user account logon from python

Philippe C. Martin

Hi,

I am attempting to write a linux logon manager with python.

Can python access login APIs (which module ?) or do I need to write a
wrapper ?

Regards,

Philippe
 
jepler

"login APIs" vary widely from system to system.

Classic Unix systems use calls like getpwent and crypt to check passwords, and
then call setuid, setgid and setgroups to set the identity of the user who is
logging in. These are all available in stock Python, check the library
reference for more details. Other login-time activities, like writing utmp
entries, may not be directly available in stock Python modules.

Many modern Linux systems use something called 'pam' for login-related
activities, and there seems to be something called 'python-pam' out there, but
I've never used it.

Graphical login managers have their own additional requirements, such as
starting and stopping the X server, managing the X authentication information,
etc.

Jeff

 
Philippe C. Martin

Jeff,

1- I cannot find getpwent in the documentation
2- crypt will not work if the system does not have shadow pw
3- Even as root I get "Operation not permitted" using setuid and setgid ...
but I assume it is because I cannot get 1 and/or 2 to work.

Can you direct me to some link that would explain the actual procedure ?

Thanks,

Regards,

Philippe
 
Philippe C. Martin

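Getting there, this sequence creates a file with the correct uid and gid:

import os

test_user_ids = 504  # used as both the uid and the gid
# real id -> target, effective id stays 0 for now
print os.setreuid(test_user_ids,0)
print os.setregid(test_user_ids,0)
# switch to the target ids
print os.setuid(test_user_ids)
print os.setgid(test_user_ids)

print os.getuid()
# the file is created under the new ids
f = open("/tmp/toto","w")
f.write("titi")
f.close()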
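
Added example, not part of any post in this thread: the identity switch jepler describes (setgroups, setgid, setuid) done in the order that drops root permanently, with a check that root cannot be regained. `drop_privileges`, `FakeOS` and `dry_run` are hypothetical names; `FakeOS` is a constructed stand-in for the `os` module so the call order can be exercised without root, and uid/gid 504 is the test value from the post above.

```python
import os

def drop_privileges(uid, gid, groups, osmod=os):
    """Permanently switch a root process to (uid, gid, groups).

    Groups and gid are changed while the process is still root; setuid()
    goes last because nothing else can be changed once it has succeeded.
    """
    if osmod.geteuid() != 0:
        raise PermissionError("must start as root to switch users")
    if uid == 0:
        raise ValueError("target uid 0 is not a privilege drop")
    osmod.setgroups(groups)   # replace root's supplementary groups
    osmod.setgid(gid)         # as root: real, effective and saved gid
    osmod.setuid(uid)         # as root: real, effective and saved uid
    if (osmod.getuid(), osmod.geteuid()) != (uid, uid):
        raise RuntimeError("uid was not fully switched")
    if (osmod.getgid(), osmod.getegid()) != (gid, gid):
        raise RuntimeError("gid was not fully switched")
    try:
        osmod.setuid(0)       # must fail now
    except OSError:
        return
    raise RuntimeError("root can still be regained")


class FakeOS:
    """Constructed stand-in for os; simplified: every set* call needs euid 0."""
    def __init__(self):
        self.uid = self.euid = self.gid = self.egid = 0
        self.calls = []
    def geteuid(self): return self.euid
    def getuid(self): return self.uid
    def getgid(self): return self.gid
    def getegid(self): return self.egid
    def _need_root(self, name):
        if self.euid != 0:
            raise PermissionError(1, "Operation not permitted")
        self.calls.append(name)
    def setgroups(self, groups): self._need_root("setgroups")
    def setgid(self, gid): self._need_root("setgid"); self.gid = self.egid = gid
    def setuid(self, uid): self._need_root("setuid"); self.uid = self.euid = uid


def dry_run(uid=504, gid=504):
    """Run the drop against the stand-in and return the order of calls made."""
    fake = FakeOS()
    drop_privileges(uid, gid, [gid], osmod=fake)
    return fake.calls
```

In a real login manager the same function is called with the default `osmod=os` and the uid, gid and group list looked up for the authenticated user.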
 
Mike Meyer

Philippe C. Martin said:
Jeff,

1- I cannot find getpwent in the documentation

getpwent is a Unix library call. For python, you want the pwd
module. The docs are <URL: http://docs.python.org/lib/module-pwd.html >.

Philippe C. Martin said:
2- crypt will not work if the system does not have shadow pw

Rubbish. crypt doesn't know anything about password files. It just
knows how to encrypt a password. It's up to you to get the password
attempt from the user, and the encrypted password from the password
file (or the shadow password file). The pwd module doesn't deal with
shadow passwords. Maybe you meant "system does have shadow pw". But
it's pwd that doesn't work, not crypt - and that depends on the
system. For instance:

bhuda% cat tp.py
#!/usr/bin/env python

import pwd, os

p = pwd.getpwnam(os.environ['USER'])
print p[1]
bhuda% ./tp.py
*

But:

bhuda# ./tp.py
$1$cKJbUtaY$y.e7GRjo8ePxgiBzskyRX0

I.e. - as me, the pwd routines won't return passwords. As root, it
returns the encrypted password.

Philippe C. Martin said:
3- Even as root I get "Operation not permitted" using setuid and setgid ...
but I assume it is because I cannot get 1 and/or 2 to work.

They shouldn't have anything to do with it. Are you sure the process
is running as root? For instance, most modern Unices won't honor the
setuid bit on script executables. You have to write a setuid
wrapper that runs the interpreter with the appropriate privileges.

<mike
 
Philippe C. Martin

Hi Mike,


Mike said:
getpwent is a Unix library call. For python, you want the pwd
module. The docs are <URL: http://docs.python.org/lib/module-pwd.html >.

I must be blind but still do not see it - do you mean getpwnam ?

Mike said:
Rubbish. crypt doesn't know anything about password files. It just
knows how to encrypt a password. It's up to you to get the password
attempt from the user, and the encrypted password from the password
file (or the shadow password file). The pwd module doesn't deal with
shadow passwords. Maybe you meant "system does have shadow pw". But
it's pwd that doesn't work, not crypt - and that depends on the
system. For instance:

I meant that the code from the documentation fails on the "raise", with the
error "Sorry, currently no support for shadow passwords"

What should I understand ?

import os
import crypt, getpass, pwd

def login():
    username = raw_input('Python login: ')
    cryptedpasswd = pwd.getpwnam(username)[1]
    print cryptedpasswd
    if cryptedpasswd:
        if cryptedpasswd == 'x' or cryptedpasswd == '*':
            raise "Sorry, currently no support for shadow passwords"
        cleartext = getpass.getpass()
        return crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd
    else:
        return 1

Thanks and regards,

Philippe
 
Mike Meyer

Philippe C. Martin said:
Hi Mike,

I must be blind but still do not see it - do you mean getpwnam ?

Sorry, I wasn't clear about it. getpwent is a Unix call that lets you
walk through all the entries in the password file. The equivalent in
the pwd module is getpwall. For your usage, you probably want
getpwnam.

Philippe C. Martin said:
I meant that the code from the documentation fails on the "raise", with the
error "Sorry, currently no support for shadow passwords"
What should I understand ?

Right. You meant the example fails if the system does have a shadow
password system.

There are two alternatives: One, you're not running as root, and the
system works like FreeBSD (where my example was run), whose pwd
library transparently handles the shadow password file, filling in
real passwords iff you're root. In that case, running as root will
solve the problem.

Two, your system has a different API for dealing with the shadow
password file. You'll either have to wrap that API, or parse the
shadow password file yourself. Either way, you'll have to run as root
to access the real password information.

<mike
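
Added example, not code from this thread: the "parse the shadow password file yourself" route, assuming the Linux shadow(5) layout of nine colon-separated fields. It refuses locked, expired and password-less accounts before any comparison and compares hashes in constant time. All function names are hypothetical, the sample lines are constructed, and `fake_crypt` is a stand-in for `crypt.crypt` (removed from the standard library in Python 3.13) so the sample runs anywhere; pass a real crypt(3) binding as `crypt_fn` in practice.

```python
import hmac
from collections import namedtuple

ShadowEntry = namedtuple("ShadowEntry", "name hash expire")

def parse_shadow_line(line):
    """name:hash:lastchg:min:max:warn:inactive:expire:reserved, per shadow(5)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow line")
    expire = int(fields[7]) if fields[7] else None  # days since 1970-01-01
    return ShadowEntry(fields[0], fields[1], expire)

def account_state(entry, today):
    """Classify the entry before any password comparison is attempted."""
    if entry.expire is not None and today >= entry.expire:
        return "expired"
    if entry.hash == "":
        return "no-password"   # this example refuses these logins
    if entry.hash[0] in "!*":
        return "locked"        # not a valid crypt(3) result
    return "active"

def check_password(entry, cleartext, today, crypt_fn):
    """today is days since 1970-01-01, e.g. int(time.time() // 86400)."""
    if account_state(entry, today) != "active":
        return False
    candidate = crypt_fn(cleartext, entry.hash)  # stored hash doubles as salt
    return bool(candidate) and hmac.compare_digest(
        candidate.encode(), entry.hash.encode())

SAMPLE = [  # constructed lines; "$fake$" is not a real crypt(3) scheme
    "alice:$fake$terces:19000:0:99999:7:::",
    "bob:!$fake$terces:19000:0:99999:7:::",
    "carol::19000:0:99999:7:::",
    "dave:$fake$terces:19000:0:99999:7::19500:",
]

def fake_crypt(cleartext, salt):  # stand-in so the sample runs anywhere
    return "$fake$" + cleartext[::-1]

def demo(today=20000):
    """Try the password "secret" against every constructed sample entry."""
    return {e.name: check_password(e, "secret", today, fake_crypt)
            for e in map(parse_shadow_line, SAMPLE)}
```

Reading the real /etc/shadow requires root, as the post above says, so this check belongs in the privileged part of the login manager.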
 
Marc 'BlackJack' Rintsch

Philippe C. Martin said:
I am attempting to write a linux logon manager with python.

Have you considered looking at the sources of xdm/gdm/kdm/... to see how
they solve the problems you have?

Ciao,
Marc 'BlackJack' Rintsch
 
