We are currently testing an LDAP implementation at work and we ran into an interesting scenario. It turns out that we had a script (written in C), that parsed the ‘/etc/passwd’ file in AIX to ensure that a particular UID belonged to the appropriate user. Once we cut over to LDAP, this no longer worked since the entries are not kept in ‘/etc/passwd’ for non-system accounts. To compensate for this change with the least amount of change to the C source, I wrote a Korn Shell script that created the same output as ‘cat /etc/passwd’ using the ‘lsuser’ command in AIX. This wouldn’t work in Linux, but we only have a need in AIX at this point. In other scripts, we have been able to convert to the ‘finger -m’ command because we are only interested in users that are currently logged into the box.
To obtain the information from the ‘lsuer’ command, we first obtain a list of all accounts on the box like this:
lsuser | awk '{print $1}'
We then parse through the results of this and query each account individually:
lsuser | awk '{print $1}' | while read NAME; do lsuser -f $NAME; done
Taking this output, it’s fairly straightforward to write a script that creates the same output as ‘cat /etc/passwd’. The 2nd field is hardcoded in the output as an empty string since the O/S manipulates this value and it’s not important for this exercise.
Once a script had been written that would produce the same output, a change was made to the C source that used a ‘popen/pclose’ instead of an ‘fopen/fclose’. It took some experimenting but it finally worked, after I remembered that the ‘rm’ command in UNIX requires an ‘-f’ switch if a setuid bit is set on the source binary; otherwise the ‘are you sure?’ prompt requires user input during the execution of the ‘popen’.
