On Sun, Sep 07, 2003 at 01:16:53PM +0200, Werner Schalk wrote:
> I have installed and set up pam_chroot. It works pretty good but the downside
> of it is that I can't get passwd for the chrooted users working (users should
> change their own system-wide passwords). Is this possible I mean they are
> chrooted and which files are needed to get passwd working (I don't mean the
> libs, I mean like pam*.so files etc.): In general has anyone got a
> documentation on this or ever tried this before?

Unless the authoritative passwd file you're using lives inside the chroot, you'll have a somewhat difficult time of it. In order for a chrooted process to update /etc/passwd, you'll either have to make something that breaks out of the chroot, or provide some service (e.g., a web-based passwd changer) which can be used to do the job.

Or, if you're prepared to deal with having the live passwd file inside the chroot and if you're using a pam_chroot that implements the auth method, then this particular problem will be more easily solved. In that case, you'd just make pam_chroot the first auth module in the applicable /etc/pam.d/* files.

For example, if your /etc/pam.d/sshd looks like this:

    #%PAM-1.0
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so
    account required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_chroot.so

then you would change it to this:

    #%PAM-1.0
    auth required /lib/security/pam_chroot.so
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so
    account required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_stack.so service=system-auth

It's kind of a high-maintenance approach, but it should work.

-- Ed Schmollinger - schmolli@xxxxxxxxxxxxxx
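
A check for the module ordering described in the message above, as an added example that is not part of the original e-mail or of pam_chroot: it parses a PAM service file and reports where pam_chroot.so sits relative to the auth stack. The function names and result labels are assumptions made for this example, and the two sample files are constructed from the configurations quoted in the message.

```python
import re
# Constructed samples: the two /etc/pam.d/sshd variants quoted in the message.
BEFORE = """\
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_chroot.so
"""
AFTER = """\
#%PAM-1.0
auth required /lib/security/pam_chroot.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
"""

# type, control (a keyword or a bracketed [value=action ...] list), module, arguments
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module file name, args) for each rule, in file order."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments and blank lines
        if m:
            kind, control, path, args = m.groups()
            rules.append((kind, control, path.rsplit("/", 1)[-1], args))
    return rules

def chroot_position(text, module="pam_chroot.so"):
    """Hypothetical labels: auth-first, auth-late, session-only or absent."""
    rules = parse(text)
    auth = [r[2] for r in rules if r[0] == "auth"]
    if auth and auth[0] == module:
        return "auth-first"    # the ordering the message recommends
    if module in auth:
        return "auth-late"     # other auth modules run before the chroot
    if any(r[0] == "session" and r[2] == module for r in rules):
        return "session-only"  # the original layout: chroot applied at session open
    return "absent"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, chroot_position(text))
```
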