[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[ff769b8c] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
[17fb537e] | 6 |
|
---|
[31f3a57] | 7 | <!ENTITY shadow-download-http "http://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
|
---|
| 8 | <!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
|
---|
| 9 | <!ENTITY shadow-md5sum "e60b7b16128b9e00576073389a0ff1e6">
|
---|
[349b53dd] | 10 | <!ENTITY shadow-size "1.1 MB">
|
---|
[31f3a57] | 11 | <!ENTITY shadow-buildsize "13.6 MB">
|
---|
[349b53dd] | 12 | <!ENTITY shadow-time "0.3 SBU">
|
---|
[b4b71892] | 13 | ]>
|
---|
| 14 |
|
---|
[17fb537e] | 15 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
[322f172] | 16 | <?dbhtml filename="shadow.html"?>
|
---|
| 17 |
|
---|
| 18 | <sect1info>
|
---|
| 19 | <othername>$LastChangedBy$</othername>
|
---|
| 20 | <date>$Date$</date>
|
---|
| 21 | </sect1info>
|
---|
| 22 |
|
---|
| 23 | <title>Shadow-&shadow-version;</title>
|
---|
| 24 |
|
---|
| 25 | <indexterm zone="shadow">
|
---|
| 26 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
| 27 | </indexterm>
|
---|
| 28 |
|
---|
| 29 | <sect2 role="package">
|
---|
| 30 | <title>Introduction to Shadow</title>
|
---|
| 31 |
|
---|
| 32 | <para><application>Shadow</application> was indeed installed in LFS and
|
---|
| 33 | there is no reason to reinstall it unless you installed
|
---|
| 34 | <application>Linux-PAM</application>. If you did, this will allow programs
|
---|
| 35 | like <command>login</command> and <command>su</command> to utilize PAM.</para>
|
---|
| 36 |
|
---|
| 37 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 38 | <itemizedlist spacing="compact">
|
---|
| 39 | <listitem>
|
---|
| 40 | <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
|
---|
| 41 | </listitem>
|
---|
| 42 | <listitem>
|
---|
| 43 | <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
|
---|
| 44 | </listitem>
|
---|
| 45 | <listitem>
|
---|
| 46 | <para>Download MD5 sum: &shadow-md5sum;</para>
|
---|
| 47 | </listitem>
|
---|
| 48 | <listitem>
|
---|
| 49 | <para>Download size: &shadow-size;</para>
|
---|
| 50 | </listitem>
|
---|
| 51 | <listitem>
|
---|
| 52 | <para>Estimated disk space required: &shadow-buildsize;</para>
|
---|
| 53 | </listitem>
|
---|
| 54 | <listitem>
|
---|
| 55 | <para>Estimated build time: &shadow-time;</para>
|
---|
| 56 | </listitem>
|
---|
| 57 | </itemizedlist>
|
---|
| 58 |
|
---|
[31f3a57] | 59 | <!--
|
---|
[322f172] | 60 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
| 61 | <itemizedlist spacing='compact'>
|
---|
| 62 | <listitem>
|
---|
[349b53dd] | 63 | <para>Patch to fix several invalid warning messages when used with
|
---|
| 64 | <application>Linux_PAM</application>: <ulink
|
---|
| 65 | url="&patch-root;/shadow-&shadow-version;-Linux_PAM_fixes-1.patch"/></para>
|
---|
[322f172] | 66 | </listitem>
|
---|
| 67 | </itemizedlist>
|
---|
[31f3a57] | 68 | -->
|
---|
[322f172] | 69 |
|
---|
| 70 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
| 71 |
|
---|
| 72 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
| 73 | <para><xref linkend="Linux_PAM"/></para>
|
---|
| 74 |
|
---|
| 75 | </sect2>
|
---|
| 76 |
|
---|
| 77 | <sect2 role="installation">
|
---|
| 78 | <title>Installation of Shadow</title>
|
---|
| 79 |
|
---|
| 80 | <para>Reinstall <application>Shadow</application> by running the following
|
---|
| 81 | commands:</para>
|
---|
| 82 |
|
---|
[31f3a57] | 83 | <!--
|
---|
[349b53dd] | 84 | <screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-Linux_PAM_fixes-1.patch &&
|
---|
[31f3a57] | 85 | <-->
|
---|
| 86 |
|
---|
| 87 | <screen><userinput>./configure --libdir=/lib --enable-shared --enable-shadowgrp \
|
---|
[4fcf20a5] | 88 | --with-libpam --without-libcrack &&
|
---|
| 89 | sed -i 's/groups$(EXEEXT) //' src/Makefile &&
|
---|
| 90 | sed -i '/groups/d' man/Makefile &&
|
---|
[322f172] | 91 | make</userinput></screen>
|
---|
[17fb537e] | 92 |
|
---|
[31f3a57] | 93 | <para>This package does not come with a test suite.</para>
|
---|
| 94 |
|
---|
[322f172] | 95 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[17fb537e] | 96 |
|
---|
[322f172] | 97 | <screen role="root"><userinput>make install &&
|
---|
[4fcf20a5] | 98 | mv -v /usr/bin/passwd /bin &&
|
---|
| 99 | mv -v /lib/libshadow.*a /usr/lib &&
|
---|
| 100 | rm -v /lib/libshadow.so &&
|
---|
[322f172] | 101 | ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
|
---|
[b4b71892] | 102 |
|
---|
[322f172] | 103 | </sect2>
|
---|
[b4b71892] | 104 |
|
---|
[322f172] | 105 | <sect2 role="commands">
|
---|
| 106 | <title>Command Explanations</title>
|
---|
[b4b71892] | 107 |
|
---|
[322f172] | 108 | <para><parameter>--without-libcrack</parameter>: This switch tells
|
---|
| 109 | <application>Shadow</application> not to use
|
---|
| 110 | <filename class='libraryfile'>libcrack</filename>. This is desired as
|
---|
| 111 | <application>Linux-PAM</application> already contains
|
---|
| 112 | <filename class='libraryfile'>libcrack</filename>.</para>
|
---|
[b4b71892] | 113 |
|
---|
[31f3a57] | 114 | <para><parameter>--enable-shadowgrp</parameter>: This version of
|
---|
| 115 | <application>Shadow</application> defaults to not enabling
|
---|
| 116 | its group functionality, which causes <command>grpconv</command> to
|
---|
| 117 | fail.</para>
|
---|
| 118 |
|
---|
[322f172] | 119 | <para><command>sed -i ...</command>: These commands are used to suppress
|
---|
| 120 | the installation of the <command>groups</command> program as the version
|
---|
| 121 | from the <application>Coreutils</application> package installed during
|
---|
| 122 | LFS is preferred.</para>
|
---|
[39975e9] | 123 |
|
---|
[322f172] | 124 | </sect2>
|
---|
[b4b71892] | 125 |
|
---|
[322f172] | 126 | <sect2 role="configuration">
|
---|
| 127 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
[b4b71892] | 128 |
|
---|
[322f172] | 129 | <sect3 id="pam.d">
|
---|
| 130 | <title>Config Files</title>
|
---|
[b4b71892] | 131 |
|
---|
[1ba671c] | 132 | <para><filename>/etc/pam.d/*</filename> or alternatively
|
---|
| 133 | <filename>/etc/pam.conf, /etc/login.defs and
|
---|
| 134 | /etc/security/*</filename></para>
|
---|
[b4b71892] | 135 |
|
---|
[322f172] | 136 | <indexterm zone="shadow pam.d">
|
---|
| 137 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 138 | </indexterm>
|
---|
[2197589] | 139 |
|
---|
[322f172] | 140 | <indexterm zone="shadow pam.d">
|
---|
| 141 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 142 | </indexterm>
|
---|
[4fcf20a5] | 143 |
|
---|
[1ba671c] | 144 | <indexterm zone="shadow pam.d">
|
---|
| 145 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 146 | </indexterm>
|
---|
| 147 |
|
---|
| 148 | <indexterm zone="shadow pam.d">
|
---|
| 149 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 150 | </indexterm>
|
---|
| 151 |
|
---|
[322f172] | 152 | </sect3>
|
---|
| 153 |
|
---|
| 154 | <sect3>
|
---|
| 155 | <title>Configuration Information</title>
|
---|
| 156 |
|
---|
[1ba671c] | 157 | <sect4 id="pam-login-defs">
|
---|
| 158 | <title>Configuring /etc/login.defs</title>
|
---|
| 159 |
|
---|
| 160 | <para>The <command>login</command> program currently performs many
|
---|
| 161 | functions which <application>Linux-PAM</application> modules should
|
---|
| 162 | now handle. The following <command>sed</command> command will comment
|
---|
| 163 | out the appropriate lines in <filename>/etc/login.defs</filename>, and
|
---|
| 164 | stop <command>login</command> from performing these functions (a backup
|
---|
| 165 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
| 166 | to preserve the original file's contents):</para>
|
---|
| 167 |
|
---|
| 168 | <indexterm zone="shadow pam-login-defs">
|
---|
| 169 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 170 | </indexterm>
|
---|
| 171 |
|
---|
| 172 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
| 173 | for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
|
---|
| 174 | PORTTIME_CHECKS_ENAB CONSOLE \
|
---|
| 175 | MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
|
---|
| 176 | SU_WHEEL_ONLY MD5_CRYPT_ENAB \
|
---|
| 177 | CONSOLE_GROUPS ENVIRON_FILE \
|
---|
| 178 | ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
|
---|
| 179 | ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
|
---|
| 180 | CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
|
---|
| 181 | do
|
---|
| 182 | sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
| 183 | done</userinput></screen>
|
---|
| 184 |
|
---|
| 185 | <para>If you have <application>CrackLib</application> installed,
|
---|
| 186 | also comment out four more lines using the following command:</para>
|
---|
| 187 |
|
---|
| 188 | <screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
---|
| 189 | PASS_CHANGE_TRIES PASS_ALWAYS_WARN
|
---|
| 190 | do
|
---|
| 191 | sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
| 192 | done</userinput></screen>
|
---|
| 193 |
|
---|
| 194 | </sect4>
|
---|
| 195 |
|
---|
| 196 | <sect4>
|
---|
| 197 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
| 198 |
|
---|
| 199 | <para>Add the following <application>Linux-PAM</application> configuration
|
---|
| 200 | files to <filename class="directory">/etc/pam.d/</filename> (or add them
|
---|
| 201 | to <filename>/etc/pam.conf</filename> with the additional field for
|
---|
| 202 | the program).</para>
|
---|
| 203 |
|
---|
| 204 | </sect4>
|
---|
[322f172] | 205 |
|
---|
| 206 | <sect4>
|
---|
[974951c] | 207 | <title>'login' (with CrackLib)</title>
|
---|
[322f172] | 208 |
|
---|
| 209 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 210 | <literal># Begin /etc/pam.d/login
|
---|
[4fcf20a5] | 211 |
|
---|
| 212 | auth requisite pam_securetty.so
|
---|
| 213 | auth requisite pam_nologin.so
|
---|
| 214 | auth required pam_unix.so
|
---|
| 215 | account required pam_access.so
|
---|
| 216 | account required pam_unix.so
|
---|
[7fb0e285] | 217 | session required pam_env.so
|
---|
[4fcf20a5] | 218 | session required pam_motd.so
|
---|
| 219 | session required pam_limits.so
|
---|
| 220 | session optional pam_mail.so dir=/var/mail standard
|
---|
| 221 | session optional pam_lastlog.so
|
---|
| 222 | session required pam_unix.so
|
---|
| 223 | password required pam_cracklib.so retry=3 difok=8 minlen=5 \
|
---|
| 224 | dcredit=3 ocredit=3 \
|
---|
| 225 | ucredit=2 lcredit=2
|
---|
| 226 | password required pam_unix.so md5 shadow use_authtok
|
---|
| 227 |
|
---|
[322f172] | 228 | # End /etc/pam.d/login</literal>
|
---|
| 229 | EOF</userinput></screen>
|
---|
| 230 |
|
---|
| 231 | </sect4>
|
---|
[4fcf20a5] | 232 |
|
---|
[322f172] | 233 | <sect4>
|
---|
[974951c] | 234 | <title>'login' (without CrackLib)</title>
|
---|
[4fcf20a5] | 235 |
|
---|
[322f172] | 236 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 237 | <literal># Begin /etc/pam.d/login
|
---|
[b4b71892] | 238 |
|
---|
| 239 | auth requisite pam_securetty.so
|
---|
| 240 | auth requisite pam_nologin.so
|
---|
| 241 | auth required pam_env.so
|
---|
| 242 | auth required pam_unix.so
|
---|
| 243 | account required pam_access.so
|
---|
| 244 | account required pam_unix.so
|
---|
| 245 | session required pam_motd.so
|
---|
| 246 | session required pam_limits.so
|
---|
[4fcf20a5] | 247 | session optional pam_mail.so dir=/var/mail standard
|
---|
[b4b71892] | 248 | session optional pam_lastlog.so
|
---|
| 249 | session required pam_unix.so
|
---|
[4fcf20a5] | 250 | password required pam_unix.so md5 shadow
|
---|
[b4b71892] | 251 |
|
---|
[322f172] | 252 | # End /etc/pam.d/login</literal>
|
---|
| 253 | EOF</userinput></screen>
|
---|
[4fcf20a5] | 254 |
|
---|
[322f172] | 255 | </sect4>
|
---|
[4fcf20a5] | 256 |
|
---|
[322f172] | 257 | <sect4>
|
---|
[974951c] | 258 | <title>'passwd' (with CrackLib)</title>
|
---|
[322f172] | 259 |
|
---|
| 260 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 261 | <literal># Begin /etc/pam.d/passwd
|
---|
[b4b71892] | 262 |
|
---|
[4fcf20a5] | 263 | password required pam_cracklib.so retry=3 difok=8 minlen=5 \
|
---|
| 264 | dcredit=3 ocredit=3 \
|
---|
| 265 | ucredit=2 lcredit=2
|
---|
| 266 | password required pam_unix.so md5 shadow use_authtok
|
---|
[b4b71892] | 267 |
|
---|
[322f172] | 268 | # End /etc/pam.d/passwd</literal>
|
---|
| 269 | EOF</userinput></screen>
|
---|
| 270 |
|
---|
| 271 | </sect4>
|
---|
[b4b71892] | 272 |
|
---|
[322f172] | 273 | <sect4>
|
---|
[974951c] | 274 | <title>'passwd' (without CrackLib)</title>
|
---|
[4fcf20a5] | 275 |
|
---|
[322f172] | 276 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 277 | <literal># Begin /etc/pam.d/passwd
|
---|
[4fcf20a5] | 278 |
|
---|
| 279 | password required pam_unix.so md5 shadow
|
---|
[b4b71892] | 280 |
|
---|
[322f172] | 281 | # End /etc/pam.d/passwd</literal>
|
---|
| 282 | EOF</userinput></screen>
|
---|
| 283 |
|
---|
| 284 | </sect4>
|
---|
[4fcf20a5] | 285 |
|
---|
[322f172] | 286 | <sect4>
|
---|
| 287 | <title>'su'</title>
|
---|
[4fcf20a5] | 288 |
|
---|
[322f172] | 289 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
| 290 | <literal># Begin /etc/pam.d/su
|
---|
[b4b71892] | 291 |
|
---|
| 292 | auth sufficient pam_rootok.so
|
---|
| 293 | auth required pam_unix.so
|
---|
| 294 | account required pam_unix.so
|
---|
[4fcf20a5] | 295 | session optional pam_mail.so dir=/var/mail standard
|
---|
[7fb0e285] | 296 | session required pam_env.so
|
---|
[b4b71892] | 297 | session required pam_unix.so
|
---|
| 298 |
|
---|
[322f172] | 299 | # End /etc/pam.d/su</literal>
|
---|
| 300 | EOF</userinput></screen>
|
---|
[b4b71892] | 301 |
|
---|
[322f172] | 302 | </sect4>
|
---|
[b4b71892] | 303 |
|
---|
[322f172] | 304 | <sect4>
|
---|
| 305 | <title>'chage'</title>
|
---|
| 306 |
|
---|
| 307 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
| 308 | <literal># Begin /etc/pam.d/chage
|
---|
[b4b71892] | 309 |
|
---|
| 310 | auth sufficient pam_rootok.so
|
---|
| 311 | auth required pam_unix.so
|
---|
| 312 | account required pam_unix.so
|
---|
| 313 | session required pam_unix.so
|
---|
| 314 | password required pam_permit.so
|
---|
| 315 |
|
---|
[322f172] | 316 | # End /etc/pam.d/chage</literal>
|
---|
| 317 | EOF</userinput></screen>
|
---|
| 318 |
|
---|
| 319 | </sect4>
|
---|
[b4b71892] | 320 |
|
---|
[322f172] | 321 | <sect4>
|
---|
| 322 | <title>'chpasswd', 'newusers', 'groupadd', 'groupdel',
|
---|
| 323 | 'groupmod', 'useradd', 'userdel', and 'usermod'</title>
|
---|
[39975e9] | 324 |
|
---|
[322f172] | 325 | <screen role="root"><userinput>for PROGRAM in chpasswd newusers groupadd groupdel \
|
---|
[4fcf20a5] | 326 | groupmod useradd userdel usermod
|
---|
| 327 | do
|
---|
[904f31e2] | 328 | install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
|
---|
[4fcf20a5] | 329 | sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
|
---|
[322f172] | 330 | done</userinput></screen>
|
---|
| 331 |
|
---|
| 332 | <warning>
|
---|
| 333 | <para>At this point, you should do a simple test to see if
|
---|
| 334 | <application>Shadow</application> is working as expected. Open
|
---|
[1ba671c] | 335 | another terminal and log in as a user, then <command>su</command> to
|
---|
[974951c] | 336 | <systemitem class="username">root</systemitem>. If you do not see any
|
---|
| 337 | errors, then all is well and you should proceed with the rest of the
|
---|
[322f172] | 338 | configuration. If you did receive errors, stop now and double check
|
---|
[974951c] | 339 | the above configuration files manually. If you cannot find and
|
---|
[322f172] | 340 | fix the error, you should recompile <application>Shadow</application>
|
---|
| 341 | replacing <option>--with-libpam</option> with
|
---|
[1ba671c] | 342 | <option>--without-libpam</option> in the above instructions (also move
|
---|
| 343 | the <filename>/etc/login.defs.orig</filename> backup file to
|
---|
| 344 | <filename>/etc/login.defs</filename>). If you
|
---|
[322f172] | 345 | fail to do this and the errors remain, you will be unable to log into
|
---|
| 346 | your system.</para>
|
---|
| 347 | </warning>
|
---|
| 348 |
|
---|
[349b53dd] | 349 | </sect4>
|
---|
| 350 |
|
---|
| 351 | <sect4>
|
---|
| 352 | <title>Other</title>
|
---|
| 353 |
|
---|
[322f172] | 354 | <para>Currently, <filename>/etc/pam.d/other</filename> is configured
|
---|
| 355 | to allow anyone with an account on the machine to use PAM-aware
|
---|
| 356 | programs without a configuration file for that program. After testing
|
---|
| 357 | <application>Linux-PAM</application> for proper configuration, install
|
---|
| 358 | a more restrictive <filename>other</filename> file so that
|
---|
| 359 | program-specific configuration files are required:</para>
|
---|
| 360 |
|
---|
| 361 | <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
|
---|
| 362 | <literal># Begin /etc/pam.d/other
|
---|
[b4b71892] | 363 |
|
---|
| 364 | auth required pam_deny.so
|
---|
| 365 | auth required pam_warn.so
|
---|
| 366 | account required pam_deny.so
|
---|
| 367 | session required pam_deny.so
|
---|
| 368 | password required pam_deny.so
|
---|
| 369 | password required pam_warn.so
|
---|
| 370 |
|
---|
[322f172] | 371 | # End /etc/pam.d/other</literal>
|
---|
| 372 | EOF</userinput></screen>
|
---|
[4fcf20a5] | 373 |
|
---|
[322f172] | 374 | </sect4>
|
---|
[4fcf20a5] | 375 |
|
---|
[322f172] | 376 | <sect4 id="pam-access">
|
---|
| 377 | <title>Configuring Login Access</title>
|
---|
[4fcf20a5] | 378 |
|
---|
[322f172] | 379 | <para>Instead of using the <filename>/etc/login.access</filename>
|
---|
| 380 | file for controlling access to the system,
|
---|
| 381 | <application>Linux-PAM</application> uses the
|
---|
| 382 | <filename class='libraryfile'>pam_access.so</filename> module along
|
---|
| 383 | with the <filename>/etc/security/access.conf</filename> file. Rename
|
---|
| 384 | the <filename>/etc/login.access</filename> file using the following
|
---|
| 385 | command:</para>
|
---|
| 386 |
|
---|
| 387 | <indexterm zone="shadow pam-access">
|
---|
| 388 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
| 389 | </indexterm>
|
---|
| 390 |
|
---|
| 391 | <screen role="root"><userinput>if [ -f /etc/login.access ]; then
|
---|
[4fcf20a5] | 392 | mv -v /etc/login.access /etc/login.access.NOUSE
|
---|
[322f172] | 393 | fi</userinput></screen>
|
---|
| 394 |
|
---|
| 395 | </sect4>
|
---|
| 396 |
|
---|
| 397 | <sect4 id="pam-limits">
|
---|
| 398 | <title>Configuring Resource Limits</title>
|
---|
| 399 |
|
---|
| 400 | <para>Instead of using the <filename>/etc/limits</filename> file
|
---|
| 401 | for limiting usage of system resources,
|
---|
| 402 | <application>Linux-PAM</application> uses the
|
---|
| 403 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
| 404 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
| 405 | the <filename>/etc/limits</filename> file using the following
|
---|
| 406 | command:</para>
|
---|
| 407 |
|
---|
| 408 | <indexterm zone="shadow pam-limits">
|
---|
| 409 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
| 410 | </indexterm>
|
---|
| 411 |
|
---|
| 412 | <screen role="root"><userinput>if [ -f /etc/limits ]; then
|
---|
[4fcf20a5] | 413 | mv -v /etc/limits /etc/limits.NOUSE
|
---|
[322f172] | 414 | fi</userinput></screen>
|
---|
| 415 |
|
---|
| 416 | </sect4>
|
---|
[4fcf20a5] | 417 |
|
---|
[7fb0e285] | 418 |
|
---|
| 419 | <sect4 id="pam-env">
|
---|
| 420 | <title>Configuring Default Environment</title>
|
---|
| 421 |
|
---|
[7b1d193] | 422 | <para>During previous configuration, several items were removed from
|
---|
[7fb0e285] | 423 | <filename>/etc/login.defs</filename>. Some of these items are now
|
---|
| 424 | controlled by the <filename class='libraryfile'>pam_env.so</filename>
|
---|
| 425 | module and the <filename>/etc/security/pam_env.conf</filename>
|
---|
| 426 | configuration file. In particular, the default path has been
|
---|
| 427 | changed. To recover your default path, execute the following
|
---|
| 428 | commands:</para>
|
---|
| 429 |
|
---|
| 430 | <screen><userinput><command>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
|
---|
| 431 | awk '{ print $2 }' | sed 's/PATH=//'` &&
|
---|
| 432 | echo 'PATH DEFAULT='`echo "${ENV_PATH}"`' OVERRIDE=${PATH}' \
|
---|
| 433 | >> /etc/security/pam_env.conf &&
|
---|
| 434 | unset ENV_PATH</command></userinput></screen>
|
---|
| 435 |
|
---|
| 436 | <note><para>ENV_SUPATH is no longer supported. You must create
|
---|
| 437 | a valid <filename>/root/.bashrc</filename> file to provide a
|
---|
[31f3a57] | 438 | modified path for the super-user.</para></note>
|
---|
[7fb0e285] | 439 |
|
---|
| 440 | </sect4>
|
---|
| 441 |
|
---|
[322f172] | 442 | </sect3>
|
---|
[b4b71892] | 443 |
|
---|
[322f172] | 444 | </sect2>
|
---|
[f45b1953] | 445 |
|
---|
[322f172] | 446 | <sect2 role="content">
|
---|
| 447 | <title>Contents</title>
|
---|
[17fb537e] | 448 |
|
---|
[322f172] | 449 | <para>A list of the installed files, along with their short descriptions
|
---|
| 450 | can be found at
|
---|
| 451 | <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
|
---|
[17fb537e] | 452 |
|
---|
[322f172] | 453 | </sect2>
|
---|
[17fb537e] | 454 |
|
---|
[f45b1953] | 455 | </sect1>
|
---|