Linux security using a limited group (PAM modules)

Using PAM modules to create a restricted group in order to "jail" or "limit" some users (mostly system users).

Article published on 27 August 2010
last modification on 29 May 2016

by Emeric Nasi


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

Introduction

In the previous article, I gave a few tips to increase the security of user and system accounts. I will now explain how to create a restricted group in order to "jail" or "limit" some users (mostly system users).
In this article we will create a group that can:
- Prevent some users from logging in via SSH
- Prevent some users from inheriting POSIX capabilities
- Prevent some users from using too many resources

Warning: A wrong configuration of PAM can lead to big problems. You may not even be able to log in as root again (if that happens you can send me a message at emeric.nasi[at]sevagas.com)!

I. How do we do that?

DAC is powerful and is often overlooked too quickly; however, here we are going to focus on PAM (Pluggable Authentication Modules), and specifically on the following modules:

  • pam_access
  • pam_cap
  • pam_limits

In this article I will present an example of each module's use. For that we are going to use a system group called "limited".
To create the group:
groupadd -r limited
To add a user to the group:
usermod -a -G limited <user>

II. The PAM_ACCESS module

This module allows you to control by which way (tty, host, etc.) a user or group may or may not log into the system.

2.1 Load the module

By default, most distributions do not use this module.
The files in /etc/pam.d need to be modified so that this module is required by the authentication system.
In our example, we want to prevent all group members from remote access (e.g. SSH). There is a file called /etc/pam.d/sshd for that.

Verify whether the module is already loaded:
grep -E "^[^#]*account.*required.*pam_access.so" /etc/pam.d/sshd
If it is not, edit the file and uncomment or add the following line:
account  required     pam_access.so
OK, now the authentication system will require the pam_access module for any SSH authentication.

2.2 Restrict access

The configuration file used by the pam_access module is /etc/security/access.conf
That file's syntax is:
+|- (+ authorize, - deny) : users|groups|ALL : cron|ttyX|IPv4|IPv6|LOCAL|etc
In our example we want to prevent remote access, so we edit the file and add:
- : limited : ALL EXCEPT LOCAL
Now all the members of the limited group will only be able to log in locally.

Note: More information with man access.conf
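To see how pam_access evaluates the rule above, here is an added shell example (not from the article) that emulates its first-match logic for the subset of access.conf syntax used on this page: '+'/'-', ALL, user and group names, LOCAL and 'ALL EXCEPT ...'. It assumes the older behaviour where LOCAL matches any origin without a '.' and where a bare group name matches the user's groups; the access.conf it writes is constructed for the demo.

```shell
#!/bin/sh
# access_decision CONF USER "GROUP1 GROUP2" ORIGIN -> prints "allow" or "deny".
# Emulates pam_access: rules are read top to bottom, the first line whose user
# field and origin field both match decides; no matching line means access is
# granted. Assumptions (older semantics): LOCAL matches an origin without a
# dot, and a bare group name in the user field matches the user groups. IPv6
# origins (which contain a colon) are not handled by this simple field split.
access_decision() {
  awk -F':' -v user="$2" -v groups="$3" -v origin="$4" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function in_list(list, name,  n, a, i) {
      n = split(trim(list), a, /[ \t]+/)
      for (i = 1; i <= n; i++) if (a[i] == name) return 1
      return 0
    }
    # One item of a field: kind "user" matches ALL, the login or a group;
    # kind "origin" matches ALL, LOCAL or the literal origin string.
    function item_matches(item, kind) {
      if (item == "ALL") return 1
      if (kind == "user") return item == user || in_list(groups, item)
      if (item == "LOCAL") return index(origin, ".") == 0
      return item == origin
    }
    function list_matches(list, kind,  n, a, i) {
      n = split(trim(list), a, /[ \t]+/)
      for (i = 1; i <= n; i++) if (item_matches(a[i], kind)) return 1
      return 0
    }
    # A field is "list" or "list EXCEPT list": match the first, not the second.
    function field_matches(field, kind,  n, p, i, base, exc, after) {
      n = split(trim(field), p, /[ \t]+/); base = ""; exc = ""; after = 0
      for (i = 1; i <= n; i++) {
        if (p[i] == "EXCEPT") { after = 1; continue }
        if (after) exc = exc " " p[i]; else base = base " " p[i]
      }
      return list_matches(base, kind) && !list_matches(exc, kind)
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    NF >= 3 && field_matches($2, "user") && field_matches($3, "origin") {
      verdict = (trim($1) == "+") ? "allow" : "deny"; print verdict; found = 1; exit
    }
    END { if (!found) print "allow" }       # pam_access default: no rule, no denial
  ' "$1"
}

# Writes a constructed access.conf holding only the rule from the article.
make_sample_access_conf() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample, not a system file' \
                '- : limited : ALL EXCEPT LOCAL' > "$f"
  printf '%s\n' "$f"
}
```

Run it as `access_decision "$(make_sample_access_conf)" svc1 limited 192.168.1.5` to see the remote login of a "limited" member denied while a tty origin is still allowed.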

III. The PAM_CAP module

This module allows you to control the inheritable POSIX capabilities of users and groups (see this page and this page for more information about file capabilities).

Note: You need a Linux kernel >= 2.6.25 and the line CONFIG_SECURITY_FILE_CAPABILITIES=y in the file /boot/config

3.1 Load the module

If libcap is not already installed, install the libcap2 and libcap2-bin packages.
Next, add or uncomment the following line in the file /etc/pam.d/login
auth        required    pam_cap.so

3.2 Restrict capability use

The file /etc/security/capability.conf is used to manage the inheritable capabilities of users and groups.
The syntax is:
capability1,capability2,... user|group
In our example, we want to prevent the limited group members from inheriting any capability. We have to specify which users/groups may inherit capabilities, and deny capabilities by default to all the other users using the line:
none  *

That line is normally present by default in the capability.conf file.
In fact, in this case simply loading the pam_cap module is enough to prevent our group members from using inheritable capabilities.

IV. The PAM_LIMITS module

This module allows you to limit system resources for users and groups.

4.1 Load the module

The module is enabled by default on most Linux distributions. You can verify it by checking the files /etc/pam.d/login and /etc/pam.d/sshd for the following line:
session    required   pam_limits.so

4.2 Limit system resources for the limited group

The configuration file for the pam_limits module is /etc/security/limits.conf.
The syntax of this file is:
<domain> <type> <item> <value>

In our example, we want to configure limits.conf to prevent a local denial of service by a member of the "limited" group.
We edit the file /etc/security/limits.conf and add the following lines (the "-" type sets both the soft and the hard limit):

# Set the max number of processes to 20 for members of the 'limited' group
@limited  -  nproc  20
# Set the max file size for members of the 'limited' group to 5 MB (fsize is in KB)
@limited  -  fsize  5120
# Set the max number of open files to 100 for members of the 'limited' group
@limited  -  nofile  100
# Disable core dumps for members of the 'limited' group
@limited  hard  core  0
# Set the max number of logins to 2 for members of the 'limited' group
@limited  -  maxlogins  2
Note: More information with man limits.conf
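As an added example (not from the article), here is a small shell helper that resolves which limits.conf lines end up applying to a session, following the precedence documented for pam_limits. The limits.conf it writes is constructed: it contains the article's lines plus a site-wide '*' default and one per-user override, to show how they combine.

```shell
#!/bin/sh
# effective_limit CONF USER "GROUP1 GROUP2" ITEM -> prints "SOFT HARD" for ITEM,
# or "inherit" where no line sets that value (pam_limits then leaves the limit
# the login process already had). Precedence as documented for pam_limits:
# explicit user line > @group line > "*" default; among lines of equal
# precedence the last one wins; type "-" sets soft and hard together; group
# and "*" lines never apply to root.
effective_limit() {
  awk -v user="$2" -v groups="$3" -v item="$4" '
    # Priority of a domain for this user: 0 means the line does not apply.
    function prio(dom) {
      if (user == "root" && dom != "root") return 0
      if (dom == "*") return 1
      if (substr(dom, 1, 1) == "@")
        return index(" " groups " ", " " substr(dom, 2) " ") > 0 ? 2 : 0
      return dom == user ? 3 : 0
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    NF == 4 && $3 == item {
      p = prio($1)
      if (p == 0) next
      if (($2 == "soft" || $2 == "-") && p >= ps) { soft = $4; ps = p }
      if (($2 == "hard" || $2 == "-") && p >= ph) { hard = $4; ph = p }
    }
    END {
      s = (soft == "") ? "inherit" : soft
      h = (hard == "") ? "inherit" : hard
      print s, h
    }
  ' "$1"
}

# Writes a constructed limits.conf: a site-wide default, the lines from the
# article, and one per-user override (svc1) to show precedence.
make_sample_limits_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample, not a system file
*         soft  nproc      4096
@limited  -     nproc      20
@limited  -     fsize      5120
@limited  -     nofile     100
@limited  hard  core       0
@limited  -     maxlogins  2
svc1      soft  nproc      10
EOF
  printf '%s\n' "$f"
}
```

For example `effective_limit "$(make_sample_limits_conf)" alice limited nproc` prints "20 20", while the same query for root prints "inherit inherit" because group and wildcard lines are skipped for root.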

Conclusion

By changing some values in this article, you could set all sorts of limitations for different kinds of groups and users. Combined with a good DAC policy (and POSIX file capabilities!), that is a good way to lock down your system without using MAC or other more complex security frameworks (SELinux for example).

Note: I didn't talk about the PAM_TIME module because its restrictions are not group based. However, you might want to have a look at /etc/security/time.conf