Even though the shadow suite contains replacement programs for most programs that need to access passwords, there are a few additional programs on most systems that require access to passwords.
There is a package of pre-compiled binaries that are compiled for shadow support available on ftp://ftp.texas.net/pub/unix/linux/shadow/shad-bin.tar.gz
This package contains: ftpd, pop2d, pop3d, mesg, wall, finger, and xdm. I can't imagine why finger, wall, or mesg would ever need access to passwords. Also, you don't get the source code, so I don't recommend this package, but its location is included for completeness.
The remainder of this section discusses how to upgrade adduser, wu_ftpd, ftpd, pop3d, xlock, and sudo so that they support the shadow suite.
See the section Adding Shadow Support to a C program for a discussion on how to put shadow support into any other program that needs it (although the program must then be run SUID root or SGID shadow to be able to actually access the shadow file).
Slackware distributions (and possibly some others) contain an interactive program for adding users called /sbin/adduser. A shadow version of this program can be obtained from ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tar.gz.
Installation is simple:
# tar -xzvf adduser.shadow-1.4.tar.gz
# cd adduser.shadow.1.4
# make adduser
# chmod 700 adduser
# make install
Most Linux systems come with the wu_ftpd server. If your distribution does not come with shadow installed, then your wu_ftpd will not be compiled for shadow. wu_ftpd is launched from inetd/tcpd as a root process. If you are running an old wu_ftpd daemon, you will want to upgrade it anyway because older ones had a bug that would allow the root account to be compromised (for more info see the Linux security home page).
Fortunately, you only need to get the source code and recompile it with shadow enabled.
The wu_ftpd server can be found on Sunsite as wu-ftp-2.4-fixed.tar.gz. Once you retrieve the server, put it in /usr/src, then type:
# cd /usr/src
# tar -xzvf wu-ftpd-2.4-fixed.tar.gz
# cd wu-ftpd-2.4-fixed
# cp ./src/config/config.lnx.shadow ./src/config/config.lnx
# ./build lnx
# cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
# cp ./bin/ftpd /usr/sbin/wu.ftpd
This uses the Linux shadow configuration file, compiles and installs the server.
On my Slackware 3.0 system I also had to do the following before running build:
# cd /usr/include/netinet
# ln -s in_systm.h in_system.h
# cd -
If you are running the standard ftpd server, I would recommend that you upgrade to the wu_ftpd server. Aside from the known bug discussed above, it's generally thought to be more secure.
If you insist on the standard one, or you need NIS support, Sunsite has ftpd-shadow-nis.tgz.
If you need to support the Post Office Protocol version 3 (POP3), you will need to recompile a pop3d program. pop3d is normally run by inetd/tcpd as root.
There are two versions available from Sunsite: pop3d-1.00.4.linux.shadow.tar.gz and pop3d+shadow+elf.tar.gz. Both of these are fairly straightforward to install.
If you install the shadow suite, and then run X-windows and lock the screen without upgrading your xlock, you will have to use CNTL-ALT-Fx to switch to another tty, login, and kill the xlock process (or use CNTL-ALT-BS to kill the X server).
Fortunately it's fairly easy to upgrade your xlock program.
If you are running XFree86 Versions 3.x.x, you are probably using xlockmore (which is a great screen-saver in addition to a lock). This package supports shadow with a recompile. If you have an older xlock, I recommend that you upgrade to this one.
xlockmore-3.5.tgz is available at: ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screen-savers/xlockmore-3.5.tgz
Basically, this is what you need to do:
Get the xlockmore-3.5.tgz file, put it in /usr/src, and unpack it:
# tar -xzvf xlockmore-3.5.tgz
Edit the file /usr/X11R6/lib/X11/config/linux.cf, and change the line:
#define HasShadowPasswd NO
to
#define HasShadowPasswd YES
Then build the executables:
# cd /usr/src/xlockmore
# xmkmf
# make depend
# make
Then move everything into place and update file ownerships and permissions:
# cp xlock /usr/X11R6/bin/
# cp XLock /var/X11R6/lib/app-defaults/
# chown root.shadow /usr/X11R6/bin/xlock
# chmod 2755 /usr/X11R6/bin/xlock
# chown root.shadow /etc/shadow
# chmod 640 /etc/shadow
Your xlock will now work correctly.
The program sudo allows a system administrator to let users run programs that would normally require root access. This is handy because it lets the administrator limit access to the root account itself while still allowing users to do things like mounting drives.
sudo needs to read passwords because it verifies the user's password when it's invoked. sudo already runs SUID root, so accessing the /etc/shadow file is not a problem.
sudo for the shadow suite is available at: ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz
The package is already set up for shadow, so all that's required is to recompile the package (put it in /usr/src):
# cd /usr/src
# tar -xzvf sudo-1.2-shadow.tgz
# cd sudo-1.2-shadow
# make all
# make install
imapd is an e-mail server similar to pop3d. imapd comes with the pine e-mail package. The documentation that comes with the package states that the default for Linux systems is to include support for shadow. However, I have found that this is not true. Furthermore, the build script / Makefile combination on this package is something that I just haven't figured out yet, so I was unable to add shadow support for imapd.
If anyone has this figured out, please e-mail me, and I'll include it here.
The pppd server can be set up to use several types of authentication: Password Authentication Protocol (PAP) and Cryptographic Handshake Authentication Protocol (CHAP). The pppd server usually reads the password strings that it uses from /etc/ppp/chap-secrets and/or /etc/ppp/pap-secrets. If you are using this default behavior of pppd, it is not necessary to reinstall pppd.
pppd also allows you to use the login parameter (either on the command line, or in the configuration or options file). If the login option is given, then pppd will use the /etc/passwd file for the username and passwords for PAP. This, of course, will no longer work now that our password file is shadowed. For pppd-1.2.1d this requires adding code for shadow support.
The example given in the next section is adding shadow support to pppd-1.2.1d (an older version of pppd). pppd-2.2.0 already contains shadow support.
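What "adding shadow support" amounts to, for a program like sudo or pppd's login option that verifies a user's password itself, is the lookup below (an added illustration written for this page, not code from the HOWTO, sudo or pppd; the function and status names are assumptions of mine, and a real caller would still run the returned hash through crypt()):

```c
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* Outcomes a login-style caller can act on (names are this example's own). */
enum hash_status { HASH_OK, HASH_NO_USER, HASH_NO_ACCESS, HASH_LOCKED };

/* Once the shadow suite is installed, the password field of /etc/passwd
 * holds a placeholder ("x", sometimes "*" or empty) instead of the hash. */
int is_shadow_placeholder(const char *pw_passwd)
{
    return pw_passwd == NULL || pw_passwd[0] == '\0' ||
           strcmp(pw_passwd, "x") == 0 || strcmp(pw_passwd, "*") == 0;
}

/* Copy the hash to compare against into buf.  A program without shadow
 * support stops at pw_passwd and compares crypt() output with "x", which can
 * never match.  The shadow-aware version falls through to getspnam(), which
 * succeeds only when the process is root or SGID shadow (that is why xlock
 * above is made root.shadow and mode 2755 while /etc/shadow is mode 640). */
enum hash_status resolve_hash(const char *user, char *buf, size_t len)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return HASH_NO_USER;
    if (!is_shadow_placeholder(pw->pw_passwd)) {
        snprintf(buf, len, "%s", pw->pw_passwd);   /* unshadowed system */
        return HASH_OK;
    }
    errno = 0;
    struct spwd *sp = getspnam(user);
    if (sp == NULL)
        return errno == EACCES ? HASH_NO_ACCESS : HASH_NO_USER;
    /* Locked ("!"/"*") or empty entries: refuse rather than accept anything. */
    if (sp->sp_pwdp[0] == '!' || sp->sp_pwdp[0] == '*' || sp->sp_pwdp[0] == '\0')
        return HASH_LOCKED;
    snprintf(buf, len, "%s", sp->sp_pwdp);
    return HASH_OK;   /* caller: strcmp(crypt(clear, buf), buf) == 0 */
}

/* Convenience wrapper when only the outcome matters. */
enum hash_status hash_status_for(const char *user)
{
    char buf[256];
    return resolve_hash(user, buf, sizeof buf);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    enum hash_status st = hash_status_for(user);
    printf("%s: status %d (0 = hash found, 2 = no shadow access)\n", user, (int)st);
    return st == HASH_OK ? 0 : 1;
}
```

Run it as an ordinary user and then as root (or SGID shadow) to see the status change from "no shadow access" to "hash found", which is the difference a recompile with shadow support makes.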