COHERENT manpages
This page displays the COHERENT manpage for shadow [File that holds restricted passwords].
shadow -- System Administration

File that holds restricted passwords
/etc/shadow

COHERENT stores information in file /etc/passwd. This file identifies each user, gives her home directory, default shell, and base group. It must be universally readable so that it can be used by programs like ls, which must translate user-identification numbers into login identifiers.

In general, this system works well; however, it does create a hole in system security. If users' encrypted passwords are kept in /etc/passwd, which is universally readable, a ``cracker'' can read the passwords, decipher some of them with brute-force methods, and then log in as the users whose passwords she cracked.

To plug that hole in system security, UNIX implemented the method of ``shadow'' passwords. In this scheme, a user's login information is still kept in /etc/passwd; however, the encrypted passwords (plus supplemental information) are kept in the file /etc/shadow, which can be read only by a process with root-level permissions.

The shadow password file contains one entry per user. Each user identified in /etc/shadow must have an entry in /etc/passwd. The opposite is not true, but a user described in /etc/passwd who does not have an entry in /etc/shadow cannot log into your system.

Each entry in /etc/shadow is laid out exactly the same as an entry in file /etc/passwd. At present, the COHERENT implementation of login uses only the name and password fields. For details, see the Lexicon entry for passwd.

Reading /etc/shadow

COHERENT includes four functions with which a program can read the shadow-password file /etc/shadow:

endspent()   Close /etc/shadow after reading from it.

getspent()   Read the next record from /etc/shadow. If a process has not yet read /etc/shadow, it returns the first record.

getspnam()   Return the first record for the user with a given login identifier.

setspent()   Return the seek pointer for /etc/shadow to the beginning of the file.

Functions getspent() and getspnam() return a pointer to an object with structure spwd, which gives an analogue for each field in /etc/shadow. This structure is defined in header file <shadow.h>. For details on this structure, see the Lexicon entry for shadow.h.

See Also

Administering COHERENT, login, shadow.h

Notes

For details of how the program login uses shadow passwords, see its entry in the Lexicon.
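
Added example (not part of the COHERENT manual or its sources): a consistency audit for the rules stated above. It counts shadow entries with no matching /etc/passwd entry, /etc/passwd users with no shadow entry (who cannot log in), and /etc/passwd entries that still carry an encrypted password. The names audit_shadow, flen, next_rec and has_user are hypothetical, the sample records are constructed, and treating a password field of at most one character as a placeholder is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records, not taken from any real system. */
static const char SAMPLE_PASSWD[] =
    "alice:x:100:50:Alice:/usr/alice:/bin/sh\n"
    "bob:Zq3kP0aVn1m2c:101:50:Bob:/usr/bob:/bin/sh\n"     /* hash still here */
    "carol:x:102:50:Carol:/usr/carol:/bin/sh\n";          /* no shadow entry */
static const char SAMPLE_SHADOW[] =
    "alice:Jk5lM6nO7pQ8r:100:50:Alice:/usr/alice:/bin/sh\n"
    "bob:Zq3kP0aVn1m2c:101:50:Bob:/usr/bob:/bin/sh\n"
    "dave:St9uV0wX1yZ2a:103:50:Dave:/usr/dave:/bin/sh\n"; /* no passwd entry */

struct audit { int orphan_shadow, no_shadow, hash_in_passwd; };
/* Length of the colon-separated field that starts at p. */
static size_t flen(const char *p) { return strcspn(p, ":\n"); }
/* Start of the record after the one at l (or the terminating NUL). */
static const char *next_rec(const char *l) { l += strcspn(l, "\n"); return *l ? l + 1 : l; }

/* Return 1 if some record in text has the n-byte login name at name. */
static int has_user(const char *text, const char *name, size_t n)
{
    for (const char *l = text; *l; l = next_rec(l))
        if (flen(l) == n && !memcmp(l, name, n)) return 1;
    return 0;
}

/* Cross-check the text of a passwd file against the text of a shadow file. */
struct audit audit_shadow(const char *passwd, const char *shadow)
{
    struct audit a = {0, 0, 0};
    for (const char *l = shadow; *l; l = next_rec(l))  /* needs a passwd entry */
        if (flen(l) && !has_user(passwd, l, flen(l))) a.orphan_shadow++;
    for (const char *l = passwd; *l; l = next_rec(l)) {
        size_t n = flen(l);
        if (!n) continue;                              /* blank or nameless line */
        if (!has_user(shadow, l, n)) a.no_shadow++;    /* user cannot log in */
        /* Assumption: a placeholder password is at most one character. */
        if (l[n] == ':' && flen(l + n + 1) > 1) a.hash_in_passwd++;
    }
    return a;
}

int main(void)
{
    struct audit a = audit_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW);
    printf("shadow-only: %d  passwd-only: %d  hashes in passwd: %d\n",
           a.orphan_shadow, a.no_shadow, a.hash_in_passwd);
    return 0;
}
```

On a live system the same comparison must run with root-level permissions, since /etc/shadow is not readable otherwise.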