- Userverwaltung in Joomla (MySQL)
 - Fedora 8
 
Pakete
- xguest
 - libnss-mysql
 - pam_mysql
 - squid
 
xguest
Gastaccount
/etc/security/sepermit.conf
xguest
SELinux Module
Squid: Zugriff auf MySQL zur Authentifizierung
# SELinux policy module for Squid on Fedora 8.
# Lets the squid_t domain reach the MySQL port and emit audit records.
# Presumably needed because the pam_auth helper (PAM -> pam_mysql) runs
# inside squid_t -- confirm against the AVC denials this was built from.
module squid 1.1;
require {
        type squid_t;
        type mysqld_port_t;
        class tcp_socket name_connect;
        class capability audit_write;
        class netlink_audit_socket { nlmsg_relay write create read };
}
#============= squid_t ==============
# Outbound TCP connect to the MySQL port (user/password lookup).
allow squid_t mysqld_port_t:tcp_socket name_connect;
# CAP_AUDIT_WRITE plus an audit netlink socket: likely the PAM modules
# writing authentication results to auditd from within the squid domain.
allow squid_t self:capability audit_write;
allow squid_t self:netlink_audit_socket { nlmsg_relay write create read };
NSS/Pam mysql
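# SELinux policy module: NSS/PAM lookups against MySQL from the login and
# system domains (Fedora 8). The banner layout matches audit2allow output,
# so the rules were presumably generated from AVC denials and merged from
# several runs; the duplicate "type mysqld_etc_t;" of the require block has
# been dropped.
module nssmysql 1.1;
require {
        type mysqld_etc_t;
        type sshd_t;
        type xdm_t;
        type usr_t;
        type mysqld_port_t;
        type semanage_t;
        type local_login_t;
        type user_home_dir_t;
        type pam_console_t;
        type restorecond_t;
        type setfiles_t;
        type system_dbusd_t;
        class tcp_socket { read write name_connect };
        class file { read write getattr setattr create };
}
#============= local_login_t ==============
# Console login: read the MySQL client config (mysqld_etc_t, presumably
# /etc/my.cnf) and connect to the MySQL port for the NSS/PAM queries.
allow local_login_t mysqld_etc_t:file { read getattr };
allow local_login_t mysqld_port_t:tcp_socket name_connect;
# NOTE(review): write/create/setattr on files labelled user_home_dir_t is
# broad for a login domain; check which AVC produced it before keeping it.
allow local_login_t user_home_dir_t:file { write create setattr };
#============= pam_console_t ==============
allow pam_console_t mysqld_etc_t:file getattr;
allow pam_console_t mysqld_port_t:tcp_socket name_connect;
#============= restorecond_t ==============
# restorecond/semanage resolve user and group names through NSS, which now
# means a TCP connection to MySQL.
allow restorecond_t mysqld_port_t:tcp_socket name_connect;
#============= semanage_t ==============
allow semanage_t mysqld_port_t:tcp_socket name_connect;
#============= setfiles_t ==============
# NOTE(review): setfiles reading/writing TCP sockets owned by the login
# domains looks like descriptors inherited when restorecon is run from a
# login session (a socket keeps its creator's domain). A dontaudit rule is
# the usual alternative -- verify against the audit log.
allow setfiles_t local_login_t:tcp_socket { read write };
allow setfiles_t sshd_t:tcp_socket { read write };
allow setfiles_t xdm_t:tcp_socket { read write };
#============= sshd_t ==============
# Same pattern as local_login_t for SSH logins; usr_t read is likely the
# NSS/PAM shared objects or their config under /usr.
allow sshd_t mysqld_etc_t:file { read getattr };
allow sshd_t user_home_dir_t:file { write create setattr };
allow sshd_t usr_t:file { read getattr };
#============= xdm_t ==============
# Same pattern for graphical logins (the xguest kiosk session starts here).
allow xdm_t mysqld_etc_t:file { read getattr };
allow xdm_t user_home_dir_t:file { write create setattr };
allow xdm_t usr_t:file { read getattr };
#============= system_dbusd_t ==============
allow system_dbusd_t mysqld_etc_t:file getattr;
allow system_dbusd_t mysqld_port_t:tcp_socket name_connect;
xguest rdesktop und nss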
# SELinux policy module for the xguest kiosk session: lets the guest reach
# MySQL (NSS lookups) and a remote desktop (rdesktop) port.
module xguestlsv 1.1;
# New port type for RDP; it is bound to TCP 3389 with the semanage command
# listed after the module (the type must exist in the loaded policy first).
type rdp_port_t;
require {
      attribute port_type;
}
typeattribute rdp_port_t port_type;
require {
        type xguest_t;
        type system_dbusd_t;
        type mysqld_etc_t;
        type xguest_dbusd_t;
        type mysqld_port_t;
        class tcp_socket { read write name_connect };
        class file { write getattr entrypoint setattr read create };
}
#============= xguest_dbusd_t ==============
# Session bus of the guest: stat the MySQL client config and connect to the
# MySQL port (presumably NSS resolving user/group names).
allow xguest_dbusd_t mysqld_etc_t:file getattr;
allow xguest_dbusd_t mysqld_port_t:tcp_socket name_connect;
#============= xguest_t ==============
# NOTE(review): the guest domain itself may open TCP connections to the
# MySQL port, so the DB account used by /etc/libnss-mysql.cfg should be
# read-only and limited to the lookup tables.
allow xguest_t mysqld_port_t:tcp_socket name_connect;
# rdesktop from the guest session to an RDP server.
allow xguest_t rdp_port_t:tcp_socket { name_connect read write };
# Run after loading the module:
semanage port -a -t rdp_port_t -p tcp 3389
PAM/NSS
system-auth
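#%PAM-1.0
# system-auth: stack shared by the login services. Stock Fedora 8 layout
# with pam_mysql inserted ahead of pam_unix, so Joomla accounts and local
# accounts are both accepted.
#
# auth: pam_mysql is "sufficient" and comes first, so a matching Joomla
# credential ends the stack immediately; local users fall through to
# pam_unix. The uid >= 500 check and pam_deny are only reached when both
# fail. The original "try_first_pas" on the pam_mysql line was a typo of
# try_first_pass.
# NOTE(review): nullok presumably accepts accounts whose stored password is
# empty -- confirm pam_mysql honours it and that no Joomla row has an empty
# password.
auth        required      pam_env.so
auth        sufficient    pam_mysql.so config_file=/etc/pam_mysql.conf nullok try_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

# account: a Joomla row or a local account is enough; because every module
# before pam_permit is "sufficient", the stack ends in success unless one of
# them explicitly fails the stack (stock Fedora behaviour).
account     sufficient    pam_mysql.so config_file=/etc/pam_mysql.conf
account     sufficient    pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

# password: quality check, then the new password goes to MySQL or to
# /etc/shadow depending on where the account lives.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_mysql.so config_file=/etc/pam_mysql.conf nullok try_first_pass use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

# session: pam_mysql is "required" here, so an error from it (e.g. the DB
# being unreachable) would fail every session, local users included --
# confirm that is intended. pam_namespace applies
# /etc/security/namespace.conf (private tmpfs for /tmp, /var/tmp and $HOME).
session     optional      pam_keyinit.so revoke
session     required      pam_mysql.so config_file=/etc/pam_mysql.conf
session     required      pam_limits.so
session     required      pam_namespace.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so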
sshd - nur lokale User erlauben
#%PAM-1.0
# sshd: "nur lokale User" -- pam_localuser is "required" and listed first,
# so the auth result fails for any user not present in /etc/passwd; Joomla
# accounts served by libnss-mysql therefore cannot log in over SSH even
# though system-auth would accept their password.
auth       required     pam_localuser.so
auth       include      system-auth
# pam_nologin honours /etc/nologin for non-root users.
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
/etc/pam_mysql.conf
...
# Table and columns pam_mysql authenticates against (the Joomla user table).
users.table = joomla_users
users.user_column = username
users.password_column = password
# Hash scheme of the stored password. NOTE(review): plain MD5 is a weak,
# unsalted scheme -- presumably dictated by how this Joomla version stores
# passwords; confirm the column really holds plain MD5 and not Joomla's
# "hash:salt" form, which would not verify here.
users.password_crypt = md5
# NOTE(review): a quoted literal where a column name is expected; confirm
# what the installed pam_mysql makes of it.
users.status_column = '0'
/etc/libnss-mysql.cfg
# libnss-mysql query map: each NSS lookup is an SQL statement against the
# Joomla user table. %1$s / %1$u stand for the lookup key (name / numeric
# id); libnss-mysql is expected to escape the string argument before
# substitution -- confirm for the installed version.
#
# passwd entries: name, 'x' (password lives in shadow), uid, gid, gecos,
# home, shell. uid and gid are both the Joomla row id, and every user gets
# the same fixed home /home/lsv and shell /bin/bash.
# NOTE(review): Joomla ids below 500 would collide with system uids, and
# nothing in these queries filters them.
getpwnam    SELECT username,'x',id,id,name,'/home/lsv','/bin/bash' \
            FROM joomla_users \
            WHERE username='%1$s' \
            LIMIT 1
getpwuid    SELECT username,'x',id,id,name,'/home/lsv','/bin/bash' \
            FROM joomla_users \
            WHERE id='%1$u' \
            LIMIT 1
# shadow entries: name, hash, lastchg (13868 days after the epoch, roughly
# December 2007, fixed), min 0, max 99999, warn 7, then empty
# inactive/expire/flag. The Joomla password column is served as the shadow
# hash; assumes the DB credentials with access to it live in the root-only
# libnss-mysql-root.cfg rather than in this world-readable file -- confirm.
getspnam    SELECT username,password,13868,0,99999,7,'','','' \
            FROM joomla_users \
            WHERE username='%1$s' \
            LIMIT 1
# Enumeration variants (no WHERE): every Joomla row becomes a visible
# account / shadow entry.
getpwent    SELECT username,'x',id,id,name,'/home/lsv','/bin/bash' \
            FROM joomla_users
getspent    SELECT username,password,13868,0,99999,7,'','','' \
            FROM joomla_users
# group entries: name, 'x', gid -- one private group per user, mirroring
# the user name and id.
getgrnam    SELECT username,'x',id \
            FROM joomla_users \
            WHERE username='%1$s' \
            LIMIT 1
getgrgid    SELECT username,'x',id \
            FROM joomla_users \
            WHERE id='%1$u' \
            LIMIT 1
getgrent    SELECT username,'x',id \
            FROM joomla_users
# Group membership: the only member of a group is the user with that id,
# and the only group of a user is its own id.
memsbygid   SELECT username \
            FROM joomla_users \
            WHERE id='%1$u'
gidsbymem   SELECT id \
            FROM joomla_users \
            WHERE username='%1$s'
/etc/security/namespace.conf
# pam_namespace: polydir  instance_prefix  method  users_exempted
# With method tmpfs each listed directory is replaced by a fresh, per-session
# tmpfs that disappears at logout. The fourth field names the users for whom
# this is NOT done (root, vorstand, lsv keep the real directories); every
# other account -- including the Joomla users that all share /home/lsv --
# gets a private, empty home.
/tmp      tmpfs  tmpfs  root,vorstand,lsv
/var/tmp  tmpfs  tmpfs  root,vorstand,lsv
$HOME     tmpfs  tmpfs  root,vorstand,lsv
Squid
# Squid: HTTP Basic authentication through PAM (pam_auth -> system-auth ->
# pam_mysql). Basic auth means the browser sends user name and password
# base64-encoded with the requests; acceptable only because this proxy is
# local to the kiosk -- confirm it is not reachable from elsewhere.
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 2
auth_param basic realm EDSH Internet
# Helper verdict is cached for 2 hours; a password change or lock-out is
# only enforced after the cached credentials expire.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
...
# "password" matches any authenticated user, "freesites" the domains that
# may be reached without logging in. The http_access rules that combine the
# two ACLs are not shown here.
acl password proxy_auth REQUIRED
acl freesites dstdomain .edsh.de .flugwetter.de .dwd.de .airports.de .google.com .google.de .wetter.de .wetter-jetzt.de .fl95.de .wetter.com
Firefox
/usr/lib/firefox-*/greprefs/lsv.js
// Points Firefox at a locked-preferences file (mozilla.cfg, typically in the
// install directory). obscure_value 0 means the file is read as plain text
// rather than byte-shifted; the kiosk restrictions themselves live in
// mozilla.cfg, which is not shown here.
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");