Hardened Linux From Scratch - Version SVN-20070501

Chapter 6. Installing Basic System Software

6.54. Shadow-4.0.18.1

The Shadow package contains programs for handling passwords in a secure way.

6.54.1. Installation of Shadow

[Note]

Note

If you would like to enforce the use of strong passwords, refer to http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cracklib.html for installing Cracklib prior to building Shadow. Then add --with-libcrack to the configure command below.

The following patch fixes a bug in useradd and usermod, from upstream. See: http://zie.pg.gda.pl/mailman/pipermail/shadow/2006-August/000385.html for more information: 

patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-2.patch

Prepare Shadow for compilation: 

./configure --libdir=/lib --sysconfdir=/etc --enable-shared --without-selinux

The meaning of the configure options:

--without-selinux

Support for selinux is enabled by default, but selinux is not built in a base HLFS system. The configure script will fail if this option is not used.

Disable the installation of the groups program and its man pages, as Coreutils provides a better version: 

sed 's/groups$(EXEEXT) //' -i.orig src/Makefile
find man -name Makefile -exec sed '/groups/d' -i.orig {} \;

Instead of using the default crypt method, use the more secure MD5 method of password encryption, which also allows passwords longer than 8 characters. It is also necessary to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. 

sed -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' -i.orig etc/login.defs
[Note]

Note

If you built Shadow with Cracklib support, run the following: 

sed 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' \
    -i.orig etc/login.defs

Compile the package: 

make
[Important]

Important

The nologin program in this package suffers from the same issues as true and false from Coreutils. An assembly language version of nologin is less vulnerable to issues with the C library. nologin should be used in place of false in /etc/passwd when adding new accounts, such as accounts for network services. The following commands will build an assembly language version of nologin which will be installed with this package: 

cat > src/nologin.S << "EOF"
/* Public Domain - i386 nologin.S */
.section .data
message:
   .ascii "This account is not available.\n"
   len = . - message
.section .text
.globl _start
_start:
   movl $4, %eax
   movl $len, %edx
   movl $message, %ecx
   movl $1, %ebx /* Use "$2" to write to stderr,
                         "$1" for stdout */
   int $0x80
   movl $1, %eax
   movl $1, %ebx
   int $0x80
EOF

rm -v src/nologin
gcc -nostdlib src/nologin.S -o src/nologin

This package does not come with a test suite.

[Important]

Important

If you do not want to install the su from this package, such as if you will be using the su from Section 6.18, “Coreutils-6.7”, then run the following commands to install without su from this package: 

make DESTDIR=$(pwd)/DESTDIR install
find DESTDIR/ -name su.1 -exec rm -v {} \;
rm -v DESTDIR/bin/su
cp -va DESTDIR/* /

To install the whole package, including su: 

make install

Move a misplaced program to its proper location: 

mv -v /usr/bin/passwd /bin

Move Shadow's libraries to more appropriate locations: 

mv -v /lib/libshadow.*a /usr/lib
rm -v /lib/libshadow.so
ln -vsf ../../lib/libshadow.so.0 /usr/lib/libshadow.so

6.54.2. Configuring Shadow

This package contains utilities to add, modify, and delete users and groups; set and change their passwords; and perform other administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. If using Shadow support, keep in mind that programs which need to verify passwords (display managers, FTP programs, pop3 daemons, etc.) must be Shadow-compliant. That is, they need to be able to work with shadowed passwords. You can read more about passwords at http://geodsoft.com/howto/password/.

To enable shadowed passwords, run the following command: 

pwconv

To enable shadowed group passwords, run: 

grpconv

Shadow's stock configuration for the useradd utility is not suitable for LFS systems. Use the following commands to change the default home directory for new users and prevent the creation of mail spool files: 

useradd -D -b /home
sed 's/yes/no/' -i /etc/default/useradd

6.54.3. Setting the root password

Choose a password for user root and set it by running: 

passwd root

6.54.4. Contents of Shadow

Installed programs: chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, grpck, grpconv, grpunconv, lastlog, login, logoutd, newgrp, newusers, nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su, useradd, userdel, usermod, vigr (link to vipw), and vipw
Installed libraries: libshadow.{a,so}

Short Descriptions

chage

Used to change the maximum number of days between obligatory password changes

chfn

Used to change a user's full name and other information

chgpasswd

Used to update group passwords in batch mode

chpasswd

Used to update user passwords in batch mode

chsh

Used to change a user's default login shell

expiry

Checks and enforces the current password expiration policy

faillog

Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count

gpasswd

Is used to add and delete members and administrators to groups

groupadd

Creates a group with the given name

groupdel

Deletes the group with the given name

groupmod

Is used to modify the given group's name or GID

grpck

Verifies the integrity of the group files /etc/group and /etc/gshadow

grpconv

Creates or updates the shadow group file from the normal group file

grpunconv

Updates /etc/group from /etc/gshadow and then deletes the latter

lastlog

Reports the most recent login of all users or of a given user

login

Is used by the system to let users sign on

logoutd

Is a daemon used to enforce restrictions on log-on time and ports

newgrp

Is used to change the current GID during a login session

newusers

Is used to create or update an entire series of user accounts

nologin

Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled

passwd

Is used to change the password for a user or group account

pwck

Verifies the integrity of the password files /etc/passwd and /etc/shadow

pwconv

Creates or updates the shadow password file from the normal password file

pwunconv

Updates /etc/passwd from /etc/shadow and then deletes the latter

sg

Executes a given command while the user's GID is set to that of the given group

su

Runs a shell with substitute user and group IDs

useradd

Creates a new user with the given name, or updates the default new-user information

userdel

Deletes the given user account

usermod

Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.

vigr

Edits the /etc/group or /etc/gshadow files

vipw

Edits the /etc/passwd or /etc/shadow files

libshadow

Contains functions used by most programs in this package