
Re: pam_listfile / pam_supair



On 2011-06-01 20:24, Steve Langasek wrote:
> On Wed, Jun 01, 2011 at 12:43:46PM +0200, Stanisław Findeisen wrote:
> 
>> It looks like pam_listfile only allows restricting the *source* user set
>> and *not* the *target* user set.
> 
> That's not true at all.  item=user *is* the target user set.  (Source user
> set would be the seldom-used item=ruser.)
> 
>> Here's the debian-user discussion:
>> http://lists.debian.org/debian-user/2011/05/msg02054.html
> 
>> Is there any way to do what I want?
> 
> As already suggested, sudo does seem to be a better fit for what you're
> trying to achieve.
> 
> pam_listfile isn't going to give you any reasonable mapping for applicant /
> target user *pairs*; you only get "this list of users are allowed access to
> this other list of users".
> 
>> If I write a patch for pam_listfile, will you accept it to Debian?
> 
> No.  It would have to go upstream first; but I'll say that such a patch is
> unlikely to be accepted.
> 
>> Where is the source code?
> 
> I think that's more of a question for debian-user anyway, but:
> 
> $ dpkg -S /lib/security/pam_listfile.so
> libpam-modules: /lib/security/pam_listfile.so
> $ debcheckout libpam-modules
> declared bzr repository at nosmart+http://bzr.debian.org/bzr/pkg-pam/debian/sid/
> bzr branch nosmart+http://bzr.debian.org/bzr/pkg-pam/debian/sid/ libpam-modules ...
> [...]
> 
>> Or maybe that should be a new PAM module?
> 
> It could be.  But I'm skeptical that such a module would be of widespread
> interest.

In case anyone has free time, could you please have a look at my module,
spot bugs or issue any valuable comments? :-)

Here's how to use it:

In /etc/pam.d/su :

auth   sufficient   pam_supair.so sf,u2,u3:root,sf2 sf2:u2

This specifies that users sf, u2 and u3 can each do passwordless su to
users root and sf2. User sf2 can do passwordless su to user u2. You can
also use "debug" (anywhere on the command line) for additional debug
information in auth.log.

Your comments are very welcome.

MD5:
a9f363539105e5cf7424dd1f68a18880  pam_supair.tgz

SHA-512:
8cd49f56567d490e7cedaa847d05d4e2e72dfc34740ff61c324e409a4487f35013440568079e3fda340fbae2dd85a964fae7924bdc7e5338e528677f65d85615  pam_supair.tgz

-- 
Eisenbits - proven software solutions: http://www.eisenbits.com/
OpenPGP: E3D9 C030 88F5 D254 434C  6683 17DD 22A0 8A3B 5CC0

Attachment: pam_supair.tgz
Description: application/compressed-tar

Attachment: signature.asc
Description: OpenPGP digital signature
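
Added example, not the attached pam_supair code (which is not shown on this page): one way to evaluate the `sources:targets` arguments from the /etc/pam.d/su line above so that a pair is granted only on an exact whole-name match. The names `supair_allowed` and `in_list`, passing the two user names as plain strings, and ignoring malformed arguments are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* 1 if name equals one whole comma-separated entry of list[0..len). */
static int in_list(const char *list, size_t len, const char *name)
{
    const char *end = list + len;
    size_t nlen = strlen(name);

    while (list < end) {
        const char *comma = memchr(list, ',', (size_t)(end - list));
        size_t tok = (size_t)((comma ? comma : end) - list);
        if (tok == nlen && memcmp(list, name, nlen) == 0)
            return 1;               /* exact match, never a prefix */
        list += tok + 1;
    }
    return 0;
}

/* 1 if some "sources:targets" argument permits from -> to.
 * Assumption: anything that is not exactly one non-empty list on each
 * side of a single ':' (e.g. "debug") grants nothing. */
int supair_allowed(int argc, const char **argv, const char *from, const char *to)
{
    if (!from || !to || !*from || !*to)
        return 0;
    for (int i = 0; i < argc; i++) {
        const char *colon = strchr(argv[i], ':');
        if (!colon || colon == argv[i] || !colon[1] || strchr(colon + 1, ':'))
            continue;
        if (in_list(argv[i], (size_t)(colon - argv[i]), from) &&
            in_list(colon + 1, strlen(colon + 1), to))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Arguments of the /etc/pam.d/su line in the post, plus "debug". */
    const char *args[] = { "sf,u2,u3:root,sf2", "debug", "sf2:u2" };
    /* Constructed (from, to) pairs to check. */
    const char *p[][2] = { {"sf", "root"}, {"u3", "sf2"}, {"sf2", "u2"},
                           {"sf2", "root"}, {"u22", "root"}, {"root", "sf"} };
    for (size_t i = 0; i < sizeof p / sizeof p[0]; i++)
        printf("%-4s -> %-4s : %s\n", p[i][0], p[i][1],
               supair_allowed(3, args, p[i][0], p[i][1]) ? "allow" : "deny");
    return 0;
}
```

Because the module is marked `sufficient` in the post's configuration, a match here would skip the password prompt entirely, which is why lookalike names such as `u22` and names containing `,` or `:` must not match.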

