<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Getting the Shadow Suite.</TITLE>
<LINK HREF="Shadow-Password-HOWTO-4.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-2.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-4.html">Next</A>
<A HREF="Shadow-Password-HOWTO-2.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. Getting the Shadow Suite.</A></H2>
<H2><A NAME="ss3.1">3.1 History of the Shadow Suite for Linux</A>
</H2>
<P><EM>DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS</EM>
<P>The original <EM>Shadow Suite</EM> was written by <CODE>John F. Haugh II</CODE>.
<P>There are several versions that have been used on Linux systems:
<UL>
<LI><CODE>shadow-3.3.1</CODE> is the original.</LI>
<LI><CODE>shadow-3.3.1-2</CODE> is a Linux-specific patch made by
<A HREF="mailto:flla@stud.uni-sb.de">Florian La Roche &lt;flla@stud.uni-sb.de&gt;</A> and contains some further
enhancements.</LI>
<LI><CODE>shadow-mk</CODE> was specifically packaged for Linux.</LI>
</UL>
<P>The <CODE>shadow-mk</CODE> package contains the <CODE>shadow-3.3.1</CODE> package
distributed by <CODE>John F. Haugh II</CODE> with the <CODE>shadow-3.3.1-2 patch</CODE>
installed, a few fixes made by
<A HREF="mailto:magnus@texas.net">Mohan Kokal &lt;magnus@texas.net&gt;</A>
that make installation a lot easier, a patch by <CODE>Joseph R.M. Zbiciak</CODE>
for <CODE>login1.c</CODE> (login.secure) that eliminates the -f, -h security
holes in /bin/login, and some other miscellaneous patches.
<P>The <CODE>shadow-mk</CODE> package was the <EM>previously</EM> recommended
package, but should be replaced due to a <EM>security problem</EM> with the
<CODE>login</CODE> program.
<P>There are <EM>security problems</EM> with Shadow versions 3.3.1, 3.3.1-2,
and shadow-mk involving the <CODE>login</CODE> program. This <CODE>login</CODE> bug
involves not checking the length of a login name, which lets the buffer
overflow, causing crashes or worse. It has been rumored that this buffer
overflow can allow someone with an account on the system to use this bug and
the shared libraries to gain <EM>root</EM> access. I won't discuss exactly
how this is possible because there are a lot of Linux systems that are
affected, but systems with these <EM>Shadow Suites</EM> installed, and
most pre-ELF distributions <EM>without</EM> the <EM>Shadow Suite</EM>,
are vulnerable!
<P>For more information on this and other Linux security issues, see the
<A HREF="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html">Linux Security home page (Shared Libraries and login Program Vulnerability)</A><P>
<P>
<H2><A NAME="ss3.2">3.2 Where to get the Shadow Suite.</A>
</H2>
<P>The only recommended <EM>Shadow Suite</EM> is still in BETA testing; however,
the latest versions are safe in a production environment and don't contain a
vulnerable <CODE>login</CODE> program.
<P>The package uses the following naming convention:
<BLOCKQUOTE><CODE>
<PRE>
shadow-YYMMDD.tar.gz
</PRE>
</CODE></BLOCKQUOTE>
where <CODE>YYMMDD</CODE> is the issue date of the Suite.
<P>This version will eventually be <EM>Version 3.3.3</EM> when it is released
from Beta testing, and is maintained by
<A HREF="mailto:marekm@i17linuxb.ists.pwr.wroc.pl">Marek Michalkiewicz &lt;marekm@i17linuxb.ists.pwr.wroc.pl&gt;</A>.
It's available as:
<A HREF="ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz">shadow-current.tar.gz</A>.
<P>The following mirror sites have also been established:
<UL>
<LI>
<A HREF="ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz">ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz">ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz">ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz">ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz</A></LI>
</UL>
<P>You should use the currently available version.
<P>You should NOT use a version <EM>older</EM> than <CODE>shadow-960129</CODE> as
they also have the <CODE>login</CODE> security problem discussed above.
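<P>The naming convention and the <CODE>shadow-960129</CODE> cutoff can be checked mechanically before a downloaded archive is unpacked. The script below is an added example, not part of the original HOWTO or of the Shadow Suite; the function names and the two-digit-year pivot (70-99 read as 19YY) are assumptions.

```sh
#!/bin/sh
# Added example: apply this section's version guidance to an archive name.
MIN_SAFE=19960129   # shadow-960129, the oldest release the HOWTO accepts

# Expand YYMMDD to YYYYMMDD so releases dated after 1999 compare correctly.
# Assumption: two-digit years 70-99 mean 19YY, anything else means 20YY.
expand_date() {
    case "${1%????}" in
        [7-9][0-9]) echo "19$1" ;;
        *)          echo "20$1" ;;
    esac
}

# Prints "ok", "vulnerable" or "unknown" for one file name or path.
classify_shadow() {
    name=${1##*/}            # drop any directory part
    name=${name%.tar.gz}
    case "$name" in
        shadow-3.3.1|shadow-3.3.1-2|shadow-mk)
            echo vulnerable; return 0 ;;   # the packages named in section 3.1
        shadow-*) ;;
        *) echo unknown; return 0 ;;       # not a Shadow Suite archive name
    esac
    stamp=${name#shadow-}
    case "$stamp" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo unknown; return 0 ;;       # e.g. shadow-current: no date in the name
    esac
    mm=${stamp#??}; mm=${mm%??}
    dd=${stamp#????}
    case "$mm" in 0[1-9]|1[0-2]) ;; *) echo unknown; return 0 ;; esac
    case "$dd" in 0[1-9]|[12][0-9]|3[01]) ;; *) echo unknown; return 0 ;; esac
    if [ "$(expand_date "$stamp")" -lt "$MIN_SAFE" ]; then
        echo vulnerable
    else
        echo ok
    fi
}

# Classify every name given on the command line.
for f in "$@"; do
    printf '%s\t%s\n' "$f" "$(classify_shadow "$f")"
done
```

<P>An <CODE>unknown</CODE> result for <CODE>shadow-current.tar.gz</CODE> means the issue date has to be read from the dated name of the release it points to.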
<P>When this document refers to the <EM>Shadow Suite</EM> I am referring to
this package. It is assumed that this is the package that you are using.
<P>For reference, I used <CODE>shadow-960129</CODE> to make these installation
instructions.
<P>If you were previously using <CODE>shadow-mk</CODE>, you should upgrade to this
version and rebuild everything that you originally compiled.
<P>
<H2><A NAME="ss3.3">3.3 What is included with the Shadow Suite.</A>
</H2>
<P>The <EM>Shadow Suite</EM> contains replacement programs for:
<P><CODE>su, login, passwd, newgrp, chfn, chsh, and id</CODE>
<P>The package also contains the new programs:
<P><CODE>chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd,
groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv</CODE>
<P>Additionally, the library <CODE>libshadow.a</CODE> is included for writing and/or
compiling programs that need to access user passwords.
<P>Manual pages for the programs are also included.
<P>There is also a configuration file for the login program which will be
installed as <CODE>/etc/login.defs</CODE>.
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-4.html">Next</A>
<A HREF="Shadow-Password-HOWTO-2.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc3">Contents</A>
</BODY>
</HTML>