On Wed Nov 22 2000 at 22:46, Tony Nugent wrote:
> Essentially, this is a question about pam.
... and I really didn't get much of a response last week to the
actual questions I was asking :-(
(Is there a better place to ask questions about pam?)
Background:
> Not long ago I posted a message here asking if it was possible to set
> things up so that besides root, only one other particular user is made
> able to run /usr/sbin/pppd without the use of a password. I did not
> want to make pppd suid or be forced to do it via su (which requires
> root password) or sudo (which requires it be installed and requires
> the user's password unless configured for NOPASS).
After further tinkering with this, here is what I think would be a
"better" solution than the one I originally presented and ask for
comments about...
> 2. ln -s consolehelper /usr/bin/pppd
[ ... ]
> 3. touch /etc/security/console.apps/pppd
[ ... ]
> 4. create /etc/pam.d/pppd
>
> This is where I have found two possible solutions...
>
> PAM solution 1
> ~~~~~~~~~~~~~~
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_rootok.so
> auth sufficient /lib/security/pam_wheel.so trust
> auth required /lib/security/pam_console.so
> # auth required /lib/security/pam_pwdb.so
> # auth required /lib/security/pam_unix_auth.so
> session optional /lib/security/pam_xauth.so
> account required /lib/security/pam_permit.so
>
> Then to finally make this work:
>
> usermod -G root tony
Refine this to:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
auth sufficient /lib/security/pam_wheel.so trust
account required /lib/security/pam_permit.so
(I can't recall if I tested pam_wheel with "required" rather than
"sufficient", but "required" might be a better setting).
> PAM solution 2
> ~~~~~~~~~~~~~~
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_rootok.so
> auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/pppdusers
> auth required /lib/security/pam_console.so
> session optional /lib/security/pam_xauth.so
> account required /lib/security/pam_permit.so
>
> To make this work:
>
> echo tony > /etc/pppdusers
And refine this one to:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/pppdusers
account required /lib/security/pam_permit.so
However, I'm still looking for someone who can confirm that this is
the _real_ way to do all the pam stuff to make it as secure as
possible....
> Questions:
> - is a "session" needed to be specified at all in this case?
Apparently not.
> - is pam_xauth appropriate for being used here for session?
Not really, removed.
> - is "sufficient" enough security for pam_wheel, or should "required"
> be used?
Still not sure.
> - can the order be improved? eg, pam_console BEFORE pam_wheel?
Order _is_ very important, checking pam_console before
pam_listfile or pam_wheel is indeed a much better way to do it.
Thanks for any more ideas and comments.
Oh, btw... either of these approaches will work for other /sbin and
/usr/sbin binaries once it is all set up...
# cd /usr/bin
# ln -s consolehelper tcpdump
^^^^^^^
... or whatever other programs you want to allow to be executed in
this manner.
Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> Systems Administrator, RHCE
GrowZone OnLine - regional internet services for Southern Qld
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
_______________________________________________
Redhat-devel-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
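The post's central claim is that module order matters: a "sufficient" pam_wheel placed before a "required" pam_console short-circuits the stack, so the console check never runs. The following is an added example, not code from the post, from Red Hat or from Linux-PAM itself: a small simulator of the Linux-PAM control-flag rules (required, requisite, sufficient, optional) run over the auth lines of the stacks quoted above. The per-user module outcomes are constructed scenarios, with the assumptions that pam_console succeeds only for the user logged in at the console, that pam_wheel with "trust" succeeds for members of the configured group, and that pam_listfile succeeds for users named in /etc/pppdusers; "optional" results are ignored, and a stack in which nothing succeeded is treated as a failure.

```python
"""Simulate Linux-PAM control-flag semantics over the /etc/pam.d/pppd stacks.

Added example; it does not call real PAM. Module outcomes for a given user
are supplied as a dict of constructed values.
"""

# Auth/account lines of the stacks quoted in the post (session lines and
# commented-out modules omitted).
ORIGINAL_SOLUTION_1 = """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_wheel.so trust
auth required /lib/security/pam_console.so
account required /lib/security/pam_permit.so
"""

REFINED_SOLUTION_1 = """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
auth sufficient /lib/security/pam_wheel.so trust
account required /lib/security/pam_permit.so
"""

REFINED_SOLUTION_2 = """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/pppdusers
account required /lib/security/pam_permit.so
"""


def parse_stack(text, mtype="auth"):
    """Return [(control, module_name), ...] for one management type ("auth" by default)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != mtype:
            continue
        control = fields[1]
        # "/lib/security/pam_wheel.so" -> "pam_wheel"
        module = fields[2].rsplit("/", 1)[-1].removesuffix(".so")
        stack.append((control, module))
    return stack


def evaluate(stack, outcomes):
    """Apply the Linux-PAM control-flag rules to a parsed stack.

    outcomes maps module name -> True/False (what that module would return for
    this user). Returns True if the stack as a whole grants access.
    """
    required_failed = False
    succeeded = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True      # remembered; later modules still run
        elif control == "requisite":
            if not ok:
                return False                # abort the stack immediately
            succeeded = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True                 # short-circuit: later modules never run
            # a failing "sufficient" module is simply ignored
        elif control == "optional":
            continue                        # simplified: never decisive here
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return succeeded and not required_failed


def scenario(at_console, in_group, listed, is_root=False):
    """Constructed per-user module outcomes (assumptions, see lead-in)."""
    return {
        "pam_rootok": is_root,
        "pam_console": at_console,
        "pam_wheel": in_group,
        "pam_listfile": listed,
    }


def allowed(config_text, **who):
    """Would this pam.d text let the described user run the helper?"""
    return evaluate(parse_stack(config_text), scenario(**who))


if __name__ == "__main__":
    for name, cfg in (("original 1", ORIGINAL_SOLUTION_1),
                      ("refined 1", REFINED_SOLUTION_1),
                      ("refined 2", REFINED_SOLUTION_2)):
        remote_member = allowed(cfg, at_console=False, in_group=True, listed=True)
        console_nonmember = allowed(cfg, at_console=True, in_group=False, listed=False)
        print(f"{name:10s} remote group member: {remote_member}  "
              f"console non-member: {console_nonmember}")
```

Under these assumptions the simulation reproduces the ordering point: with the original order a group member who is not at the console is granted access because the "sufficient" pam_wheel line returns before pam_console is consulted, whereas with pam_console first the earlier "required" failure is remembered and pam_wheel cannot override it. Swapping pam_wheel from "sufficient" to "required" in the refined stack is the one-line change that also denies a console user who is not in the group, which is the trade-off behind the "sufficient or required" question in the post.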