1 | # |
2 | # For a description of the syntax of this configuration file, |
3 | # see scripts/kbuild/config-language.txt. |
4 | # |
5 | |
6 | menu "Login/Password Management Utilities" |
7 | |
8 | config BUSYBOX_CONFIG_FEATURE_SHADOWPASSWDS |
9 | bool "Support for shadow passwords" |
10 | default n |
11 | help |
12 | Build support for shadow passwords in /etc/shadow. This file is |
13 | readable only by root, so the hashed passwords are no longer |
14 | publicly readable. |
15 | |
16 | config BUSYBOX_CONFIG_USE_BB_PWD_GRP |
17 | bool "Use internal password and group functions rather than system functions" |
18 | default n |
19 | help |
20 | If you leave this disabled, busybox will use the system's password |
21 | and group functions. And if you are using the GNU C library |
22 | (glibc), you will then need to install the /etc/nsswitch.conf |
23 | configuration file and the required /lib/libnss_* libraries in |
24 | order for the password and group functions to work. This generally |
25 | makes your embedded system quite a bit larger. |
26 | |
27 | Enabling this option will cause busybox to directly access the |
28 | system's /etc/passwd, /etc/group files (and your system will be |
29 | smaller, and I will get fewer emails asking about how glibc NSS |
30 | works). When this option is enabled, you will not be able to use |
31 | PAM to access remote LDAP password servers and whatnot. And if you |
32 | want hostname resolution to work with glibc, you still need the |
33 | /lib/libnss_* libraries. |
34 | |
35 | If you need to use glibc's nsswitch.conf mechanism |
36 | (e.g. if user/group database is NOT stored in /etc/passwd etc), |
37 | you must NOT use this option. |
38 | |
39 | If you enable this option, it will add about 1.5k. |
40 | |
41 | config BUSYBOX_CONFIG_USE_BB_SHADOW |
42 | bool "Use internal shadow password functions" |
43 | default n |
44 | depends on BUSYBOX_CONFIG_USE_BB_PWD_GRP && BUSYBOX_CONFIG_FEATURE_SHADOWPASSWDS |
45 | help |
46 | If you leave this disabled, busybox will use the system's shadow |
47 | password handling functions. And if you are using the GNU C library |
48 | (glibc), you will then need to install the /etc/nsswitch.conf |
49 | configuration file and the required /lib/libnss_* libraries in |
50 | order for the shadow password functions to work. This generally |
51 | makes your embedded system quite a bit larger. |
52 | |
53 | Enabling this option will cause busybox to directly access the |
54 | system's /etc/shadow file when handling shadow passwords. This |
55 | makes your system smaller (and I will get fewer emails asking about |
56 | how glibc NSS works). When this option is enabled, you will not be |
57 | able to use PAM to access shadow passwords from remote LDAP |
58 | password servers and whatnot. |
59 | |
60 | config BUSYBOX_CONFIG_USE_BB_CRYPT |
61 | bool "Use internal crypt functions" |
62 | default n |
63 | help |
64 | Busybox has internal DES and MD5 crypt functions. |
65 | They produce results which are identical to those of the |
66 | corresponding standard C library functions. |
67 | |
68 | If you leave this disabled, busybox will use the system's |
69 | crypt functions. Most C libraries use large (~70k) |
70 | static buffers there, and also combine them with more general |
71 | DES encryption/decryption. |
72 | |
73 | For busybox, having large static buffers is undesirable, |
74 | especially on NOMMU machines. Busybox also doesn't need |
75 | DES encryption/decryption and can do with smaller code. |
76 | |
77 | If you enable this option, it will add about 4.8k of code |
78 | if you are building a dynamically linked executable. |
79 | In a static build, it makes the code _smaller_ by about 1.2k, |
80 | and likely uses many kilobytes less of bss. |
81 | |
82 | config BUSYBOX_CONFIG_USE_BB_CRYPT_SHA |
83 | bool "Enable SHA256/512 crypt functions" |
84 | default n |
85 | depends on BUSYBOX_CONFIG_USE_BB_CRYPT |
86 | help |
87 | Enable this if you have passwords starting with "$5$" or "$6$" |
88 | in your /etc/passwd or /etc/shadow files. These passwords |
89 | are hashed using SHA256 and SHA512 algorithms. Support for them |
90 | was added to glibc in 2008. |
91 | With this option off, login will fail the password check for any |
92 | user whose password is hashed with these algorithms. |
93 | |
94 | config BUSYBOX_CONFIG_ADDGROUP |
95 | bool "addgroup" |
96 | default n |
97 | help |
98 | Utility for creating a new group account. |
99 | |
100 | config BUSYBOX_CONFIG_FEATURE_ADDGROUP_LONG_OPTIONS |
101 | bool "Enable long options" |
102 | default n |
103 | depends on BUSYBOX_CONFIG_ADDGROUP && BUSYBOX_CONFIG_LONG_OPTS |
104 | help |
105 | Support long options for the addgroup applet. |
106 | |
107 | config BUSYBOX_CONFIG_FEATURE_ADDUSER_TO_GROUP |
108 | bool "Support for adding users to groups" |
109 | default n |
110 | depends on BUSYBOX_CONFIG_ADDGROUP |
111 | help |
112 | If called with two non-option arguments, |
113 | addgroup will add an existing user to an |
114 | existing group. |
115 | |
116 | config BUSYBOX_CONFIG_DELGROUP |
117 | bool "delgroup" |
118 | default n |
119 | help |
120 | Utility for deleting a group account. |
121 | |
122 | config BUSYBOX_CONFIG_FEATURE_DEL_USER_FROM_GROUP |
123 | bool "Support for removing users from groups" |
124 | default n |
125 | depends on BUSYBOX_CONFIG_DELGROUP |
126 | help |
127 | If called with two non-option arguments, deluser |
128 | or delgroup will remove a user from a specified group. |
129 | |
130 | config BUSYBOX_CONFIG_FEATURE_CHECK_NAMES |
131 | bool "Enable sanity check on user/group names in adduser and addgroup" |
132 | default n |
133 | depends on BUSYBOX_CONFIG_ADDUSER || BUSYBOX_CONFIG_ADDGROUP |
134 | help |
135 | Enable sanity check on user and group names in adduser and addgroup. |
136 | To avoid problems, the user or group name should consist only of |
137 | letters, digits, underscores, periods, at signs and dashes, |
138 | and not start with a dash (as defined by IEEE Std 1003.1-2001). |
139 | For compatibility with Samba machine accounts "$" is also supported |
140 | at the end of the user or group name. |
141 | |
142 | config BUSYBOX_CONFIG_ADDUSER |
143 | bool "adduser" |
144 | default n |
145 | help |
146 | Utility for creating a new user account. |
147 | |
148 | config BUSYBOX_CONFIG_FEATURE_ADDUSER_LONG_OPTIONS |
149 | bool "Enable long options" |
150 | default n |
151 | depends on BUSYBOX_CONFIG_ADDUSER && BUSYBOX_CONFIG_LONG_OPTS |
152 | help |
153 | Support long options for the adduser applet. |
154 | |
155 | config BUSYBOX_CONFIG_FIRST_SYSTEM_ID |
156 | int "First valid system uid or gid for adduser and addgroup" |
157 | depends on BUSYBOX_CONFIG_ADDUSER || BUSYBOX_CONFIG_ADDGROUP |
158 | range 0 64900 |
159 | default 100 |
160 | help |
161 | First valid system uid or gid for adduser and addgroup |
162 | |
163 | config BUSYBOX_CONFIG_LAST_SYSTEM_ID |
164 | int "Last valid system uid or gid for adduser and addgroup" |
165 | depends on BUSYBOX_CONFIG_ADDUSER || BUSYBOX_CONFIG_ADDGROUP |
166 | range 0 64900 |
167 | default 999 |
168 | help |
169 | Last valid system uid or gid for adduser and addgroup |
170 | |
171 | config BUSYBOX_CONFIG_DELUSER |
172 | bool "deluser" |
173 | default n |
174 | help |
175 | Utility for deleting a user account. |
176 | |
177 | config BUSYBOX_CONFIG_GETTY |
178 | bool "getty" |
179 | default n |
180 | select BUSYBOX_CONFIG_FEATURE_SYSLOG |
181 | help |
182 | getty lets you log in on a tty. It is normally invoked by init. |
183 | |
184 | config BUSYBOX_CONFIG_FEATURE_UTMP |
185 | bool "Support utmp file" |
186 | depends on BUSYBOX_CONFIG_GETTY || BUSYBOX_CONFIG_LOGIN || BUSYBOX_CONFIG_SU || BUSYBOX_CONFIG_WHO |
187 | default n |
188 | help |
189 | The file /var/run/utmp is used to track who is currently logged in. |
190 | |
191 | config BUSYBOX_CONFIG_FEATURE_WTMP |
192 | bool "Support wtmp file" |
193 | depends on BUSYBOX_CONFIG_GETTY || BUSYBOX_CONFIG_LOGIN || BUSYBOX_CONFIG_SU || BUSYBOX_CONFIG_LAST |
194 | default n |
195 | select BUSYBOX_CONFIG_FEATURE_UTMP |
196 | help |
197 | The file /var/run/wtmp is used to track when users have logged into |
198 | and logged out of the system. |
199 | |
200 | config BUSYBOX_CONFIG_LOGIN |
201 | bool "login" |
202 | default n |
203 | select BUSYBOX_CONFIG_FEATURE_SUID |
204 | select BUSYBOX_CONFIG_FEATURE_SYSLOG |
205 | help |
206 | login is used when signing onto a system. |
207 | |
208 | Note that Busybox binary must be setuid root for this applet to |
209 | work properly. |
210 | |
211 | config BUSYBOX_CONFIG_PAM |
212 | bool "Support for PAM (Pluggable Authentication Modules)" |
213 | default n |
214 | depends on BUSYBOX_CONFIG_LOGIN |
215 | help |
216 | Use PAM in login(1) instead of direct access to password database. |
217 | |
218 | config BUSYBOX_CONFIG_LOGIN_SCRIPTS |
219 | bool "Support for login scripts" |
220 | depends on BUSYBOX_CONFIG_LOGIN |
221 | default n |
222 | help |
223 | Enable this if you want login to execute $LOGIN_PRE_SUID_SCRIPT |
224 | just prior to switching from root to the logged-in user (the script therefore runs with root privileges). |
225 | |
226 | config BUSYBOX_CONFIG_FEATURE_NOLOGIN |
227 | bool "Support for /etc/nologin" |
228 | default n |
229 | depends on BUSYBOX_CONFIG_LOGIN |
230 | help |
231 | The file /etc/nologin is used by (some versions of) login(1). |
232 | If it exists, non-root logins are prohibited. |
233 | |
234 | config BUSYBOX_CONFIG_FEATURE_SECURETTY |
235 | bool "Support for /etc/securetty" |
236 | default n |
237 | depends on BUSYBOX_CONFIG_LOGIN |
238 | help |
239 | The file /etc/securetty is used by (some versions of) login(1). |
240 | The file contains the device names of tty lines (one per line, |
241 | without leading /dev/) on which root is allowed to log in. |
242 | |
243 | config BUSYBOX_CONFIG_PASSWD |
244 | bool "passwd" |
245 | default y |
246 | select BUSYBOX_CONFIG_FEATURE_SUID |
247 | select BUSYBOX_CONFIG_FEATURE_SYSLOG |
248 | help |
249 | passwd changes passwords for user and group accounts. A normal user |
250 | may only change the password for his/her own account; the super user |
251 | may change the password for any account. The administrator of a group |
252 | may change the password for the group. |
253 | |
254 | Note that Busybox binary must be setuid root for this applet to |
255 | work properly. |
256 | |
257 | config BUSYBOX_CONFIG_FEATURE_PASSWD_WEAK_CHECK |
258 | bool "Check new passwords for weakness" |
259 | default y |
260 | depends on BUSYBOX_CONFIG_PASSWD |
261 | help |
262 | With this option passwd will refuse new passwords which are "weak". |
263 | |
264 | config BUSYBOX_CONFIG_CRYPTPW |
265 | bool "cryptpw" |
266 | default n |
267 | help |
268 | Encrypts the given password with the crypt(3) libc function |
269 | using the given salt. Debian has this utility under the name |
270 | mkpasswd. Busybox provides mkpasswd as an alias for cryptpw. |
271 | |
272 | config BUSYBOX_CONFIG_CHPASSWD |
273 | bool "chpasswd" |
274 | default n |
275 | help |
276 | Reads a file of user name and password pairs from standard input |
277 | and uses this information to update a group of existing users. |
278 | |
279 | config BUSYBOX_CONFIG_SU |
280 | bool "su" |
281 | default n |
282 | select BUSYBOX_CONFIG_FEATURE_SUID |
283 | select BUSYBOX_CONFIG_FEATURE_SYSLOG |
284 | help |
285 | su is used to become another user during a login session. |
286 | Invoked without a username, su defaults to becoming the super user. |
287 | |
288 | Note that Busybox binary must be setuid root for this applet to |
289 | work properly. |
290 | |
291 | config BUSYBOX_CONFIG_FEATURE_SU_SYSLOG |
292 | bool "Enable su to write to syslog" |
293 | default n |
294 | depends on BUSYBOX_CONFIG_SU |
295 | |
296 | config BUSYBOX_CONFIG_FEATURE_SU_CHECKS_SHELLS |
297 | bool "Enable su to check user's shell to be listed in /etc/shells" |
298 | depends on BUSYBOX_CONFIG_SU |
299 | default n |
300 | |
301 | config BUSYBOX_CONFIG_SULOGIN |
302 | bool "sulogin" |
303 | default n |
304 | select BUSYBOX_CONFIG_FEATURE_SYSLOG |
305 | help |
306 | sulogin is invoked when the system goes into single user |
307 | mode (this is done through an entry in inittab). |
308 | |
309 | config BUSYBOX_CONFIG_VLOCK |
310 | bool "vlock" |
311 | default n |
312 | select BUSYBOX_CONFIG_FEATURE_SUID |
313 | help |
314 | Build the "vlock" applet which allows you to lock (virtual) terminals. |
315 | |
316 | Note that Busybox binary must be setuid root for this applet to |
317 | work properly. |
318 | |
319 | endmenu |
320 | |