Date: Sat, 7 Oct 2006 11:56:26 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: shadow-utils problem

I was hoping that someone else would respond to this. ;-)

On Thu, Oct 05, 2006 at 11:13:13AM +0200, Radek Michalski wrote:
> I don't know why, but I forgot that there's an option in login.defs that
> allows to change max. username length. So I took shadow-utils and after
> changing source code I recompiled and installed those utils.

Oh, did you "make install" right over your Owl system?  If so, you made
your system files inconsistent with the RPM database (bad for integrity
checking and for further updates of the system).  Also, we do not use
some of the programs that are a part of the shadow suite.  We use other
implementations, coming from other packages.  In particular, the
passwd(1) command on Owl comes from SimplePAMApps, not from the shadow
suite.  You've essentially overwritten it with the shadow suite
implementation. :-(

> Right now all
> seems to work, but when I execute i.e. passwd there's such output:
> 
> configuration error - unknown item 'CRYPT_PREFIX' (notify administrator)
> configuration error - unknown item 'CRYPT_ROUNDS' (notify administrator)
> configuration error - unknown item 'USE_TCB' (notify administrator)
> configuration error - unknown item 'TCB_AUTH_GROUP' (notify administrator)
> configuration error - unknown item 'TCB_SYMLINKS' (notify administrator)
> configuration error - unknown item 'USERNAME_MAX' (notify administrator)
> configuration error - unknown item 'GROUPNAME_MAX' (notify administrator)

All of the above login.defs settings are Owl extensions.  The above
error messages mean that you also did not apply our patches to the
shadow suite. :-(  If so, you've dropped the tcb support from useradd(8)
and from all other user management commands.  You've also dropped our
security fixes and security "hardening" enhancements, and more.  In
Owl-current, we have a total of 20 patch files to the shadow suite:

owl!build:~/native/Owl/packages/shadow-utils$ wc *.diff
     49     156    1542 shadow-4.0.4.1-alt-configure.diff
     34     179    1347 shadow-4.0.4.1-alt-man.diff
     39     147    1110 shadow-4.0.4.1-cvs-20041008-userdel.diff
     40     191    1202 shadow-4.0.4.1-owl-chage-drop-priv.diff
    153     535    3701 shadow-4.0.4.1-owl-check-reads.diff
     53     186    1283 shadow-4.0.4.1-owl-create-mailbox.diff
    152     552    3824 shadow-4.0.4.1-owl-crypt_gensalt.diff
     19      72     583 shadow-4.0.4.1-owl-malloc-cast.diff
     16      56     577 shadow-4.0.4.1-owl-man.diff
     45     180    1300 shadow-4.0.4.1-owl-newgrp.diff
    477    1750   12527 shadow-4.0.4.1-owl-pam-auth.diff
     14      61     474 shadow-4.0.4.1-owl-pam_chauthtok.diff
    219     820    6917 shadow-4.0.4.1-owl-restrict-locale.diff
   2343    8390   55236 shadow-4.0.4.1-owl-tcb.diff
     15      66     528 shadow-4.0.4.1-owl-tmp.diff
     12      70     507 shadow-4.0.4.1-owl-userdel-path_prefix.diff
    133     607    4195 shadow-4.0.4.1-owl-usergroupname_max.diff
     12      65     533 shadow-4.0.4.1-owl-usermod-unlock.diff
     11      55     405 shadow-4.0.4.1-owl-usermod-update-lstchg.diff
    896    4384   27475 shadow-4.0.4.1-rh-owl-redhat.diff
   4732   18522  125266 total

If my guesses are correct, then what you have now is not quite Owl.  It
is Owl minus our shadow suite and with some of the other programs
overwritten with the shadow suite implementations.  To clean up this
mess, you may "make uninstall" your shadow suite, then "make
installworld" Owl over your system.  If the "make uninstall" doesn't
work or doesn't remove all of the files that were installed, you may
nevertheless proceed with the "make installworld" and then use some
"rpm -qal | sort", "find ... | sort", and "comm ..." commands to
identify the extra non-Owl shadow suite files that you would have left
lying on the system.  You would need to remove those files.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
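
The comparison sketched in the message above ("rpm -qal | sort", "find ... | sort", "comm ..."), written out as an added example that is not part of the original message: it lists files on disk that no RPM package owns. The function names, the directories passed to find, and the sample paths in demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): find files no RPM owns.

# Print paths listed in $2 (files found on disk) that are absent from $1
# (files owned by packages). comm requires both inputs sorted in the same
# collation order, so sort and comm are both forced into the C locale.
unowned_files() {
    owned_sorted=$(mktemp) || return 1
    found_sorted=$(mktemp) || { rm -f "$owned_sorted"; return 1; }
    LC_ALL=C sort -u "$1" > "$owned_sorted"
    LC_ALL=C sort -u "$2" > "$found_sorted"
    # -1 drops lines only in the owned list, -3 drops lines in both lists
    LC_ALL=C comm -13 "$owned_sorted" "$found_sorted"
    rm -f "$owned_sorted" "$found_sorted"
}

# Run against the live system. The directory list is an assumption; widen
# it to wherever the stray "make install" could have written files.
scan_system() {
    owned=$(mktemp) || return 1
    found=$(mktemp) || { rm -f "$owned"; return 1; }
    rpm -qal > "$owned"
    find /bin /sbin /usr/bin /usr/sbin /usr/share/man /etc -xdev \
        \( -type f -o -type l \) > "$found" 2>/dev/null
    unowned_files "$owned" "$found"
    rm -f "$owned" "$found"
}

# Constructed sample lists, so the comparison can be tried without rpm.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' /usr/bin/passwd /usr/sbin/useradd /etc/login.defs \
        > "$d/owned"
    printf '%s\n' /usr/sbin/useradd /usr/local/bin/passwd /etc/login.defs \
        /usr/bin/passwd /usr/local/sbin/useradd > "$d/found"
    unowned_files "$d/owned" "$d/found"
    rm -rf "$d"
}

# "sh script.sh scan" checks the real system; anything else runs the demo.
case "${1:-demo}" in
    scan) scan_system ;;
    *)    demo ;;
esac
```

A file that was overwritten in place shares its path with a packaged file, so it does not appear in this output. The output also includes legitimately unpackaged files, so review it before removing anything.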
