* Userverwaltung in Joomla (MySQL)
 * Fedora 8

Pakete
 * xguest
 * libnss-mysql
 * pam_mysql
 * squid

= xguest =
Gastaccount (pam_sepermit: darf sich nur anmelden, solange SELinux im Enforcing-Modus läuft)

/etc/security/sepermit.conf
{{{
# pam_sepermit: users listed here may only log in while SELinux is enforcing,
# so the locked-down guest account is unusable on a permissive/disabled box.
xguest
}}}

= SELinux Module =
Squid: Zugriff auf MySQL zur Authentifizierung (der pam_auth-Helper läuft in der Domain squid_t)
{{{
# squid's pam_auth helper runs in squid_t and drives the PAM stack, which via
# pam_mysql opens a TCP connection to MySQL. Generated with audit2allow; keep
# it to exactly these three permissions.
module squid 1.1;

require {
        type squid_t;
        type mysqld_port_t;
        class tcp_socket name_connect;
        class capability audit_write;
        class netlink_audit_socket { nlmsg_relay write create read };
}

#============= squid_t ==============
# pam_mysql -> MySQL over TCP (port type mysqld_port_t).
allow squid_t mysqld_port_t:tcp_socket name_connect;
# NOTE(review): audit_write + netlink_audit_socket are presumably needed by
# the PAM stack writing login audit records from the helper — confirm against
# the AVC that prompted them before keeping a capability grant on squid.
allow squid_t self:capability audit_write;
allow squid_t self:netlink_audit_socket { nlmsg_relay write create read };
}}}

NSS/PAM mysql – Regeln für alle Domains, die über libnss-mysql/pam_mysql Benutzer nachschlagen
{{{
# With libnss-mysql every getpwnam()/getgrnam() runs inside the domain of the
# calling process, so each login-related domain needs to read the MySQL client
# config (mysqld_etc_t) and connect to the MySQL port. audit2allow output —
# review each rule instead of granting whatever the log asked for.
module nssmysql 1.1;

require {
        type mysqld_etc_t;
        type sshd_t;
        type xdm_t;
        type usr_t;
        type mysqld_port_t;
        type semanage_t;
        type local_login_t;
        # duplicate of the first require line above (redundant)
        type mysqld_etc_t;
        type user_home_dir_t;
        type pam_console_t;
        type restorecond_t;
        type setfiles_t;
        type system_dbusd_t;
        class tcp_socket { read write name_connect };
        class file { read write getattr setattr create };
}

#============= local_login_t ==============
allow local_login_t mysqld_etc_t:file { read getattr };
allow local_login_t mysqld_port_t:tcp_socket name_connect;
# NOTE(review): login writing/creating files in a home directory itself —
# check which file triggered this AVC (shared /home/lsv?) before keeping it.
allow local_login_t user_home_dir_t:file { write create setattr };

#============= pam_console_t ==============
allow pam_console_t mysqld_etc_t:file getattr;
allow pam_console_t mysqld_port_t:tcp_socket name_connect;

#============= restorecond_t ==============
# restorecond/semanage/setfiles resolve user names too, hence MySQL access.
allow restorecond_t mysqld_port_t:tcp_socket name_connect;

#============= semanage_t ==============
allow semanage_t mysqld_port_t:tcp_socket name_connect;

#============= setfiles_t ==============
# NOTE(review): read/write on sockets owned by the login domains looks like an
# inherited (leaked) MySQL connection fd rather than something setfiles needs;
# a dontaudit rule, or closing the fd before exec, is usually the better fix.
allow setfiles_t local_login_t:tcp_socket { read write };
allow setfiles_t sshd_t:tcp_socket { read write };
allow setfiles_t xdm_t:tcp_socket { read write };

#============= sshd_t ==============
allow sshd_t mysqld_etc_t:file { read getattr };
# NOTE(review): same home-directory write as for local_login_t — confirm.
allow sshd_t user_home_dir_t:file { write create setattr };
allow sshd_t usr_t:file { read getattr };

#============= xdm_t ==============
allow xdm_t mysqld_etc_t:file { read getattr };
allow xdm_t user_home_dir_t:file { write create setattr };
allow xdm_t usr_t:file { read getattr };

#============= system_dbusd_t ==============
allow system_dbusd_t mysqld_etc_t:file getattr;
allow system_dbusd_t mysqld_port_t:tcp_socket name_connect;
}}}

xguest: rdesktop (TCP 3389) und NSS-Zugriff auf MySQL
{{{
# Extras for the xguest guest session: a dedicated port type for RDP so the
# guest may run rdesktop, plus the MySQL access every domain needs for
# libnss-mysql lookups.
module xguestlsv 1.1;

# New port type; bound to tcp/3389 with "semanage port -a" (see below).
type rdp_port_t;
require {
      attribute port_type;
}

typeattribute rdp_port_t port_type;

require {
        type xguest_t;
        type system_dbusd_t;
        type mysqld_etc_t;
        type xguest_dbusd_t;
        type mysqld_port_t;
        class tcp_socket { read write name_connect };
        class file { write getattr entrypoint setattr read create };
}


#============= xguest_dbusd_t ==============
allow xguest_dbusd_t mysqld_etc_t:file getattr;
allow xguest_dbusd_t mysqld_port_t:tcp_socket name_connect;

#============= xguest_t ==============
# NOTE(review): this lets any guest process open a TCP connection to MySQL,
# not only the NSS library — pair it with a DB account that has SELECT only
# on the columns the libnss-mysql queries need.
allow xguest_t mysqld_port_t:tcp_socket name_connect;
# Deliberate hole in the xguest lockdown: outbound RDP only.
allow xguest_t rdp_port_t:tcp_socket { name_connect read write };
}}}

{{{
# Label TCP 3389 with the rdp_port_t type declared in the xguestlsv module
# (run after loading the module, otherwise the type is unknown).
semanage port -a -t rdp_port_t -p tcp 3389
}}}


= PAM/NSS =
/etc/pam.d/system-auth (pam_mysql jeweils vor pam_unix eingefügt; die Reihenfolge ist relevant)
{{{
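#%PAM-1.0
# Fedora's stock system-auth with pam_mysql inserted ahead of pam_unix in
# every section, so Joomla accounts (/etc/pam_mysql.conf) and local accounts
# both work. "sufficient" returns on the first module that accepts, so order
# matters.
auth        required      pam_env.so
# NOTE(review): nullok is a pam_unix-style option — confirm pam_mysql honours
# it; if it does, a DB row with an empty password field logs in with an empty
# password, which is almost never wanted for web-sourced accounts.
auth        sufficient    pam_mysql.so config_file=/etc/pam_mysql.conf nullok try_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_mysql.so config_file=/etc/pam_mysql.conf
account     sufficient    pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# passwd on a DB account rewrites the Joomla hash in the format given by
# users.password_crypt; the web login must accept that same format.
password    sufficient    pam_mysql.so config_file=/etc/pam_mysql.conf nullok try_first_pass use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mysql.so config_file=/etc/pam_mysql.conf
session     required      pam_limits.so
# pam_namespace: per-session tmpfs for /tmp, /var/tmp and $HOME per
# /etc/security/namespace.conf — this is what isolates the DB users that all
# share /home/lsv.
session     required      pam_namespace.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so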
}}}

/etc/pam.d/sshd - nur lokale User erlauben (greift nur für die PAM-Passwortauthentifizierung; Public-Key-Logins laufen nicht durch den auth-Stack und müssen zusätzlich per AllowUsers/AllowGroups in sshd_config beschränkt werden)
{{{
#%PAM-1.0
# Only users present in /etc/passwd may authenticate over ssh: pam_localuser
# runs first as "required", so DB-only (Joomla) accounts fail even though the
# included system-auth stack would accept them. ("requisite" would fail fast
# instead of still running the rest of the stack, MySQL lookup included, for
# an already-failed result.)
# NOTE(review): this covers PAM (password) auth only — publickey logins never
# run the auth stack. Since every DB user gets /home/lsv as home, a key in
# /home/lsv/.ssh/authorized_keys would admit any of them; restrict with
# AllowUsers/AllowGroups in sshd_config or repeat pam_localuser under account.
auth       required     pam_localuser.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
}}}

/etc/pam_mysql.conf
{{{
...
# Authenticate against Joomla's user table (connection settings omitted above).
users.table = joomla_users
users.user_column = username
users.password_column = password
# Plain, unsalted MD5 hex. NOTE(review): this only matches Joomla 1.0-style
# hashes; Joomla >= 1.5 stores "md5(password+salt):salt", which plain md5
# will never verify — confirm the Joomla version in use.
users.password_crypt = md5
# NOTE(review): status_column normally names a column; the literal '0' looks
# like a stand-in so the account check never blocks anyone. If the schema has
# Joomla's `block` column, using it would honour accounts blocked in the web UI.
users.status_column = '0'
}}}

/etc/libnss-mysql.cfg
{{{
# NSS backend mapping Joomla's user table onto passwd/shadow/group.
# Every row of joomla_users becomes a local account with uid = gid = Joomla id,
# home /home/lsv and shell /bin/bash; the shared home is what
# /etc/security/namespace.conf polyinstantiates per session.
# NOTE(review): Joomla ids are not guaranteed to stay clear of system uid/gid
# ranges (< 500) — verify, otherwise a DB user can alias a system account/group.
# NOTE(review): the DB account in this (world-readable) file should have SELECT
# only on the columns used here and no access to the password column; keep
# hash retrieval for the getsp* queries to the root-only config
# (/etc/libnss-mysql-root.cfg). The %1$s/%1$u placeholders are substituted by
# libnss-mysql — do not build further WHERE clauses from untrusted input here.
getpwnam    SELECT username,'x',id,id,name,'/home/lsv','/bin/bash' \
            FROM joomla_users \
            WHERE username='%1$s' \
            LIMIT 1
getpwuid    SELECT username,'x',id,id,name,'/home/lsv','/bin/bash' \
            FROM joomla_users \
            WHERE id='%1$u' \
            LIMIT 1
# Shadow entry: hash, fixed lastchg (13868 days = 2007-12-20), min 0, max 99999,
# warn 7 — i.e. passwords never expire here; ageing has to happen in Joomla.
getspnam    SELECT username,password,13868,0,99999,7,'','','' \
            FROM joomla_users \
            WHERE username='%1$s' \
            LIMIT 1
# Enumeration queries: every DB user is visible to getent passwd/shadow.
getpwent    SELECT username,'x',id,id,name,'/home/lsv','/bin/bash' \
            FROM joomla_users
getspent    SELECT username,password,13868,0,99999,7,'','','' \
            FROM joomla_users
# One private group per user, gid = uid.
getgrnam    SELECT username,'x',id \
            FROM joomla_users \
            WHERE username='%1$s' \
            LIMIT 1
getgrgid    SELECT username,'x',id \
            FROM joomla_users \
            WHERE id='%1$u' \
            LIMIT 1
getgrent    SELECT username,'x',id \
            FROM joomla_users
memsbygid   SELECT username \
            FROM joomla_users \
            WHERE id='%1$u'
gidsbymem   SELECT id \
            FROM joomla_users \
            WHERE username='%1$s'

}}}

/etc/security/namespace.conf
{{{
# pam_namespace: give every session its own tmpfs instance of /tmp, /var/tmp
# and $HOME. The 4th column lists the users that keep the real directories
# (root, vorstand, lsv); everyone else — i.e. the Joomla accounts, which all
# share /home/lsv — gets an empty, volatile home that vanishes at logout.
/tmp    tmpfs   tmpfs   root,vorstand,lsv
/var/tmp        tmpfs   tmpfs   root,vorstand,lsv
$HOME           tmpfs   tmpfs   root,vorstand,lsv
}}}


= Squid (/etc/squid/squid.conf, Auszug) =
{{{
# Proxy authentication through the pam_auth helper, which runs the PAM stack
# (and therefore pam_mysql) in squid_t — see the squid SELinux module above.
# Basic auth carries the password base64-encoded, i.e. effectively in clear:
# acceptable only on a trusted LAN.
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 2
auth_param basic realm EDSH Internet
# Cached credentials are re-checked every 2 hours; a user blocked in Joomla
# keeps proxy access for up to that long.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
...
# Everyone must authenticate except for the whitelisted domains below; the
# http_access rules that combine these ACLs are not shown in this excerpt.
acl password proxy_auth REQUIRED
acl freesites dstdomain .edsh.de .flugwetter.de .dwd.de .airports.de .google.com .google.de .wetter.de .wetter-jetzt.de .fl95.de .wetter.com
}}}

= Firefox =
/usr/lib/firefox-*/greprefs/lsv.js
{{{
// Site-wide pref file in greprefs/ so every profile loads mozilla.cfg from the
// Firefox install directory. obscure_value 0 = mozilla.cfg is plain text (no
// byte shift). Settings the guest must not change still need lockPref() inside
// mozilla.cfg; pref() alone only sets defaults.
// NOTE(review): the firefox-* path means this file must be re-installed after
// every Firefox package update.
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
}}}