blob: 9bf79afee21f31ab737382e84be6bb0a92f41fc2
1 | # |
2 | # For a description of the syntax of this configuration file, |
3 | # see scripts/kbuild/config-language.txt. |
4 | # |
5 | |
6 | menu "Login/Password Management Utilities" |
7 | |
8 | INSERT |
9 | |
10 | config FEATURE_SHADOWPASSWDS |
11 | bool "Support for shadow passwords" |
12 | default y |
13 | help |
14 | Build support for shadow password in /etc/shadow. This file is only |
15 | readable by root and thus the encrypted passwords are no longer |
16 | publicly readable. |
17 | |
18 | config USE_BB_PWD_GRP |
19 | bool "Use internal password and group functions rather than system functions" |
20 | default y |
21 | help |
22 | If you leave this disabled, busybox will use the system's password |
23 | and group functions. And if you are using the GNU C library |
24 | (glibc), you will then need to install the /etc/nsswitch.conf |
25 | configuration file and the required /lib/libnss_* libraries in |
26 | order for the password and group functions to work. This generally |
27 | makes your embedded system quite a bit larger. |
28 | |
29 | Enabling this option will cause busybox to directly access the |
30 | system's /etc/password, /etc/group files (and your system will be |
31 | smaller, and I will get fewer emails asking about how glibc NSS |
32 | works). When this option is enabled, you will not be able to use |
33 | PAM to access remote LDAP password servers and whatnot. And if you |
34 | want hostname resolution to work with glibc, you still need the |
35 | /lib/libnss_* libraries. |
36 | |
37 | If you need to use glibc's nsswitch.conf mechanism |
38 | (e.g. if user/group database is NOT stored in /etc/passwd etc), |
39 | you must NOT use this option. |
40 | |
41 | If you enable this option, it will add about 1.5k. |
42 | |
43 | config USE_BB_SHADOW |
44 | bool "Use internal shadow password functions" |
45 | default y |
46 | depends on USE_BB_PWD_GRP && FEATURE_SHADOWPASSWDS |
47 | help |
48 | If you leave this disabled, busybox will use the system's shadow |
49 | password handling functions. And if you are using the GNU C library |
50 | (glibc), you will then need to install the /etc/nsswitch.conf |
51 | configuration file and the required /lib/libnss_* libraries in |
52 | order for the shadow password functions to work. This generally |
53 | makes your embedded system quite a bit larger. |
54 | |
55 | Enabling this option will cause busybox to directly access the |
56 | system's /etc/shadow file when handling shadow passwords. This |
57 | makes your system smaller (and I will get fewer emails asking about |
58 | how glibc NSS works). When this option is enabled, you will not be |
59 | able to use PAM to access shadow passwords from remote LDAP |
60 | password servers and whatnot. |
61 | |
62 | config USE_BB_CRYPT |
63 | bool "Use internal crypt functions" |
64 | default y |
65 | help |
66 | Busybox has internal DES and MD5 crypt functions. |
67 | They produce results which are identical to corresponding |
68 | standard C library functions. |
69 | |
70 | If you leave this disabled, busybox will use the system's |
71 | crypt functions. Most C libraries use large (~70k) |
72 | static buffers there, and also combine them with more general |
73 | DES encryption/decryption. |
74 | |
75 | For busybox, having large static buffers is undesirable, |
76 | especially on NOMMU machines. Busybox also doesn't need |
77 | DES encryption/decryption and can do with smaller code. |
78 | |
79 | If you enable this option, it will add about 4.8k of code |
80 | if you are building dynamically linked executable. |
81 | In static build, it makes code _smaller_ by about 1.2k, |
82 | and likely many kilobytes less of bss. |
83 | |
84 | config USE_BB_CRYPT_SHA |
85 | bool "Enable SHA256/512 crypt functions" |
86 | default y |
87 | depends on USE_BB_CRYPT |
88 | help |
89 | Enable this if you have passwords starting with "$5$" or "$6$" |
90 | in your /etc/passwd or /etc/shadow files. These passwords |
91 | are hashed using SHA256 and SHA512 algorithms. Support for them |
92 | was added to glibc in 2008. |
93 | With this option off, login will fail password check for any |
94 | user which has password encrypted with these algorithms. |
95 | |
96 | config ADDUSER |
97 | bool "adduser" |
98 | default y |
99 | help |
100 | Utility for creating a new user account. |
101 | |
102 | config FEATURE_ADDUSER_LONG_OPTIONS |
103 | bool "Enable long options" |
104 | default y |
105 | depends on ADDUSER && LONG_OPTS |
106 | help |
107 | Support long options for the adduser applet. |
108 | |
109 | config FEATURE_CHECK_NAMES |
110 | bool "Enable sanity check on user/group names in adduser and addgroup" |
111 | default n |
112 | depends on ADDUSER || ADDGROUP |
113 | help |
114 | Enable sanity check on user and group names in adduser and addgroup. |
115 | To avoid problems, the user or group name should consist only of |
116 | letters, digits, underscores, periods, at signs and dashes, |
117 | and not start with a dash (as defined by IEEE Std 1003.1-2001). |
118 | For compatibility with Samba machine accounts "$" is also supported |
119 | at the end of the user or group name. |
120 | |
121 | config FIRST_SYSTEM_ID |
122 | int "First valid system uid or gid for adduser and addgroup" |
123 | depends on ADDUSER || ADDGROUP |
124 | range 0 64900 |
125 | default 100 |
126 | help |
127 | First valid system uid or gid for adduser and addgroup |
128 | |
129 | config LAST_SYSTEM_ID |
130 | int "Last valid system uid or gid for adduser and addgroup" |
131 | depends on ADDUSER || ADDGROUP |
132 | range 0 64900 |
133 | default 999 |
134 | help |
135 | Last valid system uid or gid for adduser and addgroup |
136 | |
137 | config ADDGROUP |
138 | bool "addgroup" |
139 | default y |
140 | help |
141 | Utility for creating a new group account. |
142 | |
143 | config FEATURE_ADDGROUP_LONG_OPTIONS |
144 | bool "Enable long options" |
145 | default y |
146 | depends on ADDGROUP && LONG_OPTS |
147 | help |
148 | Support long options for the addgroup applet. |
149 | |
150 | config FEATURE_ADDUSER_TO_GROUP |
151 | bool "Support for adding users to groups" |
152 | default y |
153 | depends on ADDGROUP |
154 | help |
155 | If called with two non-option arguments, |
156 | addgroup will add an existing user to an |
157 | existing group. |
158 | |
159 | config DELUSER |
160 | bool "deluser" |
161 | default y |
162 | help |
163 | Utility for deleting a user account. |
164 | |
165 | config DELGROUP |
166 | bool "delgroup" |
167 | default y |
168 | help |
169 | Utility for deleting a group account. |
170 | |
171 | config FEATURE_DEL_USER_FROM_GROUP |
172 | bool "Support for removing users from groups" |
173 | default y |
174 | depends on DELGROUP |
175 | help |
176 | If called with two non-option arguments, deluser |
177 | or delgroup will remove an user from a specified group. |
178 | |
179 | config GETTY |
180 | bool "getty" |
181 | default y |
182 | select FEATURE_SYSLOG |
183 | help |
184 | getty lets you log in on a tty. It is normally invoked by init. |
185 | |
186 | Note that you can save a few bytes by disabling it and |
187 | using login applet directly. |
188 | If you need to reset tty attributes before calling login, |
189 | this script approximates getty: |
190 | |
191 | exec </dev/$1 >/dev/$1 2>&1 || exit 1 |
192 | reset |
193 | stty sane; stty ispeed 38400; stty ospeed 38400 |
194 | printf "%s login: " "`hostname`" |
195 | read -r login |
196 | exec /bin/login "$login" |
197 | |
198 | config LOGIN |
199 | bool "login" |
200 | default y |
201 | select FEATURE_SYSLOG |
202 | help |
203 | login is used when signing onto a system. |
204 | |
205 | Note that Busybox binary must be setuid root for this applet to |
206 | work properly. |
207 | |
208 | config LOGIN_SESSION_AS_CHILD |
209 | bool "Run logged in session in a child process" |
210 | default y if PAM |
211 | depends on LOGIN |
212 | help |
213 | Run the logged in session in a child process. This allows |
214 | login to clean up things such as utmp entries or PAM sessions |
215 | when the login session is complete. If you use PAM, you |
216 | almost always would want this to be set to Y, else PAM session |
217 | will not be cleaned up. |
218 | |
219 | config PAM |
220 | bool "Support for PAM (Pluggable Authentication Modules)" |
221 | default n |
222 | depends on LOGIN |
223 | help |
224 | Use PAM in login(1) instead of direct access to password database. |
225 | |
226 | config LOGIN_SCRIPTS |
227 | bool "Support for login scripts" |
228 | depends on LOGIN |
229 | default y |
230 | help |
231 | Enable this if you want login to execute $LOGIN_PRE_SUID_SCRIPT |
232 | just prior to switching from root to logged-in user. |
233 | |
234 | config FEATURE_NOLOGIN |
235 | bool "Support for /etc/nologin" |
236 | default y |
237 | depends on LOGIN |
238 | help |
239 | The file /etc/nologin is used by (some versions of) login(1). |
240 | If it exists, non-root logins are prohibited. |
241 | |
242 | config FEATURE_SECURETTY |
243 | bool "Support for /etc/securetty" |
244 | default y |
245 | depends on LOGIN |
246 | help |
247 | The file /etc/securetty is used by (some versions of) login(1). |
248 | The file contains the device names of tty lines (one per line, |
249 | without leading /dev/) on which root is allowed to login. |
250 | |
251 | config PASSWD |
252 | bool "passwd" |
253 | default y |
254 | select FEATURE_SYSLOG |
255 | help |
256 | passwd changes passwords for user and group accounts. A normal user |
257 | may only change the password for his/her own account, the super user |
258 | may change the password for any account. The administrator of a group |
259 | may change the password for the group. |
260 | |
261 | Note that Busybox binary must be setuid root for this applet to |
262 | work properly. |
263 | |
264 | config FEATURE_PASSWD_WEAK_CHECK |
265 | bool "Check new passwords for weakness" |
266 | default y |
267 | depends on PASSWD |
268 | help |
269 | With this option passwd will refuse new passwords which are "weak". |
270 | |
271 | config CRYPTPW |
272 | bool "cryptpw" |
273 | default y |
274 | help |
275 | Encrypts the given password with the crypt(3) libc function |
276 | using the given salt. Debian has this utility under mkpasswd |
277 | name. Busybox provides mkpasswd as an alias for cryptpw. |
278 | |
279 | config CHPASSWD |
280 | bool "chpasswd" |
281 | default y |
282 | help |
283 | Reads a file of user name and password pairs from standard input |
284 | and uses this information to update a group of existing users. |
285 | |
286 | config FEATURE_DEFAULT_PASSWD_ALGO |
287 | string "Default password encryption method (passwd -a, cryptpw -m parameter)" |
288 | default "des" |
289 | depends on PASSWD || CRYPTPW |
290 | help |
291 | Possible choices are "d[es]", "m[d5]", "s[ha256]" or "sha512". |
292 | |
293 | config SU |
294 | bool "su" |
295 | default y |
296 | select FEATURE_SYSLOG |
297 | help |
298 | su is used to become another user during a login session. |
299 | Invoked without a username, su defaults to becoming the super user. |
300 | |
301 | Note that Busybox binary must be setuid root for this applet to |
302 | work properly. |
303 | |
304 | config FEATURE_SU_SYSLOG |
305 | bool "Enable su to write to syslog" |
306 | default y |
307 | depends on SU |
308 | |
309 | config FEATURE_SU_CHECKS_SHELLS |
310 | bool "Enable su to check user's shell to be listed in /etc/shells" |
311 | depends on SU |
312 | default y |
313 | |
314 | config SULOGIN |
315 | bool "sulogin" |
316 | default y |
317 | select FEATURE_SYSLOG |
318 | help |
319 | sulogin is invoked when the system goes into single user |
320 | mode (this is done through an entry in inittab). |
321 | |
322 | config VLOCK |
323 | bool "vlock" |
324 | default y |
325 | help |
326 | Build the "vlock" applet which allows you to lock (virtual) terminals. |
327 | |
328 | Note that Busybox binary must be setuid root for this applet to |
329 | work properly. |
330 | |
331 | endmenu |
332 |