[rsbac] nsswitch and pam configuration for UM

Palon Setin palons at danwin1210.me
Thu Dec 13 12:34:00 CET 2018


Amon Ott:
> Am 13.12.18 um 10:56 schrieb Palon Setin:
>> As per:
>> https://www.gnu.org/software/libc/
>> and more exactly --if I'm not mistaken-- since:
>> https://sourceware.org/ml/libc-alpha/2017-08/msg00010.html
>> there are no lines:
>>
>>> passwd:         compat
>>> group:          compat
>>> shadow:         compat
> 
> So what lines are there for passwd, group, shadow? Are there any? If
> not, you might just add them for rsbac.
> 
> I suppose there is files instead of compat, so it should be
> 
> passwd:         rsbac files
> group:          rsbac files
> shadow:         rsbac files
> 
> Our systems with glibc 2.27 work fine with
> passwd:         rsbac
> group:          rsbac
> shadow:         rsbac
> 
> 
> Amon.
> 
I prepared everything in the meantime, prior to downloading this email
of yours. It all shows in the text below, which I prepared earlier but freshly.

First, backup and modify nsswitch.

# mkdir Backup/
# cp -iav /etc/nsswitch.conf Backup/
'/etc/nsswitch.conf' -> 'Backup/nsswitch.conf'
# diff /etc/nsswitch.conf Backup/nsswitch.conf
#
# head -9 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
# sed -i 's/passwd:         files/passwd:         rsbac files/' \
    /etc/nsswitch.conf
# sed -i 's/group:          files/group:          rsbac files/' \
    /etc/nsswitch.conf
# sed -i 's/shadow:         files/shadow:         rsbac files/' \
        /etc/nsswitch.conf
# diff /etc/nsswitch.conf Backup/nsswitch.conf
7,9c7,9
< passwd:         rsbac files
< group:          rsbac files
< shadow:         rsbac files
---
> passwd:         files
> group:          files
> shadow:         files
#

Next, backup and modify /etc/pam.d/*. First, the
/etc/pam.d/common-auth.

# cat /etc/pam.d/common-auth  | grep -v '^#'

auth    [success=1 default=ignore]   pam_unix.so nullok_secure
auth    requisite                    pam_deny.so
auth    required                     pam_permit.so
auth    optional                     pam_cap.so
# cat /etc/pam.d/common-auth  \
    | grep -B3000 "pam_unix.so nullok_secure" | wc -l
17
# sensible-editor /etc/pam.d/common-auth
# diff /etc/pam.d/common-auth Backup/common-auth
17d16
< auth  sufficient                                 pam_rsbac.so
#
# cat /etc/pam.d/common-auth  | grep -v '^#'

auth    sufficient                                 pam_rsbac.so
auth    [success=1 default=ignore]     pam_unix.so nullok_secure
auth    requisite                      pam_deny.so
auth    required                       pam_permit.so
auth    optional                       pam_cap.so


Those were the changes to /etc/pam.d/common-auth. In /etc/pam.d/
there are also /etc/pam.d/common-account,
/etc/pam.d/common-password and
/etc/pam.d/common-session to modify. common-account now.

# cp -iav /etc/pam.d/common-account  Backup/
# diff /etc/pam.d/common-account  Backup/
#
# cat /etc/pam.d/common-account  | grep -v '^#'

account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
# sensible-editor /etc/pam.d/common-account
# diff /etc/pam.d/common-account  Backup/
17d16
< account sufficient                               pam_rsbac.so
#
# cat /etc/pam.d/common-account  | grep -v '^#'

account sufficient                                  pam_rsbac.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
#

Next, /etc/pam.d/common-password.

# cp -iav /etc/pam.d/common-password  Backup/
'/etc/pam.d/common-password' -> 'Backup/common-password'
# diff /etc/pam.d/common-password  Backup/
# cat /etc/pam.d/common-password  | grep -v '^#'

password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
#
# sensible-editor /etc/pam.d/common-password
# diff /etc/pam.d/common-password  Backup/
25d24
< password      sufficient                      pam_rsbac.so
#
# cat /etc/pam.d/common-password  | grep -v '^#'

password  sufficient                  pam_rsbac.so
password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
#

Last, /etc/pam.d/common-session.

# cp -iav /etc/pam.d/common-session  Backup/
'/etc/pam.d/common-session' -> 'Backup/common-session'
# diff /etc/pam.d/common-session  Backup/
# diff /etc/pam.d/common-session  ^C
# cat /etc/pam.d/common-session  | grep -v '^#'

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so
#
# sensible-editor /etc/pam.d/common-session
# diff /etc/pam.d/common-session  Backup/
16d15
< session       sufficient                      pam_rsbac.so
#
# cat /etc/pam.d/common-session  | grep -v '^#'

session sufficient                      pam_rsbac.so
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so
#

( Where it was possible, I shrank the white space for a better fit
for email, for better legibility. )

One final check:

# ls -l Backup/
total 20
-rw-r--r-- 1 root root 1208 2018-08-21 09:22 common-account
-rw-r--r-- 1 root root 1249 2018-08-21 09:22 common-auth
-rw-r--r-- 1 root root 1440 2018-08-21 09:22 common-password
-rw-r--r-- 1 root root 1156 2018-08-21 09:22 common-session
-rw-r--r-- 1 root root  494 2018-07-07 16:34 nsswitch.conf

First see if the loop will work (this can be pasted into the
reader's terminal):

# for conf in `ls -1 Backup/`; do \
        if [ -e "/etc/$conf" ]; then \
                ls -l /etc/$conf Backup/$conf ; \
        else ls -l /etc/pam.d/$conf Backup/$conf ; \
        fi ; \
done

It does show all the files correctly.

Now showing the exact changes one last time, before I reboot and see
if this works.

# for conf in `ls -1 Backup/`; do \
        if [ -e "/etc/$conf" ]; then \
                ls -l /etc/$conf Backup/$conf ; \
                diff /etc/$conf Backup/$conf >> this_text_for_this_email; \
        else ls -l /etc/pam.d/$conf Backup/$conf ; \
                diff /etc/pam.d/$conf Backup/$conf >> this_text_for_this_email ; \
        fi ; \
done
17d16
< account       sufficient                              pam_rsbac.so
17d16
< auth  sufficient                                      pam_rsbac.so
25d24
< password      sufficient                      pam_rsbac.so
16d15
< session       sufficient                      pam_rsbac.so
7,9c7,9
< passwd:         rsbac files
< group:          rsbac files
< shadow:         rsbac files
---
> passwd:         files
> group:          files
> shadow:         files

What's the reader's bet? Is this going to work? Just one last
confirmation first, that I did other prep right:

# rsbac_usershow -a | wc -l
580
#
# rsbac_groupshow -a | wc -l
342
#

(just the -v switch I used, as I found it in old doc and
mad-hacking, but it's been removed, see Amon's mail with the
directions I did it with: "rsbac_useradd -v -O" and
"rsbac_groupadd -v -O", the -v is unnecessary but also
innocuous, I think.)

(and I also did: rsbac_passwd -n root)

Sincerely,
Palon Setin
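An added example, not code from this thread or from the RSBAC project: the same nsswitch.conf and /etc/pam.d/common-* edits done as idempotent functions, plus checks that rsbac really comes first, exercised on constructed copies of the files in a temp dir. It assumes GNU sed, grep and awk; file paths are parameters, so it never has to touch the live /etc.

```shell
#!/bin/sh
# Added example (not from the thread): list the rsbac NSS module first for
# passwd/group/shadow and put "<type> sufficient pam_rsbac.so" as the first
# line of its type in Debian's common-* PAM files, then verify the order.
# Assumes GNU sed/grep/awk.

enable_rsbac_nss() {    # $1 = nsswitch.conf; lines already naming rsbac are left alone
    sed -i -E '/^(passwd|group|shadow):/{/\brsbac\b/!s/^([a-z]+:[[:space:]]*)/\1rsbac /;}' "$1"
}

enable_rsbac_pam() {    # $1 = PAM file, $2 = auth|account|password|session
    grep -qE "^$2[[:space:]]+sufficient[[:space:]]+pam_rsbac\.so" "$1" && return 0
    # Insert ahead of the first non-comment line of this type, as the thread does by hand.
    sed -i -E "0,/^$2[[:space:]]/s//$2 sufficient pam_rsbac.so\n&/" "$1"
}

check_rsbac_nss() {     # 0 iff passwd, group and shadow all start with rsbac
    [ "$(grep -cE '^(passwd|group|shadow):[[:space:]]+rsbac\b' "$1")" -eq 3 ]
}

check_rsbac_pam() {     # 0 iff a pam_rsbac.so line precedes pam_unix.so for type $2
    awk -v t="$2" '$1==t && /pam_rsbac\.so/ {r=NR} $1==t && /pam_unix\.so/ {u=NR}
                   END {exit !(r && u && r<u)}' "$1"
}

demo() {    # constructed copies of the files in a temp dir, configured and checked
    d=$(mktemp -d) || return 1
    printf 'passwd:         files\ngroup:          files\nshadow:         files\nhosts: files dns\n' >"$d/nsswitch.conf"
    printf '# comment\nauth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\nauth\trequisite\tpam_deny.so\n' >"$d/common-auth"
    printf 'session\t[default=1]\tpam_permit.so\nsession\trequired\tpam_unix.so\n' >"$d/common-session"
    enable_rsbac_nss "$d/nsswitch.conf"; enable_rsbac_nss "$d/nsswitch.conf"   # 2nd run is a no-op
    enable_rsbac_pam "$d/common-auth" auth; enable_rsbac_pam "$d/common-auth" auth
    enable_rsbac_pam "$d/common-session" session
    check_rsbac_nss "$d/nsswitch.conf" || return 1
    check_rsbac_pam "$d/common-auth" auth || return 1
    check_rsbac_pam "$d/common-session" session || return 1
    [ "$(grep -c pam_rsbac "$d/common-auth")" -eq 1 ] || return 1   # idempotent
    [ "$(grep -c rsbac "$d/nsswitch.conf")" -eq 3 ] || return 1     # hosts line untouched
    rm -rf "$d"
}
```

Running `demo` exits 0 only when every file ends up with rsbac ahead of files/pam_unix.so exactly once; the check functions can be pointed at the real /etc files after a change to confirm the ordering before rebooting.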
