User and password
User and password functions are used to verify passwords and provide password control.
getfullname
Description
The getfullname() function retrieves the full name of the specified user. This information is taken from the gecos field of /etc/passwd on the policy server host or the password map in NIS.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getfullname([user]);
Arguments
| user | Optional. The name of the user ID for which a full name is retrieved. The value of the runuser variable is used when this argument is not specified. |
Return values
The full name of the user as specified in the gecos field of /etc/passwd or the NIS password map. An error is returned if the user is null or invalid.
Example
In the example, result is assigned the full name of the runuser.
result = getfullname();
Example
In this example, result is assigned the full name of user1.
result = getfullname("user1");
getgroup
Description
The getgroup() function retrieves the first occurrence of the group name that is associated with the GID to which the specified user belongs. This information is taken from the gecos field of /etc/passwd on the policy server host or the password map in NIS.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getgroup([user]);
Arguments
| user | Optional. The name of the user for which the group should be retrieved. If this argument is not specified, the value of the runuser variable is used. |
Return values
If the user is found, result contains the first occurrence of the group name that is associated with the GID to which the specified user belongs as found in /etc/passwd or the NIS password map. An error is returned if the user is null or invalid.
Example
In this example, if SysAdm001 is found, result contains the first occurrence of the group name that is associated with the GID to which the specified user belongs.
result = getgroup("SysAdm001");
getgrouppasswd
Description
The getgrouppasswd() function prompts first for a user (member of the specified group) then for the password of that user.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getgrouppasswd(group[, prompt[, attempts]]);
Arguments
| group | Required. The name of the group for which a username and password must be entered. |
| prompt | Optional. The password prompt that is displayed to the user. If a prompt is not provided, then the following default prompt is displayed: Enter the username and group of someone in the group. |
| attempts | Optional. Number of attempts that the user gets to enter the correct password. If the user does not enter the correct password in the specified number of attempts, then the task request is rejected. If the number of attempts is not specified, then the default value of 3 is used. |
Return values
| true | Password matched the user password. |
| false | Password did not match the user password. |
Example
In this example, a user has one attempt to enter a correct username and password for a member of the HelpDeskUsers group. If the correct password in not entered in one attempt, then result contains 0. If the correct password is entered in one attempt, then result contains 1.
result = getgrouppasswd("HelpDeskUsers", "Please enter HelpDesk Password:", 1);
getgroups
Description
The getgroups() function retrieves a list of all groups to which the specified user belongs. This information is taken from the /etc/groups file on the policy server host or the group map in NIS.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getgroups([user]);
Arguments
| user | Optional. The name of the user for which the secondary group names should be retrieved. If this argument is not specified, then the value of the runuser variable is used. |
Return values
A list of character strings that contains all of the groups that the user belongs to. An error is returned if the user is invalid or null.
Example
result = getgroups(runuser);
gethome
Description
The gethome() function retrieves the home directory for the specified user. This information is obtained from the home directory field of /etc/passwd or the NIS password map.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = gethome([user]);
Arguments
| user | Optional. The name of the user for which home directory information should be retrieved. If this argument is not specified, then the value of the runuser variable is used. |
Return values
A string that contains the specified user’s home directory from the home directory field of /etc/password or the NIS map. If the user is not found, then result contains a blank string.
Example
result = gethome("JSmith");
In this example, the home directory for the user JSmith is returned in result. For example, /home/JSmith.
getshell
Description
The getshell() function retrieves the default login shell of the specified user. This information is obtained from the shell field of /etc/passwd or the NIS password map.
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getshell([user]);
Arguments
| user | Optional. The name of the user for which shell information should be retrieved. If the user is not specified, then the value of the runuser variable is used. |
Return values
A string that contains the default login shell for the specified user from the shell field of /etc/password or the password NIS map. If the username is not found or is invalid, then the policy is rejected with an error code.
Example
In this example, the default shell information for the account JSmith is returned in result. For example, /bin/sh.
result = getshell("JSmith");
getstringpasswd
Description
The getstringpasswd() function prompts the user for a password and compares the answer against the previously encrypted password.
The user’s failure to provide the correct password does not automatically result in a rejection of the secured task request. The policy should examine the result of the getstringpasswd() function and respond accordingly.
Syntax
result = getstringpasswd(encryptedpassword\[, prompt [, attempts]]);
Arguments
| encryptedpassword | Required. An encrypted password, which can be generated by pbpasswd. The clear text form of this password is the password that the user is expected to enter. |
| prompt | Optional. A user prompt that describes the desired password. If none is specified, then the default prompt Password: is used. |
| attempts | Optional. Number of attempts the user gets to specify the correct password. The default value for attempts is 3. |
Return values
| true | The answer matched the password. |
| false | The answer did not match the password. |
Example
In this example, result contains true if the user enters the correct Backup Task Password. If the correct password is not entered in two attempts, the function sets result to false.
result = getstringpasswd(<encrypted string>, "Please enter the Backup Task Password: ", 2);
result = submitconfirmuser(user, "Please enter the user's password:", 3);
if (result != 1) {
reject;
}
getuid
Description
The getuid() function returns the user ID number for the specified user. This information is taken from the gecos field of /etc/passwd on the policy server host or the password map in NIS.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getuid([user]);
Arguments
| user | Optional. The name of the user for which a user ID number should be returned. If this argument is not specified, then the value of the runuser variable is used. |
Return values
result contains the uid of the specified user of /etc/passwd or the NIS password map. An error is returned if the user is null or invalid.
Example
result = getuid("root");
getuserpasswd
Description
The getuserpasswd() function prompts the user for the password that belongs to the specified user on the policy server. The password is not echoed to the screen as it is typed.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Note
The user’s failure to provide the correct password does not automatically result in a rejection of the secured task request. The policy should examine the result of the getuserpasswd() function and respond accordingly.
Syntax
result = getuserpasswd(user[, prompt[, attempts[, name, time]]]);
Arguments
| user | Required. The user whose password must be entered. |
| prompt | Optional. The prompt to display to the user. |
| attempts | Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3. |
| name | Optional. The name of a file or persistent variable whose age/expiration determines the re-authentication grace period. If the value starts with a dollar sign ($), it is treated as a persistent variable, otherwise it is treated as a filename. If name is specified, the time parameter (below) is required. |
| time | Required if name argument (above) is specified). The time/expiry date (number of seconds) after which a prompt is forced. getuserpasswd() returns true without prompting the user for a password if one of the following is true: - The file defined by the name argument exists, and has not been modified in the last time seconds. - The persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded. |
Return values
| true | Password matched. |
| false | Password did not match. |
Example
In this example, result contains true if the user enters the password for the runuser. If the correct password is not entered in three attempts, then the function sets result to false.
result = getuserpasswd(runuser, "Please enter " + runuser _ "'s Password:");
Example
In this example, the file /opt/pbul/gp001 is created at initial successful user authentication and for 5 minutes (300 seconds) thereafter, the user is not prompted for a password as long as the file is not modified.
getuserpasswd(user, "Passwd for "+user+": ", 3, "/opt/pbul/gp001", 300);
For more information, see submitconfirmuser, runconfirmuser, getstringpasswd, and Persistent variables.
ingroup
Description
The ingroup() function determines whether the specified user is a member of the specified group.
Syntax
result = ingroup(user, group);
Arguments
| users | Required. A username. |
| group | Required. A group name. |
Return values
| true | User is a member of group. |
| false | User is not a member of group or the user or group is null or invalid. |
Example
In this example, result contains an integer value 1 if user1 belongs to the group admgroup.
result contains an integer value 0 if user1 does not belong to group admgroup.
result = ingroup("user1", "admgroup");
submitconfirmuser
Description
The submitconfirmuser() function controls whether or not a user must enter a password before the current task request is accepted. When this function is set, the user submitting the request is prompted for the password that is associated with the submit host username set in this function.
The user’s failure to provide the correct password does not automatically result in a rejection of the secured task request. The policy should examine the result of the submitconfirmuser() function and respond accordingly.
Syntax
result = submitconfirmuser(user\[, prompt\[, attempts[, name, time]]]);
Arguments
| user | Required. A string that contains a username that exists on the submit host. |
| prompt | Optional. The prompt text for the password. The default is Enter password for . |
| attempts | Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3. |
| name | Optional. The name of a persistent variable whose expiration determines the reauthenticate grace period. The value must start with a dollar sign ($), otherwise no grace period is set and submitconfirmuser()automatically prompts for a password. If name is specified, the time parameter (below) is required. |
| time | Required if name argument (above) is specified). The expiry date (number of seconds) after which a prompt is forced. submitconfirmuser() returns true without prompting the user for a password if the persistent variable, defined by the name argument, exists and its expiry date, defined by time, has not been exceeded. |
Return values
| true | Password matched. |
| false | Password did not match. |
Example
In this example, the prompt "Please enter the user’s password:" is displayed and the user is allowed three login attempts.
result = submitconfirmuser(user, "Please enter the user's password:", 3);
if (result != 1) {
reject;
}
Updated 5 days ago