old-www/HOWTO/Shadow-Password-HOWTO-6.html


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Other programs you may need to upgrade or patch</TITLE>
<LINK HREF="Shadow-Password-HOWTO-7.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-5.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-7.html">Next</A>
<A HREF="Shadow-Password-HOWTO-5.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6. Other programs you may need to upgrade or patch</A></H2>
<P>Even though the shadow suite contains replacement programs for most
programs that need to access passwords, there are a few additional programs
on most systems that require access to passwords.
<P>If you are running a <EM>Debian Distribution</EM> (or even if you are not),
you can obtain Debian sources for the programs that need to be rebuilt from
<A HREF="ftp://ftp.debian.org/debian/stable/source/">ftp://ftp.debian.org/debian/stable/source/</A>.
<P>The remainder of this section discusses how to upgrade <CODE>adduser</CODE>,
<CODE>wu_ftpd</CODE>, <CODE>ftpd</CODE>, <CODE>pop3d</CODE>, <CODE>xlock</CODE>,
<CODE>xdm</CODE> and <CODE>sudo</CODE> so that they support the shadow suite.
<P>See the section
<A HREF="Shadow-Password-HOWTO-8.html#sec-adding">Adding Shadow Support to a C program</A>
for a discussion on how to put shadow support into any other program
that needs it (although the program must then be run SUID root or SGID shadow
to be able to actually access the shadow file).
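<P>As an added illustration (not code from this HOWTO or from any package it names), the
following C program shows what "shadow support" amounts to inside such a program and why
the binary then has to run SUID root or SGID shadow. The function names
<CODE>lookup_hash</CODE> and <CODE>is_shadow_placeholder</CODE> are assumed here;
<CODE>getspnam(3)</CODE> is the libc/libshadow call that reads <CODE>/etc/shadow</CODE>.

```c
/* Added example, not from the HOWTO: what "shadow support" means in C.  On a
 * shadowed system the passwd hash field is just "x"; the hash comes from
 * getspnam(3), which works only when run SUID root or SGID shadow.  cc shadowcheck.c */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
enum hash_source { NO_SUCH_USER, HASH_IN_PASSWD, HASH_FROM_SHADOW,
                   SHADOW_DENIED, PRIV_DROP_FAILED };
/* pwconv writes "x" into the passwd hash field once passwords are shadowed. */
int is_shadow_placeholder(const char *pw_passwd) { return strcmp(pw_passwd, "x") == 0; }

/* Copy the hash for user into buf and report where it came from.  A real
 * program would then compare it with crypt(3) of the typed password. */
enum hash_source lookup_hash(const char *user, char *buf, size_t buflen)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return NO_SUCH_USER;
    if (!is_shadow_placeholder(pw->pw_passwd)) {      /* unshadowed system */
        snprintf(buf, buflen, "%s", pw->pw_passwd);
        return HASH_IN_PASSWD;
    }
    errno = 0;
    struct spwd *sp = getspnam(user);                 /* needs SUID/SGID */
    int denied = (sp == NULL && errno == EACCES);
    /* Drop the shadow group right away: nothing after this needs it, so a
     * bug elsewhere in the program cannot be turned into a shadow read. */
    if (setgid(getgid()) != 0)
        return PRIV_DROP_FAILED;
    if (denied)
        return SHADOW_DENIED;  /* the binary is not SUID root or SGID shadow */
    if (sp == NULL)
        return NO_SUCH_USER;   /* in passwd but missing from shadow */
    snprintf(buf, buflen, "%s", sp->sp_pwdp);
    return HASH_FROM_SHADOW;
}

int main(int argc, char **argv)
{
    static const char *why[] = { "no such user", "hash in /etc/passwd",
        "hash from /etc/shadow", "shadow access denied", "group drop failed" };
    char hash[256];
    enum hash_source r = lookup_hash(argc > 1 ? argv[1] : "root", hash, sizeof hash);
    printf("%s\n", why[r]);               /* never print the hash itself */
    return r == HASH_FROM_SHADOW ? 0 : 1;
}
```

Run unprivileged on a shadowed system it reports "shadow access denied"; the same binary
owned root.shadow with mode 2755 (as the xlock section sets) reports "hash from /etc/shadow".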
<P>
<H2><A NAME="ss6.1">6.1 Slackware adduser program</A>
</H2>
<P>Slackware distributions (and possibly some others) contain a interactive
program for adding users called <CODE>/sbin/adduser</CODE>. A shadow version
of this program can be obtained from
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tgz">ftp://sunsite.unc.edu/pub/Linux/ system/Admin/accounts/adduser.shadow-1.4.tar.gz</A>.
<P>I would encourage you to use the programs that are supplied with the
<EM>Shadow Suite</EM> (<CODE>useradd</CODE>, <CODE>usermod</CODE>, and
<CODE>userdel</CODE>) instead of the Slackware <CODE>adduser</CODE> program. They
take a little time to learn how to use, but it's well worth the effort
because you have much more control and they perform proper file locking on
the <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE> files (<CODE>adduser</CODE>
doesn't).
<P>See the section on
<A HREF="Shadow-Password-HOWTO-7.html#sec-work">Putting the Shadow Suite to use</A>
for more information.
<P>But if you gotta have it, here is what you do:
<BLOCKQUOTE><CODE>
<PRE>
tar -xzvf adduser.shadow-1.4.tar.gz
cd adduser
make clean
make adduser
chmod 700 adduser
cp adduser /sbin
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss6.2">6.2 The wu_ftpd Server</A>
</H2>
<P>Most Linux systems come with the <CODE>wu_ftpd</CODE> server. If your
distribution does not come with shadow installed, then your <CODE>wu_ftpd</CODE>
will not be compiled for shadow. <CODE>wu_ftpd</CODE> is launched from
<CODE>inetd/tcpd</CODE> as a <EM>root</EM> process. If you are running an old
<CODE>wu_ftpd</CODE> daemon, you will want to upgrade it anyway because older
ones had a bug that would allow the <EM>root</EM> account to be compromised
(For more info see the
<A HREF="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-wu.ftpd-2.4-Update.html">Linux security home page</A>).
<P>Fortunately, you only need to get the source code and recompile it
with shadow enabled.
<P>If you are not running an ELF system, the <CODE>wu_ftp</CODE> server can be
found on Sunsite as
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-ftpd-2.4-fixed.tar.gz">wu-ftp-2.4-fixed.tar.gz</A><P>Once you retrieve the server, put it in <CODE>/usr/src</CODE>, then type:
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/src
tar -xzvf wu-ftpd-2.4-fixed.tar.gz
cd wu-ftpd-2.4-fixed
cp ./src/config/config.lnx.shadow ./src/config/config.lnx
</PRE>
</CODE></BLOCKQUOTE>
<P>Then edit <CODE>./src/makefiles/Makefile.lnx</CODE>, and change the line:
<BLOCKQUOTE><CODE>
<PRE>
LIBES = -lbsd -support
</PRE>
</CODE></BLOCKQUOTE>
to:
<BLOCKQUOTE><CODE>
<PRE>
LIBES = -lbsd -support -lshadow
</PRE>
</CODE></BLOCKQUOTE>
<P>Now you are ready to run the build script and install:
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/src/wu-ftpd-2.4-fixed
./build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd
</PRE>
</CODE></BLOCKQUOTE>
<P>This uses the Linux shadow configuration file, compiles and installs
the server.
<P>On my Slackware 2.3 system I also had to do the following before running
<CODE>build</CODE>:
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/include/netinet
ln -s in_systm.h in_system.h
cd -
</PRE>
</CODE></BLOCKQUOTE>
<P>Problems have been reported compiling this package under ELF systems, but
the Beta version of the next release works fine.
It can be found as
<A HREF="ftp://tscnet.com/pub/linux/network/ftp/wu-ftpd-2.4.2-beta-10.tar.gz">wu-ftp-2.4.2-beta-10.tar.gz</A><P>Once you retrieve the server, put it in <CODE>/usr/src</CODE>, then type:
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/src
tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
cd wu-ftpd-beta-9
cd ./src/config
</PRE>
</CODE></BLOCKQUOTE>
<P>Then edit <CODE>config.lnx</CODE>, and change:
<BLOCKQUOTE><CODE>
<PRE>
#undef SHADOW_PASSWORD
</PRE>
</CODE></BLOCKQUOTE>
to:
<BLOCKQUOTE><CODE>
<PRE>
#define SHADOW_PASSWORD
</PRE>
</CODE></BLOCKQUOTE>
Then,
<BLOCKQUOTE><CODE>
<PRE>
cd ../makefiles
</PRE>
</CODE></BLOCKQUOTE>
and edit the file <CODE>Makefile.lnx</CODE>
and change:
<BLOCKQUOTE><CODE>
<PRE>
LIBES = -lsupport -lbsd # -lshadow
</PRE>
</CODE></BLOCKQUOTE>
to:
<BLOCKQUOTE><CODE>
<PRE>
LIBES = -lsupport -lbsd -lshadow
</PRE>
</CODE></BLOCKQUOTE>
Then build and install:
<BLOCKQUOTE><CODE>
<PRE>
cd ..
build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd
</PRE>
</CODE></BLOCKQUOTE>
<P>Note that you should check your <CODE>/etc/inetd.conf</CODE> file to make sure
that this is where your wu.ftpd server really lives. It has been reported
that some distributions place the server daemons in different places, and
wu.ftpd in particular may be named something else.
<P>
<H2><A NAME="ss6.3">6.3 Standard ftpd</A>
</H2>
<P>If you are running the standard <CODE>ftpd</CODE> server, I would recommend that
you upgrade to the <CODE>wu_ftpd</CODE> server. Aside from the known bug
discussed above, it's generally thought to be more secure.
<P>If you insist on the standard one, or you need <EM>NIS</EM> support, Sunsite
has
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-shadow-nis.tgz">ftpd-shadow-nis.tgz</A><P>
<H2><A NAME="ss6.4">6.4 pop3d (Post Office Protocol 3)</A>
</H2>
<P>If you need to support the <EM>Post Office Protocol</EM> version 3 (POP3), you
will need to recompile a <CODE>pop3d</CODE> program. <CODE>pop3d</CODE> is normally
run by <CODE>inetd/tcpd</CODE> as <CODE>root</CODE>.
<P>There are two versions available from Sunsite:
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz">pop3d-1.00.4.linux.shadow.tar.gz</A>
and
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz">pop3d+shadow+elf.tar.gz</A><P>Both of these are fairly straightforward to install.
<P>
<H2><A NAME="ss6.5">6.5 xlock</A>
</H2>
<P>If you install the shadow suite, and then run the <EM>X Window System</EM> and
lock the screen without upgrading your <CODE>xlock</CODE>, you will have to use
<CODE>CNTL-ALT-Fx</CODE> to switch to another <EM>tty</EM>, login, and kill the
<CODE>xlock</CODE> process (or use <CODE>CNTL-ALT-BS</CODE> to kill the X server).
Fortunately it's fairly easy to upgrade your <CODE>xlock</CODE> program.
<P>If you are running XFree86 Versions 3.x.x, you are probably using
<CODE>xlockmore</CODE> (which is a great screen-saver in addition to a lock).
This package supports <EM>shadow</EM> with a recompile. If you have an
older <CODE>xlock</CODE>, I recommend that you upgrade to this one.
<P><CODE>xlockmore-3.7.tgz</CODE> is available at:
<A HREF="ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz">ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz</A><P>Basically, this is what you need to do:
<P>Get the <CODE>xlockmore-3.7.tgz</CODE> file, put it in <CODE>/usr/src</CODE> and unpack it:
<BLOCKQUOTE><CODE>
<PRE>
tar -xzvf xlockmore-3.7.tgz
</PRE>
</CODE></BLOCKQUOTE>
<P>Edit the file: <CODE>/usr/X11R6/lib/X11/config/linux.cf</CODE>, and change the line:
<BLOCKQUOTE><CODE>
<PRE>
#define HasShadowPasswd NO
</PRE>
</CODE></BLOCKQUOTE>
to:
<BLOCKQUOTE><CODE>
<PRE>
#define HasShadowPasswd YES
</PRE>
</CODE></BLOCKQUOTE>
<P>Then build the executables:
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/src/xlockmore
xmkmf
make depend
make
</PRE>
</CODE></BLOCKQUOTE>
<P>Then move everything into place and update file ownerships and permissions:
<BLOCKQUOTE><CODE>
<PRE>
cp xlock /usr/X11R6/bin/
cp XLock /var/X11R6/lib/app-defaults/
chown root.shadow /usr/X11R6/bin/xlock
chmod 2755 /usr/X11R6/bin/xlock
chown root.shadow /etc/shadow
chmod 640 /etc/shadow
</PRE>
</CODE></BLOCKQUOTE>
<P>Your xlock will now work correctly.
<P>
<H2><A NAME="ss6.6">6.6 xdm</A>
</H2>
<P><CODE>xdm</CODE> is a program that presents a login screen for X-Windows. Some
systems start <CODE>xdm</CODE> when the system is told to go to a specified run
level (see <CODE>/etc/inittab</CODE>).
<P>With the <EM>Shadow Suite</EM> installed, <CODE>xdm</CODE> will need to be
updated. Fortunately it's fairly easy to upgrade your <CODE>xdm</CODE> program.
<P>
<P><CODE>xdm.tar.gz</CODE> is available at:
<A HREF="ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz">ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz</A><P>Get the <CODE>xdm.tar.gz</CODE> file and put it in <CODE>/usr/src</CODE>, then to
unpack it:
<BLOCKQUOTE><CODE>
<PRE>
tar -xzvf xdm.tar.gz
</PRE>
</CODE></BLOCKQUOTE>
<P>Edit the file: <CODE>/usr/X11R6/lib/X11/config/linux.cf</CODE>, and change the line:
<BLOCKQUOTE><CODE>
<PRE>
#define HasShadowPasswd NO
</PRE>
</CODE></BLOCKQUOTE>
to:
<BLOCKQUOTE><CODE>
<PRE>
#define HasShadowPasswd YES
</PRE>
</CODE></BLOCKQUOTE>
<P>Then build the executables:
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/src/xdm
xmkmf
make depend
make
</PRE>
</CODE></BLOCKQUOTE>
<P>Then move everything into place:
<BLOCKQUOTE><CODE>
<PRE>
cp xdm /usr/X11R6/bin/
</PRE>
</CODE></BLOCKQUOTE>
<P><CODE>xdm</CODE> is run as <EM>root</EM>, so you don't need to change its file
permissions.
<P>
<P>
<H2><A NAME="ss6.7">6.7 sudo</A>
</H2>
<P>The program <CODE>sudo</CODE> allows a system administrator to let users run
programs that would normally require root access. This is handy because it
lets the administrator limit access to the root account itself while still
allowing users to do things like mounting drives.
<P><CODE>sudo</CODE> needs to read passwords because it verifies the users password
when it's invoked. <CODE>sudo</CODE> already runs SUID root, so accessing the
<CODE>/etc/shadow</CODE> file is not a problem.
<P><CODE>sudo</CODE> for the shadow suite is available at:
<A HREF="ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz">ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz</A><P><EM>Warning</EM>: When you install <CODE>sudo</CODE> your <CODE>/etc/sudoers</CODE>
file will be replaced with a default one, so you need to make a backup of it
if you have added anything to the default one. (You could also edit the
Makefile and remove the line that copies the default file to <CODE>/etc</CODE>.)
<P>The package is already set up for shadow, so all that's required is to
recompile the package (put it in <CODE>/usr/src</CODE>):
<BLOCKQUOTE><CODE>
<PRE>
cd /usr/src
tar -xzvf sudo-1.2-shadow.tgz
cd sudo-1.2-shadow
make all
make install
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss6.9">6.9 pppd (Point-to-Point Protocol Server)</A>
</H2>
<P>The pppd server can be set up to use several types of authentication:
<EM>Password Authentication Protocol</EM> (PAP) and <EM>Cryptographic
Handshake Authentication Protocol</EM> (CHAP). The pppd server usually
reads the password strings that it uses from <CODE>/etc/ppp/chap-secrets</CODE>
and/or <CODE>/etc/ppp/pap-secrets</CODE>. If you are using this default behavior
of pppd, it is not necessary to reinstall pppd.
<P>pppd also allows you to use the <EM>login</EM> parameter (either on the
command line, or in the configuration or <CODE>options</CODE> file). If the
<EM>login</EM> option is given, then pppd will use the <CODE>/etc/passwd</CODE>
file for the usernames and passwords for <EM>PAP</EM>. This, of course,
will no longer work once the password file is shadowed. For pppd-1.2.1d
this requires adding code for shadow support.
<P>The example given in the next section is adding shadow support to
<CODE>pppd-1.2.1d</CODE> (an older version of pppd).
<P><CODE>pppd-2.2.0</CODE> already contains shadow support.
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-7.html">Next</A>
<A HREF="Shadow-Password-HOWTO-5.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc6">Contents</A>
</BODY>
</HTML>