source: chapter08/shadow.xml@ 5287d52

11.0 11.0-rc1 11.0-rc2 11.0-rc3 11.1 11.1-rc1 11.2 11.2-rc1 11.3 11.3-rc1 12.0 12.0-rc1 12.1 12.1-rc1 arm bdubbs/gcc13 ml-11.0 multilib renodr/libudev-from-systemd s6-init trunk xry111/arm64 xry111/arm64-12.0 xry111/clfs-ng xry111/lfs-next xry111/loongarch xry111/loongarch-12.0 xry111/loongarch-12.1 xry111/mips64el xry111/pip3 xry111/rust-wip-20221008 xry111/update-glibc
Last change on this file since 5287d52 was 5287d52, checked in by Thomas Trepl (Moody) <thomas@…>, 3 years ago

Simplify the new sed
  • Property mode set to 100644
File size: 22.3 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="ch-system-shadow" role="wrap">
9 <?dbhtml filename="shadow.html"?>
10
11 <sect1info condition="script">
12 <productname>shadow</productname>
13 <productnumber>&shadow-version;</productnumber>
14 <address>&shadow-url;</address>
15 </sect1info>
16
17 <title>Shadow-&shadow-version;</title>
18
19 <indexterm zone="ch-system-shadow">
20 <primary sortas="a-Shadow">Shadow</primary>
21 </indexterm>
22
23 <sect2 role="package">
24 <title/>
25
26 <para>The Shadow package contains programs for handling passwords in a secure
27 way.</para>
28
29 <segmentedlist>
30 <segtitle>&buildtime;</segtitle>
31 <segtitle>&diskspace;</segtitle>
32
33 <seglistitem>
34 <seg>&shadow-fin-sbu;</seg>
35 <seg>&shadow-fin-du;</seg>
36 </seglistitem>
37 </segmentedlist>
38
39 </sect2>
40
41 <sect2 role="installation">
42 <title>Installation of Shadow</title>
43
44 <note>
45 <para>If you would like to enforce the use of strong passwords, refer to
46 <ulink url="&blfs-book;postlfs/cracklib.html"/> for installing
47 CrackLib prior to building Shadow. Then add
48 <parameter>--with-libcrack</parameter> to the <command>configure</command>
49 command below.</para>
50 </note>
51
52 <para>Disable the installation of the <command>groups</command> program
53 and its man pages, as Coreutils provides a better version. Also,
54 prevent the installation of manual pages that were already installed in
55 <xref linkend="ch-system-man-pages"/>:</para>
56
57<screen><userinput remap="pre">sed -i 's/groups$(EXEEXT) //' src/Makefile.in
58find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
59find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
60find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></screen>
61
62 <para id="shadow-login_defs">Instead of using the default
63 <emphasis>crypt</emphasis> method, use the more secure
64 <emphasis>SHA-512</emphasis> method of password encryption, which also
65 allows passwords longer than 8 characters. It is also necessary to change
66 the obsolete <filename class="directory">/var/spool/mail</filename> location
67 for user mailboxes that Shadow uses by default to the <filename
68 class="directory">/var/mail</filename> location used currently. And,
69 get rid of <filename class="directory">/bin</filename> and
70 <filename class="directory">/sbin</filename> from <envar>PATH</envar>,
71 since they are simply symlinks to their counterpart in
72 <filename class="directory">/usr</filename>.</para>
73
74 <note>
75 <para>If <filename class="directory">/bin</filename> and/or
76 <filename class="directory">/sbin</filename> are preferred to be
77 left over in <envar>PATH</envar> for some reason, modify
78 <envar>PATH</envar> in <filename>.bashrc</filename> after LFS is
79 built.</para>
80 </note>
81
82<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
83 -e 's:/var/spool/mail:/var/mail:' \
84 -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
85 -i etc/login.defs</userinput></screen>
86
87 <note>
88 <para>If you chose to build Shadow with Cracklib support, run the following:</para>
89
90<screen role="nodump"><userinput>sed -i 's:DICTPATH.*:DICTPATH\t/lib/cracklib/pw_dict:' etc/login.defs</userinput></screen>
91 </note>
92<!--
93 <para>Make a minor change to make the first group number generated
94 by useradd 1000:</para>
95
96<screen><userinput remap="pre">sed -i 's/1000/999/' etc/useradd</userinput></screen>
97-->
98 <para>Fix a simple programming error by modifying a file with following command:</para>
99
100<screen><userinput remap="pre">sed -e "224s/rounds/min_rounds/" -i libmisc/salt.c</userinput></screen>
101
102 <para>Prepare Shadow for compilation:</para>
103
104<screen><userinput remap="configure">touch /usr/bin/passwd
105./configure --sysconfdir=/etc \
106 --with-group-name-max-length=32</userinput></screen>
107
108 <variablelist>
109 <title>The meaning of the configure option:</title>
110
111 <varlistentry>
112 <term><command>touch /usr/bin/passwd</command></term>
113 <listitem>
114 <para>The file <filename>/usr/bin/passwd</filename> needs
115 to exist because its location is harcoded in some programs, and
116 the default location if it does not exist is not right.</para>
117 </listitem>
118 </varlistentry>
119 <varlistentry>
120 <term><parameter>--with-group-name-max-length=32</parameter></term>
121 <listitem>
122 <para>The maximum user name is 32 characters. Make the maximum
123 group name the same.</para>
124 </listitem>
125 </varlistentry>
126
127 </variablelist>
128
129 <para>Compile the package:</para>
130
131 <screen><userinput remap="make">make</userinput></screen>
132
133 <para>This package does not come with a test suite.</para>
134
135 <para>Install the package:</para>
136
137 <screen><userinput remap="install">make exec_prefix=/usr install
138make -C man install-man
139mkdir -p /etc/default
140useradd -D --gid 999</userinput></screen>
141
142 </sect2>
143
144 <sect2 id="conf-shadow" role="configuration">
145 <title>Configuring Shadow</title>
146
147 <indexterm zone="conf-shadow">
148 <primary sortas="a-Shadow">Shadow</primary>
149 <secondary>configuring</secondary>
150 </indexterm>
151
152 <para>This package contains utilities to add, modify, and delete users and
153 groups; set and change their passwords; and perform other administrative
154 tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
155 means, see the <filename>doc/HOWTO</filename> file within the unpacked
156 source tree. If using Shadow support, keep in mind that programs which need
157 to verify passwords (display managers, FTP programs, pop3 daemons, etc.)
158 must be Shadow-compliant. That is, they need to be able to work with
159 shadowed passwords.</para>
160
161 <para>To enable shadowed passwords, run the following command:</para>
162
163<screen><userinput>pwconv</userinput></screen>
164
165 <para>To enable shadowed group passwords, run:</para>
166
167<screen><userinput>grpconv</userinput></screen>
168
169 <para>Shadow's stock configuration for the <command>useradd</command>
170 utility has a few caveats that need some explanation. First, the default
171 action for the <command>useradd</command> utility is to create the user and
172 a group of the same name as the user. By default the user ID (UID) and
173 group ID (GID) numbers will begin with 1000. This means if you don't pass
174 parameters to <command>useradd</command>, each user will be a member of a
175 unique group on the system. If this behavior is undesirable, you'll need
176 to pass the <parameter>-g</parameter> parameter to
177 <command>useradd</command>. The default parameters are stored in the
178 <filename>/etc/default/useradd</filename> file. You may need to modify two
179 parameters in this file to suit your particular needs.</para>
180
181 <variablelist>
182 <title><filename>/etc/default/useradd</filename> Parameter Explanations</title>
183
184 <varlistentry>
185 <term><parameter>GROUP=1000</parameter></term>
186 <listitem>
187 <para>This parameter sets the beginning of the group numbers used in
188 the /etc/group file. You can modify it to anything you desire. Note
189 that <command>useradd</command> will never reuse a UID or GID. If the
190 number identified in this parameter is used, it will use the next
191 available number after this. Note also that if you don't have a group
192 1000 on your system the first time you use <command>useradd</command>
193 without the <parameter>-g</parameter> parameter, you'll get a message
194 displayed on the terminal that says:
195 <computeroutput>useradd: unknown GID 1000</computeroutput>. You may
196 disregard this message and group number 1000 will be used.</para>
197 </listitem>
198 </varlistentry>
199 <varlistentry>
200 <term><parameter>CREATE_MAIL_SPOOL=yes</parameter></term>
201 <listitem>
202 <para>This parameter causes <command>useradd</command> to create a
203 mailbox file for the newly created user. <command>useradd</command>
204 will make the group ownership of this file to the
205 <systemitem class="groupname">mail</systemitem> group with 0660
206 permissions. If you would prefer that these mailbox files are not
207 created by <command>useradd</command>, issue the following
208 command:</para>
209
210<screen><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
211 </listitem>
212 </varlistentry>
213
214 </variablelist>
215
216
217 </sect2>
218
219 <sect2 role="configuration">
220 <title>Setting the root password</title>
221
222 <para>Choose a password for user <emphasis>root</emphasis> and set it
223 by running:</para>
224
225<screen role="nodump"><userinput>passwd root</userinput></screen>
226
227 </sect2>
228
229 <sect2 id="contents-shadow" role="content">
230 <title>Contents of Shadow</title>
231
232 <segmentedlist>
233 <segtitle>Installed programs</segtitle>
234 <segtitle>Installed directory</segtitle>
235
236 <seglistitem>
237 <seg>chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd,
238 groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
239 lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers,
240 nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su,
241 useradd, userdel, usermod, vigr (link to vipw), and vipw</seg>
242 <seg>/etc/default</seg>
243 </seglistitem>
244 </segmentedlist>
245
246 <variablelist>
247 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
248 <?dbfo list-presentation="list"?>
249 <?dbhtml list-presentation="table"?>
250
251 <varlistentry id="chage">
252 <term><command>chage</command></term>
253 <listitem>
254 <para>Used to change the maximum number of days between obligatory
255 password changes</para>
256 <indexterm zone="ch-system-shadow chage">
257 <primary sortas="b-chage">chage</primary>
258 </indexterm>
259 </listitem>
260 </varlistentry>
261
262 <varlistentry id="chfn">
263 <term><command>chfn</command></term>
264 <listitem>
265 <para>Used to change a user's full name and other information</para>
266 <indexterm zone="ch-system-shadow chfn">
267 <primary sortas="b-chfn">chfn</primary>
268 </indexterm>
269 </listitem>
270 </varlistentry>
271
272 <varlistentry id="chgpasswd">
273 <term><command>chgpasswd</command></term>
274 <listitem>
275 <para>Used to update group passwords in batch mode</para>
276 <indexterm zone="ch-system-shadow chgpasswd">
277 <primary sortas="b-chgpasswd">chgpasswd</primary>
278 </indexterm>
279 </listitem>
280 </varlistentry>
281
282 <varlistentry id="chpasswd">
283 <term><command>chpasswd</command></term>
284 <listitem>
285 <para>Used to update user passwords in batch mode</para>
286 <indexterm zone="ch-system-shadow chpasswd">
287 <primary sortas="b-chpasswd">chpasswd</primary>
288 </indexterm>
289 </listitem>
290 </varlistentry>
291
292 <varlistentry id="chsh">
293 <term><command>chsh</command></term>
294 <listitem>
295 <para>Used to change a user's default login shell</para>
296 <indexterm zone="ch-system-shadow chsh">
297 <primary sortas="b-chsh">chsh</primary>
298 </indexterm>
299 </listitem>
300 </varlistentry>
301
302 <varlistentry id="expiry">
303 <term><command>expiry</command></term>
304 <listitem>
305 <para>Checks and enforces the current password expiration policy</para>
306 <indexterm zone="ch-system-shadow expiry">
307 <primary sortas="b-expiry">expiry</primary>
308 </indexterm>
309 </listitem>
310 </varlistentry>
311
312 <varlistentry id="faillog">
313 <term><command>faillog</command></term>
314 <listitem>
315 <para>Is used to examine the log of login failures, to set a maximum
316 number of failures before an account is blocked, or to reset the
317 failure count</para>
318 <indexterm zone="ch-system-shadow faillog">
319 <primary sortas="b-faillog">faillog</primary>
320 </indexterm>
321 </listitem>
322 </varlistentry>
323
324 <varlistentry id="gpasswd">
325 <term><command>gpasswd</command></term>
326 <listitem>
327 <para>Is used to add and delete members and administrators to
328 groups</para>
329 <indexterm zone="ch-system-shadow gpasswd">
330 <primary sortas="b-gpasswd">gpasswd</primary>
331 </indexterm>
332 </listitem>
333 </varlistentry>
334
335 <varlistentry id="groupadd">
336 <term><command>groupadd</command></term>
337 <listitem>
338 <para>Creates a group with the given name</para>
339 <indexterm zone="ch-system-shadow groupadd">
340 <primary sortas="b-groupadd">groupadd</primary>
341 </indexterm>
342 </listitem>
343 </varlistentry>
344
345 <varlistentry id="groupdel">
346 <term><command>groupdel</command></term>
347 <listitem>
348 <para>Deletes the group with the given name</para>
349 <indexterm zone="ch-system-shadow groupdel">
350 <primary sortas="b-groupdel">groupdel</primary>
351 </indexterm>
352 </listitem>
353 </varlistentry>
354
355 <varlistentry id="groupmems">
356 <term><command>groupmems</command></term>
357 <listitem>
358 <para>Allows a user to administer his/her own group membership list
359 without the requirement of super user privileges.</para>
360 <indexterm zone="ch-system-shadow groupmems">
361 <primary sortas="b-groupmems">groupmems</primary>
362 </indexterm>
363 </listitem>
364 </varlistentry>
365
366 <varlistentry id="groupmod">
367 <term><command>groupmod</command></term>
368 <listitem>
369 <para>Is used to modify the given group's name or GID</para>
370 <indexterm zone="ch-system-shadow groupmod">
371 <primary sortas="b-groupmod">groupmod</primary>
372 </indexterm>
373 </listitem>
374 </varlistentry>
375
376 <varlistentry id="grpck">
377 <term><command>grpck</command></term>
378 <listitem>
379 <para>Verifies the integrity of the group files
380 <filename>/etc/group</filename> and
381 <filename>/etc/gshadow</filename></para>
382 <indexterm zone="ch-system-shadow grpck">
383 <primary sortas="b-grpck">grpck</primary>
384 </indexterm>
385 </listitem>
386 </varlistentry>
387
388 <varlistentry id="grpconv">
389 <term><command>grpconv</command></term>
390 <listitem>
391 <para>Creates or updates the shadow group file from the normal
392 group file</para>
393 <indexterm zone="ch-system-shadow grpconv">
394 <primary sortas="b-grpconv">grpconv</primary>
395 </indexterm>
396 </listitem>
397 </varlistentry>
398
399 <varlistentry id="grpunconv">
400 <term><command>grpunconv</command></term>
401 <listitem>
402 <para>Updates <filename>/etc/group</filename> from
403 <filename>/etc/gshadow</filename> and then deletes the latter</para>
404 <indexterm zone="ch-system-shadow grpunconv">
405 <primary sortas="b-grpunconv">grpunconv</primary>
406 </indexterm>
407 </listitem>
408 </varlistentry>
409
410 <varlistentry id="lastlog">
411 <term><command>lastlog</command></term>
412 <listitem>
413 <para>Reports the most recent login of all users or of a
414 given user</para>
415 <indexterm zone="ch-system-shadow lastlog">
416 <primary sortas="b-lastlog">lastlog</primary>
417 </indexterm>
418 </listitem>
419 </varlistentry>
420
421 <varlistentry id="login">
422 <term><command>login</command></term>
423 <listitem>
424 <para>Is used by the system to let users sign on</para>
425 <indexterm zone="ch-system-shadow login">
426 <primary sortas="b-login">login</primary>
427 </indexterm>
428 </listitem>
429 </varlistentry>
430
431 <varlistentry id="logoutd">
432 <term><command>logoutd</command></term>
433 <listitem>
434 <para>Is a daemon used to enforce restrictions on log-on time
435 and ports</para>
436 <indexterm zone="ch-system-shadow logoutd">
437 <primary sortas="b-logoutd">logoutd</primary>
438 </indexterm>
439 </listitem>
440 </varlistentry>
441
442 <varlistentry id="newgidmap">
443 <term><command>newgidmap</command></term>
444 <listitem>
445 <para>Is used to set the gid mapping of a user namespace</para>
446 <indexterm zone="ch-system-shadow newgidmap">
447 <primary sortas="b-newgidmap">newgidmap</primary>
448 </indexterm>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry id="newgrp">
453 <term><command>newgrp</command></term>
454 <listitem>
455 <para>Is used to change the current GID during a login session</para>
456 <indexterm zone="ch-system-shadow newgrp">
457 <primary sortas="b-newgrp">newgrp</primary>
458 </indexterm>
459 </listitem>
460 </varlistentry>
461
462 <varlistentry id="newuidmap">
463 <term><command>newuidmap</command></term>
464 <listitem>
465 <para>Is used to set the uid mapping of a user namespace</para>
466 <indexterm zone="ch-system-shadow newuidmap">
467 <primary sortas="b-newuidmap">newuidmap</primary>
468 </indexterm>
469 </listitem>
470 </varlistentry>
471
472 <varlistentry id="newusers">
473 <term><command>newusers</command></term>
474 <listitem>
475 <para>Is used to create or update an entire series of user
476 accounts</para>
477 <indexterm zone="ch-system-shadow newusers">
478 <primary sortas="b-newusers">newusers</primary>
479 </indexterm>
480 </listitem>
481 </varlistentry>
482
483 <varlistentry id="nologin">
484 <term><command>nologin</command></term>
485 <listitem>
486 <para>Displays a message that an account is not available; it is designed
487 to be used as the default shell for accounts that have been
488 disabled</para>
489 <indexterm zone="ch-system-shadow nologin">
490 <primary sortas="b-nologin">nologin</primary>
491 </indexterm>
492 </listitem>
493 </varlistentry>
494
495 <varlistentry id="passwd">
496 <term><command>passwd</command></term>
497 <listitem>
498 <para>Is used to change the password for a user or group account</para>
499 <indexterm zone="ch-system-shadow passwd">
500 <primary sortas="b-passwd">passwd</primary>
501 </indexterm>
502 </listitem>
503 </varlistentry>
504
505 <varlistentry id="pwck">
506 <term><command>pwck</command></term>
507 <listitem>
508 <para>Verifies the integrity of the password files
509 <filename>/etc/passwd</filename> and
510 <filename>/etc/shadow</filename></para>
511 <indexterm zone="ch-system-shadow pwck">
512 <primary sortas="b-pwck">pwck</primary>
513 </indexterm>
514 </listitem>
515 </varlistentry>
516
517 <varlistentry id="pwconv">
518 <term><command>pwconv</command></term>
519 <listitem>
520 <para>Creates or updates the shadow password file from the normal
521 password file</para>
522 <indexterm zone="ch-system-shadow pwconv">
523 <primary sortas="b-pwconv">pwconv</primary>
524 </indexterm>
525 </listitem>
526 </varlistentry>
527
528 <varlistentry id="pwunconv">
529 <term><command>pwunconv</command></term>
530 <listitem>
531 <para>Updates <filename>/etc/passwd</filename> from
532 <filename>/etc/shadow</filename> and then deletes the latter</para>
533 <indexterm zone="ch-system-shadow pwunconv">
534 <primary sortas="b-pwunconv">pwunconv</primary>
535 </indexterm>
536 </listitem>
537 </varlistentry>
538
539 <varlistentry id="sg">
540 <term><command>sg</command></term>
541 <listitem>
542 <para>Executes a given command while the user's GID
543 is set to that of the given group</para>
544 <indexterm zone="ch-system-shadow sg">
545 <primary sortas="b-sg">sg</primary>
546 </indexterm>
547 </listitem>
548 </varlistentry>
549
550 <varlistentry id="su">
551 <term><command>su</command></term>
552 <listitem>
553 <para>Runs a shell with substitute user and group IDs</para>
554 <indexterm zone="ch-system-shadow su">
555 <primary sortas="b-su">su</primary>
556 </indexterm>
557 </listitem>
558 </varlistentry>
559
560 <varlistentry id="useradd">
561 <term><command>useradd</command></term>
562 <listitem>
563 <para>Creates a new user with the given name, or updates the default
564 new-user information</para>
565 <indexterm zone="ch-system-shadow useradd">
566 <primary sortas="b-useradd">useradd</primary>
567 </indexterm>
568 </listitem>
569 </varlistentry>
570
571 <varlistentry id="userdel">
572 <term><command>userdel</command></term>
573 <listitem>
574 <para>Deletes the given user account</para>
575 <indexterm zone="ch-system-shadow userdel">
576 <primary sortas="b-userdel">userdel</primary>
577 </indexterm>
578 </listitem>
579 </varlistentry>
580
581 <varlistentry id="usermod">
582 <term><command>usermod</command></term>
583 <listitem>
584 <para>Is used to modify the given user's login name, User
585 Identification (UID), shell, initial group, home directory, etc.</para>
586 <indexterm zone="ch-system-shadow usermod">
587 <primary sortas="b-usermod">usermod</primary>
588 </indexterm>
589 </listitem>
590 </varlistentry>
591
592 <varlistentry id="vigr">
593 <term><command>vigr</command></term>
594 <listitem>
595 <para>Edits the <filename>/etc/group</filename> or
596 <filename>/etc/gshadow</filename> files</para>
597 <indexterm zone="ch-system-shadow vigr">
598 <primary sortas="b-vigr">vigr</primary>
599 </indexterm>
600 </listitem>
601 </varlistentry>
602
603 <varlistentry id="vipw">
604 <term><command>vipw</command></term>
605 <listitem>
606 <para>Edits the <filename>/etc/passwd</filename> or
607 <filename>/etc/shadow</filename> files</para>
608 <indexterm zone="ch-system-shadow vipw">
609 <primary sortas="b-vipw">vipw</primary>
610 </indexterm>
611 </listitem>
612 </varlistentry>
613
614 </variablelist>
615
616 </sect2>
617
618</sect1>
Note: See TracBrowser for help on using the repository browser.