Installing Shadow-4.0.3

Estimated build time:           0.4 SBU
Estimated required disk space:  7 MB

Contents of Shadow

(Last checked against version 4.0.3.)

The Shadow package was created to strengthen the security of system passwords.

Shadow installs the following:

Program Files

chage, chfn, chpasswd, chsh, dpasswd, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw) and vipw

Shadow Installation Dependencies

(Last checked against version 20001016.)

Bash: sh
Binutils: ar, as, ld, nm, ranlib
Coreutils: basename, cat, chmod, cp, echo, expr, install, ln, ls,
             mkdir, mv, rm, rmdir, sleep, sort, tr, uname, uniq
Diffutils: cmp
Gawk: gawk
GCC: cc1, collect2, cpp0, gcc
Gettext: msgfmt, xgettext
Glibc: ldconfig
Grep: egrep, grep
M4: m4
Make: make
Net-tools: hostname
Sed: sed
Texinfo: makeinfo

Installation of Shadow Password Suite

Before you install this package, you may want to have a look at the Shadow hint. It discusses how you can make your system more secure regarding passwords, such as how to enable the more secure MD5 passwords and how to get the most out of this Shadow package. The Shadow hint can be found at http://www.linuxfromscratch.org/hints/downloads/files/shadowpasswd_plus.txt.

The login, getty and init programs (and some others) maintain a number of log files that record who is and who was logged in to the system. These programs do not create the log files when they are missing, so if you want this logging to occur you will have to create the files yourself. So that the Shadow package (which is installed next) detects these files in their proper place, create them now, with their proper permissions, by running the following commands:

touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
chmod 644 /var/run/utmp /var/log/{btmp,lastlog,wtmp}

The /var/run/utmp file lists the users that are currently logged in; the /var/log/wtmp file records who was logged in and when. The /var/log/lastlog file shows, for each user, when he or she last logged in, and the /var/log/btmp file lists the bad login attempts.

Shadow hard-wires the path to the passwd binary within the binary itself, but does this the wrong way. If no passwd binary is present before Shadow is installed, the package wrongly assumes it is going to be located at /bin/passwd, but then installs it in /usr/bin/passwd. This leads to errors about not finding /bin/passwd. To work around this bug, create a dummy passwd file, so that the path gets hard-wired properly:

touch /usr/bin/passwd

The current shadow suite has a problem in the newgrp command which causes it to fail. The following patch (also appearing in Shadow's CVS code) fixes this problem.

patch -Np1 -i ../shadow-4.0.3-newgrp-fix.patch

Now prepare Shadow for compilation:

./configure --prefix=/usr --libdir=/usr/lib --enable-shared

Compile the package:

make

And install it:

make install

Shadow uses two files to configure authentication settings for the system. Install these two config files:

cp etc/{limits,login.access} /etc

In the old days /var/spool/mail was the location for the user mailboxes, but nowadays /var/mail is used. Change the default mailbox location in the relevant configuration file while copying it to its destination:

sed 's%/var/spool/mail%/var/mail%' \
    etc/login.defs.linux > /etc/login.defs

According to the man page of vipw, a vigr program should exist too. Since the installation procedure doesn't create this program, create a symlink manually:

ln -s vipw /usr/sbin/vigr

As the /bin/vipw symlink is redundant (and even points to a non-existent file), remove it:

rm /bin/vipw

Now move the sg program to its proper place:

mv /bin/sg /usr/bin

And move Shadow's dynamic libraries to a more appropriate location:

mv /usr/lib/lib{shadow,misc}.so.0* /lib

As some packages expect to find the just-moved libraries in /usr/lib, create the following symlinks:

ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

Coreutils has already installed a groups program in /usr/bin. If you wish, you can remove the one installed by Shadow:

rm /bin/groups

Configuring Shadow Password Suite

This package contains utilities to modify users' passwords, add or delete users and groups, and the like. We're not going to explain what 'password shadowing' means. A full explanation can be found in the doc/HOWTO file within the unpacked shadow password suite's source tree. There's one thing to keep in mind if you decide to use shadow support: programs that need to verify passwords (for example xdm, ftp daemons, pop3 daemons) need to be 'shadow-compliant', that is, they need to be able to work with shadowed passwords.

To enable shadowed passwords, run the following command:

/usr/sbin/pwconv

And to enable shadowed group passwords, run the following command:

/usr/sbin/grpconv
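
To confirm that the conversion took effect, the following script audits a passwd/shadow pair. It is an added example, not part of the original instructions or of the Shadow package. The function names are hypothetical, the file paths are passed as arguments (so it can be pointed at /etc/passwd and /etc/shadow, or at copies), and the sample accounts and hash are constructed:

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files after running pwconv.

# Accounts whose passwd password field is not the shadow marker "x".
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Accounts listed in passwd ($1) that have no line in shadow ($2).
missing_shadow_entries() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' "$2" "$1"
}

# True when the file has no read bit for "other".
not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Report every finding; return non-zero if there was at least one.
audit_shadow() {
    rc=0
    for u in $(unshadowed_accounts "$1"); do
        echo "password field not shadowed in $1: $u"; rc=1
    done
    for u in $(missing_shadow_entries "$1" "$2"); do
        echo "no entry in $2 for: $u"; rc=1
    done
    not_world_readable "$2" || { echo "$2 is world-readable"; rc=1; }
    return "$rc"
}

# Constructed sample data (not real accounts or hashes): alice was never
# converted, bob has no shadow line, and the shadow copy is mode 644.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:$1$CONSTRUCTED$notarealhash:1000:1000::/home/alice:/bin/bash' \
    'bob:x:1001:1001::/home/bob:/bin/bash' > "$demo_dir/passwd"
printf '%s\n' 'root:!:12000:0:99999:7:::' \
    'alice:!:12000:0:99999:7:::' > "$demo_dir/shadow"
chmod 644 "$demo_dir/shadow"
audit_shadow "$demo_dir/passwd" "$demo_dir/shadow" || echo "audit: problems found"
rm -rf "$demo_dir"
```

On a correctly converted system, audit_shadow /etc/passwd /etc/shadow prints nothing and returns 0.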