LinuxQuestions.org
Old 03-16-2006, 02:31 AM   #1
pvs
Member
 
Registered: Jan 2005
Location: Lviv, Ukraine
Distribution: Something self-made
Posts: 69

Rep: Reputation: 16
PAM assistance needed


I need to set up PAM to behave in such a way: when a user ID meets some condition, the user should be chroot'ed to some directory.
I tried this:
Code:
session     required    pam_limits.so
session     required    pam_unix.so
session     requisite   pam_succeed_if.so uid > 50000
session     sufficient  pam_chroot.so debug chroot_dir=/opt/MYHOME
but it simply does not allow login.

When I change requisite to required, it chroots everyone.

Any suggestions?

P.S. (This may help) There is the new PAM syntax, but it does something strange for me.
 
Old 03-16-2006, 06:54 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Prolly stupid questions, but:
- is your /etc/security/chroot.conf populated properly,
- does the system really contain UIDs over 5K,
- are you sure you can use succeed_if in session directives (instead of auth and account: see the doc), and
- did you try other constructions like "ingroup somegroup"?
 
Old 03-16-2006, 07:28 AM   #3
pvs
Member
 
Registered: Jan 2005
Location: Lviv, Ukraine
Distribution: Something self-made
Posts: 69

Original Poster
Rep: Reputation: 16
- When the chroot_dir parameter is specified there is no need for chroot.conf, but I tried using the configuration file instead of the parameter: the same behaviour.
- Yes. I made them for testing this authentication. When I solve this problem there will be more such users.
- The problem is not in the condition construction. The problem is in PAM:
when requisite is specified, it fails for users below 50000, and when anything else is specified, it chroots everybody.
 
Old 03-16-2006, 10:47 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by pvs
problem is not in condition construction.
First things first. I haven't seen if_succeed in session config *anywhere* and the doc doesn't suggest it either. If I set it up as part of session then my logs show "module unknown" and "unable to resolve symbol: pam_sm_{open,close}_session" (sm for Session Management I guess). If I set it up as part of auth, however, it works OK, showing "pam_succeed_if: requirement "uid > 10000" not met by user x".

* If you're convinced it works for you anyway I'd be interested to see the loglines PAM spits out, preferably one time tested with "requisite" and one time with "required".
 
Old 03-16-2006, 11:20 AM   #5
pvs
Member
 
Registered: Jan 2005
Location: Lviv, Ukraine
Distribution: Something self-made
Posts: 69

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by unSpawn
* If you're convinced it works for you anyway
It does not work. That's why I posted this question here.

You are right. It doesn't work in the session section.

Probably I'll simply add those users to some group and configure pam_chroot to chroot only that group.
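
An added example (not part of the thread and not any poster's code): a simplified Python model of how Linux-PAM walks a session stack, run over the stack from post #1 to show why `requisite` denies login for low UIDs, why `required` still invokes pam_chroot for everyone, and how a bracket-syntax jump skips it. It assumes pam_succeed_if can evaluate the condition in a session stack, which post #4 reports was not the case on the system tested there; `run_stack`, `stack` and `JUMP` are names made up for this example.

```python
# Simplified model of Linux-PAM dispatch for pam_open_session (added example).
# Control flags are expanded to the bracket-form actions listed in pam.conf(5).
FLAGS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
JUMP = {"success": "ignore", "default": 1}   # i.e. [success=ignore default=1]

def run_stack(entries, uid):
    """Return (session_ok, modules_invoked) for one stack and one UID."""
    failed, positive, invoked, skip = False, False, [], 0
    for control, module, check in entries:
        if skip:                        # jumped over by an earlier N action
            skip -= 1
            continue
        invoked.append(module)          # side effects (e.g. chroot) happen here
        actions = FLAGS[control] if isinstance(control, str) else control
        action = actions["success" if check(uid) else "default"]
        if isinstance(action, int):     # jump N: contributes nothing to the result
            skip = action
        elif action in ("ok", "done"):
            positive = True
            if action == "done" and not failed:
                break                   # sufficient: stop early on success
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break                   # requisite: stop at first failure
    return (positive and not failed), invoked

def stack(succeed_if_control):
    """The stack from post #1; only the pam_succeed_if control varies."""
    always = lambda uid: True           # assumption: these modules succeed
    return [
        ("required", "pam_limits", always),
        ("required", "pam_unix", always),
        (succeed_if_control, "pam_succeed_if", lambda uid: uid > 50000),
        ("sufficient", "pam_chroot", always),
    ]

if __name__ == "__main__":
    for name, ctl in (("requisite", "requisite"), ("required", "required"),
                      ("jump", JUMP)):
        for uid in (1000, 60000):       # constructed sample UIDs
            print(name, uid, run_stack(stack(ctl), uid))
```

In configuration form the third variant corresponds to `session [success=ignore default=1] pam_succeed_if.so uid > 50000` placed directly before the pam_chroot line.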
 
  

