Comment 11 for bug 1033899

Marcus Granado (mrc-gran) wrote : Re: [Bug 1033899] Re: [Security] Default PAM settings allow execution of remote API commands without password

If you put two "required" entries, then the authentication will need to
satisfy both of them, so only users in both the xapi and root groups would
authenticate.

I believe that a way of having an "either one or the other" semantics is to have
a "sufficient" entry _before_ a "required" entry, like the example below.
If the "sufficient" entry holds true, then PAM returns ok and doesn't
evaluate the "required" entry. Otherwise, it goes on to test the "required"
entry. But this would need testing (I don't have a machine to test this
right now):

#%PAM-1.0
@include common-auth
auth sufficient pam_succeed_if.so user ingroup xapi
auth required pam_succeed_if.so user ingroup root

On Fri, Aug 10, 2012 at 2:24 PM, Francis Pereira <
francispereira@7terminals.com> wrote:

> Mike, I am trying to get users of group root and xapi to authenticate, but
> the following config does not work:
>
> #%PAM-1.0
> @include common-auth
> auth required pam_succeed_if.so user ingroup root
> # Uncomment below if you want users of group xapi to successfully authenticate.
> # The group xapi should be manually created.
> auth required pam_succeed_if.so user ingroup xapi
>
>
> I would like users of group xapi to successfully authenticate so that VM
> admins (members of group xapi) (administering VMs via XenCenter) don't
> have to be members of group root in dom0. This adds to dom0 security.
>
> Someone from Ubuntu Security team please comment
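
A simplified model of the control-flag behaviour discussed in this message, added here as an illustration; it is not code from the bug report or from xen-api. The sample users and groups are constructed, the reduction of "@include common-auth" to a single requisite password check is an assumption, and only the requisite, required and sufficient flags are modelled.

```python
# Added illustration: a simplified model of how Linux-PAM combines the
# "requisite", "required" and "sufficient" control flags in one auth stack.
# Users, groups and the common-auth stand-in are constructed sample data.

GROUPS = {"alice": {"xapi"}, "bob": {"root"}, "carol": {"root", "xapi"}, "dave": set()}

def ingroup(group):
    """Stand-in for: pam_succeed_if.so user ingroup <group>."""
    return lambda user, password_ok: group in GROUPS.get(user, set())

def common_auth(user, password_ok):
    """Assumption: '@include common-auth' reduced to one password check."""
    return password_ok

def authenticate(stack, user, password_ok=True):
    required_failed = False
    succeeded = False
    for control, module in stack:
        ok = module(user, password_ok)
        if control == "requisite" and not ok:
            return False            # fail now, skip the rest of the stack
        if control == "sufficient":
            if ok and not required_failed:
                return True         # success now, later entries are skipped
            continue                # a failed "sufficient" entry is ignored
        if ok:
            succeeded = True
        else:
            required_failed = True  # remember the failure, keep evaluating
    return succeeded and not required_failed

# The quoted configuration: two "required" group checks.
BOTH_REQUIRED = [("requisite", common_auth),
                 ("required", ingroup("root")),
                 ("required", ingroup("xapi"))]

# The configuration proposed in the reply: "sufficient" before "required".
SUFFICIENT_FIRST = [("requisite", common_auth),
                    ("sufficient", ingroup("xapi")),
                    ("required", ingroup("root"))]

def allowed(stack, password_ok=True):
    return sorted(u for u in GROUPS if authenticate(stack, u, password_ok))

if __name__ == "__main__":
    print("both required   :", allowed(BOTH_REQUIRED))
    print("sufficient first:", allowed(SUFFICIENT_FIRST))
    print("bad password    :", allowed(SUFFICIENT_FIRST, password_ok=False))
```

In this model the group checks are only reached after the password step succeeds, so the "sufficient" entry widens who may log in without removing the password requirement; the real stack still has to be tested on a live system, as the message says.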