LinuxQuestions.org


Tarts 08-03-2003 05:06 AM

Login and password program for Linux from scratch, suggestions welcomed.
 
Login2:

Code:

#define _XOPEN_SOURCE
#define EXIT_SUCCESS 0
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

void wait(int seconds)
{
        clock_t endtime = clock() + seconds * CLOCKS_PER_SEC;
        while ((clock() < endtime));
}

int main()
{
        char *password, read[100], salt[] = "$1$8Hlk7DfS";
        FILE *file;
        if ((file  = fopen("/etc/pssword", "r")) == NULL)
        {
                printf("\nFile doesn't exist, run 'pssword' first.\n");  //'/etc/pssword' will exist or it will use
                                                                        //'/etc/shadow' the way it should once I figure
                                                                        //out how or someone knows and helps out.
                exit(-1);
        }
        password = (char *) malloc(100);
        if (fgets(read, sizeof(read), file) == NULL)
        {
                printf("\nNo password for %s exist's, try running 'pssword' as root.\n", getlogin());
                free(password);
                exit(-1);
        }
        do
        {
                printf("\nPlease enter your password.\n");
                printf("\nPassword:");
                scanf("%s", password);
                strcpy(password, crypt(password, salt));  //This seems like a problem: if 'password' doesn't meet the
                                                          //requirements then it's copied to as many times as it doesn't.
                                                          //This program needs to be compiled with the '-lcrypt' option
                                                          //to utilize the GNU DES library for the 'crypt()' function.
                if (strcmp(password, read) < 0 || strcmp(password, read) > 0)
                {
                        wait(2);
                        printf("\nPassword incorrect\n");
                }
        }
        while (strcmp(password, read) < 0 || strcmp(password, read) > 0);
        wait(2);
        printf("\n%s successfully logged in!\n", getlogin());
        if (fclose(file) == EOF)
        {
                printf("\nUnable to close file.\n");
                free(password);
                exit(-1);
        }
        free(password);
        return EXIT_SUCCESS;
}

I've been coding for 2 1/2 years off and on; the most use for pointers I've found so far is what you see above. I was wondering if the way I use 'password' above is correct. It works, but is it correct? This next question doesn't really belong here, but what's the debugger called in Linux? I use Slackware; I was hoping that if no one here used Slackware that there was a debugger that is in most distros that would also be in Slackware.
Thanks!
One more thing, this program isn't done yet, so if you see something that doesn't make sense, what can I say, it's just a project. :)

Tarts 08-03-2003 05:12 AM

pssword2:

Code:

#define _XOPEN_SOURCE
#define EXIT_SUCCESS 0
#define MAX_PASS_LENGTH 15
#define MIN_PASS_LENGTH 6
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

void wait(int seconds)
{
        clock_t endtime = clock() + seconds * CLOCKS_PER_SEC;
        while ((clock() < endtime));
}

int main()
{
        char *password, write[100], salt[] = "$1$8Hlk7DfS";
        FILE *file;
        if ((file = fopen("/etc/pssword", "w+")) == NULL)
        {
                printf("\nUnable to create '/etc/pssword', only root can change or create the password.\n"); //At present
                                                                                                    //you have to be root.
                exit(-1);
        }
        password = (char *) malloc(100);
        do
        {
                printf("\nPlease input a password no more than 15 charactors, no less than 6.\n");
                printf("Password:");
                scanf("%s", password);
                wait(2);
                if (strlen(password) < MIN_PASS_LENGTH)
                {
                        wait(2);
                        printf("\nThe password has to be greater than 6 charactors, try again.\n");
                }
                else if (strlen(password) > MAX_PASS_LENGTH)
                {
                        wait(2);
                        printf("\nthe password need's to be less than 15 charactor's, try again.\n");
                }
        }
        while (strlen(password) < MIN_PASS_LENGTH || strlen(password) > MAX_PASS_LENGTH);
        strcpy(write, crypt(password, salt)); //This program needs to be compiled with the '-lcrypt' option to utilize
        if (fputs(write, file) == EOF)        //the GNU DES library for the 'crypt()' function.
        {
                printf("\nUnable to write to file.\n");
                free(password);
                exit(-1);
        }
        if (fclose(file) == EOF)
        {
                printf("\nUnable to close file.\n");
                free(password);
                exit(-1);
        }
        free(password);
        return EXIT_SUCCESS;
}

This is the password program; I'm almost completely satisfied with it so far.

kev82 08-03-2003 05:48 AM

Your login program will currently accept input from a pipe and just keeps looping until the correct password is entered, so you can basically pipe the system dictionary to it - not good.

scanf is a very bad way to do input as it does no bounds checking and echoes its output to the screen.

I think you should zero the password array at the start of each iteration of the do loop just to be safe.

As soon as you can, you need to dump the root privileges.

What does your wait do that sleep doesn't? Also, there's a library function called wait, so perhaps use a different name or make it static.

That's all I can see off the top of my head. Sorry if I've read anything incorrectly, I just gave it a quick glance.

Oh, and the most likely installed debugger will be gdb.
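
Added example, not part of any post in this thread: a password prompt in C that applies the points kev82 lists above (refuse piped input, bounded read, no echo, buffer zeroed each iteration, sleep() for the delay). The names read_secret, prompt_login, wipe, demo_check, the cap MAX_TRIES and the 64-byte buffer are assumptions made for the example; demo_check is a constructed stand-in for the crypt() comparison.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#define MAX_TRIES 3   /* assumed cap; the thread names no number */
/* Zero through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Read one line from fd with echo off into buf (len >= 1).
 * Returns its length, -1 if fd is not a terminal, -2 if the line was too long. */
static int read_secret(int fd, char *buf, size_t len)
{
    struct termios old, noecho;
    size_t n = 0;
    char c; int too_long = 0;
    wipe(buf, len);
    if (!isatty(fd) || tcgetattr(fd, &old) != 0) return -1;  /* pipe or file: refuse */
    noecho = old;
    noecho.c_lflag &= ~(tcflag_t)ECHO;
    if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;
    while (read(fd, &c, 1) == 1 && c != '\n') {
        if (n + 1 < len) buf[n++] = c;       /* bounded, unlike scanf("%s") */
        else too_long = 1;
    }
    tcsetattr(fd, TCSAFLUSH, &old);          /* always restore echo */
    if (too_long) { wipe(buf, len); return -2; }
    return (int)n;
}

/* check() is a hypothetical callback that hashes and compares the candidate.
 * Returns 1 on success, 0 on non-terminal input or after MAX_TRIES failures. */
static int prompt_login(int fd, int (*check)(const char *))
{
    char pw[64];
    for (int i = 0; i < MAX_TRIES; i++) {
        fputs("Password:", stderr);
        int n = read_secret(fd, pw, sizeof pw);
        fputc('\n', stderr);
        if (n == -1) return 0;               /* not a terminal: stop, do not loop */
        int ok = (n >= 0) && check(pw);
        wipe(pw, sizeof pw);                 /* clear on every iteration */
        if (ok) return 1;
        sleep(2);                            /* delay without a busy-wait */
    }
    return 0;
}
static int demo_calls;  /* constructed stand-in for a crypt() hash comparison */
static int demo_check(const char *pw) { demo_calls++; return strcmp(pw, "constructed-pw") == 0; }
int main(void) { return prompt_login(STDIN_FILENO, demo_check) ? 0 : 1; }
```

Run with a word list on stdin, the prompt exits at once without testing a single candidate, because isatty() fails on the pipe.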

Tarts 08-03-2003 06:19 AM

Quote:

Originally posted by kev82
Your login program will currently accept input from a pipe and just keeps looping until the correct password is entered, so you can basically pipe the system dictionary to it - not good.

OK, I didn't know that. What would be a possible solution? And also, what could happen if someone did that? System dictionary? Can you explain?

Quote:

scanf is a very bad way to do input as it does no bounds checking and echoes its output to the screen.

Any suggestions on a function, one that doesn't output to stdout?

Quote:

I think you should zero the password array at the start of each iteration of the do loop just to be safe.

It's a pointer, so I don't think I have to worry about it. (See post 1)

Quote:

As soon as you can, you need to dump the root privileges.

I didn't know there were any. I just knew that root had to run both programs because root owns the '/etc' directory, so if that's a root privilege then I know what you're talking about; if not, can you explain?

Quote:

Oh, and the most likely installed debugger will be gdb.

Great! Thanks.

kev82 08-03-2003 06:47 AM

The system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. This can be fixed by using a better input method.

There is a function getpass in the std C library, but according to the man page it is obsolete and I can't find its replacement, so I guess the way to go is low-level terminal I/O. Have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html

I didn't mean the permissions of the executable, I meant the running permissions. I agree it has to be run as root to read /etc/passwd, but after that you can drop some privileges - see below.

There will always be some vulnerability in your code that someone hasn't found yet, so it's better to be running as a non-root user when they find it. Basically, only be root when you need to. The functions to change this are setuid/seteuid/getuid/geteuid and their group equivalents.
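
Added example, not part of any post in this thread: one way to do the privilege drop described above, in C, reading the root-only file first and then giving up root for good. The names drop_privileges and load_hash_then_drop and the target uid/gid 65534 are assumptions made for the example. Called as root, setuid() changes the real, effective and saved IDs, so the drop is permanent, whereas seteuid() alone can be undone.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups, then gid,
 * then uid, because once the uid is dropped the process may no longer change groups.
 * Returns 0 on success, -1 if any step fails or root can still be regained. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;  /* clear extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;  /* must not be reversible */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Read the first line of a root-only file, then drop before doing anything else. */
static int load_hash_then_drop(const char *path, char *hash, size_t len, uid_t uid, gid_t gid)
{
    FILE *f = fopen(path, "r");                     /* the only step that needs root */
    int ok = f && fgets(hash, (int)len, f) != NULL;
    if (f) fclose(f);
    if (drop_privileges(uid, gid) != 0) return -1;  /* fail closed: never continue as root */
    return ok ? 0 : -1;
}

int main(void)
{
    char hash[128];
    /* 65534 is an assumed unprivileged uid/gid; use a dedicated account in practice. */
    return load_hash_then_drop("/etc/pssword", hash, sizeof hash, 65534, 65534) ? 1 : 0;
}
```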

Tarts 08-03-2003 07:40 AM

Quote:

Originally posted by kev82
The system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. This can be fixed by using a better input method.

I'll look into that, albeit I'm still a bit confused.

Quote:

There is a function getpass in the std C library, but according to the man page it is obsolete and I can't find its replacement, so I guess the way to go is low-level terminal I/O. Have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html

Thanks for the link! :) I've seen low-level I/O before, I'll check out that site in detail.

Quote:

I didn't mean the permissions of the executable, I meant the running permissions. I agree it has to be run as root to read /etc/passwd, but after that you can drop some privileges - see below.

My program uses '/etc/pssword', I can see how you got that mixed up though.

Quote:

There will always be some vulnerability in your code that someone hasn't found yet, so it's better to be running as a non-root user when they find it. Basically, only be root when you need to. The functions to change this are setuid/seteuid/getuid/geteuid and their group equivalents.

Valuable info! Thanks a lot, kev82.

