[rsbac] nsswitch and pam configuration for UM

Palon Setin palons at danwin1210.me
Thu Dec 13 10:56:00 CET 2018


Amon Ott:
> Am 13.12.18 um 03:46 schrieb Palon Setin:
>> I have no issue compiling and installing. I'm running the latest
>> 4.19.8-rsbac.
>> But I can't find any help with configuring /etc/nsswitch.conf and
>> /etc/pam.d/*.
>> The closest I found is 7 yrs old:
>> https://www.rsbac.org/pipermail/rsbac/2011-January/002565.html
>> The tips in the rsbac-admin package don't help either, they too appear
>> to be old.
> After you imported your existing groups and users into RSBAC UM with
> rsbac_groupadd -O
> rsbac_useradd -O
> and set new passwords, which cannot be imported, with rsbac_passwd,
> you can change the nsswitch lines
> 
As per:
https://www.gnu.org/software/libc/
and more exactly --if I'm not mistaken-- since:
https://sourceware.org/ml/libc-alpha/2017-08/msg00010.html
there are no lines:

> passwd:         compat
> group:          compat
> shadow:         compat

to be changed to either of the below:

> 
> to
> 
> passwd:         rsbac
> group:          rsbac
> shadow:         rsbac
> 
> to let RSBAC translate between user names and uids. If you want to use
> both, try
> 
> passwd:         rsbac compat
> group:          rsbac compat
> shadow:         rsbac compat
> 
That apparently remains to be solved. More below.

Thanks for these:
> In /etc/pam.d/common-auth you can replace
> 
> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
> 
> or similar with
I do have:
# cat /etc/pam.d/common-auth  | grep ^auth
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

> ... with
> 
> auth    required        pam_rsbac.so

So that applies!

> to use RSBAC for authentication. common-account, common-password and
> common-session are similar. If you want to fallback to passwd/shadow, try
I do want a fallback to the common, buggy current state; the learning
curve is steep :(
> 
> auth    sufficient      pam_rsbac.so
> auth    [success=1 default=ignore]      pam_unix.so nullok_secure

so I'll probably opt for that in the first period, and after I learn, the
full rsbac login only, as per your suggestion further above.

> 
> Amon.
> 
The nsswitch is a little worrying to me though. The change that obsoletes
the "--enable-obsolete-nsl" option has been completely implemented in
Debian testing, let alone Debian unstable, and my system is
testing/unstable.

Unless I'm mistaken, and if I am, I'm sorry upfront. But my nsswitch
looks like:

# head -9 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files

I was thinking though... And I will try and change the last 3 lines of
the above to what you suggest:

passwd:         rsbac
group:          rsbac
shadow:         rsbac

and report if that works.

Sincerely,
Palon Setin
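The thread above walks through two file edits (nsswitch.conf sources and the common-auth stack) and two target states (RSBAC-only vs. fallback to pam_unix). The script below is an added example, not from the thread or the RSBAC project: two checks that report which state a given copy of each file is in, so the change can be verified before the live files under /etc are touched. The sample files are constructed here to mirror the lines quoted in the thread; the function names are my own.

```sh
# Added example: classify nsswitch.conf and common-auth copies according to the
# RSBAC UM migration discussed in the thread. Both checks take a file path.

# nss_sources FILE DB: print the sources listed for DB (passwd, group or shadow)
# with comments stripped, e.g. "rsbac compat".
nss_sources() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# nss_mode FILE: rsbac (rsbac only), fallback (rsbac first, then compat/files),
# legacy (no rsbac source) or mixed (the three databases disagree; fix before use).
nss_mode() {
    file=$1; mode=""
    for db in passwd group shadow; do
        set -- $(nss_sources "$file" "$db")
        case "$1" in
            rsbac) [ $# -eq 1 ] && m=rsbac || m=fallback ;;
            *)     m=legacy ;;
        esac
        [ -z "$mode" ] && mode=$m
        [ "$mode" = "$m" ] || mode=mixed
    done
    echo "$mode"
}

# pam_auth_mode FILE: classify the "auth" stack of a common-auth file.
#   rsbac    - pam_rsbac.so required and pam_unix.so removed (RSBAC-only login)
#   fallback - pam_rsbac.so sufficient and listed before pam_unix.so
#   unix     - pam_rsbac.so absent from the auth stack
#   other    - pam_rsbac.so present, but with a different control flag or order
pam_auth_mode() {
    sed 's/#.*//' "$1" | awk '
        $1 != "auth"    { next }
        /pam_rsbac\.so/ { rsbac = NR; ctl = $2 }
        /pam_unix\.so/  { punix = NR }
        END {
            if (!rsbac)                                             print "unix"
            else if (ctl == "required" && !punix)                   print "rsbac"
            else if (ctl == "sufficient" && punix && rsbac < punix) print "fallback"
            else                                                    print "other"
        }'
}

# Constructed samples mirroring the files quoted in the thread (not real /etc files).
S=$(mktemp -d)
printf 'passwd:  files\ngroup:  files\nshadow:  files\n' > "$S/nss-legacy"
printf 'passwd:  rsbac compat\ngroup:  rsbac compat\nshadow:  rsbac compat\n' > "$S/nss-fallback"
printf 'auth  [success=1 default=ignore]  pam_unix.so nullok_secure\nauth  requisite  pam_deny.so\n' > "$S/auth-unix"
printf 'auth  sufficient  pam_rsbac.so\n' > "$S/auth-fallback"; cat "$S/auth-unix" >> "$S/auth-fallback"
echo "nsswitch.conf: $(nss_mode "$S/nss-legacy") -> $(nss_mode "$S/nss-fallback")"
echo "common-auth:   $(pam_auth_mode "$S/auth-unix") -> $(pam_auth_mode "$S/auth-fallback")"
```

Run it against `/etc/nsswitch.conf` and `/etc/pam.d/common-auth` directly to see the live state; a "mixed" or "other" result means the edit was applied only partially.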

