352 lines
13 KiB
HTML
352 lines
13 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Linux Shadow Password HOWTO: Other programs you may need to upgrade or patch</TITLE>
|
|
<LINK HREF="Shadow-Password-HOWTO-7.html" REL=next>
|
|
<LINK HREF="Shadow-Password-HOWTO-5.html" REL=previous>
|
|
<LINK HREF="Shadow-Password-HOWTO.html#toc6" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Shadow-Password-HOWTO-7.html">Next</A>
|
|
<A HREF="Shadow-Password-HOWTO-5.html">Previous</A>
|
|
<A HREF="Shadow-Password-HOWTO.html#toc6">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s6">6. Other programs you may need to upgrade or patch</A></H2>
|
|
|
|
<P>Even though the shadow suite contains replacement programs for most
|
|
programs that need to access passwords, there are a few additional programs
|
|
on most systems that require access to passwords.
|
|
<P>If you are running a <EM>Debian Distribution</EM> (or even if you are not),
|
|
you can obtain Debian sources for the programs that need to be rebuild from:
|
|
ftp://ftp.debian.org/debian/stable/source/
|
|
<P>The remainder of this section discusses how to upgrade <CODE>adduser</CODE>,
|
|
<CODE>wu_ftpd</CODE>, <CODE>ftpd</CODE>, <CODE>pop3d</CODE>, <CODE>xlock</CODE>,
|
|
<CODE>xdm</CODE> and <CODE>sudo</CODE> so that they support the shadow suite.
|
|
<P>See the section
|
|
<A HREF="Shadow-Password-HOWTO-8.html#sec-adding">Adding Shadow Support to a C program</A>
|
|
for a discussion on how to put shadow support into any other program
|
|
that needs it (although the program must then be run SUID root or SGID shadow
|
|
to be able to actually access the shadow file).
|
|
<P>
|
|
<H2><A NAME="ss6.1">6.1 Slackware adduser program</A>
|
|
</H2>
|
|
|
|
<P>Slackware distributions (and possibly some others) contain a interactive
|
|
program for adding users called <CODE>/sbin/adduser</CODE>. A shadow version
|
|
of this program can be obtained from
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tgz">ftp://sunsite.unc.edu/pub/Linux/ system/Admin/accounts/adduser.shadow-1.4.tar.gz</A>.
|
|
<P>I would encourage you to use the programs that are supplied with the
|
|
<EM>Shadow Suite</EM> (<CODE>useradd</CODE>, <CODE>usermod</CODE>, and
|
|
<CODE>userdel</CODE>) instead of the slackware <CODE>adduser</CODE> program. They
|
|
take a little time to learn how to use, but it's well worth the effort
|
|
because you have much more control and they perform proper file locking on
|
|
the <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE> file (<CODE>adduser</CODE>
|
|
doesn't).
|
|
<P>See the section on
|
|
<A HREF="Shadow-Password-HOWTO-7.html#sec-work">Putting the Shadow Suite to use</A>
|
|
for more information.
|
|
<P>But if you gotta have it, here is what you do:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
tar -xzvf adduser.shadow-1.4.tar.gz
|
|
cd adduser
|
|
make clean
|
|
make adduser
|
|
chmod 700 adduser
|
|
cp adduser /sbin
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<H2><A NAME="ss6.2">6.2 The wu_ftpd Server</A>
|
|
</H2>
|
|
|
|
<P>Most Linux systems some with the <CODE>wu_ftpd</CODE> server. If your
|
|
distribution does not come with shadow installed, then your <CODE>wu_ftpd</CODE>
|
|
will not be compiled for shadow. <CODE>wu_ftpd</CODE> is launched from
|
|
<CODE>inetd/tcpd</CODE> as a <EM>root</EM> process. If you are running an old
|
|
<CODE>wu_ftpd</CODE> daemon, you will want to upgrade it anyway because older
|
|
ones had a bug that would allow the <EM>root</EM> account to be compromised
|
|
(For more info see the
|
|
<A HREF="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-wu.ftpd-2.4-Update.html">Linux security home page</A>).
|
|
<P>Fortunately, you only need to get the source code and recompile it
|
|
with shadow enabled.
|
|
<P>If you are not running an ELF system, The <CODE>wu_ftp</CODE> server can be
|
|
found on Sunsite as
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-ftpd-2.4-fixed.tar.gz">wu-ftp-2.4-fixed.tar.gz</A><P>Once you retrieve the server, put it in <CODE>/usr/src</CODE>, then type:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/src
|
|
tar -xzvf wu-ftpd-2.4-fixed.tar.gz
|
|
cd wu-ftpd-2.4-fixed
|
|
cp ./src/config/config.lnx.shadow ./src/config/config.lnx
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Then edit <CODE>./src/makefiles/Makefile.lnx</CODE>, and change the line:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
LIBES = -lbsd -support
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
to:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
LIBES = -lbsd -support -lshadow
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Now you are ready to run the build script and install:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/src/wu-ftpd-2.4-fixed
|
|
/usr/src/wu-ftp-2.4.fixed/build lnx
|
|
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
|
|
cp ./bin/ftpd /usr/sbin/wu.ftpd
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
<P>This uses the Linux shadow configuration file, compiles and installs
|
|
the server.
|
|
<P>On my Slackware 2.3 system I also had to do the following before running
|
|
<CODE>build</CODE>:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/include/netinet
|
|
ln -s in_systm.h in_system.h
|
|
cd -
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Problems have been reported compiling this package under ELF systems, but
|
|
the Beta version of the next release works fine.
|
|
It can be found as
|
|
<A HREF="ftp://tscnet.com/pub/linux/network/ftp/wu-ftpd-2.4.2-beta-10.tar.gz">wu-ftp-2.4.2-beta-10.tar.gz</A><P>Once you retrieve the server, put it in <CODE>/usr/src</CODE>, then type:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/src
|
|
tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
|
|
cd wu-ftpd-beta-9
|
|
cd ./src/config
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Then edit <CODE>config.lnx</CODE>, and change:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
#undef SHADOW.PASSWORD
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
to:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
#define SHADOW.PASSWORD
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
Then,
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd ../Makefiles
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
and edit the file <CODE>Makefile.lnx</CODE>
|
|
and change:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
LIBES = -lsupport -lbsd # -lshadow
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
to:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
LIBES = -lsupport -lbsd -lshadow
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
Then build and install:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd ..
|
|
build lnx
|
|
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
|
|
cp ./bin/ftpd /usr/sbin/wu.ftpd
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
<P>Note that you should check your <CODE>/etc/inetd.conf</CODE> file to make sure
|
|
that this is where your wu.ftpd server really lives. It has been reported
|
|
that some distributions place the server daemons in different places, and
|
|
then wu.ftpd in particular may be named something else.
|
|
<P>
|
|
<H2><A NAME="ss6.3">6.3 Standard ftpd</A>
|
|
</H2>
|
|
|
|
<P>If you are running the standard <CODE>ftpd</CODE> server, I would recommend that
|
|
you upgrade to the <CODE>wu_ftpd</CODE> server. Aside from the known bug
|
|
discussed above, it's generally thought to be more secure.
|
|
<P>If you insist on the standard one, or you need <EM>NIS</EM> support, Sunsite
|
|
has
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-shadow-nis.tgz">ftpd-shadow-nis.tgz</A><P>
|
|
<H2><A NAME="ss6.4">6.4 pop3d (Post Office Protocol 3)</A>
|
|
</H2>
|
|
|
|
<P>If you need to support the third <EM>Post Office Protocol (POP3)</EM>, you
|
|
will need to recompile a <CODE>pop3d</CODE> program. <CODE>pop3d</CODE> is normally
|
|
run by <CODE>inetd/tcpd</CODE> as <CODE>root</CODE>.
|
|
<P>There are two versions available from Sunsite:
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz">pop3d-1.00.4.linux.shadow.tar.gz</A>
|
|
and
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz">pop3d+shadow+elf.tar.gz</A><P>Both of these are fairly straight forward to install.
|
|
<P>
|
|
<H2><A NAME="ss6.5">6.5 xlock</A>
|
|
</H2>
|
|
|
|
<P>If you install the shadow suite, and then run <EM>X Windows System</EM> and
|
|
lock the screen without upgrading your <CODE>xlock</CODE>, you will have to use
|
|
<CODE>CNTL-ALT-Fx</CODE> to switch to another <EM>tty</EM>, login, and kill the
|
|
<CODE>xlock</CODE> process (or use <CODE>CNTL-ALT-BS</CODE> to kill the X server).
|
|
Fortunately it's fairly easy to upgrade your <CODE>xlock</CODE> program.
|
|
<P>If you are running XFree86 Versions 3.x.x, you are probably using
|
|
<CODE>xlockmore</CODE> (which is a great screen-saver in addition to a lock).
|
|
This package supports <EM>shadow</EM> with a recompile. If you have an
|
|
older <CODE>xlock</CODE>, I recommend that you upgrade to this one.
|
|
<P><CODE>xlockmore-3.5.tgz</CODE> is available at:
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz">ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz</A><P>Basically, this is what you need to do:
|
|
<P>Get the <CODE>xlockmore-3.7.tgz</CODE> file and put it in <CODE>/usr/src</CODE> unpack it:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
tar -xzvf xlockmore-3.7.tgz
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Edit the file: <CODE>/usr/X11R6/lib/X11/config/linux.cf</CODE>, and change the line:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
#define HasShadowPasswd NO
|
|
|
|
to
|
|
|
|
#define HasShadowPasswd YES
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Then build the executables:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/src/xlockmore
|
|
xmkmf
|
|
make depend
|
|
make
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Then move everything into place and update file ownerships and permissions:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cp xlock /usr/X11R6/bin/
|
|
cp XLock /var/X11R6/lib/app-defaults/
|
|
chown root.shadow /usr/X11R6/bin/xlock
|
|
chmod 2755 /usr/X11R6/bin/xlock
|
|
chown root.shadow /etc/shadow
|
|
chmod 640 /etc/shadow
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Your xlock will now work correctly.
|
|
<P>
|
|
<H2><A NAME="ss6.6">6.6 xdm</A>
|
|
</H2>
|
|
|
|
<P><CODE>xdm</CODE> is a program that presents a login screen for X-Windows. Some
|
|
systems start <CODE>xdm</CODE> when the system is told to goto a specified run
|
|
level (see <CODE>/etc/inittab</CODE>.
|
|
<P>With the <EM>Shadow Suite</EM> install, <CODE>xdm</CODE> will need to be
|
|
updated. Fortunately it's fairly easy to upgrade your <CODE>xdm</CODE> program.
|
|
<P>
|
|
<P><CODE>xdm.tar.gz</CODE> is available at:
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz">ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz</A><P>Get the <CODE>xdm.tar.gz</CODE> file and put it in <CODE>/usr/src</CODE>, then to
|
|
unpack it:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
tar -xzvf xdm.tar.gz
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Edit the file: <CODE>/usr/X11R6/lib/X11/config/linux.cf</CODE>, and change the line:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
#define HasShadowPasswd NO
|
|
|
|
to
|
|
|
|
#define HasShadowPasswd YES
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Then build the executables:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/src/xdm
|
|
xmkmf
|
|
make depend
|
|
make
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>Then move everything into place:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cp xdm /usr/X11R6/bin/
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P><CODE>xdm</CODE> is run as <EM>root</EM> so you don't need to change it file
|
|
permissions.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss6.7">6.7 sudo</A>
|
|
</H2>
|
|
|
|
<P>The program <CODE>sudo</CODE> allows a system administrator to let users run
|
|
programs that would normally require root access. This is handy because it
|
|
lets the administrator limit access to the root account itself while still
|
|
allowing users to do things like mounting drives.
|
|
<P><CODE>sudo</CODE> needs to read passwords because it verifies the users password
|
|
when it's invoked. <CODE>sudo</CODE> already runs SUID root, so accessing the
|
|
<CODE>/etc/shadow</CODE> file is not a problem.
|
|
<P><CODE>sudo</CODE> for the shadow suite, is available as at:
|
|
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz">ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz</A><P><EM>Warning</EM>: When you install <CODE>sudo</CODE> your <CODE>/etc/sudoers</CODE>
|
|
file will be replaced with a default one, so you need to make a backup of it
|
|
if you have added anything to the default one. (you could also edit the
|
|
Makefile and remove the line that copies the default file to <CODE>/etc</CODE>).
|
|
<P>The package is already setup for shadow, so all that's required is to
|
|
recompile the package (put it in <CODE>/usr/src</CODE>):
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
cd /usr/src
|
|
tar -xzvf sudo-1.2-shadow.tgz
|
|
cd sudo-1.2-shadow
|
|
make all
|
|
make install
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<H2><A NAME="ss6.9">6.9 pppd (Point-to-Point Protocol Server)</A>
|
|
</H2>
|
|
|
|
<P>The pppd server can be setup to use several types of authentication:
|
|
<EM>Password Authentication Protocol</EM> (PAP) and <EM>Cryptographic
|
|
Handshake Authentication Protocol</EM> (CHAP). The pppd server usually
|
|
reads the password strings that it uses from <CODE>/etc/ppp/chap-secrets</CODE>
|
|
and/or <CODE>/etc/ppp/pap-secrets</CODE>. If you are using this default behavior
|
|
of pppd, it is not necessary to reinstall pppd.
|
|
<P>pppd also allows you to use the <EM>login</EM> parameter (either on the
|
|
command line, or in the configuration or <CODE>options</CODE> file). If the
|
|
<EM>login</EM> option is given, then pppd will use the <CODE>/etc/passwd</CODE>
|
|
file for the username and passwords for the <EM>PAP</EM>. This, of course,
|
|
will no longer work now that our password file is shadowed. For pppd-1.2.1d
|
|
this requires adding code for shadow support.
|
|
<P>The example given in the next section is adding shadow support to
|
|
<CODE>pppd-1.2.1d</CODE> (an older version of pppd).
|
|
<P><CODE>pppd-2.2.0</CODE> already contains shadow support.
|
|
<P>
|
|
<HR>
|
|
<A HREF="Shadow-Password-HOWTO-7.html">Next</A>
|
|
<A HREF="Shadow-Password-HOWTO-5.html">Previous</A>
|
|
<A HREF="Shadow-Password-HOWTO.html#toc6">Contents</A>
|
|
</BODY>
|
|
</HTML>
|