## A /tmp for every user

With the transition towards /run, some temporary files move to /run/user/, but enough remain in /tmp: files that may leak information or become a point of code injection, as shown by CVE-2012-3355. A first step is to create a temporary directory for every user when he or she logs in, to limit the exposure of those temporary files.

After installing the right PAM module and enabling it, every user who logs in gets a private directory for temporary files. In this case the directory is named after the user's numeric ID, and it is accessible only to that user.

```
$ sudo apt-get install libpam-tmpdir
$ sudo pam-auth-update --package tmpdir
$ ls -l /tmp
totaal 0
drwx--x--x 4 root root 80 jun 24 22:01 user
$ sudo ls -l /tmp/user
totaal 0
drwx------ 2 root    root     40 jun 24 22:00 0
drwx------ 2 user1   users    40 jun 24 22:06 1000
drwx------ 2 user2   users    40 jun 24 22:03 1001
```

Files and directories that still end up in /tmp after this deserve additional attention, as the application apparently has the path /tmp hardcoded. A small bug report may be in order to move away from hardcoded paths, because in most cases they also mean a single hardcoded file shared by all users on the system.

## Create home directory on first login

Creating home directories for new users can be a difficult task, especially in an LDAP-based environment, but most PAM installations have the option to create the home directory before the user's login completes. Debian also ships the module pam_mkhomedir, but without a manifest for pam-auth-update to set it up correctly. Bug 640918 covers this issue; for now, creating the file /usr/share/pam-configs/mkhomedir with the content below resolves the problem.

```
Name: Create home directory on first login
Default: no
Priority: 0
Session-Final:
	required pam_mkhomedir.so umask=0027
```

After creating the file, the command below updates the PAM configuration so that the home directory is created when it doesn't exist yet. With the umask of 0027 in the configuration above, only the user and the group have access to the new home directory.

```
$ sudo pam-auth-update --package mkhomedir
```

By default the contents of /etc/skel are used to populate a new home directory. This deserves attention when the user needs certain files or directories to exist as soon as they log in; a Maildir for receiving mail is one example.
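As an added example (not code from the post or from pam-auth-update), the script below parses a profile in this format, accepting indented continuation lines the way pam-auth-update does, and reports the mode that the umask= argument gives the new home directory; the embedded sample is the profile above.

```python
import re

# Constructed sample: the mkhomedir profile from the post. pam-auth-update reads
# an indented line as the continuation of the previous field, so the module line
# under Session-Final must start with whitespace (a tab here).
SAMPLE_PROFILE = """\
Name: Create home directory on first login
Default: no
Priority: 0
Session-Final:
\trequired pam_mkhomedir.so umask=0027
"""

def parse_profile(text):
    """Return {field: [value lines]}; stack fields such as Session-Final
    collect the indented lines that follow them. A line that is neither
    'Field: value' nor indented is rejected, as pam-auth-update rejects it."""
    fields, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] in " \t":  # continuation line of the current field
            if current is None:
                raise ValueError("line %d: continuation before any field" % lineno)
            fields[current].append(raw.strip())
            continue
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", raw)
        if not m:
            raise ValueError("line %d: not a 'Field: value' line: %r" % (lineno, raw))
        current = m.group(1)
        fields[current] = [m.group(2)] if m.group(2) else []
    return fields

def module_lines(fields, stack="Session-Final"):
    """Split each line of a PAM stack into (control, module, [arguments])."""
    return [(p[0], p[1], p[2:]) for p in (l.split() for l in fields.get(stack, []))]

def home_mode_from_umask(args, default_umask=0o022):
    """Mode pam_mkhomedir gives the new home directory: 0777 masked by the
    umask= argument (pam_mkhomedir's own default umask is 0022)."""
    umask = default_umask
    for a in args:
        if a.startswith("umask="):
            umask = int(a.split("=", 1)[1], 8)
    return 0o777 & ~umask

if __name__ == "__main__":
    for control, module, args in module_lines(parse_profile(SAMPLE_PROFILE)):
        print(control, module, oct(home_mode_from_umask(args)))  # required pam_mkhomedir.so 0o750
```

Feeding it the profile with the module line left unindented raises a ValueError, which is the mistake that makes pam-auth-update reject the file.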

## Using PAM to allow access

Over the years PAM (Pluggable Authentication Modules) has become the standard on Solaris and Linux, and others like AIX and the well-known BSDs are following. By default, however, every service that uses PAM lets all users in unless the service itself takes action. So why not move the authorization decision into PAM and decide there whether to allow access?

In this example we want to allow access to Dovecot only for users who are members of the POSIX group ac_mail. For this we use the module pam_succeed_if, which can verify whether a user is in a certain group. Based on the standard PAM file for a service, we create a new file for Dovecot and add the required line to do the check.

```
#%PAM-1.0

@include common-auth
auth required pam_succeed_if.so quiet user ingroup ac_mail
@include common-account
@include common-session
```

The Dovecot configuration also has to be changed to tell it to use the dovecot PAM file.

```
passdb pam {
    args = session=yes dovecot
}
```

Now only users who are members of the ac_mail group can log on. This allows a system administrator to keep the group information in LDAP, for example, so that all machines see the same groups and every machine with the modified PAM configuration uses it. The same way of allowing users can be used for other services that depend on PAM, such as ProFTPD, OpenSSH or PostgreSQL.

## PAM bug hit Debian and others

It has been years since PAM was hit by a serious bug, but people who upgrade to libpam-systemd version 44-1 may find that sudo stops working. Reading the bug report on Debian and at FreeDesktop.org it doesn't look promising, as it also affects other distributions. For now it may be wise to put systemd on hold in case the package transfers from unstable to testing.