Linux Shadow Password HOWTO

3. Getting the Shadow Suite.

3.1 History of the Shadow Suite for Linux

DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS

The original Shadow Suite was written by John F. Haugh II.

There are several versions that have been used on Linux systems:

  • shadow-3.3.1 is the original.
  • shadow-3.3.1-2 is a Linux-specific patch made by Florian La Roche <flla at stud.uni-sb.de> and contains some further enhancements.
  • shadow-mk was specifically packaged for Linux.

The shadow-mk package contains the shadow-3.3.1 package distributed by John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes made by Mohan Kokal <magnus at texas.net> that make installation a lot easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.

The shadow-mk package was the previously recommended package, but should be replaced due to a security problem with the login program.

There are security problems with Shadow versions 3.3.1, 3.3.1-2, and shadow-mk involving the login program. The login program does not check the length of a login name, so an overlong name overflows the buffer, causing crashes or worse. It has been rumored that someone with an account on the system can use this buffer overflow, together with the shared libraries, to gain root access. I won't discuss exactly how this is possible because there are a lot of Linux systems that are affected, but systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite, are vulnerable!

For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability).
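The missing check described above (a login name stored without testing its length), shown from the defensive side as an added example. This is not code from the Shadow Suite or from this HOWTO; `NAME_MAX_LEN`, `read_login_name`, `nth_name_status` and the sample inputs are hypothetical names and constructed data chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define NAME_MAX_LEN 32  /* assumed limit for this example */
enum { NAME_OK = 0, NAME_EMPTY = -1, NAME_TOO_LONG = -2 };
char demo_out[NAME_MAX_LEN + 1];  /* destination buffer for the demo */
/* Read one login name from `in` into `out` (capacity `cap`). An overlong
   name is rejected rather than truncated, because truncation could turn
   an invalid name into a different, valid account name. */
int read_login_name(FILE *in, char *out, size_t cap)
{
    char line[NAME_MAX_LEN + 2];  /* name + '\n' + NUL */
    size_t len;
    int c;
    if (cap == 0 || fgets(line, sizeof line, in) == NULL)
        return NAME_EMPTY;
    out[0] = '\0';
    len = strcspn(line, "\n");
    if (line[len] != '\n' && !feof(in)) {
        /* Line did not fit: discard the rest so it is not read later. */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        return NAME_TOO_LONG;
    }
    if (len == 0) return NAME_EMPTY;
    if (len >= cap) return NAME_TOO_LONG;  /* would not fit with its NUL */
    memcpy(out, line, len);
    out[len] = '\0';
    return NAME_OK;
}

/* Demo helper: status of the n-th read (n >= 1) over constructed text. */
int nth_name_status(const char *text, int n, char *out, size_t cap)
{
    FILE *f = tmpfile();
    int rc = NAME_EMPTY;
    if (f == NULL) return rc;
    fputs(text, f);
    rewind(f);
    while (n-- > 0) rc = read_login_name(f, out, cap);
    fclose(f);
    return rc;
}

int main(void)
{
    const char *in = "0123456789abcdef0123456789abcdef01234567\nbob\n";  /* constructed */
    int first = nth_name_status(in, 1, demo_out, sizeof demo_out);
    int second = nth_name_status(in, 2, demo_out, sizeof demo_out);
    printf("first=%d second=%d name=%s\n", first, second, demo_out);
    return 0;
}
```

The overlong first line is refused and fully consumed, so the second read sees only the next line instead of the leftover bytes.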

3.2 Where to get the Shadow Suite.

The only recommended Shadow Suite is still in BETA testing; however, the latest versions are safe in a production environment and don't contain a vulnerable login program.

The package uses the following naming convention:

shadow-YYMMDD.tar.gz
where YYMMDD is the issue date of the Suite.

This version will eventually be Version 3.3.3 when it is released from Beta testing, and is maintained by Marek Michalkiewicz <marekm at i17linuxb.ists.pwr.wroc.pl>. It's available as: shadow-current.tar.gz.

The following mirror sites have also been established:

You should use the currently available version.

You should NOT use a version older than shadow-960129, as older versions also have the login security problem discussed above.

When this document refers to the Shadow Suite, I am referring to this package. It is assumed that this is the package that you are using.

For reference, I used shadow-960129 to make these installation instructions.

If you were previously using shadow-mk, you should upgrade to this version and rebuild everything that you originally compiled.

3.3 What is included with the Shadow Suite.

The Shadow Suite contains replacement programs for:

su, login, passwd, newgrp, chfn, chsh, and id

The package also contains the new programs:

chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv

Additionally, the library libshadow.a is included for writing and/or compiling programs that need to access user passwords.

Manual pages for the programs are also included.

There is also a configuration file for the login program which will be installed as /etc/login.defs.

