
Re: PAM & Shadow

On Wed, Jul 01, 1998 at 04:57:33PM +0800, Francis A. Vidal wrote:
> On Wed, 1 Jul 1998, Graham Leggett wrote:
> > > if i rebuild from scratch (using the current PAM and shadow suite
> > > sources), what are the procedures so as not to damage the system? where
> > > can i get the source for PAM? what about the new cracklib 2.7?
> > 
> > Don't rebuild anything - there is no need.
> I've read that the cracklib that comes with Redhat 5.0 contains a bug
> (buffer overflow) and one has to install the current cracklib (2.7) and
> also rebuild PAM to use the new cracklib.

The bug in cracklib isn't exploitable to gain root privileges.
The result of the bug is unpredictable behavior of passwd if the
user's gecos field in /etc/passwd is empty.
It's your own decision whether it's necessary to update cracklib.
I updated mine a long time ago.
But if you decide to update it you certainly should rebuild PAM.

Cracklib sources are available at
(however, I'm not sure that 2.7 is the latest version; it's
the version which contains the fix).

To rebuild PAM package I suggest you:

 - specify in ~/.rpmrc the location of your own source tree for rpm.
   I use 'topdir: /home/saw/rpmtop'.
   In that directory you should create the subdirectories
   SOURCES, BUILD, SRPMS, SPECS, RPMS/your_architecture, like
   in /usr/src/redhat.

 - unpack source package from RedHat site:
	rpm -ivh pam-xxx.src.rpm

 - look through the pam.spec file in your SPECS directory.
   It may contain a dangerous 'rm -rf'...

 - build the package
	rpm -bi --buildroot your_temporary_directory path_to_spec_file
   The process may fail if the spec file is not written so well and disallows
   building from a non-root account. In that case you may try to build it
   as root.

 - in your_temporary_directory you can see what the package is going to install
   on your system.

 - finally build the package
	rpm -ba --clean --buildroot your_temporary_directory path_to_spec_file

 - make a backup copy of your /etc/pam.conf and /etc/pam.d/* configuration

 - from root account run
	rpm -Uvh rpm_file_you_have_produced

 - check the result (especially the configuration files).

 - if the results are bad you may install the original
   PAM package (with the --force option) and restore your configuration

The procedure above is rather paranoid but it's what you asked:
how to do it safely.

I should also inform you that I don't know what is written in
RedHat's spec file for PAM. But I suppose RedHat people put up
source packages corresponding to their binary packages, so you have
a good chance that all will work.

For reference I put my spec files on

Best wishes
					Andrey V.
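As an added example (not part of the mail above, nor RedHat's own tooling), a small shell helper for the preparatory steps the mail describes: lay out the private rpm topdir, flag recursive 'rm' lines in the spec that do not stay inside the build root, and back up the PAM configuration before installing. All paths are arguments chosen by the caller; the source /etc directory is a parameter so the functions can be exercised against a constructed copy.

```shell
#!/bin/sh
# Added helper for the preparation steps: topdir layout, spec audit, config backup.
# Every path is a caller-supplied placeholder, not a value from the original mail.

# Create the subdirectories rpm expects under a private topdir and write the
# 'topdir:' line that belongs in ~/.rpmrc (left in a fragment file for review).
setup_rpm_topdir() {
    topdir="$1"; arch="$2"
    for d in SOURCES BUILD SRPMS SPECS "RPMS/$arch"; do
        mkdir -p "$topdir/$d" || return 1
    done
    printf 'topdir: %s\n' "$topdir" > "$topdir/rpmrc.fragment"
}

# Print (with line numbers) every recursive 'rm' in the spec whose target does not
# reference the build root or build directory. Spec scriptlets run with the
# builder's privileges, so an 'rm -r' on an absolute path would hit the real system.
# Exit status 0 means suspicious lines were found, 1 means the spec looks clean.
audit_spec_rm() {
    spec="$1"
    grep -nE 'rm[[:space:]]+-[A-Za-z]*[rR]' "$spec" \
      | grep -vE 'RPM_BUILD_ROOT|RPM_BUILD_DIR|%\{buildroot\}'
}

# Copy pam.conf and the pam.d directory from $1 (normally /etc) into $2,
# preserving modes and timestamps, so the originals can be restored later.
backup_pam_config() {
    src_etc="$1"; dest="$2"
    mkdir -p "$dest/pam.d" || return 1
    [ -f "$src_etc/pam.conf" ] && cp -p "$src_etc/pam.conf" "$dest/pam.conf"
    [ -d "$src_etc/pam.d" ] && cp -pR "$src_etc/pam.d/." "$dest/pam.d/"
    return 0
}

# Typical use, before the rpm -ivh / rpm -bi steps from the mail:
#   setup_rpm_topdir "$HOME/rpmtop" i386
#   audit_spec_rm "$HOME/rpmtop/SPECS/pam.spec" && echo "review these lines first"
#   backup_pam_config /etc "$HOME/pam-backup-$(date +%Y%m%d)"
```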
