O'Reilly Book Excerpts: Linux Security Cookbook

Secure Cooking with Linux, Part 3

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

Editor's note: Our previous set of recipes from Linux Security Cookbook covered two intermediate-level Linux security solutions. This week we offer recipes that fall into an advanced category. Learn how to use PAM to restrict authentication on Linux systems and how to use SMTP to accept connections from arbitrary clients securely.

Recipe 4.3, Creating Access Control Lists with PAM

Author's note: PAM (Pluggable Authentication Modules) is a flexible infrastructure for controlling authentication on Linux systems. In this recipe, taken from Chapter 4, "Authentication Techniques and Infrastructures," we show you how to restrict authentication to a given set of users by creating an access control list.

Problem

You would like to apply an access control list (ACL) to an existing service that does not explicitly support ACLs (e.g., telnetd, imapd, etc.).

Solution

Use the listfile PAM module (pam_listfile).

First, make sure the server in question uses PAM for authentication, and find out which PAM service name it uses. This may be in the server documentation, or it may be clear from examining the server itself and perusing the contents of /etc/pam.d. For example, suppose you're dealing with the IMAP mail server. First notice that there is a file called /etc/pam.d/imap. Further, the result of:

# locate imapd
...
/usr/sbin/imapd

shows that the IMAP server is in /usr/sbin/imapd, and:

# ldd /usr/sbin/imapd
libpam.so.0 => /lib/libpam.so.0 (0x40027000)
...

shows that the server is dynamically linked against the PAM library (libpam.so), also suggesting that it uses PAM. In fact, the Red Hat 8.0 IMAP server uses PAM via that service name and control file ("imap").

Continuing with this example, create an ACL file for the IMAP service, let's say /etc/imapd.acl, and make sure it is not world-writable (ideally it is owned by root with mode 0644; pam_listfile refuses to consult a world-writable ACL file and logs an error instead):

# chmod o-w /etc/imapd.acl

Edit this file, and place in it the usernames of those accounts authorized to use the IMAP server, one name per line. Then, add the following to /etc/pam.d/imap:

account required /lib/security/pam_listfile.so file=/etc/imapd.acl \
item=user sense=allow onerr=fail

With this configuration, only those users listed in the ACL file will be allowed access to the IMAP service. Because the check is made in the account phase, an unlisted user is refused even after presenting a correct password. If the ACL file is missing, PAM will deny access for all accounts (that is what onerr=fail does).

Discussion

The PAM "listfile" module is actually even more flexible than we've indicated. Entries in your ACL file can be not only usernames (item=user), but also:

  • Terminal lines (item=tty)

  • Remote host (item=rhost)

  • Remote user (item=ruser)

  • Group membership (item=group)

  • Login shell (item=shell)

The sense keyword determines how the ACL file is interpreted. sense=allow means that access will be allowed only if the configured item is in the file, and denied otherwise. sense=deny means the opposite: access will be denied only if the item is in the file, and allowed otherwise.

The onerr keyword indicates what to do if some unexpected error occurs during PAM processing of the listfile module, for instance if the ACL file does not exist. The values are succeed and fail. fail is the safer, fail-closed choice, but a typo in the file= path or an accidentally deleted ACL file will then lock every user out of the service, including you.
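The following shell script is an added example, not code from the book: it creates an ACL file with safe permissions, prints the matching /etc/pam.d stanza, and emulates the decision pam_listfile makes for a given item value so an ACL can be sanity-checked before it goes live. File paths are parameters so it runs in a scratch directory; the real files live under /etc (/etc/imapd.acl and /etc/pam.d/imap in the recipe). The names alice, bob and mallory are constructed sample data. The emulation follows the module's documented rules: a missing file falls back to onerr, a world-writable file is refused regardless of onerr, and otherwise sense decides; the apply= keyword is not modelled.

```shell
#!/bin/sh
# Added example (not from the book): set up a pam_listfile ACL safely and
# emulate the module's allow/deny decision for a given item value.
# Paths are parameters so the script runs in a scratch directory; the real
# files live under /etc (e.g. /etc/imapd.acl and /etc/pam.d/imap).

# write_acl FILE NAME...  -- one allowed name per line, mode 0644
write_acl() {
    acl=$1; shift
    umask 022                 # never create the file world-writable
    : > "$acl"
    for name in "$@"; do
        printf '%s\n' "$name" >> "$acl"
    done
    chmod 0644 "$acl"
}

# pam_line FILE ITEM SENSE -- the stanza to append to /etc/pam.d/<service>
# (bare module name; the book's /lib/security/pam_listfile.so also works)
pam_line() {
    printf 'account required pam_listfile.so file=%s item=%s sense=%s onerr=fail\n' \
        "$1" "$2" "$3"
}

# world_writable FILE -- true if "other" has write permission; that is
# position 9 of the ls -l mode string, which POSIX fixes
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = w ]
}

# listfile_decision FILE VALUE SENSE ONERR -- prints allow or deny:
#   missing file        -> onerr decides (succeed=allow, fail=deny)
#   world-writable file -> always deny (the module refuses the file)
#   otherwise           -> sense=allow permits only listed values,
#                          sense=deny blocks only listed values
listfile_decision() {
    acl=$1 value=$2 sense=$3 onerr=$4
    if [ ! -f "$acl" ]; then
        if [ "$onerr" = succeed ]; then echo allow; else echo deny; fi
        return 0
    fi
    if world_writable "$acl"; then
        echo deny
        return 0
    fi
    if grep -qxF -- "$value" "$acl"; then listed=yes; else listed=no; fi
    case "$sense:$listed" in
        allow:yes|deny:no) echo allow ;;
        *)                 echo deny ;;
    esac
}

# Demonstration in a scratch directory (constructed names, not real accounts)
work=$(mktemp -d)
write_acl "$work/imapd.acl" alice bob
pam_line "$work/imapd.acl" user allow
listfile_decision "$work/imapd.acl" alice allow fail       # allow
listfile_decision "$work/imapd.acl" mallory allow fail     # deny: not listed
listfile_decision "$work/missing.acl" alice allow fail     # deny: onerr=fail
listfile_decision "$work/missing.acl" alice allow succeed  # allow: onerr=succeed
chmod o+w "$work/imapd.acl"
listfile_decision "$work/imapd.acl" alice allow fail       # deny: world-writable
rm -rf "$work"
```

To use it against a real ACL, call listfile_decision with the path from your file= parameter and the item value a client would present; the missing-file and world-writable cases are the two that most often surprise people after a deployment, so check them before the PAM line is added.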

Another keyword, apply=[user|@group], limits the restriction in question to apply only to particular users or groups. This is intended for use with the tty, rhost, and shell items. For example, using item=rhost and apply=@foo would restrict access to connections from hosts listed in the ACL file, and furthermore only to local accounts in the foo group.

To debug problems with PAM modules, look for PAM-specific error messages in /var/log/messages and /var/log/secure. (If you don't see the expected messages, check your system logger configuration. [Recipe 9.28])

Note that not all module parameters have defaults. Specifically, the file, item, and sense parameters must be supplied; if not, the module will fail with an error message like:

Dec  2 15:49:21 localhost login: PAM-listfile: Unknown sense or sense not specified

You generally do not need to restart servers using PAM: they usually re-initialize the PAM library for every authentication and reread your changed files. However, there might be exceptions.

There is no standard correspondence between a server's name and its associated PAM service. For instance, logins via Telnet are actually mediated by /bin/login, and thus use the login service. The SSH server sshd uses the same-named PAM service (sshd), whereas the IMAP server imapd uses the imap (with no "d") PAM service. And many services in turn depend on other services, notably system-auth.

See Also

See /usr/share/doc/pam-*/txts/README.pam_listfile for a list of parameters to tweak (on current distributions the same material is in the pam_listfile(8) manual page).
