DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
The original Shadow Suite was written by John F. Haugh II
.
There are several versions that have been used on Linux systems:
shadow-3.3.1
is the original.shadow-3.3.1-2
is Linux specific patch made by
Florian La Roche <flla@stud.uni-sb.de> and contains some further
enhancements.shadow-mk
was specifically packaged for Linux.The shadow-mk
package contains the shadow-3.3.1
package
distributed by John F. Haugh II
with the shadow-3.3.1-2 patch
installed, a few fixes made by
Mohan Kokal <magnus@texas.net>
that make installation a lot easier, a patch by Joseph R.M. Zbiciak
for login1.c
(login.secure) that eliminates the -f, -h security
holes in /bin/login, and some other miscellaneous patches.
The shadow.mk
package was the previously recommended
package, but should be replaced due to a security problem with the
login
program.
There are security problems with Shadow versions 3.3.1, 3.3.1-2,
and shadow-mk involving the login
program. This login
bug
involves not checking the length of a login name. This causes the buffer to
overflow causing crashes or worse. It has been rumored that this buffer
overflow can allow someone with an account on the system to use this bug and
the shared libraries to gain root access. I won't discuss exactly
how this is possible because there are a lot of Linux systems that are
affected, but systems with these Shadow Suites installed, and
most pre-ELF distributions without the Shadow Suite
are vulnerable!
For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability)
目前建議 Shadow Suite 版本目前還是 BETA 測試版,然後,最近版本在生產環境
是安全的且沒有包含易受攻擊的 簽入(login)
程式。
該套件(package)使用慣例命名為:
shadow-YYMMDD.tar.gz
其中 YYMMDD
是Suite 的發行日期。
目前 BETA 測試版本是 Version 3.3.3 ,且由 Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> 維護。
還可以從該處得到: shadow-current.tar.gz.
下列網站也可以找到相關資訊:
你應該可以獲得目前最新的版本。
你應該不要是用比 shadow-960129
更舊版本,因為它們有 簽入
的安全問題。
於參考資料方面,我用 shadow-960129
檔進行安裝介紹。
如果你之前使用 shadow-mk
,你應該更信這個版本且重建編譯。
Shadow Suite 包括對下列功能之替代程式:
su, login, passwd, newgrp, chfn, chsh, and id
該套件還包括新程式:
chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd,
groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv
除此之外,函式庫: libshadow.a
也包括需要存取使用者密碼之寫和編譯程式。
程式之操作手冊也包含在其中。
也有對簽入程式的 configuration file ,它將被安裝在 /etc/login.defs
檔。