| 1 | <sect1 id="ch06-shadow">
|
|---|
| 2 | <title>Installing Shadow-&shadow-version;</title>
|
|---|
| 3 | <?dbhtml filename="shadow.html" dir="chapter06"?>
|
|---|
| 4 |
|
|---|
| 5 | <screen>Estimated build time: &shadow-time;
|
|---|
| 6 | Estimated required disk space: &shadow-compsize;</screen>
|
|---|
| 7 |
|
|---|
| 8 | &aa-shadowpwd-shortdesc;
|
|---|
| 9 | &aa-shadowpwd-dep;
|
|---|
| 10 |
|
|---|
| 11 | <sect2><title> </title><para> </para></sect2>
|
|---|
| 12 |
|
|---|
| 13 | <sect2>
|
|---|
| 14 | <title>Installation of Shadow</title>
|
|---|
| 15 |
|
|---|
| 16 | <para>The <userinput>login</userinput>, <userinput>getty</userinput> and
|
|---|
| 17 | <userinput>init</userinput> programs (and some others) maintain a number
|
|---|
| 18 | of logfiles to record who are and who were logged in to the system. These
|
|---|
| 19 | programs, however, don't create these logfiles when they don't exist, so if
|
|---|
| 20 | you want this logging to occur you will have to create the files yourself.
|
|---|
| 21 | The Shadow package needs to detect these files in their proper place, so we
|
|---|
| 22 | create them now, with their proper permissions:</para>
|
|---|
| 23 |
|
|---|
| 24 | <screen><userinput>touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
|
|---|
| 25 | chmod 644 /var/run/utmp /var/log/{btmp,lastlog,wtmp}</userinput></screen>
|
|---|
| 26 |
|
|---|
| 27 | <para>The <filename>/var/run/utmp</filename> file lists the users that are
|
|---|
| 28 | currently logged in, the <filename>/var/log/wtmp</filename> file who
|
|---|
| 29 | <emphasis>were</emphasis> logged in and when.
|
|---|
| 30 | The <filename>/var/log/lastlog</filename> file shows for each user when he
|
|---|
| 31 | or she last logged in, and the <filename>/var/log/btmp</filename> lists the
|
|---|
| 32 | bad login attempts.</para>
|
|---|
| 33 |
|
|---|
| 34 | <para>Shadow hard-wires the path to the <userinput>passwd</userinput> binary
|
|---|
| 35 | within the binary itself, but does this the wrong way. If a
|
|---|
| 36 | <userinput>passwd</userinput> binary is not present before installing Shadow,
|
|---|
| 37 | the package incorrectly assumes it is going to be located at
|
|---|
| 38 | <filename>/bin/passwd</filename>, but then installs it in
|
|---|
| 39 | <filename>/usr/bin/passwd</filename>. This will lead to errors about not finding
|
|---|
| 40 | <filename>/bin/passwd</filename>. To work around this bug, create a dummy
|
|---|
| 41 | <filename>passwd</filename> file, so that it gets hard-wired properly:</para>
|
|---|
| 42 |
|
|---|
| 43 | <screen><userinput>touch /usr/bin/passwd</userinput></screen>
|
|---|
| 44 |
|
|---|
| 45 | <para>The current Shadow suite has a problem that causes the
|
|---|
| 46 | <userinput>newgrp</userinput> command to fail. The following patch (also
|
|---|
| 47 | appearing in Shadow's CVS code) fixes this problem:</para>
|
|---|
| 48 |
|
|---|
| 49 | <screen><userinput>patch -Np1 -i ../&shadow-patch;</userinput></screen>
|
|---|
| 50 |
|
|---|
| 51 | <para>Now prepare Shadow for compilation:</para>
|
|---|
| 52 |
|
|---|
| 53 | <screen><userinput>./configure --prefix=/usr --libdir=/usr/lib --enable-shared</userinput></screen>
|
|---|
| 54 |
|
|---|
| 55 | <para>Compile the package:</para>
|
|---|
| 56 |
|
|---|
| 57 | <screen><userinput>make</userinput></screen>
|
|---|
| 58 |
|
|---|
| 59 | <para>And install it:</para>
|
|---|
| 60 |
|
|---|
| 61 | <screen><userinput>make install</userinput></screen>
|
|---|
| 62 |
|
|---|
| 63 | <para>Shadow uses two files to configure authentication settings for the
|
|---|
| 64 | system. Install these two config files:</para>
|
|---|
| 65 |
|
|---|
| 66 | <screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>
|
|---|
| 67 |
|
|---|
| 68 | <para>We want to change the password method to enable MD5 passwords which are
|
|---|
| 69 | theoretically more secure than the default "crypt" method and also allow
|
|---|
| 70 | password lengths greater than 8 characters. We also need to change the old
|
|---|
| 71 | <filename class="directory">/var/spool/mail</filename> location for user
|
|---|
| 72 | mailboxes to the current location at
|
|---|
| 73 | <filename class="directory">/var/mail</filename>. We do this by changing the
|
|---|
| 74 | relevant configuration file while copying it to its destination:</para>
|
|---|
| 75 |
|
|---|
| 76 | <screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \
|
|---|
| 77 | -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
|
|---|
| 78 | etc/login.defs.linux > /etc/login.defs</userinput></screen>
|
|---|
| 79 |
|
|---|
| 80 | <note><para>Be extra careful when typing all of the above. It is probably safer
|
|---|
| 81 | to cut-and-paste it rather than try and type it all in.</para></note>
|
|---|
| 82 |
|
|---|
| 83 | <para>According to the man page of <userinput>vipw</userinput>, a
|
|---|
| 84 | <userinput>vigr</userinput> program should exist too. Since the installation
|
|---|
| 85 | procedure doesn't create this program, create a symlink manually:</para>
|
|---|
| 86 |
|
|---|
| 87 | <screen><userinput>ln -s vipw /usr/sbin/vigr</userinput></screen>
|
|---|
| 88 |
|
|---|
| 89 | <para>As the <filename>/bin/vipw</filename> symlink is redundant (and even
|
|---|
| 90 | pointing to a non-existent file), remove it:</para>
|
|---|
| 91 |
|
|---|
| 92 | <screen><userinput>rm /bin/vipw</userinput></screen>
|
|---|
| 93 |
|
|---|
| 94 | <para>Now move the <userinput>sg</userinput> program to its proper place:</para>
|
|---|
| 95 |
|
|---|
| 96 | <screen><userinput>mv /bin/sg /usr/bin</userinput></screen>
|
|---|
| 97 |
|
|---|
| 98 | <para>And move Shadow's dynamic libraries to a more appropriate location:</para>
|
|---|
| 99 |
|
|---|
| 100 | <screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>
|
|---|
| 101 |
|
|---|
| 102 | <para>As some packages expect to find the just-moved libraries in
|
|---|
| 103 | <filename>/usr/lib</filename>, create the following symlinks:</para>
|
|---|
| 104 |
|
|---|
| 105 | <screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
|
|---|
| 106 | ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>
|
|---|
| 107 |
|
|---|
| 108 | <para>Coreutils has already installed a <userinput>groups</userinput> program
|
|---|
| 109 | in <filename>/usr/bin</filename>. If you wish, you can remove the one
|
|---|
| 110 | installed by Shadow:</para>
|
|---|
| 111 |
|
|---|
| 112 | <screen><userinput>rm /bin/groups</userinput></screen>
|
|---|
| 113 |
|
|---|
| 114 | </sect2>
|
|---|
| 115 | &c6-cf-shadowpwd;
|
|---|
| 116 | </sect1>
|
|---|
| 117 |
|
|---|
