3.1 History of the Shadow Suite for Linux (not translated for now)

3.2 History of the Shadow Suite for Linux

DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS

The original Shadow Suite was written by John F. Haugh II.
There are several versions that have been used on Linux systems:
- shadow-3.3.1 is the original.
- shadow-3.3.1-2 is a Linux-specific patch made by Florian La Roche and contains some further enhancements.
- shadow-mk was specifically packaged for Linux.

The shadow-mk package contains the shadow-3.3.1 package distributed by John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes made by Mohan Kokal that make installation a lot easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.

The shadow-mk package was the previously recommended package, but should be replaced due to a security problem with the login program.
There are security problems with Shadow versions 3.3.1, 3.3.1-2, and shadow-mk involving the login program. The login program does not check the length of a login name, so an over-long name overflows the buffer, causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug and the shared libraries to gain root access. I won't discuss exactly how this is possible because there are a lot of Linux systems that are affected, but systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite are vulnerable!
For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability).
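
The missing check described above is a length test before the login name is copied into a fixed buffer. The following is an added example, not code from the Shadow Suite or from this HOWTO; `copy_login_name`, `NAME_MAX_LEN`, the status codes and the character policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32  /* assumed limit for this example */

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/*
 * Copy a login name into a fixed buffer only if it fits completely.
 * The unchecked pattern is a plain strcpy(dst, src) into a fixed array,
 * which writes past the end of dst when src is longer than the array.
 */
enum name_status copy_login_name(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || dst_size == 0)
        return NAME_TOO_LONG;
    dst[0] = '\0';                      /* dst is a valid empty string on any failure */
    if (src == NULL || src[0] == '\0')
        return NAME_EMPTY;

    /* Measure src without ever looking further than dst can hold. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)
        return NAME_TOO_LONG;           /* reject; a truncated name could match another account */

    /* Assumed policy: printable ASCII only, and no ':' (the passwd field separator). */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x21 || c > 0x7e || c == ':')
            return NAME_BAD_CHAR;
    }

    memcpy(dst, src, len + 1);          /* len + 1 <= dst_size, terminator included */
    return NAME_OK;
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    char too_long[200];                 /* constructed over-long input */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("alice    -> %d\n", copy_login_name(name, sizeof name, "alice"));
    printf("too long -> %d\n", copy_login_name(name, sizeof name, too_long));
    return 0;
}
```

Rejecting an over-long name instead of truncating it keeps the destination buffer intact and avoids authenticating against a different, shorter account name.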