diff options
Diffstat (limited to 'debian/local')
| -rw-r--r-- | debian/local/Debian-PAM-MiniPolicy | 161 | ||||
| -rw-r--r-- | debian/local/common-account | 9 | ||||
| -rw-r--r-- | debian/local/common-auth | 10 | ||||
| -rw-r--r-- | debian/local/common-auth.md5sums | 1 | ||||
| -rw-r--r-- | debian/local/common-password | 34 | ||||
| -rw-r--r-- | debian/local/common-password.md5sums | 2 | ||||
| -rw-r--r-- | debian/local/common-session | 9 | ||||
| -rw-r--r-- | debian/local/other | 16 | ||||
| -rw-r--r-- | debian/local/pam.conf | 15 | ||||
| -rw-r--r-- | debian/local/pam_getenv | 123 |
10 files changed, 380 insertions, 0 deletions
diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy new file mode 100644 index 00000000..cfbfd471 --- /dev/null +++ b/debian/local/Debian-PAM-MiniPolicy @@ -0,0 +1,161 @@ +Author: Ben Collins <bcollins@debian.org> +Modified by: Sam Hartman <hartmans@debian.org> + +Objective: To document a base set of policies regarding PAM (Pluggable +Authentication Modules) usage in Debian packages. + +=========================================================================== + +In order to have a consistent and stable implementation across packages +that use PAM, these guidelines will help to avoid some common mistakes and +be usable as a cross reference for FAQ's. + +This document will not go into the details of how to add PAM usage to +existing code, please read the documentation in the libpam-doc package for +info on this, however it does specify behavior needed to make sure PAM +modules in Debian will work with your application. + +================== + PAM Applications +================== + +Each application that uses PAM also must contain a file in +/etc/pam.d/. This file specifies which PAM modules will be used for +the common PAM functions in that application. There are several notes +concerning what modules to use in this file. Most commonly, this file +should use the @include directive to include common-auth, +common-session, common-account and common-password. Under some +circumstances (such as ftp auth, or auth based on tty) other modules +will be required. + +Here is an example of a PAM configuration file that just includes the common module fragments: + # + # /etc/pam.d/other - specify the PAM fallback behaviour + # + # Note that this file is used for any unspecified service; for example + #if /etc/pam.d/cron specifies no session modules but cron calls + #pam_open_session, the session module out of /etc/pam.d/other is + #used. If you really want nothing to happen then use pam_permit.so or + #pam_deny.so as appropriate. + + # We fall back to the system default in /etc/pam.d/common-* + # + + @include common-auth + @include common-account + @include common-password + @include common-session + + +The name of this file is determined by the call to pam_start() in the +application source code. The first parameter will be a string containing +the "service" name (eg. "login", "httpd", etc..). Please make sure that +the filename coincides with this parameter. + +The file should _not_ reference the full path of the modules. It only needs +to reference the basename (eg. "pam_unix.so"). This will ensure that the +program continues to work even if the module location changes, since +libpam itself will resolve the location. + +Under no circumstances should any program in Debian use the pam_pwdb.so +module by default. Instead the pam_unix.so module should be used. Most +programs with RedHat support/default files will reference pam_pwdb.so in +their example files. Do not use this. There are several problems with +regard to pam_pwdb.so: + + 1) It attempts to reimplement glibc's NSS code. For example, if your + program uses pam_pwdb.so, and the user changes /etc/nsswitch.conf to use + NIS, NIS+, or LDAP, then your program will fail to work unless the user + also knows to edit /etc/pwdb.conf (which is not necessary for + pam_unix.so). In the case of LDAP, the program would become absolutely + useless until the user modifies the pam.d file themselves to use + pam_unix.so. + + 2) It adds to the layer of glibc function calls making it harder to + debug problems. Because libpwdb masks glibc native calls, it requires + being able to debug libpwdb, libpam, libc and the offending program. + +Note that pam_unix.so takes the same module arguments as pam_pwdb.so, so +you can just replace the references. If you are not sure if the pam.d +files is correctly setup, please feel free to email it to me, and I will +glance it over. + +UPDATE: libpwdb and this libpam-pwdb have been removed from Debian as of +Woody. So even if you decided to use pam_pwdb, it will be broken, so HAHA +:) + +You should also not use the pam_stack module in the pam config file. +It's not currently in Debian so it won't work. While I cannot stop +someone from packaging pam_stack for Debian, I will try to convince +them that it is not the direction we want. Pam_stack (among other +faults) uses different pam handles for each step in the process--the +handle used for session management is not the same as the handle used +for authentication. This breaks several modules. We will have an +alternate solution for shared PAM configuration across modules. + + +Currently libpam-modules is in the base setup, so it's dependency is not +needed (since the library depends on the correct version). However, if any +modules other than the base set in libpam-modules are used, that package +must be depended on. + +Applications need to depend on libpam-runtime (>= 0.76-14) to +guarantee that /etc/pam.d/common-* exist. + + +The pam_unix.so module allows programs to verify the authentication of the +uid of the calling process without any set bits (uid or gid). NOTE: this +means the user executing the program, you cannot authenticate against other +users without suid root (root makes sure the NIS and NIS+ works too) or +at least sgid shadow (wont work in the above cases). Most notably this +affects programs like apache from being able to use PAM with much success +since it runs as www-data which has no priviledges and cannot use pam_unix.so +to auth against other users. On the other hand is does allow program like +vlock to auth (but not auth the root password). + +The application needs to follow the following rules to make sure PAM +modules work: + +1) Use the same PAM handle for all operations. This means it is not OK +to call pam_start once for authentication and then later for session +management. Modules need to be able to store pam_data between entry +points. + +2) The pam_open_session and pam_setcred calls must be made in a parent +process of the eventual session. They need to be able to enfluence +the environment of the session. + +3) If you are started as root or have root privs for some other +reason, pam_open_session and pam_setcred should be called while still +root. + +4) Implied by 1, make sure that pam_close_session and pam_end are +called in the same process or a process decended from the execution +context as pam_open_session and pam_setcred. The pam_close_session +call may need state stored in the handle by the open session entry +point to clean up properly. The pam_finish call may need to free data +(thus influencing system state in some cases) allocated in the earlier +calls. + + + +============= + PAM Modules +============= + +Separately packaged pam modules should adhere to a few basic setup rules: + + 1) Packages should use the naming scheme of `libpam-<name>' (eg. + libpam-ldap). + + 2) The modules should be located in the directory of the most recent + libpam-modules (currently /lib/security). + + 3) The module should be named as pam_<name>.so. The module should not + contain a version suffix. + + 4) The module should be linked to libpam (-lpam) when compiled so that + proper version dependencies will work. + + 5) Any config files should be located in /etc/security. The filename + will be in the form of <name>.conf. diff --git a/debian/local/common-account b/debian/local/common-account new file mode 100644 index 00000000..67983019 --- /dev/null +++ b/debian/local/common-account @@ -0,0 +1,9 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +account required pam_unix.so diff --git a/debian/local/common-auth b/debian/local/common-auth new file mode 100644 index 00000000..63d129aa --- /dev/null +++ b/debian/local/common-auth @@ -0,0 +1,10 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +auth required pam_unix.so nullok_secure diff --git a/debian/local/common-auth.md5sums b/debian/local/common-auth.md5sums new file mode 100644 index 00000000..31477ad0 --- /dev/null +++ b/debian/local/common-auth.md5sums @@ -0,0 +1 @@ +933d757dcd5974b00619f68955743be7 /etc/pam.d/common-auth diff --git a/debian/local/common-password b/debian/local/common-password new file mode 100644 index 00000000..45959eb5 --- /dev/null +++ b/debian/local/common-password @@ -0,0 +1,34 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "nullok" option allows users to change an empty password, else +# empty passwords are treated as locked accounts. +# +# The "md5" option enables MD5 passwords. Without this option, the +# default is Unix crypt. +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# You can also use the "min" option to enforce the length of the new +# password. +# +# See the pam_unix manpage for other options. + +password required pam_unix.so nullok obscure md5 + +# Alternate strength checking for password. Note that this +# requires the libpam-cracklib package to be installed. +# You will need to comment out the password line above and +# uncomment the next two in order to use this. +# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH') +# +# password required pam_cracklib.so retry=3 minlen=6 difok=3 +# password required pam_unix.so use_authtok nullok md5 + diff --git a/debian/local/common-password.md5sums b/debian/local/common-password.md5sums new file mode 100644 index 00000000..569ca682 --- /dev/null +++ b/debian/local/common-password.md5sums @@ -0,0 +1,2 @@ +601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password +e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password diff --git a/debian/local/common-session b/debian/local/common-session new file mode 100644 index 00000000..dc11da6d --- /dev/null +++ b/debian/local/common-session @@ -0,0 +1,9 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). The default is pam_unix. +# +session required pam_unix.so diff --git a/debian/local/other b/debian/local/other new file mode 100644 index 00000000..59d776c9 --- /dev/null +++ b/debian/local/other @@ -0,0 +1,16 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session diff --git a/debian/local/pam.conf b/debian/local/pam.conf new file mode 100644 index 00000000..3eeb72d3 --- /dev/null +++ b/debian/local/pam.conf @@ -0,0 +1,15 @@ +# ---------------------------------------------------------------------------# +# /etc/pam.conf # +# ---------------------------------------------------------------------------# +# +# NOTE +# ---- +# +# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their +# PAM service modules. This file is used only if that directory does not exist. +# ---------------------------------------------------------------------------# + +# Format: +# serv. module ctrl module [path] ...[args..] # +# name type flag # + diff --git a/debian/local/pam_getenv b/debian/local/pam_getenv new file mode 100644 index 00000000..2abddcad --- /dev/null +++ b/debian/local/pam_getenv @@ -0,0 +1,123 @@ +#!/usr/bin/perl -w + +=head1 NAME + +pam_getenv - get environment variables from /etc/environment + +=head1 SYNOPSIS + +pam_getenv B<[-l] [-s]> I<env_var> + +=head1 DESCRIPTION + +This tool will print out the value of I<env_var> from F</etc/environment>. It will attempt to expand environment variable references in the definition of I<env_var> but will fail if PAM items are expanded. + +The B<-l> option indicates the script should return an environment variable related to default locale information. + +The B<-s> option indicates that the script should return an +system default environment variable. + +Currently neither the B<-l> or B<-s> options do anything. They are +included because future versions of Debian may have a separate +repository for the initial environment used by init scripts and for +system locale information. These options will allow this script to be +a stable interface even in that environment. + +=cut + +# Copyright 2004 by Sam Hartman +# This script may be copied under the terms of the GNU GPL +# version 2, or at your option any later version. + +use strict; +use vars qw(*CONFIGFILE *ENVFILE); + +sub read_line($) { + my $fh = shift; + my $line; + local $_; + line: while (<$fh>) { + chomp; + s/^\s+//; +s/\#.*$//; + next if $_ eq ""; + if (s/\\\s*$//) { + $line .= $_; + next line; + } + + $line .= $_; + last; + } + $line; + +} + + +sub parse_line($) { + my $var; + my (%x, @x); + local $_ = shift; + return undef unless defined $_ and s/(\S+)\s//; + $var->{Name} = $1; + s/^\s*//; + @x = split(/=([^"\s]\S*|"[^"]*")\s*/, $_); + unless (scalar(@x)%2 == 0) { + push @x, undef; + } + %x = @x; + @{$var}{"Default", "Override"} = + @x{"DEFAULT", "OVERRIDE"}; + $var; +} + +sub expand_val($) { + my ($val) = @_; +return undef unless $val; + die "Cannot handle PAM items\n" if /(?<!\\)\@/; + $val =~ s/(?<!\\)\${([^}]+)}/$ENV{$1}||""/eg; + return $val; +} + +my $lookup; + +while ($_ = shift) { + next if $_ eq "-s"; + next if $_ eq "-l"; + $lookup = $_; + last; +} +unless (defined $lookup) { + die "Usage: pam_getenv [-l] [-s] env_var\n"; +} + +my %allvars; + +open (CONFIGFILE, "/etc/security/pam_env.conf") + or die "Cannot open environment file: $!\n"; + +while (my $var = parse_line(read_line(\*CONFIGFILE))) { + my $val; + unless ($val = expand_val($var->{Override})) { + $val = expand_val($var->{Default}); + } + $allvars{$var->{Name}} = $val; +} + +if (open (ENVFILE, "/etc/environment")) { + while (my $line = read_line(\*ENVFILE)) { + $line =~ s/^export //; + $line =~ /(.*?)=(.+)/ or next; + my ($var, $val) = ($1, $2); + # This is bizarre logic (" and ' match each other, quotes are only + # significant at the start and end of the string, and the trailing quote + # may be omitted), but it's what pam_env does. + $val =~ s/^["'](.*?)["']?$/$1/; + $allvars{$var} = $val; + } +} + +if (exists $allvars{$lookup}) { + print $allvars{$lookup}, "\n"; + exit(0); +} |