mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-02-01 04:52:12 +08:00
410e228bb9
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@7431 af4574ff-66df-0310-9fd7-8a98e5e911e0
615 lines
24 KiB
XML
615 lines
24 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
|
|
<!-- <!ENTITY shadow-download-http "http://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2"> -->
|
|
<!-- <!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2"> -->
|
|
<!-- <!ENTITY shadow-download-http "http://cross-lfs.org/files/packages/svn/shadow-&shadow-version;.tar.bz2"> -->
|
|
<!ENTITY shadow-download-http "http://anduin.linuxfromscratch.org/sources/LFS/lfs-packages/development/shadow-&shadow-version;.tar.bz2">
|
|
<!ENTITY shadow-download-ftp " ">
|
|
<!ENTITY shadow-md5sum "e7751d46ecf219c07ae0b028ab3335c6">
|
|
<!ENTITY shadow-size "1.5 MB">
|
|
<!ENTITY shadow-buildsize "18 MB">
|
|
<!ENTITY shadow-time "0.3 SBU">
|
|
]>
|
|
|
|
<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
|
<?dbhtml filename="shadow.html"?>
|
|
|
|
<sect1info>
|
|
<othername>$LastChangedBy$</othername>
|
|
<date>$Date$</date>
|
|
</sect1info>
|
|
|
|
<title>Shadow-&shadow-version;</title>
|
|
|
|
<indexterm zone="shadow">
|
|
<primary sortas="a-Shadow">Shadow</primary>
|
|
</indexterm>
|
|
|
|
<sect2 role="package">
|
|
<title>Introduction to Shadow</title>
|
|
|
|
<para><application>Shadow</application> was indeed installed in LFS and
|
|
there is no reason to reinstall it unless you installed
|
|
<application>CrackLib</application> or
|
|
<application>Linux-PAM</application> after your LFS system was completed.
|
|
If you have installed <application>CrackLib</application> after LFS, then
|
|
reinstalling <application>Shadow</application> will enable strong password
|
|
support. If you have installed <application>Linux-PAM</application>,
|
|
reinstalling <application>Shadow</application> will allow programs such as
|
|
<command>login</command> and <command>su</command> to utilize PAM.</para>
|
|
|
|
<bridgehead renderas="sect3">Package Information</bridgehead>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download MD5 sum: &shadow-md5sum;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Download size: &shadow-size;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Estimated disk space required: &shadow-buildsize;</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Estimated build time: &shadow-time;</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
|
<itemizedlist spacing='compact'>
|
|
<listitem>
|
|
<para>Required patch: <ulink
|
|
url="&patch-root;/shadow-&shadow-version;-useradd_fix-2.patch"/></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
|
|
|
<bridgehead renderas="sect4">Required</bridgehead>
|
|
<para role="required"><xref linkend="linux-pam"/> and/or
|
|
<xref linkend="cracklib"/></para>
|
|
|
|
<para condition="html" role="usernotes">User Notes:
|
|
<ulink url="&blfs-wiki;/shadow"/></para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="installation">
|
|
<title>Installation of Shadow</title>
|
|
|
|
<important>
|
|
<para>The installation shown below is for a situation where
|
|
<application>Linux-PAM</application> has been installed (with or
|
|
without a <application>CrackLib</application> installation) and
|
|
<application>Shadow</application> is being reinstalled to support the
|
|
<application>Linux-PAM</application> installation. If you are
|
|
reinstalling <application>Shadow</application> to provide strong
|
|
password support via the <application>CrackLib</application> library
|
|
and you have not installed <application>Linux-PAM</application>, ensure
|
|
you add the <parameter>--with-libcrack</parameter> parameter to the
|
|
<command>configure</command> script below.</para>
|
|
</important>
|
|
|
|
<para>Reinstall <application>Shadow</application> by running the following
|
|
commands:</para>
|
|
|
|
<screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-useradd_fix-2.patch &&
|
|
|
|
./configure --libdir=/lib \
|
|
--sysconfdir=/etc \
|
|
--enable-shared \
|
|
--without-selinux &&
|
|
|
|
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
|
|
find man -name Makefile -exec sed -i 's/groups\.1 / /' {} \; &&
|
|
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile &&
|
|
|
|
for i in de es fi fr id it pt_BR; do
|
|
convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
|
|
done &&
|
|
|
|
for i in cs hu pl; do
|
|
convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
|
|
done &&
|
|
|
|
convert-mans UTF-8 EUC-JP man/ja/*.? &&
|
|
convert-mans UTF-8 KOI8-R man/ru/*.? &&
|
|
convert-mans UTF-8 ISO-8859-9 man/tr/*.? &&
|
|
|
|
make</userinput></screen>
|
|
|
|
<para>This package does not come with a test suite.</para>
|
|
|
|
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
|
|
|
<screen role="root"><userinput>make install &&
|
|
mv -v /usr/bin/passwd /bin &&
|
|
mv -v /lib/libshadow.*a /usr/lib &&
|
|
rm -v /lib/libshadow.so &&
|
|
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="commands">
|
|
<title>Command Explanations</title>
|
|
|
|
<!-- Removed the -with-libpam and -without-libcrack options from the
|
|
default as these are the defaults. Pam will automatically be picked
|
|
up if it is installed, and CrackLib won't be used unless specifically
|
|
requested via -with-libcrack
|
|
<para><parameter>-without-libcrack</parameter>: This switch tells
|
|
<application>Shadow</application> not to use
|
|
<filename class='libraryfile'>libcrack</filename>. This is desired as
|
|
<application>Linux-PAM</application> will provide
|
|
<filename class='libraryfile'>libcrack</filename> functionality.</para>
|
|
-->
|
|
|
|
<para><parameter>--without-selinux</parameter>: Support for selinux is
|
|
enabled by default, but selinux is not built in a base LFS system. The
|
|
<command>configure</command> script will fail if this option is not
|
|
used.</para>
|
|
|
|
<para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile</command>: This
|
|
command is used to suppress the installation of the
|
|
<command>groups</command> program as the version from the
|
|
<application>Coreutils</application> package installed during LFS is
|
|
preferred.</para>
|
|
|
|
<para><command>find man -name Makefile -exec ... {} \;</command>: This
|
|
command is used to suppress the installation of the
|
|
<command>groups</command> man pages so the existing ones installed from
|
|
the <application>Coreutils</application> package are not replaced.</para>
|
|
|
|
<para><command>sed -i -e '...' -e '...' man/Makefile</command>: This
|
|
command disables the installation of Chinese and Korean manual pages, since
|
|
<application>Man-DB</application> cannot format them properly.</para>
|
|
|
|
<para><command>convert-mans ...</command>: These commands are used to
|
|
convert some of the man pages so that <application>Man-DB</application>
|
|
will display them in the expected encodings.</para>
|
|
|
|
<para><command>mv -v /usr/bin/passwd /bin</command>: The
|
|
<command>passwd</command> program may be needed during times when the
|
|
<filename class='directory'>/usr</filename> filesystem is not mounted so
|
|
it is moved into the root partition.</para>
|
|
|
|
<para><command>mv -v ...; rm -v ...; ln -v ...</command>: These commands
|
|
are used to move the <filename class='libraryfile'>libshadow</filename>
|
|
library to the root partition to support the moving of the
|
|
<command>passwd</command> program earlier.</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Configuring Shadow</title>
|
|
|
|
<para><application>Shadow</application>'s stock configuration for the
|
|
<command>useradd</command> utility is not suitable for LFS systems. Use the
|
|
following commands as the <systemitem class="username">root</systemitem>
|
|
user to change the default home directory for new users and prevent the
|
|
creation of mail spool files:</para>
|
|
|
|
<screen role="root"><userinput>useradd -D -b /home &&
|
|
sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Configuring Linux-PAM to Work with Shadow</title>
|
|
|
|
<note>
|
|
<para>The rest of this page is devoted to configuring
|
|
<application>Shadow</application> to work properly with
|
|
<application>Linux-PAM</application>. If you do not have
|
|
<application>Linux-PAM</application> installed, and you reinstalled
|
|
<application>Shadow</application> to support strong passwords via
|
|
the <application>CrackLib</application> library, no further configuration
|
|
is required.</para>
|
|
</note>
|
|
|
|
<sect3 id="pam.d">
|
|
<title>Config Files</title>
|
|
|
|
<para><filename>/etc/pam.d/*</filename> or alternatively
|
|
<filename>/etc/pam.conf, /etc/login.defs and
|
|
/etc/security/*</filename></para>
|
|
|
|
<indexterm zone="shadow pam.d">
|
|
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
|
</indexterm>
|
|
|
|
<indexterm zone="shadow pam.d">
|
|
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
|
</indexterm>
|
|
|
|
<indexterm zone="shadow pam.d">
|
|
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
|
</indexterm>
|
|
|
|
<indexterm zone="shadow pam.d">
|
|
<primary sortas="e-etc-security">/etc/security/*</primary>
|
|
</indexterm>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Configuration Information</title>
|
|
|
|
<para>Configuring your system to use <application>Linux-PAM</application>
|
|
can be a complex task. The information below will provide a basic setup
|
|
so that <application>Shadow</application>'s login and password
|
|
functionality will work effectively with
|
|
<application>Linux-PAM</application>. Review the information and links on
|
|
the <xref linkend="linux-pam"/> page for further configuration
|
|
information. For information specific to integrating
|
|
<application>Shadow</application>, <application>Linux-PAM</application>
|
|
and <application>CrackLib</application>, you can visit the following
|
|
links:</para>
|
|
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para><ulink
|
|
url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><ulink
|
|
url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<sect4 id="pam-login-defs">
|
|
<title>Configuring /etc/login.defs</title>
|
|
|
|
<para>The <command>login</command> program currently performs many
|
|
functions which <application>Linux-PAM</application> modules should
|
|
now handle. The following <command>sed</command> command will comment
|
|
out the appropriate lines in <filename>/etc/login.defs</filename>, and
|
|
stop <command>login</command> from performing these functions (a backup
|
|
file named <filename>/etc/login.defs.orig</filename> is also created
|
|
to preserve the original file's contents). Issue the following commands
|
|
as the <systemitem class="username">root</systemitem> user:</para>
|
|
|
|
<indexterm zone="shadow pam-login-defs">
|
|
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
|
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
|
|
PORTTIME_CHECKS_ENAB CONSOLE \
|
|
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
|
|
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
|
|
CONSOLE_GROUPS ENVIRON_FILE \
|
|
ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
|
|
ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
|
|
CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
|
|
OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
|
PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE
|
|
do
|
|
sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
|
done</userinput></screen>
|
|
|
|
<!-- Moved the commenting of these four parameters into the section
|
|
above. If PAM is installed, it complains if these are not commented
|
|
regardless if CrackLib is installed.
|
|
|
|
<para>If you have <application>CrackLib</application> installed,
|
|
also comment out four more lines using the following command as the
|
|
<systemitem class="username">root</systemitem> user:</para>
|
|
|
|
<screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
|
PASS_CHANGE_TRIES PASS_ALWAYS_WARN
|
|
do
|
|
sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
|
done</userinput></screen>
|
|
|
|
-->
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>Configuring the /etc/pam.d/ Files</title>
|
|
|
|
<para>As mentioned previously in the
|
|
<application>Linux-PAM</application> instructions,
|
|
<application>Linux-PAM</application> has two supported methods for
|
|
configuration. The commands below assume that you've chosen to use
|
|
a directory based configuration, where each program has its own
|
|
configuration file. You can optionally use a single
|
|
<filename>/etc/pam.conf</filename> configuration file by using the
|
|
text from the files below, and supplying the program name as an
|
|
additional first field for each line.</para>
|
|
|
|
<para>As the <systemitem class="username">root</systemitem> user,
|
|
create the <filename class="directory">/etc/pam.d</filename>
|
|
directory with the following command:</para>
|
|
|
|
<screen role="root"><userinput>install -v -d -m755 /etc/pam.d</userinput></screen>
|
|
|
|
<para>While still the <systemitem class="username">root</systemitem>
|
|
user, add the following <application>Linux-PAM</application>
|
|
configuration files to the
|
|
<filename class="directory">/etc/pam.d/</filename> directory (or
|
|
add the contents to the <filename>/etc/pam.conf</filename> file) with
|
|
the following commands:</para>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'login' (with CrackLib)</title>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
|
<literal># Begin /etc/pam.d/login
|
|
|
|
auth requisite pam_nologin.so
|
|
auth required pam_securetty.so
|
|
auth required pam_unix.so
|
|
account required pam_access.so
|
|
account required pam_unix.so
|
|
session required pam_env.so
|
|
session required pam_motd.so
|
|
session required pam_limits.so
|
|
session optional pam_mail.so dir=/var/mail standard
|
|
session optional pam_lastlog.so
|
|
session required pam_unix.so
|
|
password required pam_cracklib.so retry=3
|
|
password required pam_unix.so md5 shadow use_authtok
|
|
|
|
# End /etc/pam.d/login</literal>
|
|
EOF</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'login' (without CrackLib)</title>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
|
<literal># Begin /etc/pam.d/login
|
|
|
|
auth requisite pam_nologin.so
|
|
auth required pam_securetty.so
|
|
auth required pam_env.so
|
|
auth required pam_unix.so
|
|
account required pam_access.so
|
|
account required pam_unix.so
|
|
session required pam_motd.so
|
|
session required pam_limits.so
|
|
session optional pam_mail.so dir=/var/mail standard
|
|
session optional pam_lastlog.so
|
|
session required pam_unix.so
|
|
password required pam_unix.so md5 shadow
|
|
|
|
# End /etc/pam.d/login</literal>
|
|
EOF</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'passwd' (with CrackLib)</title>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
|
<literal># Begin /etc/pam.d/passwd
|
|
|
|
password required pam_cracklib.so type=Linux retry=1 \
|
|
difok=5 diffignore=23 minlen=9 \
|
|
dcredit=1 ucredit=1 lcredit=1 \
|
|
ocredit=1 \
|
|
dictpath=/lib/cracklib/pw_dict
|
|
password required pam_unix.so md5 shadow use_authtok
|
|
|
|
# End /etc/pam.d/passwd</literal>
|
|
EOF</userinput></screen>
|
|
|
|
<note><para>In its default configuration, owing to credits,
|
|
pam_cracklib will allow multiple case passwords as short as 6
|
|
characters, even with the <parameter>minlen</parameter> value
|
|
set to 11. You should review the pam_cracklib(8) man page and
|
|
determine if these default values are acceptable for the security
|
|
of your system.</para></note>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'passwd' (without CrackLib)</title>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
|
<literal># Begin /etc/pam.d/passwd
|
|
|
|
password required pam_unix.so md5 shadow
|
|
|
|
# End /etc/pam.d/passwd</literal>
|
|
EOF</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'su'</title>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
|
<literal># Begin /etc/pam.d/su
|
|
|
|
auth sufficient pam_rootok.so
|
|
auth required pam_unix.so
|
|
account required pam_unix.so
|
|
session optional pam_mail.so dir=/var/mail standard
|
|
session optional pam_xauth
|
|
session required pam_env.so
|
|
session required pam_unix.so
|
|
|
|
# End /etc/pam.d/su</literal>
|
|
EOF</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'chage'</title>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
|
<literal># Begin /etc/pam.d/chage
|
|
|
|
auth sufficient pam_rootok.so
|
|
auth required pam_unix.so
|
|
account required pam_unix.so
|
|
session required pam_unix.so
|
|
password required pam_permit.so
|
|
|
|
# End /etc/pam.d/chage</literal>
|
|
EOF</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>'chpasswd', 'chgpasswd', 'groupadd', 'groupdel', 'groupmems',
|
|
'groupmod', 'newusers', 'useradd', 'userdel', and 'usermod'</title>
|
|
|
|
<screen role="root"><userinput>for PROGRAM in chpasswd chgpasswd groupadd groupdel groupmems \
|
|
groupmod newusers useradd userdel usermod
|
|
do
|
|
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
|
|
sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
|
|
done</userinput></screen>
|
|
|
|
<warning>
|
|
<para>At this point, you should do a simple test to see if
|
|
<application>Shadow</application> is working as expected. Open
|
|
another terminal and log in as a user, then <command>su</command> to
|
|
<systemitem class="username">root</systemitem>. If you do not see any
|
|
errors, then all is well and you should proceed with the rest of the
|
|
configuration. If you did receive errors, stop now and double check
|
|
the above configuration files manually. You can also run the test
|
|
suite from the <application>Linux-PAM</application> package to assist
|
|
you in determining the problem. If you cannot find and
|
|
fix the error, you should recompile <application>Shadow</application>
|
|
replacing <option>--with-libpam</option> with
|
|
<option>--without-libpam</option> in the above instructions (also move
|
|
the <filename>/etc/login.defs.orig</filename> backup file to
|
|
<filename>/etc/login.defs</filename>). If you
|
|
fail to do this and the errors remain, you will be unable to log into
|
|
your system.</para>
|
|
</warning>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>Other</title>
|
|
|
|
<para>Currently, <filename>/etc/pam.d/other</filename> is configured
|
|
to allow anyone with an account on the machine to use PAM-aware
|
|
programs without a configuration file for that program. After testing
|
|
<application>Linux-PAM</application> for proper configuration, install
|
|
a more restrictive <filename>other</filename> file so that
|
|
program-specific configuration files are required:</para>
|
|
|
|
<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
|
|
<literal># Begin /etc/pam.d/other
|
|
|
|
auth required pam_deny.so
|
|
auth required pam_warn.so
|
|
account required pam_deny.so
|
|
session required pam_deny.so
|
|
password required pam_deny.so
|
|
password required pam_warn.so
|
|
|
|
# End /etc/pam.d/other</literal>
|
|
EOF</userinput></screen>
|
|
|
|
<para>If you preserved the source tree from the
|
|
<application>Linux-PAM</application> package (or you feel like unpacking
|
|
that tarball, then running <command>configure</command> and
|
|
<command>make</command>), now would be a good time to run the test
|
|
suite from this package. This test suite will use the configuration you
|
|
just finished during the tests. All the tests should pass.</para>
|
|
|
|
</sect4>
|
|
|
|
<sect4 id="pam-access">
|
|
<title>Configuring Login Access</title>
|
|
|
|
<para>Instead of using the <filename>/etc/login.access</filename>
|
|
file for controlling access to the system,
|
|
<application>Linux-PAM</application> uses the
|
|
<filename class='libraryfile'>pam_access.so</filename> module along
|
|
with the <filename>/etc/security/access.conf</filename> file. Rename
|
|
the <filename>/etc/login.access</filename> file using the following
|
|
command:</para>
|
|
|
|
<indexterm zone="shadow pam-access">
|
|
<primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root"><userinput>if [ -f /etc/login.access ]; then
|
|
mv -v /etc/login.access /etc/login.access.NOUSE
|
|
fi</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4 id="pam-limits">
|
|
<title>Configuring Resource Limits</title>
|
|
|
|
<para>Instead of using the <filename>/etc/limits</filename> file
|
|
for limiting usage of system resources,
|
|
<application>Linux-PAM</application> uses the
|
|
<filename class='libraryfile'>pam_limits.so</filename> module along
|
|
with the <filename>/etc/security/limits.conf</filename> file. Rename
|
|
the <filename>/etc/limits</filename> file using the following
|
|
command:</para>
|
|
|
|
<indexterm zone="shadow pam-limits">
|
|
<primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root"><userinput>if [ -f /etc/limits ]; then
|
|
mv -v /etc/limits /etc/limits.NOUSE
|
|
fi</userinput></screen>
|
|
|
|
</sect4>
|
|
|
|
<sect4 id="pam-env">
|
|
<title>Configuring Default Environment</title>
|
|
|
|
<para>During previous configuration, several items were removed from
|
|
<filename>/etc/login.defs</filename>. Some of these items are now
|
|
controlled by the <filename class='libraryfile'>pam_env.so</filename>
|
|
module and the <filename>/etc/security/pam_env.conf</filename>
|
|
configuration file. In particular, the default path has been
|
|
changed. To recover your default path, execute the following
|
|
commands:</para>
|
|
|
|
<screen role="root"><userinput>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
|
|
awk '{ print $2 }' | sed 's/PATH=//'` &&
|
|
echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
|
|
' OVERRIDE=${PATH}' \
|
|
>> /etc/security/pam_env.conf &&
|
|
unset ENV_PATH</userinput></screen>
|
|
|
|
<note>
|
|
<para>ENV_SUPATH is no longer supported. You must create
|
|
a valid <filename>/root/.bashrc</filename> file to provide a
|
|
modified path for the super-user.</para>
|
|
</note>
|
|
|
|
</sect4>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="content">
|
|
<title>Contents</title>
|
|
|
|
<para>A list of the installed files, along with their short descriptions
|
|
can be found at
|
|
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|