Difference between revisions of "PAM Permissions Module"

From Secure Computing Wiki

Latest revision as of 20:58, 24 November 2010

At my job, we use PAM for authentication and to build home directories based on records in our LDAP directory. For this functionality, we use PADL Software's pam_ldap module and the pam_mkhomedir module. On 32 of our 35 systems, this setup works without issue. What we're missing on the other three systems is custom group ownership for user home directories.

Background

The other three servers mentioned above are our client-side file servers. These machines have special directory permissions for our client accounts, which put group ownership onto a company staff group for rwx permissions. These special permissions allow staff members full access to client files (without the need for root) and prevent access from other clients who may break out of the chroot/jail.

  • Staff home directories, in /usr/home, should have standard permissions. (rwxr-xr-x, owner user/user-group)
  • Client home directories, in /usr/home/users, should have a non-standard permission scheme. (rwxrwx---, owner user/company-staff)

Solution

My solution is to utilize the existing PAM stack to perform this function. To accomplish this, we're going to write our own PAM session module to check and update the home directory permissions for users we specify. In our case, we're using the home directory base for comparison. To begin, I followed a three-part guide on Linux Dev Center. I've included the links here:
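The session module that paragraph describes, written out as an added example (this is not the wiki's module and not code from the Linux Dev Center guide). It applies the two schemes from the Background section by comparing the home directory against its base: homes under /usr/home/users get rwxrwx--- with the staff group, other homes under /usr/home get rwxr-xr-x with the user's primary group, and anything else is left untouched. The group name `company-staff`, the module name `pam_homeperms` and the `BUILD_PAM_MODULE` switch are assumptions for the example; the policy helpers compile without PAM so they can be unit-tested on their own.

```c
/* Added example, not the wiki's own module: a minimal PAM session module
 * that enforces the home-directory scheme from the Background section.
 *   /usr/home/users/<client>  -> 0770, group = company-staff (assumed name)
 *   /usr/home/<staff>         -> 0755, group = the user's primary group
 * Anything outside /usr/home is left alone. The PAM entry points are only
 * compiled with -DBUILD_PAM_MODULE; the policy helpers build anywhere. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define STAFF_HOME_BASE  "/usr/home/"
#define CLIENT_HOME_BASE "/usr/home/users/"
#define STAFF_GROUP      "company-staff"   /* assumed group name, not from the wiki */

enum home_kind { HOME_UNMANAGED = -1, HOME_STAFF = 0, HOME_CLIENT = 1 };

/* True when `path` is a proper child of `base` (base carries a trailing slash). */
static int under_base(const char *path, const char *base) {
    size_t n = strlen(base);
    return strncmp(path, base, n) == 0 && path[n] != '\0';
}

/* Classify a home directory by its base. The trailing slash on the base
 * keeps a staff home such as /usr/home/usersmith from matching the client base. */
int classify_home(const char *home) {
    if (under_base(home, CLIENT_HOME_BASE)) return HOME_CLIENT;
    if (under_base(home, STAFF_HOME_BASE))  return HOME_STAFF;
    return HOME_UNMANAGED;
}

/* Mode the directory should end up with; 0 when the module does not manage it. */
mode_t desired_mode(const char *home) {
    switch (classify_home(home)) {
    case HOME_CLIENT: return 0770;   /* rwxrwx--- */
    case HOME_STAFF:  return 0755;   /* rwxr-xr-x */
    default:          return 0;
    }
}

/* Bring `path` to owner uid:gid and mode `mode`, touching it only when it differs.
 * Uses lstat and refuses symlinks so a user cannot point the chown somewhere else.
 * Returns 0 on success, -1 (errno set) on failure. */
int apply_dir_policy(const char *path, uid_t uid, gid_t gid, mode_t mode) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    if (st.st_uid != uid || st.st_gid != gid) {
        if (chown(path, uid, gid) != 0) return -1;
    }
    if ((st.st_mode & 07777) != mode) {
        if (chmod(path, mode) != 0) return -1;
    }
    return 0;
}

/* Re-read the permission bits so a caller can confirm the result. */
mode_t current_mode(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

#ifdef BUILD_PAM_MODULE
#define PAM_SM_SESSION
#include <security/pam_modules.h>

/* Session hook: stack it after pam_mkhomedir so the directory already exists. */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_SESSION_ERR;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return PAM_USER_UNKNOWN;
    int kind = classify_home(pw->pw_dir);
    if (kind == HOME_UNMANAGED) return PAM_SUCCESS;   /* not ours to touch */
    gid_t gid = pw->pw_gid;
    if (kind == HOME_CLIENT) {
        struct group *gr = getgrnam(STAFF_GROUP);
        if (gr == NULL) return PAM_SESSION_ERR;       /* staff group missing: fail loudly */
        gid = gr->gr_gid;
    }
    return apply_dir_policy(pw->pw_dir, pw->pw_uid, gid, desired_mode(pw->pw_dir)) == 0
           ? PAM_SUCCESS : PAM_SESSION_ERR;
}

int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#endif
```

Build it as a shared object with `cc -shared -fPIC -DBUILD_PAM_MODULE -o pam_homeperms.so pam_homeperms.c -lpam` and list it in the service's session stack after `pam_mkhomedir.so`, so the directory exists before the ownership check runs. Two design points worth keeping: the module refuses anything that is not a plain directory (so a symlink in place of a home cannot redirect a root-owned chown), and it does nothing at all for homes outside /usr/home, which keeps a misconfigured LDAP record from being silently re-permissioned.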