[TriLUG] questions about /etc/passwd

Mike Mueller mjm-58 at mindspring.com
Fri Sep 13 17:56:55 EDT 2002


On Friday 13 September 2002 17:20, Ed Hill wrote:
> On Fri, 2002-09-13 at 12:53, Mike Mueller wrote:
> > I think that some of the entries in /etc/passwd are used for
> > authentication but I haven't made the connection yet.  For example,
> > shutdown and halt are in the file but they have no executables associated
> > with them:
> >
> > find / -user shutdown -ls
> >
> > But /etc/pam.d/shutdown  is evidence that authentication is being done.
> >
> > Is the entry point for PAM authentication the /etc/passwd file?
>
> Perhaps I'm missing your point, but the users "shutdown" and "halt" do
> (though not in the sense that you meant earlier) have executables
> associated with them.  The associated executables are the login shells:
>
> > > shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> > > halt:x:7:0:halt:/sbin:/sbin/halt
>
> specified by the /etc/passwd file which are "/sbin/shutdown" and
> "/sbin/halt".  So if you became the user "shutdown", you would
> automatically execute the /sbin/shutdown program as your "login shell".

I checked ownership of shutdown:

[mike01 at laptop temp]$ ls /usr/bin/shutdown
/usr/bin/shutdown@
[mike01 at laptop temp]$ ls -l /usr/bin/shutdown
lrwxrwxrwx    1 root     root           13 Feb  3  2002 /usr/bin/shutdown -> consolehelper*
[mike01 at laptop temp]$ ls -l /usr/bin/consolehelper
-rwxr-xr-x    1 root     root        20616 Sep 17  2001 /usr/bin/consolehelper*
[mike01 at laptop temp]$ ls /sbin/shutdown
/sbin/shutdown*
[mike01 at laptop temp]$ ls -l /sbin/shutdown
-rwxr-xr-x    1 root     root        15484 Aug 22  2001 /sbin/shutdown*

I am not sure how one would become the "shutdown" user since it has a splat 
in the passwd field of /etc/shadow.  shutdown is owned by root so having +s 
set on the shutdown executable would result in setuid being root.  Maybe the 
source code to shutdown will shed more light on what is going on.  My 
suspicion is that shutdown uses the PAM API to authenticate the user making 
the call to shutdown.

Aha!  I did "man consolehelper" and it discusses using PAM authentication.

-- 
mueller, mike

The larger purpose of the economic order, including Wall Street, is to 
support the material conditions for human existence, not to undermine and 
destabilize them.

-Editorial, The Nation, August 19, 2002
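
The relationship discussed in this thread, as an added example that is not part of the original message: the code joins /etc/passwd and /etc/shadow entries and reports, per account, whether the password field is a lock marker and whether the "login shell" is a command rather than an interactive shell. The mike01 line, all shadow lines, the `INTERACTIVE_SHELLS` set and the choice to treat a missing shadow entry as locked are assumptions made for the example.

```python
from typing import NamedTuple

# The first two passwd lines are quoted in the thread; the third and all shadow
# lines are constructed samples (the thread only says the shadow field is "*").
PASSWD = """\
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mike01:x:500:500:Mike:/home/mike01:/bin/bash
"""
SHADOW = """\
shutdown:*:11900:0:99999:7:::
halt:*:11900:0:99999:7:::
mike01:$1$constructed$notarealhashvalue000000:11900:0:99999:7:::
"""
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash"}  # assumption: stand-in for /etc/shells

class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    shell: str
    password_locked: bool  # shadow field is a lock marker, so no password matches
    runs_command: bool     # "login shell" is a program, not an interactive shell

def is_lock_marker(field):
    """'*' and '!' prefixes are never valid crypt output; an empty field is not a lock."""
    return field.startswith(("*", "!"))

def audit(passwd_text, shadow_text):
    """Join passwd and shadow text and classify each account."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, pw, uid, gid, _gecos, _home, shell = fields
        shell = shell or "/bin/sh"  # an empty shell field defaults to /bin/sh
        # "x" points at /etc/shadow; assumption: a missing shadow entry counts as locked
        locked = is_lock_marker(shadow.get(name, "*") if pw == "x" else pw)
        accounts.append(Account(name, int(uid), int(gid), shell, locked,
                                shell not in INTERACTIVE_SHELLS))
    return accounts

if __name__ == "__main__":
    for a in audit(PASSWD, SHADOW):
        print(a)
```

On a real system, pass the contents of /etc/passwd and /etc/shadow (the latter needs root to read) and build the shell set from /etc/shells.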


