Difference between revisions of "Resmgr"
(One intermediate revision by one other user not shown) | |||
Line 79: | Line 79: | ||
== PAM Rule == | == PAM Rule == | ||
− | By default most, if not all, of the [[Linux-PAM]] rules include '''system-auth''. By adding '''pam_resmgr.so''' to this file we're ensuring it gets loaded regardless of the service. If you do not want this you can add it to the individual service you wish to grant | + | By default most, if not all, of the [[Linux-PAM]] rules include '''system-auth''. By adding '''pam_resmgr.so''' to this file we're ensuring it gets loaded regardless of the service. If you do not want this you can add it to the individual service you wish to grant privileges, eg. just the display manager. |
echo "session optional pam_resmgr.so" >> /etc/pam.d/system-auth | echo "session optional pam_resmgr.so" >> /etc/pam.d/system-auth | ||
Line 136: | Line 136: | ||
* Installed Libraries: libresmgr.so.{{Resmgr-Version}} pam_resmgr.so | * Installed Libraries: libresmgr.so.{{Resmgr-Version}} pam_resmgr.so | ||
* Installed Directories: | * Installed Directories: | ||
+ | |||
+ | [[Category:Security]] |
Latest revision as of 17:35, 5 July 2008
Download Source: | ftp://ftp.lst.de/pub/people/okir/resmgr/resmgr-1.0.tar.bz2 |
---|
Contents
Introduction to Resmgr
Resmgr will provide unprivileged users access to device files via ACLs.
Project Homepage: http://rechner.lst.de/~okir/resmgr/
Dependencies
Required
Non-Multilib
Compile the package:
sed -i "1i\#include <sys/syslog.h>" pam_resmgr.c && make
Install the package
make install && ln -sfv libresmgr.so.1.0 /lib/libresmgr.so
Multilib
32Bit
Compile the package:
sed -i "1i\#include <sys/syslog.h>" pam_resmgr.c && make CC="gcc ${BUILD32}"
Install the package
make install && ln -sfv libresmgr.so.1.0 /lib/libresmgr.so
N32
Compile the package:
sed -i "1i\#include <sys/syslog.h>" pam_resmgr.c && make CC="gcc ${BUILDN32}"
Install the package
make LIBDIR=/lib32 PAMDIR=/lib32/security install && ln -sfv libresmgr.so.1.0 /lib32/libresmgr.so
64Bit
Compile the package:
sed -i "1i\#include <sys/syslog.h>" pam_resmgr.c && make CC="gcc ${BUILD64}"
Install the package
make LIBDIR=/lib64 PAMDIR=/lib64/security install && ln -sfv libresmgr.so.1.0 /lib64/libresmgr.so
Configuring
A good place to start reading about configuring resmgr would be man resmgr.conf and man pam_resmgr. The resmgr.conf man page has the following in it:
For example, the following statements for the resource class desktop will deny access to users uucp and news, but grant access to everyone in group wheel, and everyone else as long as they're logged in at the console or a local X11 session:
deny desktop user=uucp || user=news allow desktop group=wheel allow desktop tty=/dev/tty[0-9]* || tty=:0
This would be a good time to edit /etc/resmgr.conf and set the rules according to your needs.
PAM Rule
By default most, if not all, of the Linux-PAM rules include system-auth. By adding pam_resmgr.so' to this file we're ensuring it gets loaded regardless of the service. If you do not want this you can add it to the individual service you wish to grant privileges, eg. just the display manager.
echo "session optional pam_resmgr.so" >> /etc/pam.d/system-auth
Bootscript
Create the bootscript:
cat > /etc/rc.d/init.d/resmgrd << "EOF" #!/bin/sh # Begin $rc_base/init.d/resmgrd . /etc/sysconfig/rc . ${rc_functions} case "${1}" in start) boot_mesg "Starting resmgrd..." loadproc /sbin/resmgrd ;; stop) boot_mesg "Stopping resmgrd..." killproc /sbin/resmgrd ;; restart) ${0} stop sleep 1 ${0} start ;; status) statusproc /sbin/resmgrd ;; *) echo "Usage: ${0} {start|stop|restart|status}" exit 1 ;; esac # End $rc_base/init.d/resmgrd EOF chmod -v 754 /etc/rc.d/init.d/resmgrd
Link it into the runlevels:
for link in /etc/rc.d/rc{{0,1,6}.d/K50,{2,3,4,5}.d/S15}resmgrd; do ln -sfv ../init.d/resmgrd $link; done
Contents
- Installed Programs: resmgr resmgrd
- Installed Libraries: libresmgr.so.1.0 pam_resmgr.so
- Installed Directories: