8.10. Shadow 4.19.4

Licenses:

• BSD 3-Clause

Dependencies:

• musl (libc)
• make

Shadow provides the core user and group account management programs and supporting files. we need it in chapter 8 to create and manage system accounts in the final target environment.

Extract and Enter the Source Tree

cd /sources
tar -xf shadow-4.19.4.tar.xz
cd shadow-4.19.4

Configure Shadow

lbi_configure \
    --disable-static \
    --with-bcrypt \
    --with-yescrypt \
    --without-su \
    --without-libbsd \
    --disable-logind \
    --with-group-name-max-length=32

Set BSD-only install lists

LBI_SHADOW_USBINS="\
chgpasswd \
chpasswd \
groupadd \
groupdel \
groupmems \
groupmod \
grpck \
grpconv \
grpunconv \
logoutd \
newusers \
pwck \
pwconv \
pwunconv \
useradd \
userdel \
usermod"

LBI_SHADOW_MANS="\
man1/chage.1 \
man1/chfn.1 \
man8/chgpasswd.8 \
man8/chpasswd.8 \
man1/chsh.1 \
man1/expiry.1 \
man5/faillog.5 \
man8/faillog.8 \
man3/getspnam.3 \
man1/gpasswd.1 \
man8/groupadd.8 \
man8/groupdel.8 \
man8/groupmems.8 \
man8/groupmod.8 \
man8/grpck.8 \
man8/grpconv.8 \
man8/grpunconv.8 \
man5/gshadow.5 \
man1/login.1 \
man5/login.defs.5 \
man8/logoutd.8 \
man1/newgrp.1 \
man8/newusers.8 \
man8/nologin.8 \
man1/passwd.1 \
man5/passwd.5 \
man8/pwck.8 \
man8/pwconv.8 \
man8/pwunconv.8 \
man1/sg.1 \
man3/shadow.3 \
man5/shadow.5 \
man8/useradd.8 \
man8/userdel.8 \
man8/usermod.8 \
man1/getsubids.1 \
man1/newgidmap.1 \
man1/newuidmap.1 \
man5/subgid.5 \
man5/subuid.5"

export LBI_SHADOW_USBINS LBI_SHADOW_MANS

Post-Configure Adjustments

sed -i '' -E \
    -e 's@^[[:space:]]*#?[[:space:]]*ENCRYPT_METHOD[[:space:]]+.*@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@g' \
    -e '/^[[:space:]]*(ENV_SUPATH|ENV_PATH|ENV_ROOTPATH|PATH)=/ {
        s@/system/systembinaries:@@g
        s@:/system/systembinaries@@g
        s@/system/binaries:@@g
        s@:/system/binaries@@g
    }' \
    etc/login.defs

Build Shadow

make $LWI_MAKE_FLAGS \
    bin_PROGRAMS=login \
    usbin_PROGRAMS="$LBI_SHADOW_USBINS"

Install Shadow

make install \
    bindir=/system/binaries \
    ubindir=/system/binaries \
    sbindir=/system/systembinaries \
    usbindir=/system/systembinaries \
    bin_PROGRAMS=login \
    usbin_PROGRAMS="$LBI_SHADOW_USBINS"

make -C man install-man \
    man_MANS="$LBI_SHADOW_MANS"

Post-Install Setup

pwconv
grpconv
mkdir -p /etc/default
useradd -D --gid 999
passwd root

Command Explanations

• cd /sources, tar -xf, and cd shadow-...: Enter the staged Shadow source tree.
• lbi_configure: Applies the book's /system install layout.
• --with-bcrypt and --with-yescrypt: Enable modern password hashing methods.
• --without-su: Prevents Shadow from building or installing su, whose source contains GNU su ancestry.
• --without-libbsd and --disable-logind: Avoid optional dependencies not required here.
• LBI_SHADOW_USBINS: Defines the installed system-binary allow-list without vipw.
• LBI_SHADOW_MANS: Defines the installed man-page allow-list without vipw.8, vigr.8, or su.1.
• sed -i ... etc/login.defs: Sets YESCRYPT as the default hash, adjusts mail paths, and removes non-book binary directories from default PATH settings.
• make $LWI_MAKE_FLAGS bin_PROGRAMS=login usbin_PROGRAMS=...: Builds Shadow with shared make parallelism while keeping su and vipw out of the program list.
• make exec_prefix=/system install ... and make -C man install-man ...: Install only the allowed commands and manual pages into the target layout.
• mv /system/sbin/* /system/systembinaries/: Moves administrative binaries into the book's system-binary directory.
• pwconv and grpconv: Create shadow password and group databases from the existing passwd/group files.
• useradd -D --gid 999 and passwd root: Set default useradd policy and assign the root password.