How to set home directories/shells?

From: Andy Gayton (andythecablelounge.com)
Date: Sat Dec 20 2003 - 18:58:20 CST


Hi All,

I only found out about pam yesterday, so I'm probably just after a good newbie tutorial.

I'm setting up an imap/sftp service which people can sign up for over the web. I can manually set up users and all is working great. I use scponly to restrict clients to sftp access only and to chroot them to their home directory. I'm using qmail/bincimap to receive mail and to offer imap access.

Since this is a web sign up service though, the httpd user really needs to be able to create new users and allow users to change passwords. The idea of having the httpd user able to modify the system password file scares me senseless.

I was hoping to use pam to set up a second password file and to change the sshd and checkpassword-pam (for bincimap) authentication configs to something like:

* authenticate with control-flag sufficient against the second, less secure password file; if authentication succeeds, hardcode the shell so it can only ever be /usr/local/sbin/scponlyc and the home directory so it can only ever be /wwwusers/<username>//incoming (the '//' part will cause scponly to chroot the user to /wwwusers/<username>)
* authenticate with control-flag required, using the usual sshd and checkpassword-pam configs, which work off the system passwd files.

This way, if the httpd account is compromised, all someone would be able to do is give themselves an area in /wwwusers with sftp and imap access, and trash other people's /wwwusers directories.

Something like pam_pwdfile looks perfect to get me started - but in its README it mentions:

------
The /etc/pam.d/imap looks like this (e.g.)
#%PAM-1.0
auth required /lib/security/pam_pwdfile.so pwdfile /etc/imap.passwd
account required /lib/security/pam_pwdb.so
....
Note that we still expect users to have accounts in the usual place, as we
make use of the pam_pwdb.so module for the account service.
-------

This seems like it still takes the shell/home directory/groups from the system password file.

Is there any way of having the shell/home directory/groups info hardcoded if the user authenticates against the insecure password file, and taken as normal if they authenticate against the system password file?

Is this approach even a good way to go?

Any help is greatly appreciated,
Andy.

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list
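The stack proposed in the post, walked through as an added example (this is not code from the post, from pam_pwdfile or from Linux-PAM). It emulates how PAM evaluates a list of `auth` modules under the `sufficient` and `required` control flags, with two constructed password files: one that httpd may write and one standing in for the system file. The hashes are SHA-256 stand-ins for the crypt(3) hashes pam_pwdfile really stores (an assumption made so the example runs offline), and `session_for` models the policy the post asks for, forcing the shell and a `//`-style chrooted home for web-file logins. PAM itself does not supply home or shell; those come from the passwd database via NSS, which is why the quoted README still expects a system account. The last call in `main` shows the caveat that `sufficient` on the web file lets any username in that file win, including one that collides with a system account, which is exactly why the forced shell matters.

```python
import hashlib
import hmac

SCPONLY_SHELL = "/usr/local/sbin/scponlyc"


def _h(password: str) -> str:
    # Assumption: SHA-256 stands in for the crypt(3) hash a real pwdfile holds.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data, keyed like the "user:hash" lines of a pwdfile.
WEB_PWDFILE = {"alice": _h("alice-web-pass")}                       # the file httpd may write
SYSTEM_PWDFILE = {"bob": _h("bob-sys-pass"), "root": _h("root-pass")}  # the system file
SYSTEM_PASSWD = {"bob": ("/home/bob", "/bin/sh"), "root": ("/root", "/bin/sh")}


def check_pwdfile(db, user, password):
    """Emulate pam_pwdfile: succeed only if the user is listed here and the hash matches."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, _h(password))


def run_auth_stack(stack, user, password):
    """Walk an auth stack with Linux-PAM's classic 'sufficient'/'required' semantics.

    stack is a list of (control_flag, module, name). Returns (ok, name) where name
    is the module whose success decided the result, or (False, None).
    """
    required_failed = False
    first_success = None
    for flag, module, name in stack:
        ok = module(user, password)
        if ok and first_success is None:
            first_success = name
        if flag == "sufficient":
            if ok and not required_failed:
                return True, name  # short-circuits: later modules are never consulted
            # a failing 'sufficient' module is simply ignored; keep walking
        elif flag == "required":
            if not ok:
                required_failed = True  # remaining modules still run, but the result is failure
        else:
            raise ValueError(f"control flag not modelled here: {flag}")
    if required_failed:
        return False, None
    return True, first_success


def build_stack(web_db, system_db):
    """The stack from the post: 'sufficient' on the web file, 'required' on the system file."""
    return [
        ("sufficient", lambda u, p: check_pwdfile(web_db, u, p), "web-pwdfile"),
        ("required", lambda u, p: check_pwdfile(system_db, u, p), "system"),
    ]


def session_for(user, auth_source):
    """The post's policy (not a PAM feature): web-file logins get a fixed shell and home."""
    if auth_source == "web-pwdfile":
        return {"shell": SCPONLY_SHELL, "home": f"/wwwusers/{user}//incoming"}
    home, shell = SYSTEM_PASSWD[user]
    return {"shell": shell, "home": home}


def scponly_chroot_split(home):
    """scponlyc reads '//' in the home path as 'chroot here, then chdir to the rest'."""
    root, sep, sub = home.partition("//")
    return root, ("/" + sub) if sep else "/"


def login(web_db, system_db, user, password):
    """Authenticate through the stack and return the resulting session attributes."""
    ok, source = run_auth_stack(build_stack(web_db, system_db), user, password)
    if not ok:
        return None
    return {"user": user, "source": source, **session_for(user, source)}


if __name__ == "__main__":
    print(login(WEB_PWDFILE, SYSTEM_PWDFILE, "alice", "alice-web-pass"))
    print(login(WEB_PWDFILE, SYSTEM_PWDFILE, "bob", "bob-sys-pass"))
    # Caveat: a web-file entry named like a system account also satisfies 'sufficient'.
    poisoned = dict(WEB_PWDFILE, root=_h("attacker-pass"))
    print(login(poisoned, SYSTEM_PWDFILE, "root", "attacker-pass"))
```

Run the block directly to see the three cases; the poisoned-file case still authenticates, but only ever lands in scponlyc under /wwwusers/root, which is the whole reason the shell and home must be forced by the authenticating path rather than read from the system passwd file.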