#StackBounty: #gnome3 #pam #capabilities Grant Linux Capabilities upon login with GDM using pam_cap

Bounty: 100

I am trying to grant a user the CAP_NET_ADMIN and CAP_NET_RAW capabilities on a Debian 11 system running the GNOME3 desktop environment. The user should receive the ability to use these capabilities upon logging in through the graphical login.

My /etc/security/capabilities.conf:

cap_net_admin,cap_net_raw       myuser
none                            *   

I have added the following to the top of gdm-launch-environment, gdm-password, and to the bottom of common-auth (as directed in man pam_cap) in /etc/pam.d with no luck:

auth    optional    pam_cap.so

The result:

myuser@host$ /sbin/capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Ambient set =

It works, however, if I add the line to the top of the pam su file and su to my user. I have done this setup successfully using LXDE by making a similar change, so I’m sure this is possible here as well.

How can I configure PAM to grant the capabilities when logging in through GDM?

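A quick way to see what a login actually received is to decode the five Cap* bitmasks in /proc/<pid>/status rather than reading capsh output by eye. The following is an added example, not part of the question or of libcap: CAP_BITS holds the bit numbers from <linux/capability.h> for the two capabilities the question asks about, and the SAMPLE_* texts are constructed to mirror the capsh output quoted above (every set empty, a 38-entry bounding set) and the state pam_cap produces when it does apply. pam_cap populates the inheritable set; a process can only exercise a capability that is in CapEff, so even a working pam_cap line shows up first in CapInh, and whether it ever reaches CapEff depends on what is executed afterwards (file capabilities with the inheritable bit, or ambient support in newer libcap). Checking CapEff and CapAmb is also the audit you want on a multi-user box, since nothing beyond what capability.conf lists should ever appear there.

```python
"""Decode the capability sets of a process from /proc/<pid>/status.

Added example, not from the question or from libcap. CAP_BITS holds the bit
numbers from <linux/capability.h> for the two capabilities the question
asks about; the SAMPLE_* texts are constructed to mirror the capsh output
quoted in the question (empty sets, full bounding set).
"""
import re

# Bit positions from <linux/capability.h> (only the two the question wants).
CAP_BITS = {"cap_net_admin": 12, "cap_net_raw": 13}

# The five sets reported by /proc/<pid>/status, in kernel order.
SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed: what `cat /proc/self/status` shows for the login shell in the
# question (every set empty, 38-capability bounding set = bits 0..37).
SAMPLE_LOGIN_SHELL = """\
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Constructed: the same shell after pam_cap applied the capability.conf line.
# pam_cap raises the *inheritable* set, so CapEff is still empty here.
SAMPLE_AFTER_PAM_CAP = """\
CapInh:\t0000000000003000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

def parse_cap_masks(status_text):
    """Return {set name: integer bitmask} for the Cap* lines of a status file."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def caps_in_set(masks, set_name, names=CAP_BITS):
    """Names from `names` whose bit is set in the given capability set."""
    mask = masks.get(set_name, 0)
    return sorted(name for name, bit in names.items() if (mask >> bit) & 1)

def report(status_text):
    """Per-set listing of the watched capabilities."""
    masks = parse_cap_masks(status_text)
    return {s: caps_in_set(masks, s) for s in SETS}

def usable(status_text, name):
    """True only if the capability is in CapEff, the set the kernel consults
    when the process actually attempts a privileged operation."""
    masks = parse_cap_masks(status_text)
    return bool((masks.get("CapEff", 0) >> CAP_BITS[name]) & 1)

def live_status(pid="self"):
    """Read the real status file of a process (not used by the samples)."""
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()

if __name__ == "__main__":
    for label, text in (("login shell", SAMPLE_LOGIN_SHELL),
                        ("after pam_cap", SAMPLE_AFTER_PAM_CAP)):
        print(label, report(text), "cap_net_raw usable:", usable(text, "cap_net_raw"))
    print("this process", report(live_status()))
```

Run it from the GDM session to compare against the two samples: if CapInh is still empty there, pam_cap never ran in the stack that opened that session; if CapInh is populated but CapEff is not, the PAM side is done and what remains is how the capability gets from inheritable to effective for the program that needs it.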

#StackBounty: #debian #pam Why does this PAM code prevent all logins to a Debian system?

Bounty: 50

Why does adding this line to /etc/pam.d/common-auth:

auth        required      pam_tally2.so deny=4 unlock_time=1200 even_deny_root

and adding this line to /etc/pam.d/common-account:

account     required      pam_tally2.so

prevent all logins to my Debian 10 system? All of my other PAM configuration files (login, common-session, and common-password) are unchanged from the defaults, but I can post those too if necessary.

I’ve seen a couple of other questions that discuss pam_tally, e.g. this one, this one, and this one, but they either don’t have answers specific to pam_tally or don’t have any answers at all.

(For background, I’m trying to adapt this updated guide for Debian systems)

EDIT: The libpam-modules package is installed.

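Whether a line like this locks everyone out depends on where it sits, because Linux-PAM walks a stack by control flags and Debian's default common-auth relies on a numeric jump: `[success=1 default=ignore] pam_unix.so` skips the next entry (pam_deny.so) on a correct password. Any line inserted between pam_unix and pam_deny is what gets skipped instead, so a good password lands on pam_deny. The question does not show where the line was inserted, so the following is an added simulator (not from the question or from Linux-PAM) that models the pam.conf(5) control semantics and evaluates Debian's common-auth with the question's pam_tally2 line in both positions; module outcomes are supplied by the caller, nothing touches a real PAM service.

```python
"""Simulate how Linux-PAM walks an auth stack.

Added example, not from the question or from Linux-PAM. It implements the
control semantics documented in pam.conf(5): the keyword shorthands below,
the [value=action] form, and the numeric "skip N entries" action. Module
outcomes are supplied by the caller, so nothing here touches a real PAM
service. The two stacks are Debian's default common-auth with the
question's pam_tally2 line inserted in two different positions.
"""
import re

# pam.conf(5): the keywords are shorthand for these bracket controls.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Modules whose outcome never depends on the user.
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

# Debian common-auth with the tally line placed AFTER pam_unix (constructed).
STACK_AFTER_UNIX = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_tally2.so deny=4 unlock_time=1200 even_deny_root
auth requisite pam_deny.so
auth required pam_permit.so
"""

# The same stack with the tally line placed BEFORE pam_unix (constructed).
STACK_BEFORE_UNIX = """
auth required pam_tally2.so deny=4 unlock_time=1200 even_deny_root
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""

def parse_control(control):
    """{return value: action} for a keyword or a [...] control field."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: " + control)
    return dict(pair.split("=", 1) for pair in control[1:-1].split())

def parse_stack(text):
    """(type, control, module, args) per non-comment line of a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("cannot parse: " + line)
        stack.append(m.groups())
    return stack

def evaluate(stack, outcomes, facility="auth"):
    """Walk one facility of the stack.  `outcomes` maps module -> the value it
    returns ('success', 'auth_err', 'user_unknown', ...); modules absent from
    it use FIXED or default to 'success'.  Returns the stack's final value."""
    entries = [e for e in stack if e[0].lstrip("-") == facility]
    failure = None          # first failure that counted (bad/die, or ok/done on a failure)
    positive = False        # did any entry contribute a success?
    i = 0
    while i < len(entries):
        _, control, module, _ = entries[i]
        result = outcomes.get(module, FIXED.get(module, "success"))
        actions = parse_control(control)
        action = actions.get(result, actions.get("default", "ignore"))
        i += 1
        if action == "ignore":
            continue                            # entry does not count
        if action.isdigit():                    # success=N: skip the next N entries
            i += int(action)
            action = "ok"
        if result == "success" and action in ("ok", "done"):
            positive = True
        elif failure is None:                   # bad, die, or a failing ok/done
            failure = result
        if action in ("done", "die"):
            break                               # stop walking the stack
    if failure is not None:
        return failure
    # Linux-PAM's sanity check: a stack nothing contributed to is denied.
    return "success" if positive else "perm_denied"

def login_matrix():
    """Outcome of both stacks for a correct password and for a wrong one."""
    cases = {"good password": {"pam_unix.so": "success"},
             "bad password": {"pam_unix.so": "auth_err"}}
    return {name: {case: evaluate(parse_stack(text), out) for case, out in cases.items()}
            for name, text in (("after pam_unix", STACK_AFTER_UNIX),
                               ("before pam_unix", STACK_BEFORE_UNIX))}

if __name__ == "__main__":
    for name, results in login_matrix().items():
        print(f"tally line {name}: {results}")
```

With the tally line after pam_unix both a good and a bad password end at pam_deny, which is exactly the "nobody can log in" symptom; placed before pam_unix, a good password succeeds, a bad one is denied, and a locked account (pam_tally2 returning a failure) is still denied because `required` records the failure and carries it to the end of the stack. The same parser accepts the `[default=bad success=ok user_unknown=ignore]` style of control, so any pam.d stack can be checked this way before it is deployed to a box you need to keep logging in to.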

#StackBounty: #xorg #ps #pam #limit "Xorg" process does not take limits from /etc/security/limits.conf

Bounty: 500

I have this in my /etc/security/limits.conf:

#<domain>   <type>  <item>         <value>
root        -       memlock     65536
root        -       stack       524288
root        -       nice        -20
root        -       nofile      16384

yet the process /usr/lib/xorg/Xorg, which does run as root, still has only 1024 for RLIMIT_NOFILE:

cat /proc/$(pgrep Xorg)/limits | grep 'open file'
Max open files            1024                 4096                 files   

Why are my settings in /etc/security/limits.conf not reflected in Xorg?
Where can I increase the limits for /usr/lib/xorg/Xorg?

My system is Debian Buster without systemd (I am using sysvinit), and I am using slim as the login manager. So I guess it is slim that launches the X server. Below is the PAM configuration used by slim:

cat /etc/pam.d/slim
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale

@include common-auth
@include common-account

session required        pam_limits.so
session required        pam_loginuid.so

@include common-session
@include common-password

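pam_limits applies limits.conf during the session phase of the PAM session it runs in, and only processes descended from that session inherit the result; a process started before or outside such a session keeps the limits of its parent (under sysvinit ultimately init's). A useful first check is therefore to compare, item by item, what limits.conf says for root against what a given process actually holds, taking into account that pam_limits converts units (KB to bytes for memory items, and RLIMIT_NICE is stored as 20 minus the nice value). The following is an added example, not from the question: it parses the two texts quoted above and reports the items that differ. LIMITS_CONF is the question's file; XORG_LIMITS and SHELL_LIMITS are constructed /proc/<pid>/limits dumps, the second one being what a root process that went through pam_limits with that file would show.

```python
"""Compare /etc/security/limits.conf with what a process actually got.

Added example, not from the question. It parses the two texts the question
quotes, a limits.conf and a /proc/<pid>/limits file, converts the units the
way pam_limits does (KB -> bytes for memory items, 20 - nice for the nice
ceiling) and lists the items where the process's limits differ from the
configured ones. The XORG_LIMITS and SHELL_LIMITS samples are constructed.
"""
import re

# limits.conf item -> (/proc/<pid>/limits row, conf value -> kernel value)
ITEMS = {
    "nofile":  ("Max open files",    lambda v: v),
    "stack":   ("Max stack size",    lambda v: v * 1024),
    "memlock": ("Max locked memory", lambda v: v * 1024),
    "nice":    ("Max nice priority", lambda v: 20 - v),
}

# The limits.conf from the question.
LIMITS_CONF = """
#<domain>   <type>  <item>         <value>
root        -       memlock     65536
root        -       stack       524288
root        -       nice        -20
root        -       nofile      16384
"""

# Constructed /proc/<pid>/limits of the Xorg process in the question.
XORG_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max stack size            8388608              unlimited            bytes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max nice priority         0                    0
"""

# Constructed: a root process whose session did run pam_limits with that file.
SHELL_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max stack size            536870912            536870912            bytes
Max open files            16384                16384                files
Max locked memory         67108864             67108864             bytes
Max nice priority         40                   40
"""

def _value(token):
    """Numeric limit, or the string 'unlimited' for the unlimited spellings."""
    return "unlimited" if token in ("unlimited", "infinity", "-1") else int(token)

def parse_limits_conf(text):
    """[(domain, type, item, value)] with comments and blank lines skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domain, typ, item, value = line.split()
            rules.append((domain, typ, item, _value(value)))
    return rules

def configured_limit(rules, user, item, groups=()):
    """(soft, hard) pam_limits would apply: a '*' line is overridden by a
    matching @group line, which is overridden by an explicit user line.
    None means the item is not configured for that side."""
    soft = hard = None
    for domain in ["*", *("@" + g for g in groups), user]:   # rising precedence
        for d, typ, it, value in rules:
            if d == domain and it == item:
                if typ in ("-", "soft"):
                    soft = value
                if typ in ("-", "hard"):
                    hard = value
    return soft, hard

def parse_proc_limits(text):
    """{row name: (soft, hard)} from a /proc/<pid>/limits dump."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"^(Max [a-z ]+?)\s{2,}(\S+)\s+(\S+)", line)
        if m:
            limits[m.group(1)] = (_value(m.group(2)), _value(m.group(3)))
    return limits

def _convert(value, conv):
    return value if value == "unlimited" else conv(value)

def mismatches(conf_text, proc_text, user, groups=()):
    """{item: {'configured': (soft, hard), 'actual': (soft, hard)}} for every
    configured item whose kernel value differs from limits.conf."""
    rules = parse_limits_conf(conf_text)
    actual = parse_proc_limits(proc_text)
    bad = {}
    for item, (row, conv) in ITEMS.items():
        soft, hard = configured_limit(rules, user, item, groups)
        if row not in actual or (soft is None and hard is None):
            continue
        want = tuple(None if v is None else _convert(v, conv) for v in (soft, hard))
        got = actual[row]
        if any(w is not None and w != g for w, g in zip(want, got)):
            bad[item] = {"configured": want, "actual": got}
    return bad

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # compare a live process instead
        conf = open("/etc/security/limits.conf").read()
        proc = open(f"/proc/{sys.argv[1]}/limits").read()
        print(mismatches(conf, proc, "root"))
    else:
        print("Xorg:", mismatches(LIMITS_CONF, XORG_LIMITS, "root"))
        print("shell:", mismatches(LIMITS_CONF, SHELL_LIMITS, "root"))
```

Run with a PID argument (`$(pgrep Xorg)`, or `$$` from a login shell) to compare a live process against the real limits.conf. When the login shell reports no mismatches but Xorg reports all four, pam_limits is working for sessions it is part of, and the remaining question is which process tree Xorg is actually started from.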

#StackBounty: #ldap #authentication #unix #pam #authorization PAM dynamic LDAP Authorization with groups

Bounty: 50

At the moment my PAM is integrated through LDAP with a custom authentication stack in /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

As you can see, the authorization is made by a lookup in the /etc/login.netgroup.allow file, which contains a list of LDAP groups. So a user can log in to this server only if he belongs to at least one of these groups.

This check is made statically. I mean, the login.netgroup.allow file is immutable and it contains only a list of groups. Is there a way, or any suggestion, to make this check dynamic through an LDAP lookup? I mean, suppose I have an LDAP branch which contains an entry with the hostname of my server and a multi-valued attribute containing the list of the groups associated with this server. Is it possible to make the check directly against LDAP rather than against a file?


#StackBounty: #pam #automounting #kerberos #sssd #autofs Alternative to autofs to mount CIFS folders in user home folders in multi-user…

Bounty: 100

My use case seems very simple. I want to automount the CIFS folders CIFS1 and CIFS2, which exist for all users on my file server, into each user's home during login on this multi-user Ubuntu 18.04 machine.

So if user1 logs in, I mount:

  • /home/user1/CIFS1
  • /home/user1/CIFS2.

If user2 logs in, I mount:

  • /home/user2/CIFS1
  • /home/user2/CIFS2.

I already have a working mount command to do this, using a Kerberos ticket / SSSD to authenticate:

sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID} //isilon.mydataserver/CIFS1/${USER} /home/${USER}/CIFS1

sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID} //isilon.mydataserver/CIFS2/${USER} /home/${USER}/CIFS2

It works well, but now I want to automount these folders directly after login, with the correct ${USER} information injected into the autofs configuration.

And … it seems impossible; I have tried many things (direct or indirect mapping, executable automap) without success.

The [mountpoint] [option] [location] pattern of autofs map files accepts injection of environment variables (USER, UID, etc.) only in the option/location part.

In sudo nano /etc/auto.master I have:

/- /etc/auto.cifs --ghost

Following the Sun autofs pattern for direct mounting, [mountpoint] [option] [location], my /etc/auto.cifs config contains:

/home/${USER}/CIFS1 -fstype=cifs,user=${USER},cruid=${UID},sec=krb5,uid=${UID} ://isilon.mydataserver/CIFS1/${USER}

/home/${USER}/CIFS2  -fstype=cifs,user=${USER},cruid=${UID},sec=krb5,uid=${UID} ://isilon.mydataserver/CIFS2/${USER}

Reloading the configuration:

sudo systemctl reload autofs

During user login, this configuration literally creates a /home/${USER}/CIFS1 folder and not a /home/user1/CIFS1 or /home/user2/CIFS1 folder …

Is there a way to obtain this behavior (mounting CIFS folders in a multi-user environment: /home/$USER with $USER = user1, user2, …) using autofs, or another method compatible with Kerberos / SSSD / CIFS authentication?

Edit 1: I should point out to readers that I cannot modify the Active Directory schema in place to use the automounting function of SSSD/autofs 🙁

Edit 2: I also tried to run a bash program from auto.master with program:/etc/auto.cifs, but it seems that doesn't solve this problem because the program can only return the [option] [location] part and not the [mountpoint] part.
