Tuesday 25 June 2013

How to Create Access Control List using PAM

Problem: You need to apply an ACL to an existing service that does not explicitly support ACLs.
 

Solution: Use the listfile PAM module

First make sure the server in question uses PAM for authentication, and find out which PAM service name it uses. This may be in the server documentation, or it may be clear from examining the server itself and perusing the contents of /etc/pam.d.

Suppose you are dealing with the IMAP mail server. First, notice that there is a file called /etc/pam.d/imap. Further, the output of:

# locate imapd
.....
.......
/usr/sbin/imapd

shows that the IMAP server is in /usr/sbin/imapd, and:

# ldd /usr/sbin/imapd
libpam.so.0 => /lib/libpam.so.0 (0x40027000)

shows that the server is dynamically linked against the PAM library (libpam.so). Create an ACL file for the IMAP service, say /etc/imapd.acl, and make sure it is not world-writable:

# chmod o-w /etc/imapd.acl

Edit this file and place in it the usernames of those accounts authorized to use the IMAP server, one name per line. Then add the following line (with no leading #, which would make it a comment) to /etc/pam.d/imap:

account required /lib/security/pam_listfile.so file=/etc/imapd.acl item=user sense=allow onerr=fail

With this configuration, only those users listed in the ACL file will be allowed access to the IMAP service. If the ACL file is missing, PAM will deny access for all accounts (because of onerr=fail). Entries in the ACL file can be not only usernames, but also:

Terminal lines (item=tty)
Remote host (item=rhost)
Remote user (item=ruser)
Group membership (item=group)
Login shell (item=shell)

The sense keyword determines how the ACL file is interpreted. sense=allow means that access will be allowed only if the configured item is in the file, and denied otherwise. sense=deny means the opposite.

The onerr keyword indicates what to do if some unexpected error occurs during PAM processing of the "listfile" module, for instance if the ACL file does not exist: onerr=fail denies access, onerr=succeed allows it.
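To make the sense= and onerr= semantics concrete, here is an added example (not part of the original post and not the real pam_listfile code) that models the module's decision in plain sh against a constructed ACL file. The function names listfile_decision and acl_file_ok, and the usernames alice, bob and mallory, are assumptions made up for the example. The real module also refuses an ACL file that is world-writable or not owned by root, which is why the chmod step above matters; this model checks only world-writability.

```sh
#!/bin/sh
# Added example: a simulation of pam_listfile's allow/deny decision.
# Not the real module; item=user with an exact-match lookup is modelled.

# Constructed sample ACL file, one username per line (like /etc/imapd.acl).
ACL="${TMPDIR:-/tmp}/imapd.acl.example.$$"
printf '%s\n' alice bob > "$ACL"
chmod 644 "$ACL"          # owner-writable only, as the post requires

# acl_file_ok FILE: 0 if FILE exists and is not world-writable, 1 otherwise.
# A world-writable ACL file would let any local user grant themselves access.
acl_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 1 ;;        # 9th character of the mode string is "other write"
    esac
    return 0
}

# listfile_decision FILE ITEM SENSE ONERR
# Prints "allow" or "deny"; returns 0 for allow and 1 for deny.
#   SENSE is allow or deny (the sense= keyword), ONERR is fail or succeed.
listfile_decision() {
    file=$1; item=$2; sense=$3; onerr=$4
    if ! acl_file_ok "$file"; then
        # Unexpected error (missing or unsafe file): onerr= decides the outcome.
        if [ "$onerr" = succeed ]; then echo allow; return 0; fi
        echo deny; return 1
    fi
    # Exact, fixed-string, whole-line match of the item in the ACL file.
    if grep -qxF -- "$item" "$file"; then found=1; else found=0; fi
    if [ "$sense" = allow ]; then
        # sense=allow: only listed items get in.
        if [ "$found" = 1 ]; then echo allow; return 0; fi
        echo deny; return 1
    else
        # sense=deny: listed items are refused, everyone else passes.
        if [ "$found" = 1 ]; then echo deny; return 1; fi
        echo allow; return 0
    fi
}

# Demonstration of the cases described in the post.
demo() {
    echo "alice,   sense=allow, onerr=fail   -> $(listfile_decision "$ACL" alice allow fail)"
    echo "mallory, sense=allow, onerr=fail   -> $(listfile_decision "$ACL" mallory allow fail)"
    echo "alice,   sense=deny,  onerr=fail   -> $(listfile_decision "$ACL" alice deny fail)"
    echo "missing file, onerr=fail           -> $(listfile_decision /nonexistent/imapd.acl alice allow fail)"
    echo "missing file, onerr=succeed        -> $(listfile_decision /nonexistent/imapd.acl alice allow succeed)"
}
demo
```

Run it as sh and compare the last two lines: with onerr=fail a missing ACL file locks everyone out, with onerr=succeed it lets everyone in, which is why onerr=fail is the safe choice for an allow-list.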

NOTE: To debug problems with PAM modules, look for PAM-specific error messages in /var/log/messages and /var/log/secure.
