History of the Shadow Suite for Linux

DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
The original Shadow Suite was written by John F. Haugh II. There are several versions that have been used on Linux systems:

  shadow is the original.
  shadow is a Linux-specific patch made by Florian La Roche and contains some further enhancements.
  shadow-mk was specifically packaged for Linux.

The shadow-mk package contains the shadow package distributed by John F. Haugh II with the shadow patch installed, a few fixes made by Mohan Kokal that make installation a lot easier, a patch by Joseph R. M. Zbiciak for login.c (login.secure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.

The shadow-mk package was the previously recommended package, but should be replaced due to a security problem with the login program.
There are security problems with Shadow versions and shadow-mk involving the login program. This login bug involves not checking the length of a login name. This causes the buffer to overflow, causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug and the shared libraries to gain root access. I won't discuss exactly how this is possible because there are a lot of Linux systems that are affected, but systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite, are vulnerable!

For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability).
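
The missing length check described above, shown as an added example (not code from the Shadow Suite or from this HOWTO): an unchecked copy of a login name beside a version that rejects names that do not fit. The function names and the 32-byte buffer size are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NAME_BUF 32   /* assumed buffer size for this example */

/* Unchecked pattern: the copy never looks at the size of dst, so a
 * name longer than the destination writes past the end of the buffer. */
void store_name_unchecked(char *dst, const char *name)
{
    strcpy(dst, name);
}

/* Checked version: returns 0 and fills dst, or -1 and leaves dst empty.
 * dst_size is the full size of dst, including the terminating NUL. */
int store_name_checked(char *dst, size_t dst_size, const char *name)
{
    size_t len;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (name == NULL)
        return -1;

    /* Scan at most dst_size bytes; never read or write beyond that. */
    for (len = 0; len < dst_size && name[len] != '\0'; len++)
        ;
    if (len == 0 || len == dst_size)   /* empty, or does not fit with NUL */
        return -1;

    memcpy(dst, name, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[NAME_BUF];
    char longname[200];                 /* constructed over-long input */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name: %d\n", store_name_checked(buf, sizeof buf, "alice"));
    printf("long name:  %d\n", store_name_checked(buf, sizeof buf, longname));
    return 0;
}
```

The checked function rejects the over-long name outright instead of truncating it, so a truncated name can never be matched against a different account.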
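
How to obtain the Shadow Suite?

The currently recommended version of the Shadow Suite is still BETA test software; however, the latest versions are safe in production environments and do not contain the vulnerable login program.

The package uses the following naming convention:

  shadow-YYMMDD.tar.gz

where YYMMDD is the release date of the Suite.

The current BETA test version is Version and is maintained by Marek Michalkiewicz. It is also available from there as:

  shadow-current.tar.gz

Related information can also be found at the following sites:

  ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
  ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
  ftp:///usr/ggallag/shadow/shadow-current.tar.gz
  ftp:///pub/linux/shadow/shadow-current.tar.gz

You should be able to obtain the latest current version. You should not use a version older than shadow, because older versions have the login security problem.

For reference, I used the shadow file for the installation instructions.

If you were previously using shadow-mk, you should upgrade to this version and recompile.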
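
What is included with the Shadow Suite?

The Shadow Suite contains replacement programs for:

  su, login, passwd, newgrp, chfn, chsh, and id

The package also contains the new programs:

  chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv

In addition, the library libshadow.a is included for writing and compiling programs that need to access user passwords.

Manual pages for the programs are also included.

There is also a configuration file for the login program, which will be installed as /etc/login.defs.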
From:http://tw.wingwit.com/Article/program/Oracle/201311/18514.html