PAM (Linux)
From DailyWiki
PAM modules
Create new home directories
See bug #640918
Per user a different $TMPDIR
Install Debian package libpam-tmpdir:
$ sudo apt-get install libpam-tmpdir
After installation, the PAM module must be enabled with the following command so that all the necessary modifications are made:
$ sudo pam-auth-update --package tmpdir
Once the module is enabled, new user sessions get their own private tmp directory under /tmp/user:
$ ls -l /tmp
totaal 0
drwx--x--x 4 root root 80 jan 24 22:01 user
$ sudo ls -l /tmp/user
totaal 0
drwx------ 2 root root 40 jan 24 22:00 0
drwx------ 2 user1 users 40 jan 24 22:06 1000
drwx------ 2 user2 users 40 jan 24 22:03 1001
Disabling the PAM module:
$ sudo pam-auth-update --package --remove tmpdir
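The following check is an added example, not part of libpam-tmpdir or of the original page. It verifies that a tree has the layout shown in the listing above: the base directory is mode 711, and every entry is a real directory named after a numeric UID, owned by that UID, with mode 700. The function name audit_tmpdir_tree is hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: audit a libpam-tmpdir style tree against the listing above.
# Usage: audit_tmpdir_tree [base_dir] [expected_owner_uid_of_base]
# Prints one line per finding; returns 1 if anything deviates.
audit_tmpdir_tree() {
    base=${1:-/tmp/user}      # default taken from the page
    base_uid=${2:-0}          # the listing shows root as owner
    rc=0

    if [ -L "$base" ] || [ ! -d "$base" ]; then
        echo "FAIL $base: missing, not a directory, or a symlink"
        return 1
    fi

    # stat -c is GNU coreutils: %a = octal mode, %u = owner UID
    set -- $(stat -c '%a %u' "$base")
    [ "$1" = 711 ] || { echo "FAIL $base: mode $1, expected 711"; rc=1; }
    [ "$2" = "$base_uid" ] || { echo "FAIL $base: owner uid $2, expected $base_uid"; rc=1; }

    for dir in "$base"/*; do
        [ -e "$dir" ] || [ -L "$dir" ] || continue   # empty tree: glob did not match
        name=${dir##*/}
        case $name in
            ''|*[!0-9]*)
                echo "FAIL $dir: name is not a numeric UID"; rc=1; continue ;;
        esac
        # A symlink or plain file here would redirect or break a user's TMPDIR
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a real directory"; rc=1; continue
        fi
        set -- $(stat -c '%a %u' "$dir")
        [ "$1" = 700 ] || { echo "FAIL $dir: mode $1, expected 700"; rc=1; }
        [ "$2" = "$name" ] || { echo "FAIL $dir: owner uid $2, expected $name"; rc=1; }
    done
    return $rc
}
```

On a real system, run it as root, because /tmp/user is not listable by other users (mode 711).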
Cracklib
$ sudo apt-get install libpam-cracklib
$ sudo pam-auth-update --package cracklib
LDAP
$ sudo apt-get install libpam-ldapd
$ sudo pam-auth-update --package ldap
See also LDAP
Allow a service only for users in a certain POSIX group
auth required pam_succeed_if.so quiet user ingroup ac_mail
Service using PAM
Dovecot
PHP
PHP needs either root privileges or read access to /etc/shadow in order to use it. This means the web server must be able to read /etc/shadow at all times, which gives every web application access to /etc/shadow. This is NOT a good idea.
