source: chapter08/shadow.xml@ a4053b5b

10.0 10.0-rc1 10.1 10.1-rc1 11.0 11.0-rc1 11.0-rc2 11.0-rc3 11.1 11.1-rc1 11.2 11.2-rc1 11.3 11.3-rc1 12.0 12.0-rc1 12.1 12.1-rc1 arm bdubbs/gcc13 ml-11.0 multilib renodr/libudev-from-systemd s6-init trunk xry111/arm64 xry111/arm64-12.0 xry111/clfs-ng xry111/lfs-next xry111/loongarch xry111/loongarch-12.0 xry111/loongarch-12.1 xry111/mips64el xry111/pip3 xry111/rust-wip-20221008 xry111/update-glibc
Last change on this file since a4053b5b was 6a156bab, checked in by Bruce Dubbs <bdubbs@…>, 4 years ago

Mostly text updates in Chapter 8.
There are a couple of minor command changes.

git-svn-id: http://svn.linuxfromscratch.org/LFS/branches/cross2@11924 4aa44e1e-78dd-0310-a6d2-fbcd4c07a689
  • Property mode set to 100644
File size: 21.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="ch-system-shadow" role="wrap">
9 <?dbhtml filename="shadow.html"?>
10
11 <sect1info condition="script">
12 <productname>shadow</productname>
13 <productnumber>&shadow-version;</productnumber>
14 <address>&shadow-url;</address>
15 </sect1info>
16
17 <title>Shadow-&shadow-version;</title>
18
19 <indexterm zone="ch-system-shadow">
20 <primary sortas="a-Shadow">Shadow</primary>
21 </indexterm>
22
23 <sect2 role="package">
24 <title/>
25
26 <para>The Shadow package contains programs for handling passwords in a secure
27 way.</para>
28
29 <segmentedlist>
30 <segtitle>&buildtime;</segtitle>
31 <segtitle>&diskspace;</segtitle>
32
33 <seglistitem>
34 <seg>&shadow-fin-sbu;</seg>
35 <seg>&shadow-fin-du;</seg>
36 </seglistitem>
37 </segmentedlist>
38
39 </sect2>
40
41 <sect2 role="installation">
42 <title>Installation of Shadow</title>
43
44 <note>
45 <para>If you would like to enforce the use of strong passwords, refer to
46 <ulink url="&blfs-book;postlfs/cracklib.html"/> for installing
47 CrackLib prior to building Shadow. Then add
48 <parameter>--with-libcrack</parameter> to the <command>configure</command>
49 command below.</para>
50 </note>
51
52 <para>Disable the installation of the <command>groups</command> program
53 and its man pages, as Coreutils provides a better version. Also,
54 prevent the installation of manual pages that were already installed in
55 <xref linkend="ch-system-man-pages"/>:</para>
56
57<screen><userinput remap="pre">sed -i 's/groups$(EXEEXT) //' src/Makefile.in
58find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
59find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
60find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></screen>
61
62 <para id="shadow-login_defs">Instead of using the default
63 <emphasis>crypt</emphasis> method, use the more secure
64 <emphasis>SHA-512</emphasis> method of password encryption, which also
65 allows passwords longer than 8 characters. It is also necessary to change
66 the obsolete <filename class="directory">/var/spool/mail</filename> location
67 for user mailboxes that Shadow uses by default to the <filename
68 class="directory">/var/mail</filename> location used currently:</para>
69
70<screen><userinput remap="pre">
71sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
72 -e 's:/var/spool/mail:/var/mail:' \
73 -i etc/login.defs</userinput></screen>
74
75 <note>
76 <para>If you chose to build Shadow with Cracklib support, run the following:</para>
77
78<screen role="nodump"><userinput>sed -i 's:DICTPATH.*:DICTPATH\t/lib/cracklib/pw_dict:' etc/login.defs</userinput></screen>
79 </note>
80
81 <para>Make a minor change to make the first group number generated
82 by useradd 1000:</para>
83
84<screen><userinput remap="pre">sed -i 's/1000/999/' etc/useradd</userinput></screen>
85
86 <para>Prepare Shadow for compilation:</para>
87
88<screen><userinput remap="configure">touch /usr/bin/passwd
89./configure --sysconfdir=/etc \
90 --with-group-name-max-length=32</userinput></screen>
91
92 <variablelist>
93 <title>The meaning of the configure option:</title>
94
95 <varlistentry>
96 <term><command>touch /usr/bin/passwd</command></term>
97 <listitem>
98 <para>The file <filename>/usr/bin/passwd</filename> needs
99 to exist because its location is harcoded in some programs, and
100 the default location if it does not exist is not right.</para>
101 </listitem>
102 </varlistentry>
103 <varlistentry>
104 <term><parameter>--with-group-name-max-length=32</parameter></term>
105 <listitem>
106 <para>The maximum user name is 32 characters. Make the maximum
107 group name the same.</para>
108 </listitem>
109 </varlistentry>
110
111 </variablelist>
112
113 <para>Compile the package:</para>
114
115<screen><userinput remap="make">make</userinput></screen>
116
117 <para>This package does not come with a test suite.</para>
118
119 <para>Install the package:</para>
120
121<screen><userinput remap="install">make install</userinput></screen>
122 <!--
123 <para>Move a misplaced program to its proper location:</para>
124
125<screen><userinput remap="install">mv -v /usr/bin/passwd /bin</userinput></screen>
126 -->
127
128 <!-- <para>Move Shadow's libraries to more appropriate locations:</para>
129
130<screen><userinput remap="install">mv -v /lib/libshadow.*a /usr/lib
131rm -v /lib/libshadow.so
132ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen> -->
133
134 </sect2>
135
136 <sect2 id="conf-shadow" role="configuration">
137 <title>Configuring Shadow</title>
138
139 <indexterm zone="conf-shadow">
140 <primary sortas="a-Shadow">Shadow</primary>
141 <secondary>configuring</secondary>
142 </indexterm>
143
144 <para>This package contains utilities to add, modify, and delete users and
145 groups; set and change their passwords; and perform other administrative
146 tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
147 means, see the <filename>doc/HOWTO</filename> file within the unpacked
148 source tree. If using Shadow support, keep in mind that programs which need
149 to verify passwords (display managers, FTP programs, pop3 daemons, etc.)
150 must be Shadow-compliant. That is, they need to be able to work with
151 shadowed passwords.</para>
152
153 <para>To enable shadowed passwords, run the following command:</para>
154
155<screen><userinput>pwconv</userinput></screen>
156
157 <para>To enable shadowed group passwords, run:</para>
158
159<screen><userinput>grpconv</userinput></screen>
160
161 <para>Shadow's stock configuration for the <command>useradd</command>
162 utility has a few caveats that need some explanation. First, the default
163 action for the <command>useradd</command> utility is to create the user and
164 a group of the same name as the user. By default the user ID (UID) and
165 group ID (GID) numbers will begin with 1000. This means if you don't pass
166 parameters to <command>useradd</command>, each user will be a member of a
167 unique group on the system. If this behavior is undesirable, you'll need
168 to pass the <parameter>-g</parameter> parameter to
169 <command>useradd</command>. The default parameters are stored in the
170 <filename>/etc/default/useradd</filename> file. You may need to modify two
171 parameters in this file to suit your particular needs.</para>
172
173 <variablelist>
174 <title><filename>/etc/default/useradd</filename> Parameter Explanations</title>
175
176 <varlistentry>
177 <term><parameter>GROUP=1000</parameter></term>
178 <listitem>
179 <para>This parameter sets the beginning of the group numbers used in
180 the /etc/group file. You can modify it to anything you desire. Note
181 that <command>useradd</command> will never reuse a UID or GID. If the
182 number identified in this parameter is used, it will use the next
183 available number after this. Note also that if you don't have a group
184 1000 on your system the first time you use <command>useradd</command>
185 without the <parameter>-g</parameter> parameter, you'll get a message
186 displayed on the terminal that says:
187 <computeroutput>useradd: unknown GID 1000</computeroutput>. You may
188 disregard this message and group number 1000 will be used.</para>
189 </listitem>
190 </varlistentry>
191 <varlistentry>
192 <term><parameter>CREATE_MAIL_SPOOL=yes</parameter></term>
193 <listitem>
194 <para>This parameter causes <command>useradd</command> to create a
195 mailbox file for the newly created user. <command>useradd</command>
196 will make the group ownership of this file to the
197 <systemitem class="groupname">mail</systemitem> group with 0660
198 permissions. If you would prefer that these mailbox files are not
199 created by <command>useradd</command>, issue the following
200 command:</para>
201
202<screen><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
203 </listitem>
204 </varlistentry>
205
206 </variablelist>
207
208
209 </sect2>
210
211 <sect2 role="configuration">
212 <title>Setting the root password</title>
213
214 <para>Choose a password for user <emphasis>root</emphasis> and set it
215 by running:</para>
216
217<screen role="nodump"><userinput>passwd root</userinput></screen>
218
219 </sect2>
220
221 <sect2 id="contents-shadow" role="content">
222 <title>Contents of Shadow</title>
223
224 <segmentedlist>
225 <segtitle>Installed programs</segtitle>
226 <segtitle>Installed directory</segtitle>
227
228 <seglistitem>
229 <seg>chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd,
230 groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
231 lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers,
232 nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su,
233 useradd, userdel, usermod, vigr (link to vipw), and vipw</seg>
234 <seg>/etc/default</seg>
235 </seglistitem>
236 </segmentedlist>
237
238 <variablelist>
239 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
240 <?dbfo list-presentation="list"?>
241 <?dbhtml list-presentation="table"?>
242
243 <varlistentry id="chage">
244 <term><command>chage</command></term>
245 <listitem>
246 <para>Used to change the maximum number of days between obligatory
247 password changes</para>
248 <indexterm zone="ch-system-shadow chage">
249 <primary sortas="b-chage">chage</primary>
250 </indexterm>
251 </listitem>
252 </varlistentry>
253
254 <varlistentry id="chfn">
255 <term><command>chfn</command></term>
256 <listitem>
257 <para>Used to change a user's full name and other information</para>
258 <indexterm zone="ch-system-shadow chfn">
259 <primary sortas="b-chfn">chfn</primary>
260 </indexterm>
261 </listitem>
262 </varlistentry>
263
264 <varlistentry id="chgpasswd">
265 <term><command>chgpasswd</command></term>
266 <listitem>
267 <para>Used to update group passwords in batch mode</para>
268 <indexterm zone="ch-system-shadow chgpasswd">
269 <primary sortas="b-chgpasswd">chgpasswd</primary>
270 </indexterm>
271 </listitem>
272 </varlistentry>
273
274 <varlistentry id="chpasswd">
275 <term><command>chpasswd</command></term>
276 <listitem>
277 <para>Used to update user passwords in batch mode</para>
278 <indexterm zone="ch-system-shadow chpasswd">
279 <primary sortas="b-chpasswd">chpasswd</primary>
280 </indexterm>
281 </listitem>
282 </varlistentry>
283
284 <varlistentry id="chsh">
285 <term><command>chsh</command></term>
286 <listitem>
287 <para>Used to change a user's default login shell</para>
288 <indexterm zone="ch-system-shadow chsh">
289 <primary sortas="b-chsh">chsh</primary>
290 </indexterm>
291 </listitem>
292 </varlistentry>
293
294 <varlistentry id="expiry">
295 <term><command>expiry</command></term>
296 <listitem>
297 <para>Checks and enforces the current password expiration policy</para>
298 <indexterm zone="ch-system-shadow expiry">
299 <primary sortas="b-expiry">expiry</primary>
300 </indexterm>
301 </listitem>
302 </varlistentry>
303
304 <varlistentry id="faillog">
305 <term><command>faillog</command></term>
306 <listitem>
307 <para>Is used to examine the log of login failures, to set a maximum
308 number of failures before an account is blocked, or to reset the
309 failure count</para>
310 <indexterm zone="ch-system-shadow faillog">
311 <primary sortas="b-faillog">faillog</primary>
312 </indexterm>
313 </listitem>
314 </varlistentry>
315
316 <varlistentry id="gpasswd">
317 <term><command>gpasswd</command></term>
318 <listitem>
319 <para>Is used to add and delete members and administrators to
320 groups</para>
321 <indexterm zone="ch-system-shadow gpasswd">
322 <primary sortas="b-gpasswd">gpasswd</primary>
323 </indexterm>
324 </listitem>
325 </varlistentry>
326
327 <varlistentry id="groupadd">
328 <term><command>groupadd</command></term>
329 <listitem>
330 <para>Creates a group with the given name</para>
331 <indexterm zone="ch-system-shadow groupadd">
332 <primary sortas="b-groupadd">groupadd</primary>
333 </indexterm>
334 </listitem>
335 </varlistentry>
336
337 <varlistentry id="groupdel">
338 <term><command>groupdel</command></term>
339 <listitem>
340 <para>Deletes the group with the given name</para>
341 <indexterm zone="ch-system-shadow groupdel">
342 <primary sortas="b-groupdel">groupdel</primary>
343 </indexterm>
344 </listitem>
345 </varlistentry>
346
347 <varlistentry id="groupmems">
348 <term><command>groupmems</command></term>
349 <listitem>
350 <para>Allows a user to administer his/her own group membership list
351 without the requirement of super user privileges.</para>
352 <indexterm zone="ch-system-shadow groupmems">
353 <primary sortas="b-groupmems">groupmems</primary>
354 </indexterm>
355 </listitem>
356 </varlistentry>
357
358 <varlistentry id="groupmod">
359 <term><command>groupmod</command></term>
360 <listitem>
361 <para>Is used to modify the given group's name or GID</para>
362 <indexterm zone="ch-system-shadow groupmod">
363 <primary sortas="b-groupmod">groupmod</primary>
364 </indexterm>
365 </listitem>
366 </varlistentry>
367
368 <varlistentry id="grpck">
369 <term><command>grpck</command></term>
370 <listitem>
371 <para>Verifies the integrity of the group files
372 <filename>/etc/group</filename> and
373 <filename>/etc/gshadow</filename></para>
374 <indexterm zone="ch-system-shadow grpck">
375 <primary sortas="b-grpck">grpck</primary>
376 </indexterm>
377 </listitem>
378 </varlistentry>
379
380 <varlistentry id="grpconv">
381 <term><command>grpconv</command></term>
382 <listitem>
383 <para>Creates or updates the shadow group file from the normal
384 group file</para>
385 <indexterm zone="ch-system-shadow grpconv">
386 <primary sortas="b-grpconv">grpconv</primary>
387 </indexterm>
388 </listitem>
389 </varlistentry>
390
391 <varlistentry id="grpunconv">
392 <term><command>grpunconv</command></term>
393 <listitem>
394 <para>Updates <filename>/etc/group</filename> from
395 <filename>/etc/gshadow</filename> and then deletes the latter</para>
396 <indexterm zone="ch-system-shadow grpunconv">
397 <primary sortas="b-grpunconv">grpunconv</primary>
398 </indexterm>
399 </listitem>
400 </varlistentry>
401
402 <varlistentry id="lastlog">
403 <term><command>lastlog</command></term>
404 <listitem>
405 <para>Reports the most recent login of all users or of a
406 given user</para>
407 <indexterm zone="ch-system-shadow lastlog">
408 <primary sortas="b-lastlog">lastlog</primary>
409 </indexterm>
410 </listitem>
411 </varlistentry>
412
413 <varlistentry id="login">
414 <term><command>login</command></term>
415 <listitem>
416 <para>Is used by the system to let users sign on</para>
417 <indexterm zone="ch-system-shadow login">
418 <primary sortas="b-login">login</primary>
419 </indexterm>
420 </listitem>
421 </varlistentry>
422
423 <varlistentry id="logoutd">
424 <term><command>logoutd</command></term>
425 <listitem>
426 <para>Is a daemon used to enforce restrictions on log-on time
427 and ports</para>
428 <indexterm zone="ch-system-shadow logoutd">
429 <primary sortas="b-logoutd">logoutd</primary>
430 </indexterm>
431 </listitem>
432 </varlistentry>
433
434 <varlistentry id="newgidmap">
435 <term><command>newgidmap</command></term>
436 <listitem>
437 <para>Is used to set the gid mapping of a user namespace</para>
438 <indexterm zone="ch-system-shadow newgidmap">
439 <primary sortas="b-newgidmap">newgidmap</primary>
440 </indexterm>
441 </listitem>
442 </varlistentry>
443
444 <varlistentry id="newgrp">
445 <term><command>newgrp</command></term>
446 <listitem>
447 <para>Is used to change the current GID during a login session</para>
448 <indexterm zone="ch-system-shadow newgrp">
449 <primary sortas="b-newgrp">newgrp</primary>
450 </indexterm>
451 </listitem>
452 </varlistentry>
453
454 <varlistentry id="newuidmap">
455 <term><command>newuidmap</command></term>
456 <listitem>
457 <para>Is used to set the uid mapping of a user namespace</para>
458 <indexterm zone="ch-system-shadow newuidmap">
459 <primary sortas="b-newuidmap">newuidmap</primary>
460 </indexterm>
461 </listitem>
462 </varlistentry>
463
464 <varlistentry id="newusers">
465 <term><command>newusers</command></term>
466 <listitem>
467 <para>Is used to create or update an entire series of user
468 accounts</para>
469 <indexterm zone="ch-system-shadow newusers">
470 <primary sortas="b-newusers">newusers</primary>
471 </indexterm>
472 </listitem>
473 </varlistentry>
474
475 <varlistentry id="nologin">
476 <term><command>nologin</command></term>
477 <listitem>
478 <para>Displays a message that an account is not available; it is designed
479 to be used as the default shell for accounts that have been
480 disabled</para>
481 <indexterm zone="ch-system-shadow nologin">
482 <primary sortas="b-nologin">nologin</primary>
483 </indexterm>
484 </listitem>
485 </varlistentry>
486
487 <varlistentry id="passwd">
488 <term><command>passwd</command></term>
489 <listitem>
490 <para>Is used to change the password for a user or group account</para>
491 <indexterm zone="ch-system-shadow passwd">
492 <primary sortas="b-passwd">passwd</primary>
493 </indexterm>
494 </listitem>
495 </varlistentry>
496
497 <varlistentry id="pwck">
498 <term><command>pwck</command></term>
499 <listitem>
500 <para>Verifies the integrity of the password files
501 <filename>/etc/passwd</filename> and
502 <filename>/etc/shadow</filename></para>
503 <indexterm zone="ch-system-shadow pwck">
504 <primary sortas="b-pwck">pwck</primary>
505 </indexterm>
506 </listitem>
507 </varlistentry>
508
509 <varlistentry id="pwconv">
510 <term><command>pwconv</command></term>
511 <listitem>
512 <para>Creates or updates the shadow password file from the normal
513 password file</para>
514 <indexterm zone="ch-system-shadow pwconv">
515 <primary sortas="b-pwconv">pwconv</primary>
516 </indexterm>
517 </listitem>
518 </varlistentry>
519
520 <varlistentry id="pwunconv">
521 <term><command>pwunconv</command></term>
522 <listitem>
523 <para>Updates <filename>/etc/passwd</filename> from
524 <filename>/etc/shadow</filename> and then deletes the latter</para>
525 <indexterm zone="ch-system-shadow pwunconv">
526 <primary sortas="b-pwunconv">pwunconv</primary>
527 </indexterm>
528 </listitem>
529 </varlistentry>
530
531 <varlistentry id="sg">
532 <term><command>sg</command></term>
533 <listitem>
534 <para>Executes a given command while the user's GID
535 is set to that of the given group</para>
536 <indexterm zone="ch-system-shadow sg">
537 <primary sortas="b-sg">sg</primary>
538 </indexterm>
539 </listitem>
540 </varlistentry>
541
542 <varlistentry id="su">
543 <term><command>su</command></term>
544 <listitem>
545 <para>Runs a shell with substitute user and group IDs</para>
546 <indexterm zone="ch-system-shadow su">
547 <primary sortas="b-su">su</primary>
548 </indexterm>
549 </listitem>
550 </varlistentry>
551
552 <varlistentry id="useradd">
553 <term><command>useradd</command></term>
554 <listitem>
555 <para>Creates a new user with the given name, or updates the default
556 new-user information</para>
557 <indexterm zone="ch-system-shadow useradd">
558 <primary sortas="b-useradd">useradd</primary>
559 </indexterm>
560 </listitem>
561 </varlistentry>
562
563 <varlistentry id="userdel">
564 <term><command>userdel</command></term>
565 <listitem>
566 <para>Deletes the given user account</para>
567 <indexterm zone="ch-system-shadow userdel">
568 <primary sortas="b-userdel">userdel</primary>
569 </indexterm>
570 </listitem>
571 </varlistentry>
572
573 <varlistentry id="usermod">
574 <term><command>usermod</command></term>
575 <listitem>
576 <para>Is used to modify the given user's login name, User
577 Identification (UID), shell, initial group, home directory, etc.</para>
578 <indexterm zone="ch-system-shadow usermod">
579 <primary sortas="b-usermod">usermod</primary>
580 </indexterm>
581 </listitem>
582 </varlistentry>
583
584 <varlistentry id="vigr">
585 <term><command>vigr</command></term>
586 <listitem>
587 <para>Edits the <filename>/etc/group</filename> or
588 <filename>/etc/gshadow</filename> files</para>
589 <indexterm zone="ch-system-shadow vigr">
590 <primary sortas="b-vigr">vigr</primary>
591 </indexterm>
592 </listitem>
593 </varlistentry>
594
595 <varlistentry id="vipw">
596 <term><command>vipw</command></term>
597 <listitem>
598 <para>Edits the <filename>/etc/passwd</filename> or
599 <filename>/etc/shadow</filename> files</para>
600 <indexterm zone="ch-system-shadow vipw">
601 <primary sortas="b-vipw">vipw</primary>
602 </indexterm>
603 </listitem>
604 </varlistentry>
605
606 </variablelist>
607
608 </sect2>
609
610</sect1>
Note: See TracBrowser for help on using the repository browser.