
Re: Patch to pam_rootok to check for superuser by name



On Tue, 29 Feb 2000, Karl O. Pinc wrote:

> I tried pam_listfile.  While it does authenticate based on PAM_USER, there
> is no way to write a pam configuration file that, in and of itself,
> guarantees that root can get in.  The closest you can come is:

> login auth sufficient pam_listfile.so item=tty \
>                                      onerr=succeed sense=deny apply=root \
>                                      file=/etc/emptyfile

> Is this a critical problem?  No.  Is it important to solve?  I think so.
> Without a solution you wind up with just another magic file, a special
> case, and another step toward having to know everything about everything
> before being able (or at least unafraid) to mess with anything.  A pam
> configuration file can at least be commented.  It's much harder to
> associate a comment with the existence (or absence) of a particular file.

I can't say that I've ever understood the cause of your concern.  It is
always possible to lock oneself out of a system by tampering with files one
doesn't understand.  If you run 'rm -f /etc/passwd /etc/shadow' as root,
you're going to have a heck of a time logging in.  Your changes to these PAM
modules certainly guarantee that root will be able to log in in such a
situation... or rather, they guarantee that *anyone* can log in, just by
saying that they're root.  If you're going to do that, you might as well just
stick 'auth sufficient pam_permit.so' at the top of your configuration file
and be done with it, because at that point there's no real security policy
being enforced anyway. 

IMHO, an administrator *should* be afraid of altering files in /etc/ if he/she
doesn't know what they're used for.  I don't think potentially compromising
the security of a system in order to make it harder for an administrator to
cripple the machine is a reasonable trade-off.  PAM, after all, is about
facilitating the *improvement* of security.

> This is the crux of the matter; having to have an empty file lying about
> (/etc/emptyfile, or /etc/pam.d/emptyfile, or whatever) is just plain
> butt-ugly, and subject to confusion and general breakage.  I'm looking for
> a way to get rid of it.  (Ways that don't involve having files lying about
> with just the word "root" in them.)  Do you know of any way around such
> ugliness?

The ugliness of having such empty files around is a subjective question.
Personally, I think letting root into the system without any sort of real
authentication is far uglier.  In any case, do you have an /etc/securetty file
on your system?  This file is commonly used to designate ttys that root is
allowed to log in from.  Pointing pam_listfile at this file would seem to
address the issue.

There is also a directory, /etc/security/, which seems to have become somewhat
of a standard location for configuration files related to PAM modules.

> So, how to solve the problem?

> Would the "special", "writable", patch to pam_listfile be more acceptable?

I can't say whether it would in fact be acceptable, since my voice doesn't
really count for anything as far as the Linux-PAM distribution is concerned.
But I imagine you'd have much better luck arguing your case by adding options
to pam_listfile than by grafting completely unrelated functionality onto
pam_rootok.

Steve Langasek
postmodern programmer
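
An added example, not part of the original message or of Linux-PAM: a small audit that flags the two auth patterns discussed above, a `sufficient pam_permit.so` entry and a `sufficient` pam_listfile entry with `onerr=succeed`. The sample configuration is constructed; its `/etc/securetty` entry is one assumed reading of the suggestion in the reply.

```python
import re

# Constructed sample in /etc/pam.conf layout (service type control module args).
# The second entry is the line quoted in the message, with its continuations.
SAMPLE = """\
# constructed sample, not from a real host
login auth sufficient pam_permit.so
login auth sufficient pam_listfile.so item=tty \\
        onerr=succeed sense=deny apply=root \\
        file=/etc/emptyfile
login auth required pam_listfile.so item=tty sense=allow \\
        onerr=fail apply=root file=/etc/securetty
login auth required pam_unix.so
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def audit(text):
    """Return (module, reason) for 'sufficient' auth entries that can pass
    without any credential being checked."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 4 or fields[1] != "auth" or fields[2] != "sufficient":
            continue
        module = fields[3].rsplit("/", 1)[-1]  # tolerate a full module path
        opts = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        if module == "pam_permit.so":
            findings.append((module, "always succeeds; later modules are skipped"))
        elif module == "pam_listfile.so" and opts.get("onerr") == "succeed":
            findings.append((module, "fail-open: succeeds if %s is missing or unreadable"
                             % opts.get("file", "<no file>")))
    return findings

if __name__ == "__main__":
    for module, reason in audit(SAMPLE):
        print(module, "->", reason)
```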


