154442b3cSMariusz Zaborski.\" Copyright (c) 2018 Mariusz Zaborski <oshogbo@FreeBSD.org> 254442b3cSMariusz Zaborski.\" All rights reserved. 354442b3cSMariusz Zaborski.\" 454442b3cSMariusz Zaborski.\" Redistribution and use in source and binary forms, with or without 554442b3cSMariusz Zaborski.\" modification, are permitted provided that the following conditions 654442b3cSMariusz Zaborski.\" are met: 754442b3cSMariusz Zaborski.\" 1. Redistributions of source code must retain the above copyright 854442b3cSMariusz Zaborski.\" notice, this list of conditions and the following disclaimer. 954442b3cSMariusz Zaborski.\" 2. Redistributions in binary form must reproduce the above copyright 1054442b3cSMariusz Zaborski.\" notice, this list of conditions and the following disclaimer in the 1154442b3cSMariusz Zaborski.\" documentation and/or other materials provided with the distribution. 1254442b3cSMariusz Zaborski.\" 1354442b3cSMariusz Zaborski.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 1454442b3cSMariusz Zaborski.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1554442b3cSMariusz Zaborski.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 1654442b3cSMariusz Zaborski.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 1754442b3cSMariusz Zaborski.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 1854442b3cSMariusz Zaborski.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 1954442b3cSMariusz Zaborski.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2054442b3cSMariusz Zaborski.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2154442b3cSMariusz Zaborski.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 2254442b3cSMariusz Zaborski.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 2354442b3cSMariusz Zaborski.\" SUCH DAMAGE. 
2454442b3cSMariusz Zaborski.\" 25*cf037972SAlan Somers.Dd December 6, 2023 2654442b3cSMariusz Zaborski.Dt CAP_PWD 3 2754442b3cSMariusz Zaborski.Os 2854442b3cSMariusz Zaborski.Sh NAME 2954442b3cSMariusz Zaborski.Nm cap_getpwent , 3054442b3cSMariusz Zaborski.Nm cap_getpwnam , 3154442b3cSMariusz Zaborski.Nm cap_getpwuid , 3254442b3cSMariusz Zaborski.Nm cap_getpwent_r , 3354442b3cSMariusz Zaborski.Nm cap_getpwnam_r , 3454442b3cSMariusz Zaborski.Nm cap_getpwuid_r , 3554442b3cSMariusz Zaborski.Nm cap_setpassent , 3654442b3cSMariusz Zaborski.Nm cap_setpwent , 3754442b3cSMariusz Zaborski.Nm cap_endpwent , 3854442b3cSMariusz Zaborski.Nm cap_pwd_limit_cmds , 3954442b3cSMariusz Zaborski.Nm cap_pwd_limit_fields , 4054442b3cSMariusz Zaborski.Nm cap_pwd_limit_users 4154442b3cSMariusz Zaborski.Nd "library for password database operations in capability mode" 4254442b3cSMariusz Zaborski.Sh LIBRARY 4368b2ec19SMariusz Zaborski.Lb libcap_pwd 4454442b3cSMariusz Zaborski.Sh SYNOPSIS 4554442b3cSMariusz Zaborski.In libcasper.h 4654442b3cSMariusz Zaborski.In casper/cap_pwd.h 4754442b3cSMariusz Zaborski.Ft struct passwd * 4854442b3cSMariusz Zaborski.Fn cap_getpwent "cap_channel_t *chan" 4954442b3cSMariusz Zaborski.Ft struct passwd * 5054442b3cSMariusz Zaborski.Fn cap_getpwnam "cap_channel_t *chan" "const char *login" 5154442b3cSMariusz Zaborski.Ft struct passwd * 5254442b3cSMariusz Zaborski.Fn cap_getpwuid "cap_channel_t *chan" "uid_t uid" 5354442b3cSMariusz Zaborski.Ft int 5454442b3cSMariusz Zaborski.Fn cap_getpwent_r "cap_channel_t *chan" "struct passwd *pwd" "char *buffer" "size_t bufsize" "struct passwd **result" 5554442b3cSMariusz Zaborski.Ft int 5654442b3cSMariusz Zaborski.Fn cap_getpwnam_r "cap_channel_t *chan" "const char *name" "struct passwd *pwd" "char *buffer" "size_t bufsize" "struct passwd **result" 5754442b3cSMariusz Zaborski.Ft int 5854442b3cSMariusz Zaborski.Fn cap_getpwuid_r "cap_channel_t *chan" "uid_t uid" "struct passwd *pwd" "char *buffer" "size_t bufsize" "struct 
passwd **result" 5954442b3cSMariusz Zaborski.Ft int 6054442b3cSMariusz Zaborski.Fn cap_setpassent "cap_channel_t *chan" "int stayopen" 6154442b3cSMariusz Zaborski.Ft void 6254442b3cSMariusz Zaborski.Fn cap_setpwent "cap_channel_t *chan" 6354442b3cSMariusz Zaborski.Ft void 6454442b3cSMariusz Zaborski.Fn cap_endpwent "cap_channel_t *chan" 6554442b3cSMariusz Zaborski.Ft int 6654442b3cSMariusz Zaborski.Fn cap_pwd_limit_cmds "cap_channel_t *chan" "const char * const *cmds" "size_t ncmds" 6754442b3cSMariusz Zaborski.Ft int 6854442b3cSMariusz Zaborski.Fn cap_pwd_limit_fields "cap_channel_t *chan" "const char * const *fields" "size_t nfields" 6954442b3cSMariusz Zaborski.Ft int 7054442b3cSMariusz Zaborski.Fn cap_pwd_limit_users "cap_channel_t *chan" "const char * const *names" "size_t nnames" "uid_t *uids" "size_t nuids" 7154442b3cSMariusz Zaborski.Sh DESCRIPTION 7254442b3cSMariusz ZaborskiThe functions 7354442b3cSMariusz Zaborski.Fn cap_getpwent , 7454442b3cSMariusz Zaborski.Fn cap_getpwnam , 7554442b3cSMariusz Zaborski.Fn cap_getpwuid , 7654442b3cSMariusz Zaborski.Fn cap_getpwent_r , 7754442b3cSMariusz Zaborski.Fn cap_getpwnam_r , 7854442b3cSMariusz Zaborski.Fn cap_getpwuid_r , 7954442b3cSMariusz Zaborski.Fn cap_setpassent , 8054442b3cSMariusz Zaborski.Fn cap_setpwent , 8154442b3cSMariusz Zaborskiand 8254442b3cSMariusz Zaborski.Fn cap_endpwent 8354442b3cSMariusz Zaborskiare respectively equivalent to 8454442b3cSMariusz Zaborski.Xr getpwent 3 , 8554442b3cSMariusz Zaborski.Xr getpwnam 3 , 8654442b3cSMariusz Zaborski.Xr getpwuid 3 , 8754442b3cSMariusz Zaborski.Xr getpwent_r 3 , 8854442b3cSMariusz Zaborski.Xr getpwnam_r 3 , 8954442b3cSMariusz Zaborski.Xr getpwuid_r 3 , 9054442b3cSMariusz Zaborski.Xr setpassent 3 , 9154442b3cSMariusz Zaborski.Xr setpwent 3 , 9254442b3cSMariusz Zaborskiand 9354442b3cSMariusz Zaborski.Xr endpwent 3 , 9454442b3cSMariusz Zaborskiexcept that a connection to the 9554442b3cSMariusz Zaborski.Nm system.pwd 9654442b3cSMariusz Zaborskiservice needs 
to be provided as the first argument. 9754442b3cSMariusz Zaborski.Pp 9854442b3cSMariusz ZaborskiThe 9954442b3cSMariusz Zaborski.Fn cap_pwd_limit_cmds 10054442b3cSMariusz Zaborskifunction restricts which of the above operations the service will accept. 10154442b3cSMariusz ZaborskiThe 10254442b3cSMariusz Zaborski.Fa cmds 10354442b3cSMariusz Zaborskiarray may contain any of the names 10454442b3cSMariusz Zaborski.Dv getpwent , 10554442b3cSMariusz Zaborski.Dv getpwnam , 10654442b3cSMariusz Zaborski.Dv getpwuid , 10754442b3cSMariusz Zaborski.Dv getpwent_r , 10854442b3cSMariusz Zaborski.Dv getpwnam_r , 10954442b3cSMariusz Zaborski.Dv getpwuid_r , 11054442b3cSMariusz Zaborski.Dv setpassent , 11154442b3cSMariusz Zaborski.Dv setpwent , 11254442b3cSMariusz Zaborskior 11354442b3cSMariusz Zaborski.Dv endpwent , 11454442b3cSMariusz Zaborskieach of which allows the function of the same name to be used through the service. 11554442b3cSMariusz ZaborskiThe 11654442b3cSMariusz Zaborski.Fa ncmds 11754442b3cSMariusz Zaborskiargument gives the number of entries in 11854442b3cSMariusz Zaborski.Fa cmds . 11954442b3cSMariusz Zaborski 12054442b3cSMariusz Zaborski.Pp 12154442b3cSMariusz ZaborskiThe 12254442b3cSMariusz Zaborski.Fn cap_pwd_limit_fields 12354442b3cSMariusz Zaborskifunction limits the fields that are returned in the structure 12454442b3cSMariusz Zaborski.Vt passwd . 
12554442b3cSMariusz ZaborskiThe 12654442b3cSMariusz Zaborski.Fa fields 12754442b3cSMariusz Zaborskiarray may contain any of the names 12854442b3cSMariusz Zaborski.Dv pw_name , 12954442b3cSMariusz Zaborski.Dv pw_passwd , 13054442b3cSMariusz Zaborski.Dv pw_uid , 13154442b3cSMariusz Zaborski.Dv pw_gid , 13254442b3cSMariusz Zaborski.Dv pw_change , 13354442b3cSMariusz Zaborski.Dv pw_class , 13454442b3cSMariusz Zaborski.Dv pw_gecos , 13554442b3cSMariusz Zaborski.Dv pw_dir , 13654442b3cSMariusz Zaborski.Dv pw_shell , 13754442b3cSMariusz Zaborski.Dv pw_expire 13854442b3cSMariusz Zaborskior 13954442b3cSMariusz Zaborski.Dv pw_fields . 14054442b3cSMariusz ZaborskiOnly the fields listed this way are returned with their real values; every other 14154442b3cSMariusz Zaborskifield of the structure is filled with a default value. 14254442b3cSMariusz ZaborskiThe 14354442b3cSMariusz Zaborski.Fa nfields 14454442b3cSMariusz Zaborskiargument gives the number of entries in 14554442b3cSMariusz Zaborski.Fa fields . 14654442b3cSMariusz Zaborski 14754442b3cSMariusz Zaborski.Pp 14854442b3cSMariusz ZaborskiThe 14954442b3cSMariusz Zaborski.Fn cap_pwd_limit_users 15054442b3cSMariusz Zaborskifunction limits which users may be looked up through the service. 15154442b3cSMariusz ZaborskiThe 15254442b3cSMariusz Zaborski.Fa names 15354442b3cSMariusz Zaborskiarray lists the permitted user names and the 15454442b3cSMariusz Zaborski.Fa uids 15554442b3cSMariusz Zaborskiarray the permitted user IDs. 15654442b3cSMariusz ZaborskiThe 15754442b3cSMariusz Zaborski.Fa nnames 15854442b3cSMariusz Zaborskiand 15954442b3cSMariusz Zaborski.Fa nuids 16054442b3cSMariusz Zaborskiarguments give the number of entries in the names and uids arrays, respectively. 161*cf037972SAlan Somers.Pp 162*cf037972SAlan SomersAll of these functions are reentrant but not thread-safe. 163*cf037972SAlan SomersThat is, they may be called from separate threads only with different 164*cf037972SAlan Somers.Vt cap_channel_t 165*cf037972SAlan Somersarguments or with synchronization. 
16654442b3cSMariusz Zaborski.Sh EXAMPLES 16754442b3cSMariusz ZaborskiThe following example first opens a capability to casper and then uses this 16854442b3cSMariusz Zaborskicapability to create the 16954442b3cSMariusz Zaborski.Nm system.pwd 17054442b3cSMariusz Zaborskicasper service and uses it to get a user name. 17154442b3cSMariusz Zaborski.Bd -literal 17254442b3cSMariusz Zaborskicap_channel_t *capcas, *cappwd; 17354442b3cSMariusz Zaborskiconst char *cmds[] = { "getpwuid" }; 17454442b3cSMariusz Zaborskiconst char *fields[] = { "pw_name" }; 17554442b3cSMariusz Zaborskiuid_t uid[] = { 1 }; 17654442b3cSMariusz Zaborskistruct passwd *passwd; 17754442b3cSMariusz Zaborski 17854442b3cSMariusz Zaborski/* Open capability to Casper. */ 17954442b3cSMariusz Zaborskicapcas = cap_init(); 18054442b3cSMariusz Zaborskiif (capcas == NULL) 18154442b3cSMariusz Zaborski err(1, "Unable to contact Casper"); 18254442b3cSMariusz Zaborski 18354442b3cSMariusz Zaborski/* Enter capability mode sandbox. */ 18454442b3cSMariusz Zaborskiif (cap_enter() < 0 && errno != ENOSYS) 18554442b3cSMariusz Zaborski err(1, "Unable to enter capability mode"); 18654442b3cSMariusz Zaborski 18754442b3cSMariusz Zaborski/* Use Casper capability to create capability to the system.pwd service. */ 18854442b3cSMariusz Zaborskicappwd = cap_service_open(capcas, "system.pwd"); 18954442b3cSMariusz Zaborskiif (cappwd == NULL) 19054442b3cSMariusz Zaborski err(1, "Unable to open system.pwd service"); 19154442b3cSMariusz Zaborski 19254442b3cSMariusz Zaborski/* Close Casper capability, we don't need it anymore. */ 19354442b3cSMariusz Zaborskicap_close(capcas); 19454442b3cSMariusz Zaborski 19554442b3cSMariusz Zaborski/* Limit service to one single function. 
*/ 19654442b3cSMariusz Zaborskiif (cap_pwd_limit_cmds(cappwd, cmds, nitems(cmds))) 19754442b3cSMariusz Zaborski err(1, "Unable to limit access to system.pwd service"); 19854442b3cSMariusz Zaborski 19954442b3cSMariusz Zaborski/* Limit service to one field as we only need name of the user. */ 20054442b3cSMariusz Zaborskiif (cap_pwd_limit_fields(cappwd, fields, nitems(fields))) 20154442b3cSMariusz Zaborski err(1, "Unable to limit access to system.pwd service"); 20254442b3cSMariusz Zaborski 20354442b3cSMariusz Zaborski/* Limit service to one uid. */ 20454442b3cSMariusz Zaborskiif (cap_pwd_limit_users(cappwd, NULL, 0, uid, nitems(uid))) 20554442b3cSMariusz Zaborski err(1, "Unable to limit access to system.pwd service"); 20654442b3cSMariusz Zaborski 20754442b3cSMariusz Zaborskipasswd = cap_getpwuid(cappwd, uid[0]); 20854442b3cSMariusz Zaborskiif (passwd == NULL) 20954442b3cSMariusz Zaborski err(1, "Unable to get name of user"); 21054442b3cSMariusz Zaborski 21154442b3cSMariusz Zaborskiprintf("UID %d is associated with name %s.\\n", uid[0], passwd->pw_name); 21254442b3cSMariusz Zaborski 21354442b3cSMariusz Zaborskicap_close(cappwd); 21454442b3cSMariusz Zaborski.Ed 21554442b3cSMariusz Zaborski.Sh SEE ALSO 21654442b3cSMariusz Zaborski.Xr cap_enter 2 , 21754442b3cSMariusz Zaborski.Xr endpwent 3 , 21854442b3cSMariusz Zaborski.Xr err 3 , 21954442b3cSMariusz Zaborski.Xr getpwent 3 , 22054442b3cSMariusz Zaborski.Xr getpwent_r 3 , 22154442b3cSMariusz Zaborski.Xr getpwnam 3 , 22254442b3cSMariusz Zaborski.Xr getpwnam_r 3 , 22354442b3cSMariusz Zaborski.Xr getpwuid 3 , 22454442b3cSMariusz Zaborski.Xr getpwuid_r 3 , 22554442b3cSMariusz Zaborski.Xr setpassent 3 , 22654442b3cSMariusz Zaborski.Xr setpwent 3 , 22754442b3cSMariusz Zaborski.Xr capsicum 4 , 22854442b3cSMariusz Zaborski.Xr nv 9 229421f325eSGordon Bergling.Sh HISTORY 230421f325eSGordon BerglingThe 231421f325eSGordon Bergling.Nm cap_pwd 232421f325eSGordon Berglingservice first appeared in 233421f325eSGordon Bergling.Fx 10.3 . 
23454442b3cSMariusz Zaborski.Sh AUTHORS 23554442b3cSMariusz ZaborskiThe 23654442b3cSMariusz Zaborski.Nm cap_pwd 23754442b3cSMariusz Zaborskiservice was implemented by 23854442b3cSMariusz Zaborski.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net 23954442b3cSMariusz Zaborskiunder sponsorship from the FreeBSD Foundation. 24054442b3cSMariusz Zaborski.Pp 24154442b3cSMariusz ZaborskiThis manual page was written by 24254442b3cSMariusz Zaborski.An Mariusz Zaborski Aq Mt oshogbo@FreeBSD.org . 243