I need to check in C program wether a given login is known on the system. Is there any system function that could do this ?
So far, all I could find is getpwnam(), which answers my problem by parsing the local password database. But won't work if a user is authenticated by other means (PAM, Kerberos, ...).
I am suprised not to have found anything on that topic, because any shell is able to resolve a user's HOME while doing the tilde expansion, but how is it done? I had a look at the shell C sources, but I am a bit lost. Also, I don't have a system with network authentication handy, so I can't ktrace /bin/sh while doing a tilde expansion to see what function is called...
When a user logs in using login(1) login sets the $HOME environmental variable. The shell uses that environmental variable to find a users home directory.
AFAIK, there is no single API which will check whether a login is known to all authentication methods (local, NIS, PAM, etc.) used on a particular system.
Thanks for your answer.
That is true for the current user, who is obviously logged in. However, if I have an existing user, say bob with HOME=/home/bob, on a system, then anyone will see ~bob expanded to /home/bob in their shell. Without that bob has ever logged in (and so called login(1)), and regardless of the authentication method as far as I could experiment...
On the other hand, if bob doesn't exist, then ~bob won't expand.
So the shell knows whether a user exists or not... the question is how? :rolleyes: which I should find in the sources
If the system is PAM based then you can use pam_authenticate to verify user access (and probable existence).
Linux example: Chapter�8.�An example application
No, in general, a shell does not know whether a particular user exists or not. The operating system may know that information.
As for tilde expansion, here is the relevant section from ksh93 s+.
/*
* This routine is used to resolve ~ expansion.
* A ~ by itself is replaced with the users login directory.
* A ~- is replaced by the previous working directory in shell.
* A ~+ is replaced by the present working directory in shell.
* If ~name is replaced with login directory of name.
* If string doesn't start with ~ or ~... not found then 0 returned.
*/
static char *sh_tilde(register const char *string)
{
register char *cp;
register int c;
register struct passwd *pw;
register Namval_t *np=0;
static Dt_t *logins_tree;
if(*string++!='~')
return(NIL(char*));
if((c = *string)==0)
{
if(!(cp=nv_getval(nv_scoped(HOME))))
cp = getlogin();
return(cp);
}
if((c=='-' || c=='+') && string[1]==0)
{
if(c=='+')
cp = nv_getval(nv_scoped(PWDNOD));
else
cp = nv_getval(nv_scoped(OLDPWDNOD));
return(cp);
}
if(logins_tree && (np=nv_search(string,logins_tree,0)))
return(nv_getval(np));
if(!(pw = getpwnam(string)))
return(NIL(char*));
if(!logins_tree)
logins_tree = dtopen(&_Nvdisc,Dtbag);
if(np=nv_search(string,logins_tree,NV_ADD))
nv_putval(np, pw->pw_dir,0);
return(pw->pw_dir);
}
Thanks, this answers my question. Furthermore I was wrong, and you are right: the shell knows only for users already logged at least once on the system. I could test getpwnam() on a set of PCs running Linux with PAM authentication, it failed for PAM logins of users that never logged on the machine. Same occurred with tidlde expansion.
BTW, I understand that getpwnam() manpage is confusing : it claims that /etc/passwd is parsed. But seen the output of last(1), and the outcome of my test, I understand it is rather /var/run/wtmp...
I understand it is possible for a user to log in since login(1) relies on PAM, without that his entry is necessarily recorded in the password database. So the tilde expandion in a public shell like bash would fail in this case (as for ksh, there is no call to any pam_ function in bash-3.2, only calls to getpw* , I double-checked), but would succeed if nsswitch.conf and pam.conf lead to the same files.
Is this correct? If yes, then why isn't PAM used everywhere? Can't understand this.
This was the point of my earlier post, but sublimated.
PAM provides a stackable method for transparent scrutiny of credentials presented to the system for account, authentication and accounting.
Using PAM's own API on systems equipped with it the existence of a user account can be inferred adequately, Without, one must be able to query whatever source of information is needed to verify multiple definitions of an account and it's viability.
Some systems do without PAM by philosophy and some systems predate PAM and continue with previous methods for compatibility. Personally I find the API for PAM to be cumbersome, but far from impossible.
I've worked in a shop that continued using HP 10.x in line with progressive linux installations. In this case all that could be done was design around PAM for compatibility.
I had a look at pam(8) manpage in the meantime... It sounds complicated, at least in portability point of view. More precisely, I don't mean than PAM is not portable. But it may be not installed on a given system, or may be installed but neither configured or even not used at all. How to know? No way, except develop my application with both PAM and getpw*, and choose the right option system by system...
