6.25.1. Installation of Shadow
Disable the installation of the groups program and its man pages,
as Coreutils provides a better version. Also Prevent the
installation of manual pages that were already installed by the
man pages
package:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;
Instead of
using the default crypt
method, use the more secure SHA-512 method of password encryption,
which also allows passwords longer than 8 characters. It is also
necessary to change the obsolete /var/spool/mail
location for user mailboxes that
Shadow uses by default to the /var/mail
location used currently:
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs
Now fix a bug that prevents useradd from setting the shell
entry in the /etc/passwd file. In this case we need a short patch,
but can include it directly here without the need for a separate
file:
echo '--- src/useradd.c (old)
+++ src/useradd.c (new)
@@ -2027,6 +2027,8 @@
is_shadow_grp = sgr_file_present ();
#endif
+ get_defaults ();
+
process_flags (argc, argv);
#ifdef ENABLE_SUBIDS
@@ -2036,8 +2038,6 @@
(!user_id || (user_id <= uid_max && user_id >= uid_min));
#endif /* ENABLE_SUBIDS */
- get_defaults ();
-
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
{' | patch -p0 -l
Note
If you chose to build Shadow with Cracklib support, run the
following:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs
Make a minor change to make the default useradd consistent with the
LFS groups file:
sed -i 's/1000/999/' etc/useradd
Fix a security issue identified upstream:
sed -i -e '47 d' -e '60,65 d' libmisc/myname.c
Prepare Shadow for compilation:
./configure --sysconfdir=/etc --with-group-name-max-length=32
The meaning of the configure option:
-
--with-group-name-max-length=32
-
The maximum user name is 32 characters. Make the maximum
group name the same.
Compile the package:
make
This package does not come with a test suite.
Install the package:
make install
Move a misplaced program to its proper location:
mv -v /usr/bin/passwd /bin
6.25.2. Configuring
Shadow
This package contains utilities to add, modify, and delete users
and groups; set and change their passwords; and perform other
administrative tasks. For a full explanation of what password shadowing means, see the
doc/HOWTO
file within the unpacked
source tree. If using Shadow support, keep in mind that programs
which need to verify passwords (display managers, FTP programs,
pop3 daemons, etc.) must be Shadow-compliant. That is, they need to
be able to work with shadowed passwords.
To enable shadowed passwords, run the following command:
pwconv
To enable shadowed group passwords, run:
grpconv
Shadow's stock configuration for the useradd utility has a few caveats
that need some explanation. First, the default action for the
useradd utility is to
create the user and a group of the same name as the user. By
default the user ID (UID) and group ID (GID) numbers will begin
with 1000. This means if you don't pass parameters to useradd, each user will be a
member of a unique group on the system. If this behavior is
undesirable, you'll need to pass the -g
parameter to useradd. The default parameters
are stored in the /etc/default/useradd
file. You may need to modify
two parameters in this file to suit your particular needs.
/etc/default/useradd
Parameter Explanations
-
GROUP=1000
-
This parameter sets the beginning of the group numbers used
in the /etc/group file. You can modify it to anything you
desire. Note that useradd will never reuse a
UID or GID. If the number identified in this parameter is
used, it will use the next available number after this. Note
also that if you don't have a group 1000 on your system the
first time you use useradd without the
-g
parameter, you'll
get a message displayed on the terminal that says:
useradd: unknown GID
1000
. You may disregard this message and group number
1000 will be used.
-
CREATE_MAIL_SPOOL=yes
-
This parameter causes useradd to create a mailbox
file for the newly created user. useradd will make the group
ownership of this file to the mail
group with 0660 permissions. If you
would prefer that these mailbox files are not created by
useradd, issue
the following command:
sed -i 's/yes/no/' /etc/default/useradd