source: postlfs/security/shadow.xml@ 13c8ca6

Last change on this file since 13c8ca6 was 13c8ca6, checked in by Pierre Labastie <pieere@…>, 6 years ago

Fix shadow use of defaults. Experiment with a new kind of "here patch"

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18361 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp " ">
  <!ENTITY shadow-md5sum "c06f8c2571b44899e60662f9ad259dd6">
  <!ENTITY shadow-size "1.6 MB">
  <!ENTITY shadow-buildsize "31 MB">
  <!ENTITY shadow-time "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS,
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to use PAM.
    </para>

    &lfs80_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed (with or
        without a <application>CrackLib</application> installation) and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;
sed -i -e '/snprintf/s@_msg,@_msg, 256,@' src/su.c &amp;&amp;
sed -i -e '47 d' -e '60,65 d' libmisc/myname.c &amp;&amp;
echo '--- src/useradd.c (old)
+++ src/useradd.c (new)
@@ -2027,6 +2027,8 @@
 is_shadow_grp = sgr_file_present ();
 #endif

+ get_defaults ();
+
 process_flags (argc, argv);

 #ifdef ENABLE_SUBIDS
@@ -2036,8 +2038,6 @@
 (!user_id || (user_id &lt;= uid_max &amp;&amp; user_id &gt;= uid_min));
 #endif /* ENABLE_SUBIDS */

- get_defaults ();
-
 #ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 {' | patch -p0 -l &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>
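    <para>
      Review bot: in the first hunk (<literal>@@ -2027,6 +2027,8 @@</literal>)
      the added <literal>get_defaults ();</literal> now runs before
      <literal>process_flags (argc, argv);</literal>, which is the order the
      fix needs (read the defaults file first, then let command-line options
      override it), but the context lines of this here-patch have lost the
      source file's indentation, so the hunk only applies because of the
      <option>-l</option> (ignore whitespace) switch given to
      <command>patch</command>; if that switch is ever dropped the hunk will
      be rejected, and because the command sits in the
      <literal>&amp;&amp;</literal> chain the build then stops instead of
      continuing with an unpatched <filename>src/useradd.c</filename>.
    </para>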
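    <para>
      Review bot: the second hunk (<literal>@@ -2036,8 +2038,6 @@</literal>)
      removes the original <literal>get_defaults ();</literal> call that sat
      after the <literal>uid_max</literal>/<literal>uid_min</literal> range
      check, so the function is still called exactly once; its new-file
      offset (2038) already accounts for the two lines added by the first
      hunk, which means both hunks must be applied in a single
      <command>patch</command> run, as the one
      <command>echo ... | patch -p0 -l</command> pipeline does. The Command
      Explanations entry for this command would benefit from saying why
      <option>-p0</option> and <option>-l</option> are needed (the paths are
      relative to the source tree, and the whitespace of the context lines
      does not match the file).
    </para>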

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program, as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: These
      commands suppress the installation of the <command>groups</command>,
      <command>getspnam</command> and <command>passwd</command> man pages so
      that the existing ones installed during LFS (such as the
      <command>groups</command> page from the
      <application>Coreutils</application> package) are not replaced.
    </para>

    <para>
      <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location.
    </para>

    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
      so that the default useradd configuration is consistent with the LFS
      groups file.
    </para>

    <para>
      <command>sed -i -e '/snprintf/s@_msg,@_msg, 256,@' src/su.c</command>: Fix
      a build error that only occurs if <xref linkend="linux-pam"/> is detected
      by <command>configure</command>.
    </para>

    <para>
      <command>sed -i -e '47 d' -e '60,65 d' libmisc/myname.c</command>: Apply
      a security fix from upstream.
    </para>

    <para>
      <command>echo '--- ...</command>: This command illustrates another
      way to apply patches. Without the patch, <command>useradd</command>
      does not use the defaults in <filename>/etc/default/useradd</filename>.
    </para>

    <para>
      <parameter>--with-group-name-max-length=32</parameter>: The maximum
      user name length is 32 characters. Make the maximum group name length
      the same.
    </para>

    <para>
      <command>mv -v /usr/bin/passwd /bin</command>: The
      <command>passwd</command> program may be needed at times when the
      <filename class='directory'>/usr</filename> filesystem is not mounted, so
      it is moved into the root partition.
    </para>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> sets the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>CrackLib</application>, you can visit the following
        link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <para>
            <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY \
                FAILLOG_ENAB \
                LASTLOG_ENAB \
                MAIL_CHECK_ENAB \
                OBSCURE_CHECKS_ENAB \
                PORTTIME_CHECKS_ENAB \
                QUOTAS_ENAB \
                CONSOLE MOTD_FILE \
                FTMP_FILE NOLOGINS_FILE \
                ENV_HZ PASS_MIN_LEN \
                SU_WHEEL_ONLY \
                CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES \
                PASS_ALWAYS_WARN \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
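        <para>
          The loop above disables directives by name. The following shell
          script is an added example and not part of the BLFS book: it wraps
          the same <command>sed</command> idea in a function that anchors each
          key on the whitespace (or end of line) that follows it, so that a
          short key such as <literal>CONSOLE</literal> does not also disable a
          longer key that starts with the same letters, and it then lists the
          directives that remain active. It runs on a constructed sample file
          in a temporary location; the function names
          (<function>comment_keys</function>, <function>active_keys</function>,
          <function>is_active</function>, <function>demo</function>) are this
          example's own, and GNU <command>sed</command> is assumed for
          <option>-i</option>, as in the book's command.
        </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book: comment out a list of
# login.defs directives by name and show which directives remain active.
# Assumes POSIX sh, GNU sed (for -i, as the book's own command does),
# grep and mktemp.  The sample file below is constructed for the demo.

# comment_keys FILE KEY... : turn each active "KEY value" line into
# "# KEY value".  The key is anchored on the whitespace (or end of line)
# that follows it, so a short key such as CONSOLE does not also match
# a longer key like CONSOLE_GROUPS.
comment_keys() {
    _file=$1; shift
    for _key in "$@"; do
        sed -i -e "s/^${_key}[[:space:]]/# &/" \
               -e "s/^${_key}\$/# &/" "$_file" || return 1
    done
}

# active_keys FILE : print the names of the directives still in effect
# (one per line, in file order).
active_keys() {
    grep -E '^[A-Z_]+' "$1" | sed 's/[[:space:]].*//'
}

# is_active FILE KEY : succeed if KEY is still uncommented in FILE.
is_active() {
    active_keys "$1" | grep -qx "$2"
}

# demo : write a constructed login.defs fragment to a temporary file,
# keep a backup as the book does, disable the keys that PAM modules now
# handle, and print the directives that are left active.
demo() {
    _tmp=$(mktemp) || return 1
    cat > "$_tmp" <<'EOF'
# constructed sample, not a real /etc/login.defs
FAIL_DELAY        3
FAILLOG_ENAB      yes
CONSOLE           /etc/consoles
CONSOLE_GROUPS    floppy:audio:cdrom
ENCRYPT_METHOD SHA512
UMASK             022
PASS_MAX_DAYS     99999
EOF
    cp "$_tmp" "$_tmp.orig"
    comment_keys "$_tmp" FAIL_DELAY FAILLOG_ENAB CONSOLE ENCRYPT_METHOD
    active_keys "$_tmp"
    rm -f "$_tmp" "$_tmp.orig"
}

demo
```

        <para>
          Run as-is, <function>demo</function> prints
          <literal>CONSOLE_GROUPS</literal>, <literal>UMASK</literal> and
          <literal>PASS_MAX_DAYS</literal>: the four keys named were commented
          out and nothing else was touched. Compared with the book's
          <literal>s/^${FUNCTION}/# &amp;/</literal>, the only change is the
          boundary after the key, which is what keeps a file that also
          contains <literal>CONSOLE_GROUPS</literal> from losing that
          directive when <literal>CONSOLE</literal> is disabled.
        </para>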
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory-based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, replace
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include the default auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include the default account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include the default session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <para revision="systemd">Because the installation of
        <application>systemd</application> is not yet complete, you will need
        to remove the <filename>/run/nologin</filename> file before testing the
        installation. Execute the following command as the
        <systemitem class="username">root</systemitem> user:</para>

<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as a user, then <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest of
            the configuration. If you did receive errors, stop now and
            double-check the above configuration files manually. You can also
            run the test suite from the <application>Linux-PAM</application>
            package to assist you in determining the problem. If you cannot
            find and fix the error, you should recompile
            <application>Shadow</application> adding the
            <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions (also
            move the <filename>/etc/login.defs.orig</filename> backup file to
            <filename>/etc/login.defs</filename>). If you fail to do this and
            the errors remain, you will be unable to log into your system.
          </para>
        </warning>
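        <para>
          The following shell script is an added example and not part of the
          BLFS book: before you log out to test, it walks a
          <filename class="directory">pam.d</filename> directory of the kind
          built above and reports every <literal>include</literal>d service
          file that does not exist and every module file that is not present
          in the module directory, the two slips most likely to produce the
          lockout the warning describes. Both directory paths are parameters
          (on the system built here they would be
          <filename class="directory">/etc/pam.d</filename> and the directory
          where <application>Linux-PAM</application> installed its modules);
          the sample files are constructed in a temporary location, and the
          function names (<function>pam_entries</function>,
          <function>check_pam_dir</function>,
          <function>pam_problem_count</function>, <function>demo</function>)
          are this example's own. Only POSIX <command>sh</command>,
          <command>awk</command> and <command>mktemp</command> are assumed.
        </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book: a read-only consistency check
# for a pam.d directory.  It flags "include"/"substack" targets that do not
# exist and module files that cannot be found, so a broken file is caught
# before it locks you out.  Assumes POSIX sh, awk and mktemp only; the
# directories checked are given as parameters.

# pam_entries FILE : print "TYPE KIND PATH" for each directive in FILE,
# where KIND is "service" for include/substack and "module" otherwise.
# Comments and blank lines are dropped, and a bracketed control field such
# as [success=ok default=bad] is skipped as a single unit.
pam_entries() {
    awk '
        { sub(/#.*/, "") }
        NF < 3 { next }
        {
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /]$/) i++ }
            path = $(i + 1)
            if (path == "") next
            kind = ($2 == "include" || $2 == "substack") ? "service" : "module"
            print $1, kind, path
        }' "$1"
}

# check_pam_dir PAMDIR MODDIR : print one line per broken reference found
# in any file of PAMDIR.  Relative module paths are looked up in MODDIR.
check_pam_dir() {
    for _svc in "$1"/*; do
        [ -f "$_svc" ] || continue
        _name=${_svc##*/}
        pam_entries "$_svc" | while read -r _type _kind _path; do
            if [ "$_kind" = service ]; then
                [ -f "$1/$_path" ] ||
                    echo "$_name: $_type includes missing service '$_path'"
            else
                case $_path in
                    /*) _mod=$_path ;;
                    *)  _mod=$2/$_path ;;
                esac
                [ -f "$_mod" ] ||
                    echo "$_name: $_type references missing module '$_path'"
            fi
        done
    done
}

# pam_problem_count PAMDIR MODDIR : number of broken references (0 = clean).
pam_problem_count() {
    check_pam_dir "$1" "$2" | wc -l | tr -d ' '
}

# demo : build a constructed pam.d and module directory under a scratch
# root with one missing include and one missing module, print the report
# and then the problem count, and clean up.
demo() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/pam.d" "$_root/security"
    cat > "$_root/pam.d/login" <<'EOF'
# constructed sample, modelled on the login file above
auth     optional   pam_faildelay.so delay=3000000
auth     requisite  pam_nologin.so
auth     include    system-auth
account  include    system-account
session  [success=ok default=bad] pam_env.so
EOF
    cat > "$_root/pam.d/system-auth" <<'EOF'
auth     required   pam_unix.so
EOF
    : > "$_root/security/pam_faildelay.so"   # empty stand-ins for modules
    : > "$_root/security/pam_unix.so"
    : > "$_root/security/pam_env.so"
    check_pam_dir "$_root/pam.d" "$_root/security"
    pam_problem_count "$_root/pam.d" "$_root/security"
    rm -rf "$_root"
}

demo
```

        <para>
          On the constructed input, <function>demo</function> reports that
          <filename>login</filename> references a missing
          <filename class="libraryfile">pam_nologin.so</filename> and includes
          a missing <filename>system-account</filename>, then prints the count
          <literal>2</literal>. A count of <literal>0</literal> on the real
          directory does not prove the stack is correct, but a non-zero count
          means a file will fail to load and is worth fixing before the
          <command>su</command> test.
        </para>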
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before logging
            out. Errors in the configuration can cause a permanent lockout
            requiring a boot from an external source to correct the problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions, can be
      found at
      <phrase revision="sysv">
      <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
      <phrase revision="systemd">
      <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
    </para>

  </sect2>

</sect1>