Displaying a user's group memberships

I need to capture a user's group memberships for further processing in a 
Perl script. The user's username is passed to the script via the command 
line and captured with ARGV. From there, I want to determine the group 
memberships (much like executing `groups` from the command line) and run 
those through a loop for processing.

I seem to be having a problem locating a function that will do this. 
I've looked at several and tried a couple, but either I'm doing 
something wrong or I'm using the wrong functions. All of the ones I've 
tried are part of getgr*.

I'm very new to Perl so maybe I'm just looking for the wrong terms or 
something. I've googled and searched perldoc.perl.org.

Can anyone offer any suggestions or point me in the right direction?

Thanks, in advance, for your help!

~ Tom
0
tom71713
12/18/2006 11:50:57 PM
perl.beginners 29388 articles. 4 followers. Follow

28 Replies
355 Views

Similar Articles

[PageSpeed] 54
Get it on Google Play
Get it on Apple App Store

On Mon, Dec 18, 2006 at 04:50:57PM -0700, Tom Smith wrote:
> I need to capture a user's group memberships for further processing in a 
> Perl script. The user's username is passed to the script via the command 
> line and captured with ARGV. From there, I want to determine the group 
> memberships (much like executing `groups` from the command line) and run 
> those through a loop for processing.
> 
> I seem to be having a problem locating a function that will do this. 
> I've looked at several and tried a couple, but either I'm doing 
> something wrong or I'm using the wrong functions. All of the ones I've 
> tried are part of getgr*.
> 
> I'm very new to Perl so maybe I'm just looking for the wrong terms or 
> something. I've googled and searched perldoc.perl.org.
> 
> Can anyone offer any suggestions or point me in the right direction?
> 
> Thanks, in advance, for your help!

A simple solution that comes immediately to mind is to iteratively check
for the user's name in lines of the /etc/group file, and grab the first
field (before the first colon) of each line that matches.  This'll give
you a list of groups.  There are likely other, more elegant solutions to
the problem, but that's the first that springs to mind.

It'd require some regex use for matching, and either a regex or split()
to separate the first field.  It should be extremely simple to write
with only basic understanding of the language and very simple
understanding of Perl regex syntax, but I'm not providing code so that I
don't just do your work for you.  Let us know if you have any problems
with the concepts.

relevant perldocs:
  perldoc perlre
  perldoc -f split
  perldoc perlintro

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"The measure on a man's real character is what he would do
if he knew he would never be found out." - Thomas McCauley
0
perrin
12/19/2006 12:16:01 AM
Tom Smith wrote:
> I need to capture a user's group memberships for further processing in a
> Perl script. The user's username is passed to the script via the command
> line and captured with ARGV. From there, I want to determine the group
> memberships (much like executing `groups` from the command line) and run
> those through a loop for processing.
> 
> I seem to be having a problem locating a function that will do this.
> I've looked at several and tried a couple, but either I'm doing
> something wrong or I'm using the wrong functions. All of the ones I've
> tried are part of getgr*.
> 
> I'm very new to Perl so maybe I'm just looking for the wrong terms or
> something. I've googled and searched perldoc.perl.org.
> 
> Can anyone offer any suggestions or point me in the right direction?

Something like this should get you started:

my %user;

# get the group name from /etc/passwd
while ( my @pw = getpwent ) {
    push @{ $user{ $pw[ 0 ] } }, scalar getgrgid $pw[ 3 ];
    }

# get other group names from /etc/group
while ( my @gr = getgrent ) {
    push @{ $user{ $_ } }, $gr[ 0 ] for split q/ /, $gr[ 3 ];
    }

my $name = shift;  # get the name from the command line

if ( exists $user{ $name } && @{ $user{ $name } } ) {
    print "$name is a member of the groups: @{$user{$name}}.\n";
    }




John
-- 
Perl isn't a toolbox, but a small machine shop where you can special-order
certain sorts of tools at low cost and in short order.       -- Larry Wall
0
krahnj
12/19/2006 1:26:53 AM
--------------050500080701010909040900
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Chad Perrin wrote:
> On Mon, Dec 18, 2006 at 04:50:57PM -0700, Tom Smith wrote:
>   
>> I need to capture a user's group memberships for further processing in a 
>> Perl script. The user's username is passed to the script via the command 
>> line and captured with ARGV. From there, I want to determine the group 
>> memberships (much like executing `groups` from the command line) and run 
>> those through a loop for processing.
>>
>> I seem to be having a problem locating a function that will do this. 
>> I've looked at several and tried a couple, but either I'm doing 
>> something wrong or I'm using the wrong functions. All of the ones I've 
>> tried are part of getgr*.
>>
>> I'm very new to Perl so maybe I'm just looking for the wrong terms or 
>> something. I've googled and searched perldoc.perl.org.
>>
>> Can anyone offer any suggestions or point me in the right direction?
>>
>> Thanks, in advance, for your help!
>>     
>
> A simple solution that comes immediately to mind is to iteratively check
> for the user's name in lines of the /etc/group file, and grab the first
> field (before the first colon) of each line that matches.  This'll give
> you a list of groups.  There are likely other, more elegant solutions to
> the problem, but that's the first that springs to mind.
>
> It'd require some regex use for matching, and either a regex or split()
> to separate the first field.  It should be extremely simple to write
> with only basic understanding of the language and very simple
> understanding of Perl regex syntax, but I'm not providing code so that I
> don't just do your work for you.  Let us know if you have any problems
> with the concepts.
>
> relevant perldocs:
>   perldoc perlre
>   perldoc -f split
>   perldoc perlintro
>   

Thank Chad (and John) for your input on this. I thought I'd post the 
portion of the script that I was trying to work out to see if there's 
room for improvement. This should work on any *nix system. The format of 
the command is simple: `test.pl username`, where username is a real 
username on the system in question. Here's the script:

test.pl:
#!/usr/bin/env perl

use strict;
use warnings;

# Determine which Linux groups the user belongs to.
open(FILE,'</etc/group') or die "Can't open /etc/group.";

my @memberof;
while ($_ = <FILE>) {
        if($_ =~ /$ARGV[0]/) {
                my @groups = split(/:/,$_);
                push(@memberof,$groups[0]);
        }
}

close FILE;

print "\n@memberof\n\n";


So is there a better way to do this, or perhaps a cleaner way?


Thanks again for your help!

~ Tom

--------------050500080701010909040900--
0
tom71713
12/20/2006 10:14:18 PM
On Wed, Dec 20, 2006 at 03:14:18PM -0700, Tom Smith wrote:
> 
> Thank Chad (and John) for your input on this. I thought I'd post the 
> portion of the script that I was trying to work out to see if there's 
> room for improvement. This should work on any *nix system. The format of 
> the command is simple: `test.pl username`, where username is a real 
> username on the system in question. Here's the script:

You're welcome.


> 
> test.pl:
> #!/usr/bin/env perl
> 
> use strict;
> use warnings;
> 
> # Determine which Linux groups the user belongs to.
> open(FILE,'</etc/group') or die "Can't open /etc/group.";

You probably want to use the $! variable to provide more information
when your script dies on an error.  Thus, the above code might be
modified to look like this:

  open(FILE, '</etc/group') or die "Can't open /etc/group: $!";


> 
> my @memberof;
> while ($_ = <FILE>) {
>        if($_ =~ /$ARGV[0]/) {
>                my @groups = split(/:/,$_);
>                push(@memberof,$groups[0]);
>        }
> }
> 
> close FILE;
> 
> print "\n@memberof\n\n";
> 
> 
> So is there a better way to do this, or perhaps a cleaner way?

The way you did it seems to work just fine.  There are other ways to do
it, of course (TIMTOWTDI and all that), but which you choose might
depend more on context than one being necessarily better than others.
If for some reason a functional approach (no side-effects) is desirable,
for instance, you might iterate through the file's contents inside a
subroutine, and use perhaps a foreach loop to push() return values into
the array when you call the subroutine.  Depending on what else your
program is going to do, this might yield greater reusability of code,
but if that's not a concern for this script it really doesn't matter.
For something as quick as looking up a single user's group memberships,
resource footprint and processor time aren't really a concern.

I guess this is a long-winded way of saying "It depends, but what you
did looks okay to me."


-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"It's just incredible that a trillion-synapse computer could actually
spend Saturday afternoon watching a football game." - Marvin Minsky
0
perrin
12/20/2006 11:10:06 PM
On 12/20/2006 04:14 PM, Tom Smith wrote:
> [...]
> So is there a better way to do this, or perhaps a cleaner way?
> 
> 
> Thanks again for your help!
> 
> ~ Tom
> 

use strict;
use warnings;
$_ = `id $ARGV[0]`;
s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";



0
mumia
12/20/2006 11:52:06 PM
Tom Smith wrote:
> 
> Thank Chad (and John) for your input on this. I thought I'd post the
> portion of the script that I was trying to work out to see if there's
> room for improvement. This should work on any *nix system. The format of
> the command is simple: `test.pl username`, where username is a real
> username on the system in question. Here's the script:
> 
> test.pl:
> #!/usr/bin/env perl
> 
> use strict;
> use warnings;
> 
> # Determine which Linux groups the user belongs to.
> open(FILE,'</etc/group') or die "Can't open /etc/group.";
>  
> my @memberof;
> while ($_ = <FILE>) {
>        if($_ =~ /$ARGV[0]/) {

Say that you have two users 'ron' and 'ronald'.  If $ARGV[0] contains 'ron'
then this will get you the group names for *both* 'ron' *and* 'ronald' (and
any other group names where the string 'ron' is found.)


>                my @groups = split(/:/,$_);
>                push(@memberof,$groups[0]);
>        }
> }
> 
> close FILE;
> 
> print "\n@memberof\n\n";
> 
> 
> So is there a better way to do this, or perhaps a cleaner way?

Since you are only reading from /etc/group you are not picking up the primary
group stored in /etc/passwd.



John
-- 
Perl isn't a toolbox, but a small machine shop where you can special-order
certain sorts of tools at low cost and in short order.       -- Larry Wall
0
krahnj
12/21/2006 1:28:46 AM
Mumia W. wrote:
> On 12/20/2006 04:14 PM, Tom Smith wrote:
>> [...]
>> So is there a better way to do this, or perhaps a cleaner way?
>>
>>
>> Thanks again for your help!
>>
>> ~ Tom
>>
>
> use strict;
> use warnings;
> $_ = `id $ARGV[0]`;
> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";

I'm not trying to be argumentative or say that this is "wrong"... But 
does anyone else agree with this? If so, why is this way better than the 
pure Perl way?
0
tom71713
12/21/2006 6:42:41 AM
Mumia W. wrote:
> On 12/20/2006 04:14 PM, Tom Smith wrote:
>> [...]
>> So is there a better way to do this, or perhaps a cleaner way?
> 
> use strict;
> use warnings;
> $_ = `id $ARGV[0]`;
> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";

print $1 if `groups $ARGV[0] 2>/dev/null` =~ /$ARGV[0]\s*:\s*(.+)/;



John
-- 
Perl isn't a toolbox, but a small machine shop where you can special-order
certain sorts of tools at low cost and in short order.       -- Larry Wall
0
krahnj
12/21/2006 6:47:25 AM
On 12/21/2006 12:42 AM, Tom Smith wrote:
> Mumia W. wrote:
>>
>> use strict;
>> use warnings;
>> $_ = `id $ARGV[0]`;
>> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
> 
> I'm not trying to be argumentative or say that this is "wrong"... But 
> does anyone else agree with this? If so, why is this way better than the 
> pure Perl way?
> 

I should have put a smiley in my post :-)


0
mumia
12/21/2006 7:48:38 AM
Tom Smith schreef:
> Mumia W.:

>> use strict;
>> use warnings;
>> $_ = `id $ARGV[0]`;
>> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
>
> I'm not trying to be argumentative or say that this is "wrong"... But
> does anyone else agree with this? If so, why is this way better than
> the pure Perl way?

TIMTOWTDI. On the shell machines of my provider (FreeBSD) the "id"
approach will work, and the "/etc/group" one won't.

-- 
Affijn, Ruud

"Gewoon is een tijger."

0
rvtol
12/21/2006 8:24:51 AM
On Thu, Dec 21, 2006 at 09:24:51AM +0100, Dr.Ruud wrote:
> Tom Smith schreef:
> > Mumia W.:
> 
> >> use strict;
> >> use warnings;
> >> $_ = `id $ARGV[0]`;
> >> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
> >
> > I'm not trying to be argumentative or say that this is "wrong"... But
> > does anyone else agree with this? If so, why is this way better than
> > the pure Perl way?
> 
> TIMTOWTDI. On the shell machines of my provider (FreeBSD) the "id"
> approach will work, and the "/etc/group" one won't.

I don't think that has anything to do with it being FreeBSD.  I'm typing
this from a FreeBSD machine, and it works just fine.

Of course, if you're going to call out of the Perl script to the id
utility, you may as well skip the Perl script entirely and just enter
this at the shell prompt:

  id -Gn username

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"The ability to quote is a serviceable
substitute for wit." - W. Somerset Maugham
0
perrin
12/21/2006 8:57:07 AM
On Wed, Dec 20, 2006 at 10:47:25PM -0800, John W. Krahn wrote:
> Mumia W. wrote:
> > On 12/20/2006 04:14 PM, Tom Smith wrote:
> >> [...]
> >> So is there a better way to do this, or perhaps a cleaner way?
> > 
> > use strict;
> > use warnings;
> > $_ = `id $ARGV[0]`;
> > s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
> 
> print $1 if `groups $ARGV[0] 2>/dev/null` =~ /$ARGV[0]\s*:\s*(.+)/;

According to the manpage for groups on FreeBSD Release 6.1, it's
deprecated in favor of the id utility -- and with the -Gn switches, it
works identically to the groups command.  Just thought I'd mention.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"The ability to quote is a serviceable
substitute for wit." - W. Somerset Maugham
0
perrin
12/21/2006 8:59:10 AM
On Wed, Dec 20, 2006 at 05:28:46PM -0800, John W. Krahn wrote:
> Tom Smith wrote:
> > 
> > Thank Chad (and John) for your input on this. I thought I'd post the
> > portion of the script that I was trying to work out to see if there's
> > room for improvement. This should work on any *nix system. The format of
> > the command is simple: `test.pl username`, where username is a real
> > username on the system in question. Here's the script:
> > 
> > test.pl:
> > #!/usr/bin/env perl
> > 
> > use strict;
> > use warnings;
> > 
> > # Determine which Linux groups the user belongs to.
> > open(FILE,'</etc/group') or die "Can't open /etc/group.";
> >  
> > my @memberof;
> > while ($_ = <FILE>) {
> >        if($_ =~ /$ARGV[0]/) {
> 
> Say that you have two users 'ron' and 'ronald'.  If $ARGV[0] contains 'ron'
> then this will get you the group names for *both* 'ron' *and* 'ronald' (and
> any other group names where the string 'ron' is found.)

Good point.  I'm surprised I missed that.  Let this be a lesson to Tom
and others who may follow: testing your code is important.  To solve the
problem, you may want to ensure that your $ARGV[0] is anchored to the
beginning of the string and immediately followed by a colon when doing
your regex matching.


> 
> 
> >                my @groups = split(/:/,$_);
> >                push(@memberof,$groups[0]);
> >        }
> > }
> > 
> > close FILE;
> > 
> > print "\n@memberof\n\n";
> > 
> > 
> > So is there a better way to do this, or perhaps a cleaner way?
> 
> Since you are only reading from /etc/group you are not picking up the primary
> group stored in /etc/passwd.

Singling out the primary group wasn't a requirement for the Perl script,
as far as I recall.  If I'm mistaken, then yeah, you might want to check
/etc/passwd for the primary group.  If not, you'll get the primary group
along with the rest of them from /etc/group (but it won't be identified
as any different from the rest of them).

At least, that's how it works here.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"The first rule of magic is simple. Don't waste your time waving your
hands and hopping when a rock or a club will do." - McCloctnick the Lucid
0
perrin
12/21/2006 9:03:50 AM
On Thu, Dec 21, 2006 at 01:48:38AM -0600, Mumia W. wrote:
> On 12/21/2006 12:42 AM, Tom Smith wrote:
> >Mumia W. wrote:
> >>
> >>use strict;
> >>use warnings;
> >>$_ = `id $ARGV[0]`;
> >>s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
> >
> >I'm not trying to be argumentative or say that this is "wrong"... But 
> >does anyone else agree with this? If so, why is this way better than the 
> >pure Perl way?
> >
> 
> I should have put a smiley in my post :-)

Whew.  I was considering mentioning that appeared rather more obfuscated
than Tom's example.  Clever, though.

Of course, in both cases, I might mention that you can eliminate a \n in
a printed string by using the -l option in the shebang line.  For your
example, though, I guess the \n just adds to the "snoopy swearing"
appearance that seems to be your aim.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
unix virus: If you're using a unixlike OS, please forward
this to 20 others and erase your system partition.
0
perrin
12/21/2006 9:08:11 AM
Chad Perrin schreef:
> Dr.Ruud:

>> TIMTOWTDI. On the shell machines of my provider (FreeBSD) the "id"
>> approach will work, and the "/etc/group" one won't.
>
> I don't think that has anything to do with it being FreeBSD.

That was and is also what I don't think. I only mentioned it because OP
mentioned "This should work on any *nix system".


> I'm typing this from a FreeBSD machine, and it works just fine.

So some security layer is not implemented at your end. I don't know
which is implemented here, there are several ways to do something
similar.


> Of course, if you're going to call out of the Perl script to the id
> utility, you may as well skip the Perl script entirely and just enter
> this at the shell prompt:
>
>   id -Gn username

That depends on what OP needs to do with the result. It could be part of
a larger Perl script that is doing other stuff as well.

-- 
Affijn, Ruud

"Gewoon is een tijger."

0
rvtol
12/21/2006 10:23:15 AM
Chad Perrin wrote:
> On Wed, Dec 20, 2006 at 05:28:46PM -0800, John W. Krahn wrote:
>> 
>> Since you are only reading from /etc/group you are not picking up the primary
>> group stored in /etc/passwd.
> 
> Singling out the primary group wasn't a requirement for the Perl script,
> as far as I recall.  If I'm mistaken, then yeah, you might want to check
> /etc/passwd for the primary group.  If not, you'll get the primary group
> along with the rest of them from /etc/group (but it won't be identified
> as any different from the rest of them).
> 
> At least, that's how it works here.

According to the FreeBSD group(5) man page[1]:

<QUOTE>
                   A user is automatically in a group if that group was speci-
     fied in their /etc/passwd entry and does not need to be added to that
     group in the group file.
</QUOTE>

And on my current system (SuSE 9.3) that is the case as well, which is why I
said that you have to get the primary group from the /etc/passwd file.



[1]
http://www.freebsd.org/cgi/man.cgi?query=group&apropos=0&sektion=5&manpath=FreeBSD+7-current&format=html

John
-- 
Perl isn't a toolbox, but a small machine shop where you can special-order
certain sorts of tools at low cost and in short order.       -- Larry Wall
0
krahnj
12/21/2006 11:06:38 AM
On 12/21/2006 02:59 AM, Chad Perrin wrote:
> On Wed, Dec 20, 2006 at 10:47:25PM -0800, John W. Krahn wrote:
>> Mumia W. wrote:
>>> On 12/20/2006 04:14 PM, Tom Smith wrote:
>>>> [...]
>>>> So is there a better way to do this, or perhaps a cleaner way?
>>> use strict;
>>> use warnings;
>>> $_ = `id $ARGV[0]`;
>>> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
>> print $1 if `groups $ARGV[0] 2>/dev/null` =~ /$ARGV[0]\s*:\s*(.+)/;
> 
> According to the manpage for groups on FreeBSD Release 6.1, it's
> deprecated in favor of the id utility -- and with the -Gn switches, it
> works identically to the groups command.  Just thought I'd mention.
> 

I wish I'd looked at the man-page for "id." Oh well, here's another way 
to do it within Perl:

use strict;
use warnings;

my @groups;
push @groups, (getpwnam $ARGV[0])[3];

while (my @gr = getgrent) {
     push @groups, $gr[2] if ($gr[3] =~ /\b\Q$ARGV[0]\E\b/);
}

@groups = map scalar getgrgid($_), @groups;
print "@groups\n";

__END__

Let's hope that's platform-independent enough :-)


0
mumia
12/21/2006 12:18:26 PM
Mumia W. wrote:
> On 12/21/2006 12:42 AM, Tom Smith wrote:
>> Mumia W. wrote:
>>>
>>> use strict;
>>> use warnings;
>>> $_ = `id $ARGV[0]`;
>>> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
>>
>> I'm not trying to be argumentative or say that this is "wrong"... But 
>> does anyone else agree with this? If so, why is this way better than 
>> the pure Perl way?
>>
>
> I should have put a smiley in my post :-)
:-)
0
tom71713
12/21/2006 2:41:54 PM
Dr.Ruud wrote:
> Chad Perrin schreef:
>   
>> Dr.Ruud:
>>     
>
>   
>>> TIMTOWTDI. On the shell machines of my provider (FreeBSD) the "id"
>>> approach will work, and the "/etc/group" one won't.
>>>       
>> I don't think that has anything to do with it being FreeBSD.
>>     
>
> That was and is also what I don't think. I only mentioned it because OP
> mentioned "This should work on any *nix system".
>   

Yeah, that's very strange. I figured every *nix system would have an 
accessible /etc/group file--else, how's one to know which groups they're 
a member of when they log in?

>   
>> Of course, if you're going to call out of the Perl script to the id
>> utility, you may as well skip the Perl script entirely and just enter
>> this at the shell prompt:
>>
>>   id -Gn username
>>     
>
> That depends on what OP needs to do with the result. It could be part of
> a larger Perl script that is doing other stuff as well.
>
>   

Yeah, it is part of a larger script. It's running on a Linux server and 
manipulating some Samba stuff for the Win32 clients.

I try to avoid calling console commands because there tends to be 
differences in some of the CLI utilities between distributions--that was 
actually one of the first things I had considered doing, except with the 
`groups` command.

0
tom71713
12/21/2006 3:05:05 PM
Chad Perrin wrote:
> On Thu, Dec 21, 2006 at 01:48:38AM -0600, Mumia W. wrote:
>   
>> On 12/21/2006 12:42 AM, Tom Smith wrote:
>>     
>>> Mumia W. wrote:
>>>       
>>>> use strict;
>>>> use warnings;
>>>> $_ = `id $ARGV[0]`;
>>>> s/.*?groups=// && print "@{[ /\((\w+)\)/g ]}\n";
>>>>         
>>> I'm not trying to be argumentative or say that this is "wrong"... But 
>>> does anyone else agree with this? If so, why is this way better than the 
>>> pure Perl way?
>>>
>>>       
>> I should have put a smiley in my post :-)
>>     
>
> Whew.  I was considering mentioning that appeared rather more obfuscated
> than Tom's example.  Clever, though.
>   

Yeah, the smiley may have clarified the intentions a little... My first 
reaction when I saw the code was one of great surprise--I just wasn't 
seeing how that would be easier to understand or the "cleaner" way to 
achieve what I wanted. But now I get it. :-)
0
tom71713
12/21/2006 3:08:07 PM
Tom Smith wrote:
> Dr.Ruud wrote:
>> Chad Perrin schreef:
>>  
>>> Dr.Ruud:
>>>     
>>
>>  
>>>> TIMTOWTDI. On the shell machines of my provider (FreeBSD) the "id"
>>>> approach will work, and the "/etc/group" one won't.
>>>>       
>>> I don't think that has anything to do with it being FreeBSD.
>>>     
>>
>> That was and is also what I don't think. I only mentioned it because OP
>> mentioned "This should work on any *nix system".
>>   
>
> Yeah, that's very strange. I figured every *nix system would have an 
> accessible /etc/group file--else, how's one to know which groups 
> they're a member of when they log in?

And it's probably important to note that the script is intended to run 
as root so that it can access a secured portion of the server that users 
are unable to. (Sorry, I didn't think to add that earlier.)
0
tom71713
12/21/2006 3:15:58 PM
On 12/21/2006 09:05 AM, Tom Smith wrote:
> 
> I try to avoid calling console commands because there tends to be 
> differences in some of the CLI utilities between distributions--that was 
> actually one of the first things I had considered doing, except with the 
> `groups` command.
> 
> 

You could limit or control the problems created by using console 
commands by putting all of the console commands into a single module, e.g.

----in file Myapp/Commands.pm-----
package Myapp::Commands;
$cmd{groups} = 'id -Gn ';
$cmd{users} = 'users ';
$cmd{who} = 'who ';


----in scripts that need to use those commands---
use MyApp::Commands;
my $groups = `$Myapp::Commands::cmd{groups} $ARGV[0]`;
my @groups = $groups =~ /(\w+)/g;

-----end----

That's similar to what Configure does when a GNU program is being 
complied--except that Gmake does not support packages :-)


0
mumia
12/21/2006 7:06:28 PM
On Thu, Dec 21, 2006 at 11:23:15AM +0100, Dr.Ruud wrote:
> Chad Perrin schreef:
> > Dr.Ruud:
> 
> >> TIMTOWTDI. On the shell machines of my provider (FreeBSD) the "id"
> >> approach will work, and the "/etc/group" one won't.
> >
> > I don't think that has anything to do with it being FreeBSD.
> 
> That was and is also what I don't think. I only mentioned it because OP
> mentioned "This should work on any *nix system".

Ahh, got it.  I guess I misunderstood what you intended to say, then.


> 
> > I'm typing this from a FreeBSD machine, and it works just fine.
> 
> So some security layer is not implemented at your end. I don't know
> which is implemented here, there are several ways to do something
> similar.

At a wild guess, I'd say it might be a chroot "jail".

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Ben Franklin: "As we enjoy great Advantages from the Inventions of
others we should be glad of an Opportunity to serve others by any
Invention of ours, and this we should do freely and generously."
0
perrin
12/21/2006 8:01:25 PM
On Thu, Dec 21, 2006 at 08:08:07AM -0700, Tom Smith wrote:
> 
> Yeah, the smiley may have clarified the intentions a little...

.. . . or it may have just looked like part of the Perl code.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
print substr("Just another Perl hacker", 0, -2);
0
perrin
12/21/2006 8:03:31 PM
On Thu, Dec 21, 2006 at 03:06:38AM -0800, John W. Krahn wrote:
> Chad Perrin wrote:
> > On Wed, Dec 20, 2006 at 05:28:46PM -0800, John W. Krahn wrote:
> >> 
> >> Since you are only reading from /etc/group you are not picking up the primary
> >> group stored in /etc/passwd.
> > 
> > Singling out the primary group wasn't a requirement for the Perl script,
> > as far as I recall.  If I'm mistaken, then yeah, you might want to check
> > /etc/passwd for the primary group.  If not, you'll get the primary group
> > along with the rest of them from /etc/group (but it won't be identified
> > as any different from the rest of them).
> > 
> > At least, that's how it works here.
> 
> According to the FreeBSD group(5) man page[1]:
> 
> <QUOTE>
>                    A user is automatically in a group if that group was speci-
>      fied in their /etc/passwd entry and does not need to be added to that
>      group in the group file.
> </QUOTE>
> 
> And on my current system (SuSE 9.3) that is the case as well, which is why I
> said that you have to get the primary group from the /etc/passwd file.

Interesting.  On this FreeBSD machine, all primary groups for user
accounts are listed in the group file, along with any other group
memberships.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Brian K. Reid: "In computer science, we stand on each other's feet."
0
perrin
12/21/2006 8:05:37 PM
On Thu, Dec 21, 2006 at 08:05:05AM -0700, Tom Smith wrote:
> Dr.Ruud wrote:
> >Chad Perrin schreef:
> >  
> >>Of course, if you're going to call out of the Perl script to the id
> >>utility, you may as well skip the Perl script entirely and just enter
> >>this at the shell prompt:
> >>
> >>  id -Gn username
> >
> >That depends on what OP needs to do with the result. It could be part of
> >a larger Perl script that is doing other stuff as well.
> 
> Yeah, it is part of a larger script. It's running on a Linux server and 
> manipulating some Samba stuff for the Win32 clients.
> 
> I try to avoid calling console commands because there tends to be 
> differences in some of the CLI utilities between distributions--that was 
> actually one of the first things I had considered doing, except with the 
> `groups` command.

That's why I said you may as well either just use the id utility from
the shell if you're not going to grab group memberships in an
idiomatically Perlish way -- the Perl code is likely to be more
portable.  Of course, specifying the path to the group file, as I
originally suggested, might not be the most portable way to do that (in
retrospect).

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"It's just incredible that a trillion-synapse computer could actually
spend Saturday afternoon watching a football game." - Marvin Minsky
0
perrin
12/21/2006 8:08:16 PM
--------------050508080803030006090102
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



Chad Perrin wrote:
> On Thu, Dec 21, 2006 at 08:05:05AM -0700, Tom Smith wrote:
>   
>> Dr.Ruud wrote:
>>     
>>> Chad Perrin schreef:
>>>  
>>>       
>>>> Of course, if you're going to call out of the Perl script to the id
>>>> utility, you may as well skip the Perl script entirely and just enter
>>>> this at the shell prompt:
>>>>
>>>>  id -Gn username
>>>>         
>>> That depends on what OP needs to do with the result. It could be part of
>>> a larger Perl script that is doing other stuff as well.
>>>       
>> Yeah, it is part of a larger script. It's running on a Linux server and 
>> manipulating some Samba stuff for the Win32 clients.
>>
>> I try to avoid calling console commands because there tends to be 
>> differences in some of the CLI utilities between distributions--that was 
>> actually one of the first things I had considered doing, except with the 
>> `groups` command.
>>     
>
> That's why I said you may as well either just use the id utility from
> the shell if you're not going to grab group memberships in an
> idiomatically Perlish way -- the Perl code is likely to be more
> portable.  Of course, specifying the path to the group file, as I
> originally suggested, might not be the most portable way to do that (in
> retrospect).
>   

That's interesting... But I couldn't determine another (perhaps better) 
way of doing it.

I tried the getgr* and getpw* functions, but they were too 
specific--that is, one has to specify which user or group they want 
information about. And the user information won't tell me such things as 
which groups the user belongs to... And I can't get information about a 
group unless I know the group name ahead of time... And so on. This is 
why I decided on the method I did. (Perhaps I wasn't doing something 
correctly with those functions?)

In either case, the interesting point about your comment is that every 
*nix system I've ever touched (Linux (includes Redhat, Debian, Ubuntu, 
Mandrake, and Gentoo), FreeBSD, Solaris, and AIX) have all had their 
group file located at /etc/group. Do you have a specific example or 
reason of why someone might want to change this location?

--------------050508080803030006090102--
0
tom71713
12/21/2006 8:25:01 PM
Chad Perrin schreef:
> Ruud:

>> So some security layer is not implemented at your end. I don't know
>> which is implemented here, there are several ways to do something
>> similar.
>
> At a wild guess, I'd say it might be a chroot "jail".

I just asked them, and the shell runs in a (modified) yp (nis). So
"shadow password maps". See ypserv(8).

-- 
Affijn, Ruud

"Gewoon is een tijger."

0
rvtol
12/22/2006 3:24:50 PM
Reply:

Similar Artilces:

[Fwd: Re: Displaying a user's group memberships]
--------------070908020200010708080806 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sorry, I sent these to the poster rather than the list--my bad. -------- Original Message -------- Subject: Re: Displaying a user's group memberships Date: Wed, 20 Dec 2006 20:23:53 -0700 From: Tom Smith <tom71713-perl@inqone.com> To: John W. Krahn <krahnj@telus.net> References: <45872961.7080805@inqone.com> <20061219001601.GA32475@apotheon.com> <4589B5BA.7060907@inqone.com> <4589E34E.60908@telus.net> ...

[Fwd: Re: Displaying a user's group memberships] #2
Sorry, I sent this to the poster rather than the list... My bad. -------- Original Message -------- Subject: Re: Displaying a user's group memberships Date: Wed, 20 Dec 2006 20:39:13 -0700 From: Tom Smith <tom71713-perl@inqone.com> To: John W. Krahn <krahnj@telus.net> References: <45872961.7080805@inqone.com> <20061219001601.GA32475@apotheon.com> <4589B5BA.7060907@inqone.com> <4589E34E.60908@telus.net> John W. Krahn wrote: > Tom Smith wrote: > >> Thank Chad (and John) for your input on this. I thought I'd pos...

Modifying user's group memberships using the System.DirectoryServices.Protocols (S.DS.P) Namespace
Hi everybody,I am connecting to an Active Directory server using the System.DirectoryServices.Protocols namespace (this is necessary as the AD server lives in a different, untrusted domain to the web server; and the ADSI security does not allow us to connect using the DirectoryEntry classes.)I am new to this namespace; but have made good progress recently. I can retrieve and modify user details, activate and deactivate their accounts, change their email address, telephone number, etc. and add new users into the directory. So I have got some familiarity with the classes and functionality whic...

changes made from one user's webpart's page, effects all user's
 I am just doing this offline right now in Visual Web Developer Express 2008I created the login inonce in the memberpage area, people can modify their webpart page. I created several users to test this out.  I loaded it in a browser.When I make changes as logged in user "A" .  Then logout and login as user "B", user "B,s" webpart page has been changed to user "A".This goes true for whomever I log in as.  It changes for everyone.Is there something specific I need to do in order to get everyone's changes to be unique for them...

Compare a Group's objectSid to a user's primaryGroupId
Dunnry, this question is related to my quest that you solved yesterday about how to get a primary group for a user. The difference is this time I try to a a list of users that are member of a given group.When using the member property to get a list of members of a given Group (e.g. GroupA), it didn't list those users whose primaryGroup is GroupA. So I am thinking to use a filter like (primaryGroupID= GroupA's Objectsid) when search users.However, the GroupA's objestSid is byte[] type, and the primaryGroupID is int type. Though the method in yesterday's post "CreatePrimaryGroupSID" ...

Impersonation: obtain the user's group membership
Hi, I have set up an ASP site which uses Impersonation, works fine. But I need to obtain the user's group membership somehow. Obtaining the Username is no Problem with Request.ServerVariables("LOGON_USER") (I'm using VBScript), but there is no variable for the user's groups. I read you can do it via ldap, and got folowing code: <% Set oConn = CreateObject("ADODB.Connection") Set oComm = CreateObject("ADODB.Command") oConn.Provider = "ADsDSOOBJECT" ' ADSI OLE-DB provider oConn.Open "ADs Provider" ...

Checking user's group membership with forms authentication
Hello all,I am writing a web site that uses forms authentication to check a user's credentials against our ldap server.  Since I am very inexperienced in asp.net, I used the tutorial found here for guidance.  I can now log in to the app, but find that I don't know how to check whether a user belongs to a group or not programmatically.  It seems it should be simple, but I cannot find it in the tutorial.Thanks in advance,WinterPhoenix check this: http://msdn.microsoft.com/en-us/library/ms998358.aspx/GuruBhai...

rights or attributes needed to modify a user's group membership
We have a container admin who can change passwords, login scripts, but I need him to modify a user's group membership. What righs does he need to the container that I'd like for him to administer? http://support.novell.com/cgi-bin/search/searchtid.cgi?/10064960.htm shanes_inbox@hotmail.com wrote: > We have a container admin who can change passwords, login scripts, but I > need him to modify a user's group membership. > > What righs does he need to the container that I'd like for him to > administer? -- Craig Wilson CNE3, 4, 5 - MCSE - CCNA...

determining a group's membership in other groups
Hi,   How can I determine if a certain Active Directory group is a member of other groups? Let’s say we have a group in Active Directory called ‘Microsoft Dallas Employees’ which contains the list of employees in Microsoft’s Dallas office. This group in turn belongs to a bigger group called Microsoft Employees. How do I use ‘Microsoft Dallas Employees’ as a search criteria and find out the other groups that this belongs to?   My environment is ASP.NET 2.0, C#, Active Dirtectory 2003 on  Windows server 2003   -Thanks   The easiest way would be to use an...

Unable to access user control's user control's function\property from another user control
Hi, I used to call an user control's user control function as stated below from my user control in ASP.Net 1.1 wucCompany.wucEmployee.GetEmployeeSomething() After migrating to ASP.Net 2.0, I am unable to use any properties/functions(even the public ones) of the user control's User control's from another user control.  The way I have to do is create property\function in wucCompany which calls the wucEmployee's property\function and call the wucDepartment.GetEmployeeSomething().Since I need to do this change in too many places, I can...

login failed because user's IsApproved is false for user's account
Hi How can i detect if a user's login fails because their account is not approved yet (i.e IsApproved = false in Membership table) I am using a templated login control and if the user's login fails for this reason all that happens is that the FailureText control is displayed. How can i change the failure text if the user's account is not approved? thanks andrea Use Membership.GetUser Function this function Return a hydrated MembershipUser Object you can access its properties and check the validity see the link below http://msdn2.microsoft.com/en-us/library/40w5063z.aspxRega...

how to change a user's mailbox but keep the user's GW id
We have a user whose email has a space between her first name and middle name, which cause the problem in sending out email or receive email from the outside the network. Can someone advise how and where I suppose to change her email name to a valid name like firstname.middlename.lastname@xxx.com from firstname middle.lastname@xxx.com? Thank you very much! On Tue, 23 Oct 2007 15:27:51 +0000, April wrote: Duplicate. -- Joe Marton Novell Support Forum SysOp Novell does not officially monitor these forums! Use the Internet override - in ConsoleOne, GroupWise Tab, Inte...

The 3.0.1 AD driver has a rule in the publisher command transform that strips unassociated users from groups so we don't affect eDir group membership that shouldn't be touched. The part that is faili
--____LEUBUQEWUFZXUVUONBYT____ Content-Type: text/plain; charset=iso-8859-15 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline; modification-date="Fri, 27 Mar 2008 11:46:44 -0400" The 3.0.1 AD driver has a rule in the publisher command transform that = strips unassociated users from groups so we don't affect eDir group = membership that shouldn't be touched. The part that is failing (for some = reason) is near the end where we're checking to see if a user is unassociat= ed. The policy queries eDirectory with this: =20 token-xpath(&q...

Notes Driver: veto when user's fullname is the same as existing user's fullname
In the Notes Driver, I want to put the policy to veto when the current user's fullname is the same as existing user fullname is Lotus Domino Directory and and in eDirectory. How can I do the query to findout whether the user's fullname is the same as the existing ones or not. Please help.. Thanks Pattarawan. -- pattarawan pattarawan, It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply. Has your problem been resolved? If not, you might try one of the following op...

Web resources about - Displaying a user's group memberships - perl.beginners

The Church of Jesus Christ of Latter-day Saints membership statistics - Wikipedia, the free encyclopedia ...
Percentages of LDS members were calculated with this information. The link under the names of each country, territory, etc. corresponds to brief ...

Civility Caucus In Congress Turns To Facebook To Boost Membership
In the midst of a heated election season and record-low approval numbers for Congress, an under-the-radar congressional caucus focused on changing ...

Search Twitter - membership
... Bum @ prodigalbum 1m Nothing will consign Labour to oblivion faster than a backroom PLP coup to oust a leader chosen by the wider membership ...

Membership Has Its Privileges
Right now, crossing one of the magical rep borders happens more or less unnoticed. People just gain the particular powers. Now, of course they ...

Membership Cards - a set on Flickr
Sets let you organize your photos on Flickr. Explore the 1481 photos in this set.

Calgary Public Library: New Look. New Library. Free Membership. - YouTube
CREATING THE WORLD’S BEST PUBLIC LIBRARY: NEW LOOK. NEW LIBRARY. FREE MEMBERSHIP. For Immediate Release: In a bold move to become the world’s ...

The benefits of private club membership in the UAE
Lifestyle membership clubs can offer cardholders exclusive leisure discounts across the Emirates. But there can be a big catch - you need to ...

Bill Shorten outlines ALP reforms aimed at boosting party membership
An emboldened Bill Shorten has outlined his ambitious reform agenda aimed at dramatically increasing the Labor Party's membership through the ...

Joe Tripodi's ALP membership suspended
NSW ALP has suspended membership of Joe Tripodi amid a corruption inquiry.

Branch stacking: dozens of ALP memberships void
An internal Labor Party investigation has found that anonymous&nbsp;pre-paid debit cards were used to pay for dozens of Labor memberships.&nbsp; ...

Resources last updated: 11/27/2015 9:29:10 AM