Essentially, this is a question about pam.
Not long ago I posted a message here asking if it was possible to set
things up so that besides root, only one other particular user is made
able to run /usr/sbin/pppd without the use of a password. I did not
want to make pppd suid or be forced to do it via su (which requires
root password) or sudo (which requires it be installed and requires
the user's password unless configured for NOPASS).
[BTW, does anyone have a good reference/url for sudo that makes it
easier to understand, with lots of examples? You have to be a
linguistics expert to make any sense of what its man pages are
trying to tell you... :-]
I discovered two solutions, and I'm wanting to pass this by some
"experts" in pam configuration to check that I'm doing this with the
best security possible while still allowing it to work. And if
there are any other useful solutions, I'd also like to know.
This is how I got it working...
1. edit /etc/security/console.perms to change this line:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] ttyS[0-9][0-9]*
(the trailing ttyS[0-9][0-9]* entry is the part I added)
I need the extra definition for the ttyS* devices because I am using
pam_console as the authentication mechanism and in some cases I need
to do this over a terminal username/passwd login into a box over a
modem, eg, using a "chat" script to do it all. (I am aware that
doing this has some security risks associated with it).
For a local user at the system console/Xterm, this added definition
isn't necessary.
2. ln -s consolehelper /usr/bin/pppd
That symlink creates a user-accessible pppd (in the normal user's
PATH) that really runs consolehelper. Consolehelper will only work
with executables that live in /sbin/ and /usr/sbin/.
3. touch /etc/security/console.apps/pppd
The file simply needs to exist, contents are irrelevant (to pam).
4. create /etc/pam.d/pppd
This is where I have found two possible solutions...
PAM solution 1
~~~~~~~~~~~~~~
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_wheel.so trust
auth required /lib/security/pam_console.so
# auth required /lib/security/pam_pwdb.so
# auth required /lib/security/pam_unix_auth.so
session optional /lib/security/pam_xauth.so
account required /lib/security/pam_permit.so
Then to finally make this work:
usermod -G root tony
This adds me (my user account) to group "root" in /etc/group and
thanks to pam_wheel I have permission to run /usr/bin/pppd and make
/usr/sbin/pppd run as root just as if it were suid. (Only problem now
is that I don't have permission to "killall pppd" to terminate the
session, heh :-) The "trust" parameter means that no password is
necessary (and as pam.txt points out, beware the risk).
BTW, to do this WITH passwords, use...
auth required /lib/security/pam_pwdb.so
or
auth required /lib/security/pam_unix_auth.so
pam_pwdb will ask for root's password, pam_unix_auth for the user's
password. Neat. In an xterm, a little dialog box pops up, another
cool touch :)
Questions:
- is a "session" needed to be specified at all in this case?
- is pam_xauth appropriate for being used here for session?
- is "sufficient" enough security for pam_wheel, or should "required"
be used?
- can the order be improved? eg, pam_console BEFORE pam_wheel?
PAM solution 2
~~~~~~~~~~~~~~
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/pppdusers
auth required /lib/security/pam_console.so
session optional /lib/security/pam_xauth.so
account required /lib/security/pam_permit.so
This uses a mechanism similar to how a file is used to specify which
local users CANNOT (sense=deny) login to the local ftpd daemon.
To make this work:
echo tony > /etc/pppdusers
And magic - it certainly does work. But similar questions to those
above.
I would appreciate any comments or suggestions on any of this (it is
the first time I've started to actually create and play around with
pam.d files...)
Thanks.
[If this isn't considered an appropriate place for this discussion,
please point me in a better direction.]
BTW, references to some documentation...
- man pages for pam_console, console.apps, userhelper, consolehelper
- /usr/doc/pam-*/pam.txt (/usr/share/doc/pam-*/ on redhat 7.0)
- on the redhat 6.2 or 7.0 documentation CDROM, look at the index page
to "The Official Red Hat Linux Reference Guide" for the references
to "Configuring Console Access". This is an EXCELLENT reference, and
much of what I have done here is based on this.
Cheers
Tony
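As an added illustration (not part of Tony's post) of how the control flags in the two stacks above interact, the following Python models the way Linux-PAM walks an "auth" stack; the module predicates and the "who is asking" context are constructed stand-ins for the real modules, and group "root" membership stands in for what pam_wheel checks after the usermod step.

```python
# Added example, not from the post: simulate Linux-PAM's walk through an
# "auth" stack (required / requisite / sufficient / optional) and run it over
# the two /etc/pam.d/pppd stacks from the message. Module behaviour is
# modelled as simple predicates on a constructed "who is asking" context.
from dataclasses import dataclass, field

@dataclass
class Ctx:
    user: str
    groups: set = field(default_factory=set)
    on_console: bool = False          # pam_console: logged in on a <console> tty
    listed: bool = False              # pam_listfile: user appears in /etc/pppdusers

# Each stand-in module returns True (PAM_SUCCESS) or False for a context.
MODULES = {
    "pam_rootok":   lambda c: c.user == "root",
    "pam_wheel":    lambda c: "root" in c.groups,   # "trust": group membership, no password
    "pam_console":  lambda c: c.on_console,
    "pam_listfile": lambda c: c.listed,             # sense=allow onerr=fail
}

def run_stack(stack, ctx):
    """Evaluate an auth stack the way Linux-PAM does for these four control flags."""
    failed = False
    for control, module in stack:
        ok = MODULES[module](ctx)
        if control == "required":
            failed = failed or not ok          # keep walking, but remember the failure
        elif control == "requisite":
            if not ok:
                return False                   # stop immediately
        elif control == "sufficient":
            if ok and not failed:
                return True                    # short-circuit: later modules never run
        # "optional" results are ignored unless it is the only module in the stack
    return not failed

# Solution 1 from the post: because pam_wheel is "sufficient", a group-root
# member is never checked by pam_console at all (console or not).
SOLUTION1 = [("sufficient", "pam_rootok"), ("sufficient", "pam_wheel"), ("required", "pam_console")]
# Same stack with pam_wheel "required": group membership AND console are both needed.
SOLUTION1_STRICT = [("sufficient", "pam_rootok"), ("required", "pam_wheel"), ("required", "pam_console")]
# Solution 2 from the post: listfile and console are both required.
SOLUTION2 = [("sufficient", "pam_rootok"), ("required", "pam_listfile"), ("required", "pam_console")]

if __name__ == "__main__":
    tony_remote = Ctx("tony", groups={"root"}, on_console=False, listed=True)
    print("solution 1, tony off-console:", run_stack(SOLUTION1, tony_remote))               # True
    print("solution 1 strict, tony off-console:", run_stack(SOLUTION1_STRICT, tony_remote))  # False
```

Note that in solution 1 pam_console is the only "required" entry, so any user sitting at a <console> tty also passes, whether or not they are in group root.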
Redhat-devel-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-devel-list