Name
accdb_shadow - The Shadow back-end
Description
Upon each successful call to q_open(), the module reads backends/../vetc/libaccdb/shadow (or /etc/libaccdb/shadow if the former is not found) and pulls its defaults from there. The configuration file consists of key=value pairs. The following keys are recognized (any others are ignored):
Sysctl interface
The int q_sysctl(unsigned int, ...) function of the Shadow back-end supports some additional sysctls, mostly used for debugging. They are:
These can be used to alter the names of the database files at run-time. Database files that are currently open are not affected; the new names take effect on the next call to q_open().
Database storage architecture
Within the Shadow user management, account data is spread over four files: /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. In the past (pre-1990 or so), there were only the first two of these; the confidential data found in today's /etc/shadow was stored directly in /etc/passwd, and /etc/gshadow probably did not exist at all, nor did group passwords in /etc/group. /etc/passwd is a text file holding zero or more users, one per line. Within each line, fields are separated by a colon (:). The fields are:
In a typical shadow system, the 2nd field is always replaced by an "x", which indicates that the password is to be looked up in /etc/shadow instead. Access to the shadow file is restricted to mode 0640, owned by root and group shadow. Any fields after the command interpreter are reserved; the ACCDB Shadow back-end preserves them verbatim rather than discarding them. The GECOS field itself can hold multiple subfields, separated by commas (,). Any text may be assigned to it, though it is normally used to store the user's full name; the further subfields conventionally hold Room Number, Work Phone, Home Phone and Other. Another document says that the initial values for nice, umask and ulimit can be set there, but hardly any application uses those subfields nowadays. SparkUI, for example, stores the XUID in the 2nd GECOS subfield. If the Command Interpreter field is empty, it is interpreted as /bin/sh; however, the empty string itself must be preserved when the entry is written back. The /etc/shadow file is likewise composed of newline-separated records with colon-separated fields:
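To make the /etc/passwd rules above concrete, here is an added parser for one passwd line. It is example code written for this page, not libaccdb's own implementation; the struct and function names (pw_entry, pw_parse, pw_uses_shadow, pw_effective_shell, pw_gecos_subfield, pw_format) and the fixed buffer sizes are choices made here, and the sample line used in the usage note is constructed. It shows the three points that are easy to get wrong: "x" in the password field means "consult /etc/shadow", an empty command interpreter is run as /bin/sh but stored back as the empty string, and reserved trailing fields survive a parse/format round trip.

```c
/* Added example (not libaccdb code): parse one /etc/passwd line into its
 * seven fields, keep any reserved trailing fields, split the GECOS
 * subfields, and serialise the entry back so that nothing is lost. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_MAX_EXTRA 8

struct pw_entry {
    char name[64], passwd[128], gecos[256], dir[256], shell[256];
    unsigned long uid, gid;
    int n_extra;                    /* reserved fields after the shell */
    char extra[PW_MAX_EXTRA][64];   /* kept verbatim, never interpreted */
};

/* Copy len bytes of s into dst, truncating to the buffer, NUL-terminated. */
static void copy_span(const char *s, size_t len, char *dst, size_t cap)
{
    if (len >= cap)
        len = cap - 1;
    memcpy(dst, s, len);
    dst[len] = '\0';
}

/* Copy the next colon-separated field from *p into dst and advance *p.
 * Returns 0 when the line has already ended.  An empty field is still a
 * field, so "a:b:" yields three fields: "a", "b" and "". */
static int next_field(const char **p, char *dst, size_t cap)
{
    const char *s = *p, *e;
    if (s == NULL)
        return 0;
    e = strchr(s, ':');
    copy_span(s, e != NULL ? (size_t)(e - s) : strlen(s), dst, cap);
    *p = e != NULL ? e + 1 : NULL;
    return 1;
}

/* Decimal uid/gid; rejects empty or non-numeric text. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (*s == '\0')
        return -1;
    *out = strtoul(s, &end, 10);
    return *end == '\0' ? 0 : -1;
}

/* Returns 0 on success, -1 if fewer than seven fields or non-numeric ids. */
int pw_parse(const char *line, struct pw_entry *pw)
{
    const char *p = line;
    char num[32];
    memset(pw, 0, sizeof *pw);
    if (!next_field(&p, pw->name, sizeof pw->name) ||
        !next_field(&p, pw->passwd, sizeof pw->passwd) ||
        !next_field(&p, num, sizeof num) || parse_id(num, &pw->uid) != 0 ||
        !next_field(&p, num, sizeof num) || parse_id(num, &pw->gid) != 0 ||
        !next_field(&p, pw->gecos, sizeof pw->gecos) ||
        !next_field(&p, pw->dir, sizeof pw->dir) ||
        !next_field(&p, pw->shell, sizeof pw->shell))
        return -1;
    /* Anything after the command interpreter is reserved: preserve it. */
    while (pw->n_extra < PW_MAX_EXTRA &&
           next_field(&p, pw->extra[pw->n_extra], sizeof pw->extra[0]))
        pw->n_extra++;
    return 0;
}

/* "x" in the password field means the real hash lives in /etc/shadow. */
int pw_uses_shadow(const struct pw_entry *pw)
{
    return strcmp(pw->passwd, "x") == 0;
}

/* The shell to run: an empty field means /bin/sh, but pw->shell itself
 * keeps the empty string so the entry can be written back unchanged. */
const char *pw_effective_shell(const struct pw_entry *pw)
{
    return pw->shell[0] == '\0' ? "/bin/sh" : pw->shell;
}

/* Fetch the idx-th (0-based) comma-separated GECOS subfield.
 * Returns 0 if that subfield exists (possibly empty), -1 otherwise. */
int pw_gecos_subfield(const struct pw_entry *pw, int idx, char *out, size_t cap)
{
    const char *s = pw->gecos, *e;
    while (idx-- > 0) {
        if ((s = strchr(s, ',')) == NULL)
            return -1;
        s++;
    }
    e = strchr(s, ',');
    copy_span(s, e != NULL ? (size_t)(e - s) : strlen(s), out, cap);
    return 0;
}

/* Write the entry back as a passwd line, reserved fields included.
 * Returns the length of the line (as snprintf would report it). */
int pw_format(const struct pw_entry *pw, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%s:%s:%lu:%lu:%s:%s:%s", pw->name, pw->passwd,
                     pw->uid, pw->gid, pw->gecos, pw->dir, pw->shell);
    for (int i = 0; i < pw->n_extra && n >= 0 && (size_t)n < cap; i++)
        n += snprintf(out + n, cap - n, ":%s", pw->extra[i]);
    return n;
}
```

Parsing the constructed line alice:x:1000:1000:Alice Liddell,12,555-0100:/home/alice::legacy gives an empty shell (so pw_effective_shell() returns /bin/sh), one reserved field "legacy", and pw_format() reproduces the input byte for byte; a line with too few fields or a non-numeric uid is rejected rather than half-filled.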
Issues
When two applications write to the Shadow back-end, only the one that is flushed last wins. If each application adds one user, say test1 and test2 respectively, only one of these users will be present afterwards, because test1 is not in the memory image in which test2 resides. However, writing to the ACCDB is far rarer than reading from it, so this should hardly be a problem. I do not see a way to solve this issue at the Shadow level, but you can use SLANED and the SLANE back-end to get around it. To round it off, at least the password files are locked correctly, so your entries will not get mixed up due to simultaneous access from multiple processes.