LinuxQuestions.org
Old 10-01-2009, 09:50 AM   #1
MarkFilipak
LQ Newbie
 
Registered: Oct 2009
Location: U.S.A.
Posts: 26

Rep: Reputation: 2
Four security (and related) questions


In /etc/imapd.conf I see lines like this:
Quote:
configdirectory: /var/lib/imap
But in /etc/pam.d/sshd I see lines like this:
Quote:
auth required pam_stack.so service=system-auth
While in /etc/pam.d/authconfig I see lines like this:
Quote:
auth sufficient /lib/security/$ISA/pam_rootok.so
Q1: Is there any standard regarding when to use colon vs. no-colon and full path vs. no-path?

Q2: I know what $ISA is all about - what a hack! - but ISA is not an environmental variable, so where does it come from?

Q3: For those people (like me) who do not have source header files, is there a standard, universal argument to get daemons to dump their default settings? And, if not, wouldn't it be a good idea to add such a standard, universal argument?

Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)

Thanks -- Mark
 
Old 10-01-2009, 11:40 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650
Hi Mark,

A1. There is no standard because the format of these files is different for each application; it is whatever the developer wants it to be.

A2. It's a variable specifically used by the application; variables don't have to exist globally.

A3. No, there isn't. It may be a good idea but I don't think you'll get every possible development group/individual to agree with you. There are GNU coding standards http://www.gnu.org/prep/standards/ as well, but who's going to enforce adherence? These are guidelines, not laws...

A4. None... only the group that applies to the request is processed.

Good luck on your journey,

kbp
 
Old 10-01-2009, 02:10 PM   #3
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 122
What kbp said is true, but I'm going to try to expand a bit here:
Quote:
Originally Posted by MarkFilipak
Q1: Is there any standard regarding when to use colon vs. no-colon and full path vs. no-path?
Applications can define their own file formats. Most file formats are very basic and fairly self-documenting. Part of the reason this is done is because the logic required to parse a config file can be large compared to a small application, so a simpler parser helps keep things down. (This is one of the reasons why PAM is done the way it is.)
Quote:
Q2: I know what $ISA is all about - what a hack! - but ISA is not an environmental variable, so where does it come from?
Yes, $ISA is a pretty elegant way to address this. It's replaced by the pam library with the "Instruction Set Architecture" family.
Quote:
Q3: For those people (like me) who do not have source header files, is there a standard, universal argument to get daemons to dump their default settings? And, if not, wouldn't it be a good idea to add such a standard, universal argument?
The man pages for most daemons document the default values. And do you really want to start a daemon with default values, even if you're dumping those values in the process?
Quote:
Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)
Processed first? They're processed depending on the situation. "auth" is processed when authenticating as a user. "account" is for changing account settings. "password" is how the password for the account is updated. And finally, "session" is run for each newly created session (X session, shell, etc.)
 
Old 10-01-2009, 08:42 PM   #4
MarkFilipak
LQ Newbie
 
Registered: Oct 2009
Location: U.S.A.
Posts: 26

Original Poster
Rep: Reputation: 2
Thank you gentlemen. May I follow up on one point?
Quote:
Originally Posted by Matir
Quote:
Q4: In PAM, what is processed first: auth, account, password, or session? (Note: wouldn't it make sense to pam_warn only the one that's processed first?)
Processed first? They're processed depending on the situation. "auth" is processed when authenticating as a user. "account" is for changing account settings. "password" is how the password for the account is updated. And finally, "session" is run for each newly created session (X session, shell, etc.)
Oops! I should have been more specific. I assume that an unauthorized user (hacker) would first have to log in. Thus, in /etc/pam.d/other, though it would be a good idea to pam_deny all four: auth, account, password, and session, I really only need to pam_warn for auth. Is that sound thinking? Much thanks -- Mark

Last edited by MarkFilipak; 10-01-2009 at 08:50 PM.
 
Old 10-01-2009, 08:51 PM   #5
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,330

Rep: Reputation: 227
The chance of getting hacked is very low in Linux
and not that high in Windows with a decent firewall.
As for viruses, a big problem, they are almost nonexistent in Linux.
 
Old 10-01-2009, 09:03 PM   #6
MarkFilipak
LQ Newbie
 
Registered: Oct 2009
Location: U.S.A.
Posts: 26

Original Poster
Rep: Reputation: 2
Regarding paths in directives...

In my system, /etc/pam.d/sshd (in part) shows this:
Quote:
auth required pam_stack.so service=system-auth
while /etc/pam.d/other (in part) shows this:
Quote:
auth required /lib/security/$ISA/pam_deny.so
When should the full path be used and how would I know? Thanks -- Mark
 
Old 10-01-2009, 10:28 PM   #7
MarkFilipak
LQ Newbie
 
Registered: Oct 2009
Location: U.S.A.
Posts: 26

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by smeezekitty
The chance of getting hacked is very low in Linux and not that high in Windows with a decent firewall. As for viruses, a big problem, they are almost nonexistent in Linux.
Ummm... The chance is low if I have my system set up properly. Of course, that's what I'm trying to do. Re: firewalls, I'm utterly convinced that a firewall is not needed (in Windows XP clients) if and only if accounts and permissions are properly set up. I hope to prove that contention in the near future with a system that has three users: Worker, Surfer, and Wizard. Worker has no network and has ordinary user permissions. Surfer has a network, but cannot write anything except email and a download directory and cannot install anything. Wizard has administrator privileges but is intended only to install programs, updates, and patches. A login script automatically virus scans everything new in the download directory whenever Wizard logs in. Comments are welcome. Ciao -- Mark
 
Old 10-01-2009, 10:59 PM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 122
Quote:
Originally Posted by MarkFilipak
Thank you gentlemen. May I follow up on one point? Oops! I should have been more specific. I assume that an unauthorized user (hacker) would first have to log in. Thus, in /etc/pam.d/other, though it would be a good idea to pam_deny all four: auth, account, password, and session, I really only need to pam_warn for auth. Is that sound thinking? Much thanks -- Mark
You really don't need to use pam_deny OR pam_warn if you have your authentication set up properly. IMO, pam_warn is mainly useful for debugging as it shows all the values pam is considering. An unauthorized user would only hit auth, and that should be protected by modules like pam_unix.
 
Old 10-01-2009, 11:03 PM   #9
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 122
Quote:
Originally Posted by MarkFilipak
Regarding paths in directives...

When should the full path be used and how would I know? Thanks -- Mark
Honestly, it seems to be a distribution thing. On Ubuntu, the paths are /lib64/security and /lib/security, and PAM automatically handles it. RH-based distros seem to prefer /lib/security/$ISA.

Most of the time, you should be fine with the shortname.
 
Old 10-02-2009, 12:53 AM   #10
MarkFilipak
LQ Newbie
 
Registered: Oct 2009
Location: U.S.A.
Posts: 26

Original Poster
Rep: Reputation: 2
I hesitate to press the point as you obviously are a generous person, but I'm honestly mystified.
Quote:
Originally Posted by Matir
Honestly, it seems to be a distribution thing. On Ubuntu, the paths are /lib64/security and /lib/security, and PAM automatically handles it. RH-based distros seem to prefer /lib/security/$ISA.
I understand that the paths will be different in differing distributions, but this is important and I don't understand what's "under the hood".

It seems that /etc/pam.d/sshd somehow knows that, in a directive like "auth required pam_stack.so service=system-auth", pam_stack.so is located at /lib/security/$ISA/pam_stack.so. How does it know that? And if PAM has such a mechanism that somehow knows it, why does /etc/pam.d/other use full paths? Is it that I'm just missing something? Thanks for your time. Ciao -- Mark
 
Old 10-02-2009, 03:02 AM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
Quote:
module-path is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location: /lib/security/ or /lib64/security/, depending on the architecture.
http://linux.die.net/man/5/pam.conf
http://osdir.com/ml/linux.pam/2007/msg00401.html
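
The module-path rule quoted from pam.conf(5) in the last post, as an added example that is not part of the original thread or of PAM itself: a Python sketch that parses pam.d rule lines like those quoted above, resolves each module-path by that rule, and reports whether the result lies in a default module directory. The `isa` parameter is an assumed stand-in for whatever the PAM library substitutes for `$ISA` on a given system, and the `/opt/example` line is constructed.

```python
import posixpath

MGMT_GROUPS = {"auth", "account", "password", "session"}

def parse_pam_line(line):
    """Split one /etc/pam.d/<service> rule into (type, control, module, args)."""
    fields = line.split("#", 1)[0].split()
    if not fields or fields[0].startswith("@"):   # blank, comment, @include
        return None
    mgmt = fields[0].lstrip("-")   # leading "-" only silences missing-module logging
    end = 1
    if len(fields) > 1 and fields[1].startswith("["):
        # bracketed control such as [success=1 default=ignore] contains spaces
        while end < len(fields) - 1 and not fields[end].endswith("]"):
            end += 1
    if mgmt not in MGMT_GROUPS or end + 1 >= len(fields):
        raise ValueError("not a pam.d rule: %r" % line)
    return mgmt, " ".join(fields[1:end + 1]), fields[end + 1], fields[end + 2:]

def resolve_module(module, default_dir="/lib/security", isa=""):
    """Apply the pam.conf(5) rule: a leading '/' means a full filename,
    anything else is relative to the default module location.
    isa is an assumed value for $ISA, not read from the PAM library."""
    path = module.replace("$ISA", isa)
    if not path.startswith("/"):
        path = posixpath.join(default_dir, path)
    return posixpath.normpath(path)

def audit(lines, default_dir="/lib/security", isa="",
          module_dirs=("/lib/security", "/lib64/security")):
    """Return (type, control, resolved path, in a default module dir?) per rule."""
    report = []
    for line in lines:
        rule = parse_pam_line(line)
        if rule is not None:
            mgmt, control, module, _args = rule
            path = resolve_module(module, default_dir, isa)
            report.append((mgmt, control, path,
                           posixpath.dirname(path) in module_dirs))
    return report

# First three lines are quoted in the thread; the last is constructed.
SAMPLE = [
    "auth required pam_stack.so service=system-auth",
    "auth sufficient /lib/security/$ISA/pam_rootok.so",
    "auth required /lib/security/$ISA/pam_deny.so",
    "auth required /opt/example/pam_custom.so   # constructed: outside module dirs",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

With the defaults, the short name and the `$ISA` full paths from the thread resolve into the same directory, which is why both spellings load the same module; only the constructed `/opt/example` rule is reported as outside the default module directories.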
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration