
My application creates a rudimentary ACL and communicates this to a kernel module. The ACL contains a list of UIDs/GIDs. The checks on these IDs are custom and on top of what the system already provides.

Now, if root/the user changes a UID/GID, the ACL needs to be refreshed. Is there a way to get a notification in an application whenever a UID/GID changes, e.g. through the usermod command? Right now the platform is Linux, but we could be porting this to other platforms as well (AIX/Solaris).

ghostkadost

4 Answers


On Linux, inotify does what you want. On other systems, try FAM.

Frédéric Hamidi
  • Please CMIIW, but I think inotify would send a notification only when the UID/GID of a file/directory is changed. I want this notification to arrive when somebody uses `usermod` or a similar command, i.e. even before any changes on the file system are made. – ghostkadost Mar 14 '11 at 07:24
  • @ghostkadost, you're correct, inotify and co. will only notify you when the file attributes change. You seem to want to be notified when the privileges granted to the users change. I'd suggest you put that requirement in your question, so further answers will be on-topic (I don't have an answer to that, I don't know if it's possible). – Frédéric Hamidi Mar 14 '11 at 07:28
  • Thanks for replying. I have made minor modifications. Hopefully my intent is a bit clearer now. – ghostkadost Mar 14 '11 at 11:20

I'd say there is no way to reliably detect a change in the UID/username mapping, especially when you go cross-platform. The user database may reside in NIS, NIS+, or nowadays, LDAP. They might be integrating their UNIX/Linux systems with a Windows Server running Active Directory, or they might be using something more obscure like Hesiod. I know of no way to receive any automatic feedback from these various databases. But also, any good book on UNIX administration will tell you not to change these mappings, or at the very least, if you must, don't ever re-use a UID. Don't forget, the filesystem, whether it's using standard POSIX permissions or POSIX ACLs, will also be storing UIDs that won't be getting updates if an administrator decides to change the UID for a user. The kernel and filesystem both treat a specific UID as a specific user, regardless of their username. I really don't think you need to bother with the case of an administrator changing UIDs for a user; it's likely to be too error-prone for everyone.

Also, a quick look at NTFS on Windows will reveal that it also stores the equivalent of a UID, called a SID. It's a long number used to represent a user, and Windows does not provide for or expect you to be changing the mapping of that SID to a specific username. The SID is what the NT kernel uses internally, not a username. If I open up the Security tab on a file, for a split second I may see numbers until Windows is able to query the Active Directory controller and give convenient usernames to those numbers. Ultimately, it's the SID, not the username, that uniquely identifies the user.

penguin359

One possible way (triggered by Frédéric's reply) is that I could possibly set an inotify (dnotify, gasp!, for older kernels) operation on /etc/passwd, because that file will always change for at least any change in local user privileges. The trouble is how to do this in a NIS environment.

ghostkadost
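A Linux-only sketch of the /etc/passwd watch proposed in this answer, added here as an example and not code from any poster. It watches the directory rather than the file, because usermod and vipw write a temporary file and rename it over /etc/passwd, which would leave a watch on the file's old inode stale after the first change; it then diffs the uid/gid mapping to find the ACL entries that need refreshing. All function names and the passwd data are constructed; demo() runs the whole thing on a temporary directory instead of /etc.

```python
import ctypes, os, select, struct, tempfile

IN_CLOSE_WRITE, IN_MOVED_TO = 0x08, 0x80          # values from <sys/inotify.h>
EVENT_HDR = struct.Struct("iIII")                  # struct inotify_event: wd, mask, cookie, len

def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd(5)-format text; blank and comment lines skipped."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {f[0]: (int(f[2]), int(f[3])) for f in rows if len(f) >= 4}

def id_changes(old, new):
    """Users present in both snapshots whose uid or gid differs: the ACL entries to refresh."""
    return {u: (old[u], new[u]) for u in old.keys() & new.keys() if old[u] != new[u]}

def open_dir_watch(directory):
    """Watch the directory, not the file: usermod/vipw write passwd+ and rename() it over
    passwd, so a watch on the passwd inode would stop firing after the first edit."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init()
    wd = libc.inotify_add_watch(fd, directory.encode(), IN_CLOSE_WRITE | IN_MOVED_TO)
    if fd < 0 or wd < 0:
        raise OSError(ctypes.get_errno(), "inotify setup failed")
    return fd

def next_replace(fd, filename, timeout_s):
    """Return the mask of the first queued event naming `filename`, or None on timeout."""
    while select.select([fd], [], [], timeout_s)[0]:
        buf, off = os.read(fd, 4096), 0
        while off < len(buf):                      # a read may return several packed events
            _wd, mask, _cookie, n = EVENT_HDR.unpack_from(buf, off)
            name = buf[off + EVENT_HDR.size:off + EVENT_HDR.size + n].rstrip(b"\0")
            off += EVENT_HDR.size + n
            if name.decode() == filename:
                return mask
    return None

def simulate_usermod(directory, text):   # constructed stand-in: write passwd+, rename over passwd
    with open(os.path.join(directory, "passwd+"), "w") as f:
        f.write(text)
    os.rename(os.path.join(directory, "passwd+"), os.path.join(directory, "passwd"))

def demo():   # constructed data: alice's uid moves from 1000 to 1500; returns the changed entries
    d = tempfile.mkdtemp()
    simulate_usermod(d, "root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n")
    before = parse_passwd(open(os.path.join(d, "passwd")).read())
    fd = open_dir_watch(d)
    simulate_usermod(d, "root:x:0:0::/root:/bin/sh\nalice:x:1500:1000::/home/alice:/bin/sh\n")
    mask = next_replace(fd, "passwd", 2.0)
    os.close(fd)
    after = parse_passwd(open(os.path.join(d, "passwd")).read())
    return id_changes(before, after) if mask and mask & IN_MOVED_TO else None
```

In a NIS/LDAP deployment nothing touches the local file, so this only covers the local-accounts case the answer describes.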

In the typical Unix security model, you should only care about the numerical value for GID/UID, not the mapping between human-readable string and numeric value. As that seems to be the case, have you carefully considered what you are trying to accomplish? Maybe it would be better to pass the name or a name/id tuple, instead of just the id?

Vatine