Linux Shadow-Password-HOWTO - 3. Getting the Shadow Suite


Published: 2023-06-25
 

History of the Shadow Suite for Linux

DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS!

The original Shadow Suite was written by John F. Haugh II.

There are several versions that have been used on Linux systems:

shadow is the original.

shadow is a Linux-specific patch made by Florian La Roche and contains some further enhancements.

shadow-mk was specifically packaged for Linux.

The shadow-mk package contains the shadow package distributed by John F. Haugh II with the shadow patch installed, a few fixes made by Mohan Kokal that make installation a lot easier, a patch by Joseph R.M. Zbiciak for loginc (loginsecure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.

The shadow-mk package was the previously recommended package, but should be replaced due to a security problem with the login program.

There are security problems with Shadow versions and shadow-mk involving the login program. This login bug involves not checking the length of a login name. This causes the buffer to overflow, causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug and the shared libraries to gain root access. I won't discuss exactly how this is possible because there are a lot of Linux systems that are affected, but systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite, are vulnerable!

For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability).
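The flaw described above is a missing length check on the login name. As an added illustration (not code from the Shadow Suite or from this HOWTO), the following C function reads a name into a fixed buffer and rejects over-long input instead of overflowing or truncating; the 32-character limit, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 33  /* 32 characters + NUL; limit assumed for this example */

/* Unsafe pattern, for contrast: gets(name) or scanf("%s", name). */
/* Reads one line from `in` as a login name.
 * Returns 0 on success, -1 on EOF or an empty name, -2 if too long.
 * An over-long name is rejected, not truncated (a truncated name could
 * match a different account), and the rest of the line is discarded so
 * it is not taken as the answer to the next prompt. */
int read_login_name(FILE *in, char *dst, size_t dstsize)
{
    int c;
    size_t len;
    if (dstsize < 2 || fgets(dst, (int)dstsize, in) == NULL)
        return -1;
    len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';              /* complete line: strip newline */
    } else if ((c = fgetc(in)) != '\n' && c != EOF) {
        while ((c = fgetc(in)) != '\n' && c != EOF)
            ;                         /* discard the rest of the line */
        dst[0] = '\0';
        return -2;
    }
    return len > 0 ? 0 : -1;
}

/* Feeds a constructed input string to read_login_name via a temp file. */
int try_name(const char *input, char *dst, size_t dstsize)
{
    FILE *f = tmpfile();
    int rc;
    if (f == NULL) return -3;
    fputs(input, f);
    rewind(f);
    rc = read_login_name(f, dst, dstsize);
    fclose(f);
    return rc;
}

int main(void)
{
    char name[NAME_BUF];              /* inputs below are constructed */
    printf("%d\n", try_name("alice\n", name, sizeof name));
    printf("%d\n", try_name("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", name, sizeof name));
    return 0;
}
```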

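Where to get the Shadow Suite

The currently recommended Shadow Suite is still in BETA testing; however, the latest versions are safe in production environments and do not contain a vulnerable login program.

The package uses the following naming convention:

shadow-YYMMDD.tar.gz

where YYMMDD is the issue date of the Suite.

The current BETA version is Version and is maintained by Marek Michalkiewicz.

It is also available from that location as shadow-current.tar.gz.

Related information can also be found at the following sites: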

ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz

ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz

ftp:///usr/ggallag/shadow/shadow-current.tar.gz

ftp:///pub/linux/shadow/shadow-current.tar.gz

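You should get the latest version currently available.

You should NOT use a version older than shadow, because older versions have the login security problem.

As a reference, I used shadow to write the installation instructions.

If you were previously using shadow-mk, you should upgrade to this version and rebuild everything.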

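What is included with the Shadow Suite?

The Shadow Suite contains replacement programs for:

su, login, passwd, newgrp, chfn, chsh, and id

The package also contains the new programs:

chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv

In addition, the library libshadow.a is included for writing and compiling programs that need to access user passwords.

Manual pages for the programs are also included.

There is also a configuration file for the login program, which will be installed as /etc/login.defs.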
