Using PAM modules to create a restricted group in order to "jail" or "limit" some users (mostly system users).
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Introduction
In the previous article, I gave a few tips to improve the security of user and system accounts. I will now explain how to create a restricted group in order to "jail" or "limit" some users (mostly system users).
In this article we will create a group whose members:
- cannot log in via SSH
- do not inherit POSIX capabilities
- cannot consume too many system resources
I. How do we do that?
DAC is powerful and too often overlooked, but here we focus on PAM (Pluggable Authentication Modules), and specifically on the following modules:
- pam_access
- pam_cap
- pam_limits
For each module I will give an example of its use; all of the examples rely on a system group called "limited".
To create the group:
groupadd -r limited
To add a user to the group (-a appends to the user's supplementary groups instead of replacing them):
usermod -a -G limited <user>
The new membership only applies to sessions opened after the change, so users who are already logged in keep their old group list until they log in again.
II. The PAM_ACCESS module
This module lets you control from where (which tty, host or address) a user or group may or may not log into the system.
2.1 Load the module
Most distributions do not load this module by default. The service files in /etc/pam.d must be edited so that the module is required by the services you want to control. In our example we want to deny all group members remote access (e.g. SSH); the PAM stack for sshd lives in /etc/pam.d/sshd.
Verify that the module is not already loaded:
grep -E "^[^#]*account.*required.*pam_access.so" /etc/pam.d/sshd
On Debian and Ubuntu, /etc/pam.d/sshd pulls in the shared stack with "@include common-account", so run the same grep on that file as well. If the module is not loaded, edit the file and uncomment or add the following line:
account required pam_access.so
The sshd PAM stack now requires pam_access for every SSH login. Note that sshd only consults PAM when UsePAM is set to yes in /etc/ssh/sshd_config (the Debian and Red Hat packages ship it that way). A change to sshd_config needs an sshd reload, whereas changes to the PAM files are picked up at the next login.
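The grep above only inspects /etc/pam.d/sshd itself, but a service's PAM stack can be spread over several files through "@include", "include" and "substack" directives. The following Python script is an added example, not part of the original article, that resolves a service's full stack and reports whether a given module is loaded for a given management type. The SAMPLE_PAMD tree is a constructed Debian-style layout used as test input, and the function names are the example's own.

```python
import os

# Constructed sample /etc/pam.d tree (not copied from any real system). On
# Debian and Ubuntu the sshd stack pulls the shared files in via "@include".
SAMPLE_PAMD = {
    "sshd": """
# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
@include common-account
session    required     pam_limits.so
@include common-session
""",
    "common-auth": "auth required pam_unix.so nullok",
    "common-account": """
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_access.so
""",
    "common-session": """
session required pam_unix.so
-session optional pam_systemd.so
""",
}


def read_from_dict(files):
    """Reader over an in-memory tree (used for the constructed sample)."""
    return lambda name: files.get(name)


def read_from_dir(pamd_dir="/etc/pam.d"):
    """Reader over a real PAM directory; returns None for a missing file."""
    def read(name):
        try:
            with open(os.path.join(pamd_dir, name)) as fh:
                return fh.read()
        except OSError:
            return None
    return read


def pam_rules(service, read, _stack=()):
    """Yield (type, control, module, file) for every rule of a service's
    stack, following '@include file' and 'type include|substack file'."""
    if service in _stack:              # guard against include loops
        return
    text = read(service)
    if text is None:
        return
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include" and len(fields) == 2:
            yield from pam_rules(fields[1], read, _stack + (service,))
            continue
        if len(fields) < 3:
            raise ValueError(f"{service}: malformed rule {line!r}")
        mtype = fields[0].lstrip("-")       # "-session" = silently optional
        if fields[1].startswith("["):        # bracketed control field
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        if control in ("include", "substack"):
            yield from pam_rules(rest[0], read, _stack + (service,))
            continue
        yield mtype, control, rest[0], service


def module_loaded(service, mtype, module, read):
    """True if any rule of the given type in the resolved stack names the module."""
    return any(t == mtype and m == module
               for t, _c, m, _f in pam_rules(service, read))


if __name__ == "__main__":
    # On a real host: resolve /etc/pam.d/sshd and report the three modules.
    read = read_from_dir()
    for mtype, module in (("account", "pam_access.so"),
                          ("auth", "pam_cap.so"),
                          ("session", "pam_limits.so")):
        print(f"sshd {mtype} {module}: {module_loaded('sshd', mtype, module, read)}")
```

Run it as root on the target host to check sshd, or call module_loaded() with "login" to check the console stack; a module that the single-file grep misses because it sits in common-account is reported here because the include is followed.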
2.2 Restrict access
The configuration file used by pam_access is /etc/security/access.conf. Each line has three colon-separated fields:
+|- : users|groups|ALL : origins
where + grants and - denies; the middle field lists user names, group names (write (group) to force a name to be treated as a group) or ALL; and the last field lists origins: tty names, host names, IP addresses or networks, LOCAL, ALL, or a list with exceptions such as "ALL EXCEPT LOCAL". Lines are evaluated in order and the first line whose user and origin fields both match decides; if no line matches, access is granted.
In our example we want to deny remote access, so we edit the file and add:
- : limited : ALL EXCEPT LOCAL
Now members of the limited group can only log in locally, for every service whose PAM stack loads pam_access (here only sshd: a member of limited is refused by sshd, but a console login is unaffected). Test the rule from a second SSH session before closing the one you are editing from: a mistake in access.conf can lock you out of SSH.
See man access.conf for the full syntax.
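To reason about a rule set before deploying it, here is an added example, not from the original article, that parses access.conf lines and applies pam_access's first-match semantics to a (user, groups, origin) triple. It is a simplified model rather than pam_access's own code: it handles ALL, EXCEPT, (group) and exact tty/host/address tokens, and models LOCAL as an origin containing no '.' or ':' (my assumption; network masks, domain suffixes and netgroups are not implemented). The sample configuration and the user and group names are constructed.

```python
# Constructed sample in the syntax of /etc/security/access.conf (not the
# author's file). Order matters: the first matching line decides.
SAMPLE_ACCESS_CONF = """
# alice may log in from anywhere, even though she is in 'limited'
+ : alice : ALL
# members of 'limited' are denied every origin except local ones
- : (limited) : ALL EXCEPT LOCAL
"""


def parse_access_conf(text):
    """Return a list of (allow, user_tokens, origin_tokens) in file order."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {n}: expected '+|- : users : origins': {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def _list_match(tokens, match_one):
    """'a b EXCEPT c d': the head list must match and the EXCEPT list must not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(tokens[:i], match_one)
                and not _list_match(tokens[i + 1:], match_one))
    return any(match_one(tok) for tok in tokens)


def _user_match(tok, user, groups):
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups           # parentheses force a group match
    return tok == user or tok in groups      # bare name: user first, then group


def _origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        # Simplified model of the LOCAL keyword: a tty name or bare host name,
        # i.e. no '.' or ':' in the origin (assumption, see lead-in).
        return "." not in origin and ":" not in origin
    return tok == origin                      # exact tty / host / address only


def access_allowed(rules, user, groups, origin):
    """The first rule whose user AND origin fields both match decides.
    With no matching rule pam_access grants access."""
    for allow, users, origins in rules:
        if (_list_match(users, lambda t: _user_match(t, user, groups))
                and _list_match(origins, lambda t: _origin_match(t, origin))):
            return allow
    return True


def groups_of(user):
    """Primary and supplementary groups of a local account, for checking a real host."""
    import grp
    import pwd
    names = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    names.add(grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name)
    return sorted(names)


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user, groups, origin in (("bob", ["limited"], "203.0.113.7"),
                                 ("bob", ["limited"], "tty1"),
                                 ("alice", ["limited"], "203.0.113.7")):
        verdict = "allowed" if access_allowed(rules, user, groups, origin) else "denied"
        print(f"{user} from {origin}: {verdict}")
```

On a real host, feed it the contents of /etc/security/access.conf and groups_of(user) for the account you are about to restrict, and try the origins you care about (an address for SSH, a tty for console logins) before you rely on the rule.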
III. The PAM_CAP module
This module lets you control the inheritable POSIX capabilities of users and groups (see capabilities(7) for background on process and file capabilities).
3.1 Load the module
If libcap is not already installed, install the libcap2 and libcap2-bin packages; on Debian and Ubuntu the PAM module itself ships in the libpam-cap package. Next add or uncomment the following line in /etc/pam.d/login (and in the file of any other PAM service where the restriction should apply):
auth required pam_cap.so
3.2 Restrict capability use
The file /etc/security/capability.conf maps users and groups to the capabilities they may inherit. Each line has the form:
capability1,capability2,... user|@group|*
where "none" stands for no capabilities, "@group" matches the members of a group and "*" matches everyone. In our example we want to prevent members of the limited group from inheriting any capability. We list the users or groups that may inherit capabilities first, then deny everything to everyone else with the catch-all line:
none *
That line is normally present by default in capability.conf. Since the module only grants the capabilities listed for a matching user or group and the catch-all grants nothing, simply loading pam_cap is enough to prevent our group members from obtaining inheritable capabilities. After logging in as a member of the group, check the result with "capsh --print" or "grep CapInh /proc/self/status": the inheritable set should be all zeros. Keep in mind that an inheritable capability only becomes effective through a program whose file capabilities (set with setcap) also carry it in their inheritable set, which is why this module is best combined with a careful file-capability policy.
IV. The PAM_LIMITS module
This module allows you to limit system resources for users and groups.
4.1 Load the module
The module is enabled by default on most Linux distributions. You can verify this by checking /etc/pam.d/login and /etc/pam.d/sshd (on Debian and Ubuntu, /etc/pam.d/common-session, which both of them include) for the following line:
session required pam_limits.so
4.2 Limit system resources for the limited group
The configuration file for the pam_limits module is /etc/security/limits.conf.
Each line of this file has the form:
<domain> <type> <item> <value>
where <domain> is a user name, @group or * (everyone); <type> is soft, hard or - (sets both to the same value); <item> is the resource (nproc, nofile, fsize, core, maxlogins, ...); and <value> is a number, with sizes such as fsize and core expressed in KB. The soft limit is what a process runs under and a user may raise it up to the hard limit, so a restriction the user must not be able to lift needs a hard limit (or the - type).
In our example, we want to configure limits.conf to prevent a local denial of service by a member of the "limited" group.
We edit the file /etc/security/limits.conf and add the following lines:
# Maximum number of processes for members of 'limited' (nproc counts all of a user's processes, not just one session's)
@limited - nproc 20
# Maximum file size for members of 'limited': 5 MB (fsize is in KB)
@limited - fsize 5120
# Maximum number of open files for members of 'limited'
@limited - nofile 100
# Disable core dumps for members of 'limited' (a soft limit can never exceed the hard one, so this caps it at 0 too)
@limited hard core 0
# Maximum number of simultaneous logins per member of 'limited'
@limited - maxlogins 2
See man limits.conf for the full list of items and their units. Limits are applied when a PAM session opens: sessions already running keep their old limits, and processes started outside a PAM session, or by a service whose stack does not load pam_limits, are not affected. Check the result from a fresh login with ulimit -a. Be careful with nproc: the count covers every process owned by the user on the whole system, so a value that is too low can break the login itself.
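To predict which limits a member of 'limited' will actually get when several domains match, here is an added example, not the article's code, that parses limits.conf lines, validates the item names and types, and computes the effective soft/hard pair per item. The precedence it applies, a line naming the user over an @group line over '*', with a later line winning among lines of the same kind, is my reading of pam_limits's behaviour, so confirm against limits.conf(5) and ulimit -a in a fresh session. The sample configuration and the user names are constructed.

```python
UNLIMITED = "unlimited"

# Items accepted by limits.conf(5). fsize, core, data, rss, memlock, stack
# and as are in KB, cpu is in minutes, the remaining items are counts.
LIMIT_ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
               "cpu", "nproc", "as", "maxlogins", "maxsyslogins", "priority",
               "locks", "sigpending", "msgqueue", "nice", "rtprio"}

# Constructed sample: the article's '@limited' lines plus a default and a
# per-user line, to show how the domains combine.
SAMPLE_LIMITS_CONF = """
*        soft  nofile    1024
*        hard  nofile    4096
@limited -     nproc     20
@limited -     fsize     5120
@limited -     nofile    100
@limited hard  core      0
@limited -     maxlogins 2
alice    hard  nproc     50
"""


def parse_limits_conf(text):
    """Return [(domain, type, item, value)] in file order, validating each field."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields: {raw!r}")
        domain, ltype, item, value = parts
        if ltype not in ("soft", "hard", "-"):
            raise ValueError(f"line {n}: bad type {ltype!r}")
        if item not in LIMIT_ITEMS:
            raise ValueError(f"line {n}: unknown item {item!r}")
        val = UNLIMITED if value in ("unlimited", "infinity", "-1") else int(value)
        rules.append((domain, ltype, item, val))
    return rules


def effective_limits(rules, user, groups):
    """{item: (soft, hard)} for one user; None where nothing was set.
    Precedence modeled as: a line naming the user beats an @group line, which
    beats '*'; among lines of the same kind the later one wins (assumption)."""
    chosen = {}  # item -> {"soft": (rank, value), "hard": (rank, value)}
    for domain, ltype, item, value in rules:
        if domain == user:
            rank = 0
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 2
        else:
            continue                       # line is for someone else
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            slot = chosen.setdefault(item, {})
            if kind not in slot or slot[kind][0] >= rank:
                slot[kind] = (rank, value)
    return {item: (slot.get("soft", (None, None))[1],
                   slot.get("hard", (None, None))[1])
            for item, slot in chosen.items()}


def soft_above_hard(limits):
    """Items whose soft limit exceeds the hard limit: the kernel refuses such a
    setrlimit() call with EINVAL, so the intended limit would not be applied."""
    bad = []
    for item, (soft, hard) in limits.items():
        if soft is None or hard is None or hard == UNLIMITED:
            continue
        if soft == UNLIMITED or soft > hard:
            bad.append(item)
    return sorted(bad)


if __name__ == "__main__":
    rules = parse_limits_conf(SAMPLE_LIMITS_CONF)
    for user, groups in (("bob", ["limited"]), ("alice", ["limited"]), ("carol", ["users"])):
        limits = effective_limits(rules, user, groups)
        print(user, limits, "conflicts:", soft_above_hard(limits))
```

Point parse_limits_conf() at the real /etc/security/limits.conf (and the files under /etc/security/limits.d/) to catch a misspelled item or a soft limit above a hard one before the next login exposes the mistake.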
Conclusion
By adjusting the values shown in this article you can set all sorts of limitations for different kinds of groups and users. Combined with a good DAC policy (and POSIX file capabilities!), this is a good way to lock down a system without resorting to MAC or other more complex security frameworks (SELinux, for example).