# Linux login

## Not an OS kernel operation

A privileged login application presents an interface for getting users’ credentials.

* A username/password pair.
* Biometric data.
* Smartcard and activation PIN.

The login application validates the credentials and fetches the appropriate UID and GIDs for the user.

* It then starts an initial user application in a process running with those identifiers.
  * In a Linux console, this application is a shell (sh, bash, csh, tcsh, zsh, etc.).
* When that process ends, the login application reappears.

Thereafter **all processes created by the user carry those identifiers**.

* They are inherited across `fork()`.

## From login to session processes

The login process must be a privileged process.

* Has to **create processes with arbitrary UID and GIDs**.
  * The ones of the entity logging in.


## Password validation process

The **username is used to fetch a UID/GID** pair from `/etc/passwd`.

* And a set of additional GIDs in the `/etc/group` file.

The **supplied password is transformed using a digest function**.

* The digest function is configurable (`/etc/login.defs`); the setting applies when a new user's password is created.
* The identifier of the digest function used is stored along with the transformed password.

The **result is checked against a value stored in `/etc/shadow`**.

* **Indexed** again **by the username**.
* If they match, the user was correctly authenticated.

File protections:

* `/etc/passwd` and `/etc/group` can be read by anyone.
  * This is fundamental, for instance, for listing directories (why?)
* `/etc/shadow` can only be read by root.
  * This protects the stored digests against offline dictionary attacks.
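The validation flow above, as an added example that is not part of these notes: it fetches the UID/GID pair from a constructed `passwd`, collects supplementary GIDs from a constructed `group`, and checks a password against a shadow-style `$id$salt$digest` entry, dispatching on the stored identifier. The `demo` digest is an assumption made so the example runs offline with the standard library; real entries use crypt(3) schemes such as `$6$` (sha512crypt).

```python
import hashlib
import hmac

# Constructed sample files (not real system data): user "alice", uid 1000,
# primary gid 1000, extra membership in "wheel" (gid 10) and "docker" (gid 999).
PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:Alice:/home/alice:/bin/zsh\n"
GROUP = "root:x:0:\nwheel:x:10:alice\ndocker:x:999:bob,alice\nusers:x:100:bob\n"


def demo_digest(password: str, salt: str) -> str:
    # Assumed stand-in for crypt(3) so the example runs offline; a real system
    # would call crypt(3) with the scheme named by the stored identifier.
    return hashlib.sha256((salt + password).encode()).hexdigest()


DIGESTS = {"demo": demo_digest}  # identifier stored in the entry -> digest function


def make_shadow_entry(user, password, salt, method="demo"):
    # Shadow layout: name:digest:lastchange:min:max:warn:inactive:expire:
    return f"{user}:${method}${salt}${DIGESTS[method](password, salt)}:19000:0:99999:7:::"


def lookup_identity(user, passwd=PASSWD, group=GROUP):
    """Return (uid, gid, supplementary_gids) for user, as login does."""
    for line in passwd.splitlines():
        name, _pw, uid, gid, *_ = line.split(":")
        if name == user:
            break
    else:
        return None
    extra = []
    for line in group.splitlines():
        gname, _pw, ggid, members = line.split(":")
        if user in members.split(",") and int(ggid) != int(gid):
            extra.append(int(ggid))
    return int(uid), int(gid), sorted(extra)


def verify_password(user, password, shadow):
    """Recompute the digest named in the stored entry and compare in constant time."""
    for line in shadow.splitlines():
        name, stored, *_ = line.split(":")
        if name != user:
            continue
        try:
            _, method, salt, digest = stored.split("$", 3)
        except ValueError:
            return False  # locked ("!", "*") or malformed entry: never a match
        func = DIGESTS.get(method)
        if func is None:
            return False  # unknown digest identifier: fail closed
        return hmac.compare_digest(func(password, salt), digest)
    return False  # unknown user: same outcome as a wrong password
```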
