Home Explore Help
Sign In
lfs
/
lfs-book
2
0
Fork 0
Files Issues Pull Requests 0 Wiki
Tree: a985250fa8
Branches Tags
lfs-book
/
chapter06
/
shadowpwd-inst.xml

shadowpwd-inst.xml 4.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. <sect2><title>&nbsp;</title><para>&nbsp;</para></sect2>
    2. 

  2. 

  3. <sect2>
    4. 

  4. <title>Installation of Shadow Password Suite</title>
    5. 

  5. 

  6. <para>The <userinput>login</userinput>, <userinput>getty</userinput> and
    7. 

  7. <userinput>init</userinput> programs (and some others) maintain a number
    8. 

  8. of logfiles to record who are and who were logged in to the system.  These
    9. 

  9. programs, however, don't create these logfiles when they don't exist, so if
    10. 

  10. you want this logging to occur you will have to create the files yourself.
    11. 

  11. To let the Shadow package (that is installed next) detect these files in their
    12. 

  12. proper place, create them now, with their proper permissions:</para>
    13. 

  13. 

  14. <para>Create these files with their proper permissions by running the
    15. 

  15. following commands:</para>
    16. 

  16. 

  17. <para><screen><userinput>touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
    18. 

  18. chmod 644 /var/run/utmp /var/log/{btmp,lastlog,wtmp}</userinput></screen></para>
    19. 

  19. 

  20. <para>The <filename>/var/run/utmp</filename> file lists the users that are
    21. 

  21. currently logged in, the <filename>/var/log/wtmp</filename> file who
    22. 

  22. <emphasis>were</emphasis> logged in and when.
    23. 

  23. The <filename>/var/log/lastlog</filename> file shows for each user when he
    24. 

  24. or she last logged in, and the <filename>/var/log/btmp</filename> lists the
    25. 

  25. bad login attempts.</para>
    26. 

  26. 

  27. <para>Shadow hard-wires the path to the <userinput>passwd</userinput> binary
    28. 

  28. within the binary itself, but does this the wrong way. If a
    29. 

  29. <userinput>passwd</userinput> binary is not present before installing Shadow,
    30. 

  30. the package wrongly assumes it is going to be located at
    31. 

  31. <filename>/bin/passwd</filename>, but then installs it in
    32. 

  32. <filename>/usr/bin/passwd</filename>. This will lead to weird errors about not
    33. 

  33. finding <filename>/bin/passwd</filename>. To work around this bug, create a
    34. 

  34. dummy <filename>passwd</filename> file, so that it gets hard-wired
    35. 

  35. properly:</para>
    36. 

  36. 

  37. <para><screen><userinput>touch /usr/bin/passwd</userinput></screen></para>
    38. 

  38. 

  39. <para>The current shadow suite has a problem in the newgrp command which causes
    40. 

  40. it to fail.  The following patch (also appearing in Shadow's CVS code) fixes
    41. 

  41. this problem.</para>
    42. 

  42. 

  43. <para><screen><userinput>patch -Np1 -i ../shadow-&shadow-patch-version;.patch
    44. 

  44. </userinput></screen></para>
    45. 

  45. 

  46. <para>Now prepare Shadow for compilation:</para>
    47. 

  47. 

  48. <para><screen><userinput>./configure --prefix=/usr --libdir=/usr/lib --enable-shared</userinput></screen></para>
    49. 

  49. 

  50. <para>Compile the package:</para>
    51. 

  51. 

  52. <para><screen><userinput>make</userinput></screen></para>
    53. 

  53. 

  54. <para>And install it:</para>
    55. 

  55. 

  56. <para><screen><userinput>make install</userinput></screen></para>
    57. 

  57. 

  58. <para>Shadow uses two files to configure authentication settings for the
    59. 

  59. system. Install these two config files:</para>
    60. 

  60. 

  61. <para><screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen></para>
    62. 

  62. 

  63. <para>We want to change the password method to enable MD5 passwords which are
    64. 

  64. theoretically more secure than the default "crypt" method and also allow
    65. 

  65. password lengths greater than 8 characters. We also need to change the old
    66. 

  66. <filename class="directory">/var/spool/mail</filename> location for user
    67. 

  67. mailboxes to the current location at
    68. 

  68. <filename class="directory">/var/mail</filename>. We do this by changing the
    69. 

  69. relevant configuration file while copying it to its destination:</para>
    70. 

  70. 

  71. <para><screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \
    72. 

  72. &nbsp;&nbsp;&nbsp;&nbsp;-e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
    73. 

  73. &nbsp;&nbsp;&nbsp;&nbsp;etc/login.defs.linux &gt; /etc/login.defs</userinput></screen></para>
    74. 

  74. 

  75. <note><para>Be extra careful when typing all of the above. It is probably safer
    76. 

  76. to cut-and-paste it rather than try and type it all in.</para></note>
    77. 

  77. 

  78. <para>According to the man page of <userinput>vipw</userinput>, a
    79. 

  79. <userinput>vigr</userinput> program should exist too. Since the installation
    80. 

  80. procedure doesn't create this program, create a symlink manually:</para>
    81. 

  81. 

  82. <para><screen><userinput>ln -s vipw /usr/sbin/vigr</userinput></screen></para>
    83. 

  83. 

  84. <para>As the <filename>/bin/vipw</filename> symlink is redundant (and even
    85. 

  85. pointing to a non-existent file), remove it:</para>
    86. 

  86. 

  87. <para><screen><userinput>rm /bin/vipw</userinput></screen></para>
    88. 

  88. 

  89. <para>Now move the <userinput>sg</userinput> program to its proper place:</para>
    90. 

  90. 

  91. <para><screen><userinput>mv /bin/sg /usr/bin</userinput></screen></para>
    92. 

  92. 

  93. <para>And move Shadow's dynamic libraries to a more appropriate location:</para>
    94. 

  94. 

  95. <para><screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen></para>
    96. 

  96. 

  97. <para>As some packages expect to find the just-moved libraries in
    98. 

  98. <filename>/usr/lib</filename>, create the following symlinks:</para>
    99. 

  99. 

  100. <para><screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
    101. 

  101. ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen></para>
    102. 

  102. 

  103. <para>Coreutils has already installed a <userinput>groups</userinput> program
    104. 

  104. in <filename>/usr/bin</filename>. If you wish, you can remove the one
    105. 

  105. installed by Shadow:</para>
    106. 

  106. 

  107. <para><screen><userinput>rm /bin/groups</userinput></screen></para>
    108. 

  108. 

  109. </sect2>
    110. 

  110.