- Timestamp:
- 02/15/2009 11:36:42 PM (16 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 12.2, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gimp3, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/for-12.3, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/spidermonkey128, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- a270244
- Parents:
- 903f671
- File:
-
- 1 edited
postlfs/security/shadow.xml
r903f671 rbca744f 5 5 %general-entities; 6 6 7 <!-- <!ENTITY shadow-download-http "http://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2"> --> 8 <!-- <!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2"> --> 9 <!-- <!ENTITY shadow-download-http "http://cross-lfs.org/files/packages/svn/shadow-&shadow-version;.tar.bz2"> --> 10 <!ENTITY shadow-download-http "http://anduin.linuxfromscratch.org/sources/LFS/lfs-packages/development/shadow-&shadow-version;.tar.bz2"> 11 <!ENTITY shadow-download-ftp " "> 12 <!ENTITY shadow-md5sum "e7751d46ecf219c07ae0b028ab3335c6"> 13 <!ENTITY shadow-size "1.5 MB"> 14 <!ENTITY shadow-buildsize "18 MB"> 7 <!ENTITY shadow-download-http " "> 8 <!ENTITY shadow-download-ftp "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-&shadow-version;.tar.bz2"> 9 <!ENTITY shadow-md5sum "3d26d990d4c3add1b7f8387eec1d1fde"> 10 <!ENTITY shadow-size "1.6 MB"> 11 <!ENTITY shadow-buildsize "22 MB"> 15 12 <!ENTITY shadow-time "0.3 SBU"> 16 13 ]> … … 65 62 </itemizedlist> 66 63 67 < bridgehead renderas="sect3">Additional Downloads</bridgehead>64 <!-- <bridgehead renderas="sect3">Additional Downloads</bridgehead> 68 65 <itemizedlist spacing='compact'> 69 66 <listitem> … … 71 68 url="&patch-root;/shadow-&shadow-version;-useradd_fix-2.patch"/></para> 72 69 </listitem> 73 </itemizedlist> 70 </itemizedlist> --> 74 71 75 72 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead> … … 88 85 89 86 <important> 90 <para>The installation shown below is for a situationwhere87 <para>The installation commands shown below are for installations where 91 88 <application>Linux-PAM</application> has been installed (with or 92 89 without a <application>CrackLib</application> installation) and 93 90 <application>Shadow</application> is being reinstalled to support the 94 <application>Linux-PAM</application> installation. 
If you are 95 reinstalling <application>Shadow</application> to provide strong 96 password support via the <application>CrackLib</application> library 97 and you have not installed <application>Linux-PAM</application>, ensure 98 you add the <parameter>--with-libcrack</parameter> parameter to the 99 <command>configure</command> script below.</para> 91 <application>Linux-PAM</application> installation.</para> 92 93 <para> If you are reinstalling <application>Shadow</application> to 94 provide strong password support using the 95 <application>CrackLib</application> library without using 96 <application>Linux-PAM</application>, ensure you add the 97 <parameter>--with-libcrack</parameter> parameter to the 98 <command>configure</command> script below and also issue the following 99 command:</para> 100 101 <screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen> 100 102 </important> 101 103 … … 103 105 commands:</para> 104 106 105 <screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-useradd_fix-2.patch && 106 107 ./configure --libdir=/lib \ 108 --sysconfdir=/etc \ 109 --enable-shared \ 110 --without-selinux && 111 112 sed -i 's/groups$(EXEEXT) //' src/Makefile && 113 find man -name Makefile -exec sed -i 's/groups\.1 / /' {} \; && 114 sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile && 107 <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in && 108 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && 109 sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in && 115 110 116 111 for i in de es fi fr id it pt_BR; do 117 112 convert-mans UTF-8 ISO-8859-1 man/${i}/*.? 118 done &&113 done && 119 114 120 115 for i in cs hu pl; do 121 116 convert-mans UTF-8 ISO-8859-2 man/${i}/*.? 122 done && 123 124 convert-mans UTF-8 EUC-JP man/ja/*.? && 125 convert-mans UTF-8 KOI8-R man/ru/*.? && 126 convert-mans UTF-8 ISO-8859-9 man/tr/*.? 
&& 127 117 done && 118 119 convert-mans UTF-8 EUC-JP man/ja/*.? && 120 convert-mans UTF-8 KOI8-R man/ru/*.? && 121 convert-mans UTF-8 ISO-8859-9 man/tr/*.? && 122 123 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' \ 124 -e 's@/var/spool/mail@/var/mail@' etc/login.defs && 125 126 ./configure --sysconfdir=/etc && 128 127 make</userinput></screen> 129 128 … … 133 132 134 133 <screen role="root"><userinput>make install && 135 mv -v /usr/bin/passwd /bin && 136 mv -v /lib/libshadow.*a /usr/lib && 137 rm -v /lib/libshadow.so && 138 ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen> 134 mv -v /usr/bin/passwd /bin</userinput></screen> 139 135 140 136 </sect2> … … 143 139 <title>Command Explanations</title> 144 140 145 <!-- Removed the -with-libpam and -without-libcrack options from the 146 default as these are the defaults. Pam will automatically be picked 147 up if it is installed, and CrackLib won't be used unless specifically 148 requested via -with-libcrack 149 <para><parameter>-without-libcrack</parameter>: This switch tells 150 <application>Shadow</application> not to use 151 <filename class='libraryfile'>libcrack</filename>. This is desired as 152 <application>Linux-PAM</application> will provide 153 <filename class='libraryfile'>libcrack</filename> functionality.</para> 154 --> 155 156 <para><parameter>--without-selinux</parameter>: Support for selinux is 157 enabled by default, but selinux is not built in a base LFS system. 
The 158 <command>configure</command> script will fail if this option is not 159 used.</para> 160 161 <para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile</command>: This 162 command is used to suppress the installation of the 141 <para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: 142 This command is used to suppress the installation of the 163 143 <command>groups</command> program as the version from the 164 144 <application>Coreutils</application> package installed during LFS is 165 145 preferred.</para> 166 146 167 <para><command>find man -name Makefile -exec ... {} \;</command>: This147 <para><command>find man -name Makefile.in -exec ... {} \;</command>: This 168 148 command is used to suppress the installation of the 169 149 <command>groups</command> man pages so the existing ones installed from 170 150 the <application>Coreutils</application> package are not replaced.</para> 171 151 172 <para><command>sed -i -e '...' -e '...' man/Makefile </command>: This152 <para><command>sed -i -e '...' -e '...' man/Makefile.in</command>: This 173 153 command disables the installation of Chinese and Korean manual pages, since 174 154 <application>Man-DB</application> cannot format them properly.</para> … … 177 157 convert some of the man pages so that <application>Man-DB</application> 178 158 will display them in the expected encodings.</para> 159 160 <para><command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' 161 -e 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: 162 Instead of using the default 'crypt' method, this command modifies the 163 installation to use the more secure 'MD5' method of password encryption, 164 which also allows passwords longer than eight characters. 
It also changes 165 the obsolete <filename class="directory">/var/spool/mail</filename> 166 location for user mailboxes that <application>Shadow</application> uses by 167 default to the <filename class="directory">/var/mail</filename> 168 location.</para> 179 169 180 170 <para><command>mv -v /usr/bin/passwd /bin</command>: The … … 183 173 it is moved into the root partition.</para> 184 174 185 <para><command>mv -v ...; rm -v ...; ln -v ...</command>: These commands186 are used to move the <filename class='libraryfile'>libshadow</filename>187 library to the root partition to support the moving of the188 <command>passwd</command> program earlier.</para>189 190 175 </sect2> 191 176 … … 194 179 195 180 <para><application>Shadow</application>'s stock configuration for the 196 <command>useradd</command> utility is not suitable for LFS systems. Use the 197 following commands as the <systemitem class="username">root</systemitem> 198 user to change the default home directory for new users and prevent the 199 creation of mail spool files:</para> 200 201 <screen role="root"><userinput>useradd -D -b /home && 202 sed -i 's/yes/no/' /etc/default/useradd</userinput></screen> 181 <command>useradd</command> utility may not be desireable for your 182 installation. One default parameter causes <command>useradd</command> to 183 create a mailbox file for any newly created user. 184 <command>useradd</command> will make the group ownership of this file to 185 the <systemitem class="groupname">mail</systemitem> group with 0660 186 permissions. 
If you would prefer that these mailbox files are not created 187 by <command>useradd</command>, issue the 188 following command as the <systemitem class="username">root</systemitem> user:</para> 189 190 <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen> 203 191 204 192 </sect2> … … 221 209 222 210 <para><filename>/etc/pam.d/*</filename> or alternatively 223 <filename>/etc/pam.conf, /etc/login.defs and211 <filename>/etc/pam.conf, /etc/login.defs, and 224 212 /etc/security/*</filename></para> 225 213 … … 298 286 done</userinput></screen> 299 287 300 <!-- Moved the commenting of these four parameters into the section301 above. If PAM is installed, it complains if these are not commented302 regardless if CrackLib is installed.303 304 <para>If you have <application>CrackLib</application> installed,305 also comment out four more lines using the following command as the306 <systemitem class="username">root</systemitem> user:</para>307 308 <screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \309 PASS_CHANGE_TRIES PASS_ALWAYS_WARN310 do311 sed -i "s/^$FUNCTION/# &/" /etc/login.defs312 done</userinput></screen>313 314 -->315 316 288 </sect4> 317 289 … … 330 302 331 303 <para>As the <systemitem class="username">root</systemitem> user, 332 create the <filename class="directory">/etc/pam.d</filename> 333 directory with the following command:</para> 334 335 <screen role="root"><userinput>install -v -d -m755 /etc/pam.d</userinput></screen> 336 337 <para>While still the <systemitem class="username">root</systemitem> 338 user, add the following <application>Linux-PAM</application> 339 configuration files to the 304 replace the following <application>Linux-PAM</application> 305 configuration files in the 340 306 <filename class="directory">/etc/pam.d/</filename> directory (or 341 add the contents to the <filename>/etc/pam.conf</filename> file) with307 add the contents to the <filename>/etc/pam.conf</filename> 
file) using 342 308 the following commands:</para> 343 309 … … 468 434 469 435 <sect4> 470 <title>'chpasswd', 'chgpasswd', 'groupadd', 'groupdel', 'groupmems', 471 'groupmod', 'newusers', 'useradd', 'userdel', and 'usermod'</title> 472 473 <screen role="root"><userinput>for PROGRAM in chpasswd chgpasswd groupadd groupdel groupmems \ 474 groupmod newusers useradd userdel usermod 436 <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 437 'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' 438 and 'usermod'</title> 439 440 <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \ 441 groupmems groupmod newusers useradd userdel usermod 475 442 do 476 443 install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM … … 515 482 auth required pam_warn.so 516 483 account required pam_deny.so 517 session required pam_deny.so484 account required pam_warn.so 518 485 password required pam_deny.so 519 486 password required pam_warn.so 487 session required pam_deny.so 488 session required pam_warn.so 520 489 521 490 # End /etc/pam.d/other</literal> 522 491 EOF</userinput></screen> 523 524 <para>If you preserved the source tree from the525 <application>Linux-PAM</application> package (or you feel like unpacking526 that tarball, then running <command>configure</command> and527 <command>make</command>), now would be a good time to run the test528 suite from this package. This test suite will use the configuration you529 just finished during the tests. All the tests should pass.</para>530 492 531 493 </sect4>
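Review bot: In the entity block at the top of shadow.xml, shadow-download-http is now a single space, so the only download source left is the plain FTP URL and the only integrity check is shadow-md5sum. If an HTTP mirror carries this release, fill in shadow-download-http as well; otherwise readers depend entirely on comparing the MD5 sum after an unauthenticated FTP transfer.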
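Review bot: In the new CrackLib paragraph inside <important>, the pattern in sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs is unanchored, so it rewrites every line that contains DICTPATH, comment lines included. Anchor it on the full key at the start of the line (the loop removed further down names it CRACKLIB_DICTPATH). The paragraph should also say that the command runs in the source tree before make install, since it edits the relative path etc/login.defs just as the ENCRYPT_METHOD sed does.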
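Review bot: The new build command reduces configure to ./configure --sysconfdir=/etc and drops --without-selinux, but the explanation removed in the same commit says the configure script will fail on a base LFS system if that option is not used. Please confirm that configure in the new tarball no longer needs the switch and say so in Command Explanations, or keep the option. Dropping --libdir=/lib and --enable-shared is consistent with removing the libshadow mv/rm/ln steps from the install block.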
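Review bot: The added explanation for the login.defs sed says it replaces the default 'crypt' method, while the command itself matches the literal string #ENCRYPT_METHOD DES; use one name for the default in both places, and describe the result as password hashing rather than encryption. The substitution also succeeds silently when that exact commented line is absent, so the && chain continues with the default unchanged. A grep for ENCRYPT_METHOD MD5 in etc/login.defs after the sed would make the step fail visibly.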
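Review bot: In the useradd configuration section, sed -i 's/yes/no/' /etc/default/useradd is unanchored and changes the first yes on every line of the file, not only the mailbox setting the new paragraph describes. Match the specific setting name at the start of the line instead. The new text also has the typo "desireable" and the awkward phrase "will make the group ownership of this file to the mail group" (suggest "will set the group ownership of this file to the mail group"), and it no longer explains why useradd -D -b /home was dropped.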
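Review bot: The new <title> for the PAM section lists 'chgpasswd' twice and omits 'chpasswd', while the loop below it reads chfn chgpasswd chpasswd chsh. The second 'chgpasswd' in the title should be 'chpasswd' so that the heading matches the files the loop installs.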