Unix Shell - Editing a passwd file safely

danson

2005-10-25, 7:48 am

Hi,

Looking to edit a passwd file but obviously this file can change so
that when you save it you overwrite any changes.

Thinking about this quickly the procedure I can think of would be to
write two functions:

edpasswd.sh passwd
------------------
cp passwd passwd.old
cp passwd passwd.edit
pico passwd.edit

cppasswd.sh passwd.edit passwd
------------------------------
# diff exits 0 only when the two files are identical, so the live file
# is unchanged since the edit copy was taken exactly when diff succeeds
if diff -q passwd passwd.old >/dev/null
then
    # no changes have been made
    cp passwd.edit passwd
else
    echo "passwd has changed since edit."
fi


I somehow doubt that is standard practice though - how do you experts
handle this?

Daniel

Eric Moors

2005-10-25, 7:48 am


> Looking to edit a passwd file but obviously this file can change so
> that when you save it you overwrite any changes.
>
> Thinking about this quickly the procedure I can think of would be to
> right two functions:
>
> edpasswd.sh passwd
> ------------------
> cp passwd passwd.old
> cp passwd passwd.edit
> pico passwd.edit
>
> cppasswd.sh passwd.edit passwd
> ------------------------------
> if (! diff passwd passwd.old)
> then
> #no changes have been made
> cp passwd.edit passwd;
> else
> echo "passwd has changed since edit.";
> fi
>
>
> I somehow doubt that is standard practice though - how do you experts
> handle this?


Not implying any expert-ness, but I'd use vipw (in util-linux)

Eric
danson

2005-10-25, 5:53 pm

ahh -- never heard of that tool, excellent.
one question - if you are in a vipw session and a user changes his
password will he be told that he can't because the password file is
locked? or will his change be stored by vipw and written once the file
is saved and released?

i tried this just now and it looks like the password change is written
and when vipw saves and exits it overwrites the changes losing the
user's new updated password.

Eric Moors

2005-10-25, 5:53 pm

danson wrote:

> ahh -- never heard of that tool, excellent.
> one question - if you are in a vipw session and a user changes his
> password will he be told that he can't because the password file is
> locked? or will his change be stored by vipw and written once the file
> is saved and released?
>
> i tried this just now and it looks like the password change is written
> and when vipw saves and exits it overwrites the changes losing the
> user's new updated password.


Hmm, never had that problem as I use shadow passwords.
But unless whatever other program is aware of the lock, it will overwrite,
and changes will be lost.

Eric
Ian Wilson

2005-10-25, 5:53 pm

danson wrote:
> ahh -- never heard of that tool, excellent.
> one question - if you are in a vipw session and a user changes his
> password will he be told that he can't because the password file is
> locked? or will his change be stored by vipw and written once the file
> is saved and released?
>
> i tried this just now and it looks like the password change is written
> and when vipw saves and exits it overwrites the changes losing the
> user's new updated password.
>


I think it may be safer to use dedicated command line tools for
modifying the contents of /etc/passwd etc.

man usermod
man useradd
man userdel

That way you don't need to hold /etc/passwd open in an editor for
minutes at a time.
Kenny McCormack

2005-10-25, 5:53 pm

In article <djlia4$4ss$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com>,
Ian Wilson <scobloke2@infotop.co.uk> wrote:
>danson wrote:
>
>I think it may be safer to use dedicated command line tools for
>modifying the contents of /etc/passwd etc.
>
>man usermod
>man useradd
>man userdel
>
>That way you don't need to hold /etc/passwd open in an editor for
>minutes at a time.


I don't disagree. In day-to-day administration, these tools should be used.
(But do note that 'vipw' is, shall we say, "almost standard")

Unfortunately, every once in a very great while, it is necessary to make
massive changes, that cannot be done in a meta-language (which is what
these "dedicated tools" amount to) - and have to be done either in an
editor or in a scripting language. In those (very rare) cases, you'd like
to be safe.

But, of course, the real problem is that in Unix, all locking is optional
(aka, co-operative), so the net effect is that unless all the tools are
correctly written, slippage is possible. Now, I would have thought that
the standard 'passwd' command would have been correctly written - that is,
to honor the lock placed by 'vipw', but I guess it doesn't surprise me too
much to find otherwise.

Michael Paoli

2005-10-30, 2:48 am

The UNIX/LINUX/BSD locking conventions on /etc/passwd and /etc/shadow
(or their equivalents) vary by OS flavor, and even by particular
releases.

One can use tools that will handle the locking, e.g.:
useradd
usermod
userdel
vipw

If one needs to do the manipulation more directly, one can determine the
cooperative locking convention, and follow and use it. Be sure to avoid
race conditions (e.g. on many flavors, there isn't a way to safely
create a lock file of type ordinary file from the shell, without race
conditions; however it can be done in C or Perl, and from the shell,
one can create a lock directory without a race condition, as an
effective work-around).

E.g., if on one's flavor and release, one finds that vipw invokes vi
(by default) on /etc/passwd.tmp, if one does some testing, one may find
that if one does:
mkdir /etc/passwd.tmp
that then blocks changes to /etc/passwd through the customary means, so
one could then safely change /etc/passwd, and then
rmdir /etc/passwd.tmp
once the changes to /etc/passwd have been completed.

Locking conventions vary, e.g., some systems may use:
/etc/ptmp
for shadow some use /etc/stmp - but on some systems, visudo uses that.
TCB files tend to have a locking convention of same pathname as file,
but with -t appended.

Some systems provide and document library calls for doing
locking and/or changing specifically on these files.

Your mileage can and probably will vary.

danson wrote:
> Looking to edit a passwd file but obviously this file can change so
> that when you save it you overwrite any changes.
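The two ideas in this thread put together as an added example (not code from any poster): danson's snapshot-then-compare check, done behind the atomic mkdir lock directory Michael Paoli describes, with an atomic rename instead of cp to install the result. The `<file>.tmp` lock path and the helper names are assumptions, and the demo runs on a constructed passwd-style file in a temp directory, never on /etc/passwd; as the thread notes, the lock only protects against tools that actually check for it.

```shell
#!/bin/sh
# Cooperative lock: mkdir is atomic, so two editors can never both get it.
# Lock path <file>.tmp is assumed (the thread saw vipw use /etc/passwd.tmp).
pw_lock()   { mkdir "$1.tmp" 2>/dev/null; }
pw_unlock() { rmdir "$1.tmp" 2>/dev/null; }

# Begin an edit: take the lock, snapshot the live file (.old), make a
# working copy (.edit) for the editor. cp -p keeps mode and ownership.
pw_begin() {
    pw_lock "$1" || { echo "$1 is locked" >&2; return 1; }
    cp -p "$1" "$1.old" && cp -p "$1" "$1.edit" || { pw_unlock "$1"; return 1; }
}

# Finish an edit: install .edit only if the live file still equals .old.
# Returns 0 on success, 2 if something else wrote the live file meanwhile.
pw_commit() {
    file=$1
    if cmp -s "$file" "$file.old"; then
        # mv on the same filesystem replaces the name atomically, so a
        # concurrent reader sees the old or the new file, never a half-written one.
        mv "$file.edit" "$file" || { pw_unlock "$file"; return 1; }
        rm -f "$file.old"
        pw_unlock "$file"
        return 0
    fi
    echo "$file changed since the edit began; not overwriting" >&2
    pw_unlock "$file"          # .edit is left behind so the admin can merge by hand
    return 2
}

# Demo on a constructed passwd-style file in a temp dir (constructed data).
demo_dir=$(mktemp -d)
demo_pw="$demo_dir/passwd"
printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$demo_pw"

# Happy path: nobody touches the live file while we edit the copy.
pw_begin "$demo_pw"
sed 's#/bin/sh$#/bin/bash#' "$demo_pw.edit" > "$demo_pw.new" && mv "$demo_pw.new" "$demo_pw.edit"
pw_commit "$demo_pw"; happy=$?

# Lost-update path: a tool that ignores the lock (the thread's passwd case)
# appends to the live file mid-edit; the commit must refuse to clobber it.
pw_begin "$demo_pw"
echo 'bob:x:1001:1001::/home/bob:/bin/sh' >> "$demo_pw"
pw_commit "$demo_pw"; conflict=$?
```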

