This procedure shows how to add, protect, and test a new PAM module. New modules might be required for site-specific security policies or to support third-party applications. To create a PAM module, see Chapter 3, Writing PAM Applications and Services in Developer’s Guide to Oracle Solaris 11.3 Security.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Ensure that the ownership and permissions protect the module files with root ownership and 444 permissions.
# cd /opt/pam_modules # ls -lR .: total 4 -r--r--r-- 1 root root 4570 Nov 27 12:34 pam_app1.so.1 drwxrwxrwx 2 root root 3 Nov 27 12:38 sparcv9 ./64: total 1 -r--r--r-- 1 root root 4862 Nov 27 12:38 pam_app1.so.1
The 32-bit module is in the /opt/pam_modules directory and the 64-bit module is in the 64 subdirectory.
In the following example, the module is for a new application, app1. Its service name is the same as the application name. Create an app1 service-name file in the /etc/pam.d directory. The first entry in the file enables the app1 service to be assigned to individual users.
# cd /etc/pam.d # pfedit app1 ... # PAM configuration # # app1 service # auth definitive pam_user_policy.so.1 auth required /opt/pam_modules/$ISA/pam.app1.so.1 debug
The $ISA token in the module path directs the PAM framework to the appropriate 32-bit or 64-bit architecture version of the service module for the calling application. For 32-bit applications, /a/b/$ISA/module.so becomes /a/b/module.so. and for 64-bit applications it becomes /a/b/64/module.so. In this example, you installed the 32-bit pam.app1.so.1 service module in the /opt/pam_modules directory and the 64-bit module in the /opt/pam_modules/64 directory.
To limit the app1 PAM policy to selected users, see Example 3, Adding a New Module to a Per-User PAM Policy File.
Log in directly by using login or ssh. Then, run the commands that are affected by the new module. Test users who are allowed and who are denied use of the affected commands. For troubleshooting assistance, see How to Troubleshoot PAM Configuration Errors.
In this example, the app1 service is not used by all users, so the administrator adds the service as a per-user policy.
# cd /etc/pam.d # cp app1 /opt/local_pam/app1-conf # pfedit /opt/local_pam/app1-conf ## app1 service ## app1 auth definitive pam_user_policy.so.1 app1 auth required /opt/pam_modules/$ISA/pam_app1.so.1 debug
The administrator deletes the app1 file from the pam.d directory.
# rm /etc/pam.d/app1
Then, the administrator adds the app1-conf policy to the system administrator's PAM policy.
# rolemod -K pam_policy=/opt/local_pam/app1-conf sysadminExample 4 Setting Per-User PAM Policy by Using a Rights Profile
This example uses the pam_policy security attribute to enable users from different naming services to be authenticated. The any PAM policy file is provided in the /etc/security/pam_policy directory. The comments in the file describe this policy.
Do not modify files in this directory.
# profiles -p "PAM Per-User Policy of Any" \ 'set desc="Profile which sets pam_policy=any"; set pam_policy=any; exit;'
To assign this rights profile, see How to Assign a Modified PAM Policy.