cf94882052
conv_func may be called multiple times and should return a unique pam_response each time. Closes #272. |
||
|---|---|---|
| .. | ||
| maddy.conf | ||
| main.c | ||
| main.go | ||
| pam.c | ||
| pam.h | ||
| README.md | ||
maddy-pam-helper
External setuid binary for interaction with shadow passwords database or other privileged objects necessary to run PAM authentication.
Building
It is really easy to build it using any GCC:
gcc pam.c main.c -lpam -o maddy-pam-helper
Yes, it is not a Go binary.
Installation
maddy-pam-helper is kinda dangerous binary and should not be allowed to be executed by everybody but maddy's user. At the same moment it needs to have access to read-protected files. For this reason installation should be done very carefully to make sure to not introduce any security "holes".
First method
chown maddy: /usr/bin/maddy-pam-helper
chmod u+x,g-x,o-x /usr/bin/maddy-pam-helper
Also maddy-pam-helper needs access to /etc/shadow, one of the ways to provide it is to set file capability CAP_DAC_READ_SEARCH:
setcap cap_dac_read_search+ep /usr/bin/maddy-pam-helper
Second method
Another, less restrictive is to make it setuid-root (assuming you have both maddy user and group):
chown root:maddy /usr/bin/maddy-pam-helper
chmod u+xs,g+x,o-x /usr/bin/maddy-pam-helper
Third method
The best way actually is to create shadow group and grant access to
/etc/shadow to it and then make maddy-pam-helper setgid-shadow:
groupadd shadow
chown :shadow /etc/shadow
chmod g+r /etc/shadow
chown maddy:shadow /usr/bin/maddy-pam-helper
chmod u+x,g+xs /usr/bin/maddy-pam-helper
Pick what works best for you.
PAM service
maddy-pam-helper uses custom service instead of pretending to be su or sudo. Because of this you should configure PAM to accept it.
Minimal example using local passwd/shadow database for authentication can be found in [maddy.conf][maddy.conf] file. It should be put into /etc/pam.d/maddy.