DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
The original Shadow Suite was written by John F. Haugh II.
There are several versions that have been used on Linux systems:
shadow-3.3.1 is the original.
shadow-3.3.1-2 is a Linux-specific patch made by Florian La Roche <flla@stud.uni-sb.de> and contains some further enhancements.
shadow-mk was specifically packaged for Linux. The shadow-mk package contains the shadow-3.3.1 package distributed by John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes made by Mohan Kokal <magnus@texas.net> that make installation a lot easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure) that eliminates the -f and -h security holes in /bin/login, and some other miscellaneous patches.
The shadow-mk package was the previously recommended package, but should be replaced due to a security problem with the login program.
There are security problems with Shadow versions 3.3.1, 3.3.1-2, and shadow-mk involving the login program. The bug is that login does not check the length of the login name, so an over-long name overflows a fixed-size buffer, causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug together with the shared libraries to gain root access. I won't discuss exactly how this is possible because a lot of Linux systems are affected: systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite, are vulnerable!
For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability)
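The missing length check described above, as an added C example that is not part of the Shadow Suite or of this document: a login-name read that refuses over-long input before writing anything into its fixed-size buffer. The LOGIN_NAME_MAX value and the allowed character set are assumptions made for the example.

```c
/* Added example (not from the Shadow Suite): a bounded read of a login
 * name, i.e. the length check the old login program lacked. LOGIN_NAME_MAX
 * and the allowed character set are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define LOGIN_NAME_MAX 32

/* Copy a login name into dst (dstsz bytes). Returns 1 on success, 0 if the
 * name is empty, too long for the buffer, or holds characters a login name
 * should not. Nothing is written unless the name fits, so an over-long
 * name cannot overrun dst the way it overran login's fixed-size buffer. */
int read_login_name(char *dst, size_t dstsz, const char *name)
{
    size_t n = 0;
    while (n < dstsz && name[n] != '\0') n++;  /* scan at most dstsz bytes */
    if (n == 0 || n >= dstsz) return 0;        /* empty, or no room for NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    memcpy(dst, name, n + 1);
    return 1;
}

/* Wrappers that own the fixed-size buffer, as login would. */
int accepts_name(const char *name)
{
    char buf[LOGIN_NAME_MAX];
    return read_login_name(buf, sizeof buf, name);
}

int accepts_name_of_length(size_t len)      /* a name of len letters 'a' */
{
    char name[256];
    if (len >= sizeof name) return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    return accepts_name(name);
}

int main(void)
{
    printf("alice     -> %s\n", accepts_name("alice") ? "accepted" : "rejected");
    printf("32 x 'a'  -> %s\n", accepts_name_of_length(32) ? "accepted" : "rejected");
    printf("200 x 'a' -> %s\n", accepts_name_of_length(200) ? "accepted" : "rejected");
    return 0;
}
```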
The only recommended Shadow Suite is still in BETA testing; however, the latest versions are safe in a production environment and don't contain a vulnerable login program.
The package uses the following naming convention: shadow-YYMMDD.tar.gz, where YYMMDD is the issue date of the Suite.
This version will eventually be Version 3.3.3 when it is released from Beta testing, and is maintained by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>. It's available as: shadow-current.tar.gz.
The following mirror sites have also been established:
You should use the currently available version. You should NOT use a version older than shadow-960129, as older versions also have the login security problem discussed above.
When this document refers to the Shadow Suite, I am referring to this package. It is assumed that this is the package you are using.
For reference, I used shadow-960129 to make these installation instructions.
If you were previously using shadow-mk, you should upgrade to this version and rebuild everything that you originally compiled.
The Shadow Suite contains replacement programs for:
su, login, passwd, newgrp, chfn, chsh, and id
The package also contains the new programs:
chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv
Additionally, the library libshadow.a is included for writing and/or compiling programs that need to access user passwords.
Manual pages for the programs are also included.
There is also a configuration file for the login program, which will be installed as /etc/login.defs.