[rsbac] nsswitch and pam configuration for UM
Palon Setin
palons at danwin1210.me
Thu Dec 13 12:34:00 CET 2018
Amon Ott:
> Am 13.12.18 um 10:56 schrieb Palon Setin:
>> As per:
>> https://www.gnu.org/software/libc/
>> and more exactly --if I'm not mistaken-- since:
>> https://sourceware.org/ml/libc-alpha/2017-08/msg00010.html
>> there are no lines:
>>
>>> passwd: compat
>>> group: compat
>>> shadow: compat
>
> So what lines are there for passwd, group, shadow? Are there any? If
> not, you might just add them for rsbac.
>
> I suppose there is files instead of compat, so it should be
>
> passwd: rsbac files
> group: rsbac files
> shadow: rsbac files
>
> Our systems with glibc 2.27 work fine with
> passwd: rsbac
> group: rsbac
> shadow: rsbac
>
>
> Amon.
>
I prepared everything in the meantime, prior to downloading this email
of yours. It all shows in the previously, but freshly, prepared text below.
First, backup and modify nsswitch.
# mkdir Backup/
# cp -iav /etc/nsswitch.conf Backup/
'/etc/nsswitch.conf' -> 'Backup/nsswitch.conf'
# diff /etc/nsswitch.conf Backup/nsswitch.conf
#
# head -9 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files
group: files
shadow: files
# sed -i 's/passwd: files/passwd: rsbac files/' \
/etc/nsswitch.conf
# sed -i 's/group: files/group: rsbac files/' \
/etc/nsswitch.conf
# sed -i 's/shadow: files/shadow: rsbac files/' \
/etc/nsswitch.conf
# diff /etc/nsswitch.conf Backup/nsswitch.conf
7,9c7,9
< passwd: rsbac files
< group: rsbac files
< shadow: rsbac files
---
> passwd: files
> group: files
> shadow: files
#
Next, backup and modify /etc/pam.d/*. First, the
/etc/pam.d/common-auth.
# cat /etc/pam.d/common-auth | grep -v '^#'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
# cat /etc/pam.d/common-auth \
| grep -B3000 "pam_unix.so nullok_secure" | wc -l
17
# sensible-editor /etc/pam.d/common-auth
# diff /etc/pam.d/common-auth Backup/common-auth
17d16
< auth sufficient pam_rsbac.so
#
# cat /etc/pam.d/common-auth | grep -v '^#'
auth sufficient pam_rsbac.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
Those were the changes to /etc/pam.d/common-auth. In /etc/pam.d/
there are also /etc/pam.d/common-account,
/etc/pam.d/common-password and
/etc/pam.d/common-session to modify. common-account now.
# cp -iav /etc/pam.d/common-account Backup/
# diff /etc/pam.d/common-account Backup/
#
# cat /etc/pam.d/common-account | grep -v '^#'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
# sensible-editor /etc/pam.d/common-account
# diff /etc/pam.d/common-account Backup/
17d16
< account sufficient pam_rsbac.so
#
# cat /etc/pam.d/common-account | grep -v '^#'
account sufficient pam_rsbac.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
#
Next, /etc/pam.d/common-password.
# cp -iav /etc/pam.d/common-password Backup/
'/etc/pam.d/common-password' -> 'Backup/common-password'
# diff /etc/pam.d/common-password Backup/
# cat /etc/pam.d/common-password | grep -v '^#'
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
#
# sensible-editor /etc/pam.d/common-password
# diff /etc/pam.d/common-password Backup/
25d24
< password sufficient pam_rsbac.so
#
# cat /etc/pam.d/common-password | grep -v '^#'
password sufficient pam_rsbac.so
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
#
Last, /etc/pam.d/common-session.
# cp -iav /etc/pam.d/common-session Backup/
'/etc/pam.d/common-session' -> 'Backup/common-session'
# diff /etc/pam.d/common-session Backup/
# diff /etc/pam.d/common-session ^C
# cat /etc/pam.d/common-session | grep -v '^#'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
#
# sensible-editor /etc/pam.d/common-session
# diff /etc/pam.d/common-session Backup/
16d15
< session sufficient pam_rsbac.so
#
# cat /etc/pam.d/common-session | grep -v '^#'
session sufficient pam_rsbac.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
#
(Where it was possible, I shrank the white space for a better fit
for email, for better legibility.)
One final check:
# ls -l Backup/
total 20
-rw-r--r-- 1 root root 1208 2018-08-21 09:22 common-account
-rw-r--r-- 1 root root 1249 2018-08-21 09:22 common-auth
-rw-r--r-- 1 root root 1440 2018-08-21 09:22 common-password
-rw-r--r-- 1 root root 1156 2018-08-21 09:22 common-session
-rw-r--r-- 1 root root 494 2018-07-07 16:34 nsswitch.conf
First see if the loop will work (this can be pasted into the
reader's terminal):
# for conf in `ls -1 Backup/`; do \
if [ -e "/etc/$conf" ]; then \
ls -l /etc/$conf Backup/$conf ; \
else ls -l /etc/pam.d/$conf Backup/$conf ; \
fi ; \
done
It does show all the files correctly.
Now the show of the exact changes one last time, before I reboot and see
if this works.
# for conf in `ls -1 Backup/`; do \
if [ -e "/etc/$conf" ]; then \
ls -l /etc/$conf Backup/$conf ; \
diff /etc/$conf Backup/$conf >> this_text_for_this_email ; \
else ls -l /etc/pam.d/$conf Backup/$conf ; \
diff /etc/pam.d/$conf Backup/$conf >> this_text_for_this_email ; \
fi ; \
done
17d16
< account sufficient pam_rsbac.so
17d16
< auth sufficient pam_rsbac.so
25d24
< password sufficient pam_rsbac.so
16d15
< session sufficient pam_rsbac.so
7,9c7,9
< passwd: rsbac files
< group: rsbac files
< shadow: rsbac files
---
> passwd: files
> group: files
> shadow: files
What's the reader's bet? Is this going to work? Just one last
confirmation first, that I did the other prep right:
# rsbac_usershow -a | wc -l
580
#
# rsbac_groupshow -a | wc -l
342
#
(Just the -v switch I used, as I found it in an old doc and
mad-hacking, but it's been removed; see Amon's mail with the
directions I did it with: "rsbac_useradd -v -O" and
"rsbac_groupadd -v -O". The -v is unnecessary but also
innocuous, I think.)
(And I also did: rsbac_passwd -n root.)
Sincerely,
Palon Setin
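The two edits the thread makes (rsbac ahead of files in nsswitch.conf, and a "sufficient pam_rsbac.so" line ahead of pam_unix.so in every common-* stack) can be checked mechanically before rebooting. The script below is an added example, not code from the post or from the RSBAC project; it runs against constructed sample files in a temporary directory, with common-account deliberately left in its unmodified state so the check is seen to fail.

```shell
#!/bin/sh
# check_nsswitch FILE: returns 0 only if passwd, group and shadow each
# list "rsbac" before "files" (the order the thread settles on).
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:[[:space:]]+rsbac[[:space:]]+files" "$1" || return 1
    done
    return 0
}

# check_pam FILE TYPE: returns 0 only if a "TYPE sufficient pam_rsbac.so"
# line appears before the first TYPE line that loads pam_unix.so, since a
# "sufficient" module only short-circuits the stack if it runs first.
check_pam() {
    file=$1; type=$2
    rsbac_line=$(grep -nE "^${type}[[:space:]]+sufficient[[:space:]]+pam_rsbac\.so" "$file" \
                 | head -1 | cut -d: -f1)
    unix_line=$(grep -nE "^${type}[[:space:]].*pam_unix\.so" "$file" | head -1 | cut -d: -f1)
    [ -n "$rsbac_line" ] && [ -n "$unix_line" ] && [ "$rsbac_line" -lt "$unix_line" ]
}

# Constructed sample tree (hypothetical, stands in for /etc).
ETCDIR=$(mktemp -d)
mkdir -p "$ETCDIR/pam.d"
printf 'passwd: rsbac files\ngroup: rsbac files\nshadow: rsbac files\n' \
    > "$ETCDIR/nsswitch.conf"
printf 'auth sufficient pam_rsbac.so\nauth [success=1 default=ignore] pam_unix.so nullok_secure\nauth requisite pam_deny.so\n' \
    > "$ETCDIR/pam.d/common-auth"
# common-account left as before the edit: no pam_rsbac.so line at all.
printf 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\naccount requisite pam_deny.so\n' \
    > "$ETCDIR/pam.d/common-account"

# check_all: walks nsswitch.conf plus every common-* file present under
# ETCDIR and reports the first stack that is not wired up for rsbac.
check_all() {
    check_nsswitch "$ETCDIR/nsswitch.conf" || { echo "nsswitch.conf: rsbac not ahead of files"; return 1; }
    for t in auth account password session; do
        f="$ETCDIR/pam.d/common-$t"
        [ -f "$f" ] || continue
        check_pam "$f" "$t" || { echo "common-$t: pam_rsbac.so not ahead of pam_unix.so"; return 1; }
    done
    return 0
}
```

Point ETCDIR at /etc to run the same checks on a real system; the constructed common-account above makes check_all fail by design.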