Rolf


On 26.11.2018 at 12:12, Bruce wrote:
> Well, the first thing to note is that /etc/shadow should contain one way 
> encrypted information only. So I don't see how you could possibly see 
> anything relevant in it?
> 
> Sure, if you cat that file (as a root user) you will see some (possibly) 
> ASCII strings that represent the passwords - but you can't "un-decrypt" 
> them. AFAIK.
> 
> As regards your second para, the "shadow" group (AFAICR) is very 
> protected. No user, or especially an executable program "should" be able 
> to get access. The only way I know is for the executable to obtain 
> privileged access via a runtime login as a "root" level user.
> 
> Re para 3: From memory, (bad at the best of times), there are at least a 
> few system calls that let you:
> - compare an encrypted passkey to the relevant value to the ...
> - currently (kernel level) known value for that passkey.
> - here's the rub, I can't remember whether that is actually obtained 
> from a read of the shadow file or whether it's something in ring 0 memory?
> 
> So basically, trying to use /etc/shadow passkey authentication in user 
> space is a no-no.
> 
> AFAICR!
> 
> I don't know exactly what your end goal is but I don't think you're on 
> the right track.
> 
> B
> 
> On 11/26/18 9:16 PM, Rolf-Werner Eilert wrote:
>> When a program needs to read from a file which could actually only be 
>> read if member of a special group, how would this be achieved?
>>
>> I found that in order to read from /etc/shadow, a program needs to be 
>> member of the group "shadow". But when I start a password management 
>> program (in GUI) as an ordinary user, this program will be member of 
>> my own group only.
>>
>> So how would such a program be able to read my hash from /etc/shadow 
>> to verify if I type the right old password first? The new password 
>> could be sent to passwd to form and save a new hash, but how to read 
>> the old one first?
>>
>> Maybe someone here knows how this is achieved.
>>
>> Regards
>> Rolf
>>
>> ----[ Gambas mailing-list is hosted by https://www.hostsharing.net ]----
> 