06-27-2011, 03:49 PM
Stanisław Findeisen

pam_listfile / pam_supair

On 2011-06-01 20:24, Steve Langasek wrote:
> On Wed, Jun 01, 2011 at 12:43:46PM +0200, Stanisław Findeisen wrote:
>
>> It looks that pam_listfile only allows to restrict *source* user set and
>> *not* *target* user set.
>
> That's not true at all. item=user *is* the target user set. (Source user
> set would be the seldom-used item=ruser.)
>
>> Here's the debian-user discussion:
>> http://lists.debian.org/debian-user/2011/05/msg02054.html
>
>> Is there any way to do what I want?
>
> As already suggested, sudo does seem to be a better fit for what you're
> trying to achieve.
>
> pam_listfile isn't going to give you any reasonable mapping for applicant /
> target user *pairs*; you only get "this list of users are allowed access to
> this other list of users".
>
>> If I write a patch for pam_listfile, will you accept it to Debian?
>
> No. It would have to go upstream first; but I'll say that such a patch is
> unlikely to be accepted.
>
>> Where is the source code?
>
> I think that's more of a question for debian-user anyway, but:
>
> $ dpkg -S /lib/security/pam_listfile.so
> libpam-modules: /lib/security/pam_listfile.so
> $ debcheckout libpam-modules
> declared bzr repository at nosmart+http://bzr.debian.org/bzr/pkg-pam/debian/sid/
> bzr branch nosmart+http://bzr.debian.org/bzr/pkg-pam/debian/sid/ libpam-modules ...
> [...]
>
>> Or maybe that should be a new PAM module?
>
> It could be. But I'm skeptical that such a module would be of widespread
> interest.

In case anyone has free time, could you please have a look at my module,
spot bugs or issue any valuable comments? :-)

Here's how to use it:

In /etc/pam.d/su :

auth sufficient pam_supair.so sf,u2,u3:root,sf2 sf2:u2

This specifies that users sf, u2 and u3 can each do passwordless su to
users root and sf2. User sf2 can do passwordless su to user u2. You can
also use "debug" (anywhere on the command line) for additional debug
information in auth.log.

Your comments are very welcome.

MD5:
a9f363539105e5cf7424dd1f68a18880 pam_supair.tgz

SHA-512:
8cd49f56567d490e7cedaa847d05d4e2e72dfc34740ff61c324e409a4487f35013440568079e3fda340fbae2dd85a964fae7924bdc7e5338e528677f65d85615 pam_supair.tgz

--
Eisenbits - proven software solutions: http://www.eisenbits.com/
OpenPGP: E3D9 C030 88F5 D254 434C 6683 17DD 22A0 8A3B 5CC0
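
The rule syntax described in the post above, as an added example (not the pam_supair source, which is not shown on this page): a C matcher for arguments of the form `src1,src2:dst1,dst2` that compares whole names, ignores the `debug` option, and denies on anything malformed. The names `in_list`, `supair_allowed` and `SAMPLE_ARGS` are hypothetical; in a real module the applicant and target names would have to come from PAM and the calling process, not from this helper's caller.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if name equals one whole comma-separated token of list[0..len). */
static int in_list(const char *list, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    const char *end = list + len;

    if (nlen == 0)
        return 0;                       /* empty names never match */
    for (;;) {
        const char *comma = memchr(list, ',', (size_t)(end - list));
        size_t tok = (size_t)((comma ? comma : end) - list);
        if (tok == nlen && memcmp(list, name, nlen) == 0)
            return 1;                   /* exact match, never a prefix match */
        if (!comma)
            return 0;
        list = comma + 1;
    }
}

/* Hypothetical helper: 1 if applicant may su to target under the rules,
 * else 0. Each argv[i] is "src,...:dst,..." or the literal option "debug". */
int supair_allowed(int argc, const char **argv,
                   const char *applicant, const char *target)
{
    for (int i = 0; i < argc; i++) {
        const char *colon = strchr(argv[i], ':');
        if (strcmp(argv[i], "debug") == 0)
            continue;                   /* option, not a rule */
        if (!colon || strchr(colon + 1, ':'))
            continue;                   /* malformed rule grants nothing */
        if (in_list(argv[i], (size_t)(colon - argv[i]), applicant) &&
            in_list(colon + 1, strlen(colon + 1), target))
            return 1;
    }
    return 0;                           /* default deny */
}

/* Constructed sample: the arguments from the /etc/pam.d/su line in the post. */
static const char *SAMPLE_ARGS[] = { "sf,u2,u3:root,sf2", "debug", "sf2:u2" };

int main(void)
{
    printf("sf  -> root: %d\n", supair_allowed(3, SAMPLE_ARGS, "sf", "root"));
    printf("sf2 -> root: %d\n", supair_allowed(3, SAMPLE_ARGS, "sf2", "root"));
    return 0;
}
```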