[wplug] pam_group.so (was samba "machines" group)

Chester R. Hosey Chester.Hosey at gianteagle.com
Thu Jun 30 09:12:46 EDT 2005


On Wed, 2005-06-29 at 22:32 -0400, Dane Miller wrote:
> On Wed, 2005-06-29 at 17:04 -0400, Chester R. Hosey wrote:
> > Edit /etc/pam.d/login, enabling the pam_group.so module (there
> > should be a commented entry by default), and
> > edit /etc/security/group.conf to add anyone logging in on tty* to the
> > proper group at login time. This makes users members of given groups
> > based on the terminal from which they're logging in, and doesn't depend
> > on GID at all, only group name. This is probably closest to what you're
> > trying to accomplish, and is easier than remapping IDs on either system.
> 
> This is a great tip :)  After some fussing with group.conf, I have this
> up and running.  In my case I'm using pam_group.so in /etc/pam.d/gdm in
> addition to /etc/pam.d/login... that stumped me for several minutes
> while I banged on Gnome to let me hear sound.  

Glad to help, although I should have mentioned that certain other
services (such as gdm) might have to be updated as well.

> My /etc/security/group.conf line (with initial comment) is:
> # services;ttys;users;times;groups
>    *;*;*;Al0000-2400;floppy, cdrom, audio, video, dialout, dip, plugdev,
> scanner
> 
> I'm not sure about the security implications of all those *'s.  But I'm
> really happy not having to fight with NIS and system GIDs.

I'd probably try to trim that down somewhat -- try "tty*" in place of
the second *. Basically you're allowing anyone authenticated using PAM
facility "login" or "gdm" to access certain groups intended to be local.

You should be *mostly* safe, except that gdm may or may not be listening
on the network. Without tty restriction malicious users could connect to
gdm remotely to start a session and connect as if they were local.

However, the pam_group is more a convenience than a full security
feature, as a user could log in locally and get access to a local group,
create a setgid binary in their home directory, and later log in
remotely and execute the binary to promote themselves to members of the
group. You could detect this and punish the users involved, however, if
they were savvy enough to even pull it off.

> Thanks for the help,
> Dane

Glad to help.
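The thread's advice boils down to narrowing the ttys field in group.conf so that tty* console logins get the local groups and a network-reachable service does not. Below is an added audit script (not from the list, and not part of pam_group itself) that reads a group.conf and flags every rule whose ttys field is "*"; the sample file it checks is constructed from Dane's posted line and the narrower form suggested above, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a pam_group /etc/security/group.conf for rules whose
# ttys field is "*", i.e. rules that hand out group membership on any
# terminal, including sessions a network-reachable service could start.
# Field order follows the file's own comment: services;ttys;users;times;groups

# Reads a group.conf on stdin; prints "line N: <entry>" for each rule whose
# ttys field is "*". Always returns 0 so it composes in pipelines.
audit_group_conf() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}                       # drop trailing comments
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$entry" ] && continue             # blank or comment-only line
        ttys=$(printf '%s' "$entry" | cut -d';' -f2 | tr -d '[:space:]')
        if [ "$ttys" = "*" ]; then
            printf 'line %s: %s\n' "$n" "$entry"
        fi
    done
}

# Constructed sample: Dane's line as posted (any service, any terminal),
# then the same groups restricted to tty* for the login and gdm services.
sample_group_conf() {
    cat <<'EOF'
# services;ttys;users;times;groups
   *;*;*;Al0000-2400;floppy, cdrom, audio, video, dialout, dip, plugdev, scanner
login;tty*;*;Al0000-2400;floppy, cdrom, audio, video, dialout, dip, plugdev, scanner
gdm;tty*;*;Al0000-2400;audio, video
EOF
}

# Number of flagged rules in the sample; only the "*;*;*" line should match.
count_risky_rules() {
    sample_group_conf | audit_group_conf | wc -l | tr -d ' '
}

count_risky_rules
```

Run it against the real file with `audit_group_conf < /etc/security/group.conf`; an empty result means every rule is already bound to a tty pattern.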
