Old 03-17-2019, 05:31 AM   #1
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,856
Blog Entries: 3

nginx auth_pam and groups


I have two questions about using Nginx's auth_pam module to allow HTTPS authorization for a particular group as per their system credentials.

I've added the following to nginx's configuration file:

Code:
        location /pamtest/ {
                auth_pam              "Test Zone";
                auth_pam_service_name "nginx";
                try_files $uri $uri/ =404;
        }

Then in /etc/pam.d/nginx:

Code:
@include common-auth
@include common-account
@include common-password
@include common-session

auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/pam.d/nginx.group.allowed

Then in the file /etc/pam.d/nginx.group.allowed, I have listed the groups allowed to log in via HTTPS. All that works, but leaves me worried:

1) The first question is if there is another way to deal with the groups. PAM does not seem to have any module that directly deals with groups and pam_listfile.so seems to be a little complicated. Is there a simpler way to have PAM authorize per system group?

2) The second question is if there is a way to avoid having the nginx user be a member of the group shadow? It seems necessary because that setup seems to use /etc/shadow. The context is that I was looking at webmin and realised that not only do I only need two of its functions but that whole circus runs as root and I won't run my scripts as root. Maybe if I have the script under FastCGI or CGI then I can use some method to launch the scripts as something other than www-data. Maybe it is easier in Apache2.

Code:
$ ps -p $(pgrep -f webmin) -o 'user,cmd'
USER     CMD
root     /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
 
Old 03-18-2019, 09:20 AM   #2
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 150

Maybe you can use pam_wheel? pam_wheel lets you specify the group name with group=.
 
Old 03-18-2019, 09:33 AM   #3
Turbocapitalist
Thanks. However, it does not seem to take. I can use pam_wheel.so to deny specific groups but otherwise it seems to let in everybody.

Maybe the syntax is wrong here?

Code:
auth       required   pam_wheel.so      group=foobar2

That looks like it should let just members of the group "foobar2" in but it lets everybody else in too.
 
Old 04-02-2019, 09:45 AM   #4
tyler2016
I am working on a similar problem on my network. I think I found a solution.

pam_succeed_if

Here is an example that allows me to su to root with no password on my Debian host:

Code:
# FILENAME: /etc/pam.d/su
auth       sufficient pam_succeed_if.so use_uid user ingroup tyler

If you want to make sure the user you are trying to log in as is in the group, omit the use_uid flag.

tyler is my regular user's primary group, but the module also works with secondary groups.

Last edited by tyler2016; 04-02-2019 at 09:47 AM.
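
Added example, not part of any post in this thread: a simplified Python model of a PAM auth stack, showing why the `sufficient` control from the su example above does not restrict a password-checked service such as the nginx one to a group, while `requisite` placed before the password check does. The group name `webadmins`, the bare `pam_unix.so` line (standing in for `@include common-auth`) and the boolean stand-ins for the module results are assumptions made for the illustration.

```python
# Added example: simplified model of how PAM walks an "auth" stack.
# Only required / requisite / sufficient are modelled; [value=action]
# controls and @include are not. "webadmins" is a placeholder group.
WEAK = """
auth sufficient pam_succeed_if.so user ingroup webadmins
auth required   pam_unix.so
"""
HARDENED = """
auth requisite  pam_succeed_if.so user ingroup webadmins
auth required   pam_unix.so
"""

def module_ok(module, in_group, password_ok):
    """Stand-in for the real modules: True means PAM_SUCCESS."""
    if module == "pam_succeed_if.so":
        return in_group        # models "user ingroup <group>"
    if module == "pam_unix.so":
        return password_ok     # models the password check
    raise ValueError(f"module not modelled: {module}")

def authenticate(stack, in_group, password_ok):
    """Return True if the auth stack as a whole would succeed."""
    failed = False     # some 'required' module has failed
    succeeded = False  # some required/requisite module has succeeded
    for line in stack.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _mtype, control, module, *_args = line.split()
        ok = module_ok(module, in_group, password_ok)
        if control == "requisite":
            if not ok:
                return False           # fail at once, skip the rest
            succeeded = True
        elif control == "required":
            failed = failed or not ok  # remember failure, keep going
            succeeded = succeeded or ok
        elif control == "sufficient":
            if ok and not failed:
                return True            # succeed at once, skip the rest
        else:
            raise ValueError(f"control not modelled: {control}")
    return succeeded and not failed

if __name__ == "__main__":
    for name, stack in (("weak", WEAK), ("hardened", HARDENED)):
        for grp, pw in ((True, True), (True, False), (False, True)):
            print(name, grp, pw, "->", authenticate(stack, grp, pw))
```

With the `sufficient` line, a group member passes without the password check being reached and a non-member still passes on a correct password; with `requisite`, only a group member with a correct password passes.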
 
  

