From: Dag-Erling Smørgrav
To: "Ivan Grover"
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Sep 2008 09:47:29 +0200
Subject: Re: Controlling PAM modules
List-Id: "Security issues [members-only posting]"

"Ivan Grover" writes:
> Suppose I don't want to enable locking of users, then one solution I
> can think of is to share a common database across application and pam
> modules. The application sets the flag which indicates, if pam_able
> is included or not. Then pam_abl module will look into this database
> and then return simply PAM_SUCCESS always or process the user
> lockouts.

Put pam_able in a separate policy that you include in the others.
Whenever you want to disable it, just comment out the contents of that
policy.

DES
-- 
Dag-Erling Smørgrav - des@des.no


From: "Ivan Grover"
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Tue, 23 Sep 2008 13:14:06 +0530
Subject: Re: Controlling PAM modules

Thanks a lot. Please correct if my understanding below is what you have
suggested.

create a separate service conf file such as lockout-users in /etc/pam.d,
then in my service conf file, I write like this
auth required pam_stack.so service=lockout-users

After that whenever I want to disable the lockout, just edit the
/etc/pam.d/lockout-users file
and comment as below:

#auth required pam_able.so

Best Regards,
Ivan

On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav wrote:
> "Ivan Grover" writes:
> > Suppose I don't want to enable locking of users, then one solution I
> > can think of is to share a common database across application and pam
> > modules. The application sets the flag which indicates, if pam_able
> > is included or not. Then pam_abl module will look into this database
> > and then return simply PAM_SUCCESS always or process the user
> > lockouts.
>
> Put pam_able in a separate policy that you include in the others.
> Whenever you want to disable it, just comment out the contents of that
> policy.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>


From: "Ivan Grover"
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Tue, 23 Sep 2008 13:20:44 +0530
Subject: Re: Controlling PAM modules

I think there is something like
auth include lockout-users

I feel this would be the right way to do this. Thanks ALL for your suggestions.

On Tue, Sep 23, 2008 at 1:14 PM, Ivan Grover wrote:
> Thanks a lot. Please correct if my understanding below is what you have
> suggested.
>
> create a separate service conf file such as lockout-users in /etc/pam.d,
> then in my service conf file, I write like this
> auth required pam_stack.so service=lockout-users
>
> After that whenever I want to disable the lockout, just edit the
> /etc/pam.d/lockout-users file
> and comment as below:
>
> #auth required pam_able.so
>
> Best Regards,
> Ivan
>
> On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav wrote:
>
>> "Ivan Grover" writes:
>> > Suppose I don't want to enable locking of users, then one solution I
>> > can think of is to share a common database across application and pam
>> > modules. The application sets the flag which indicates, if pam_able
>> > is included or not. Then pam_abl module will look into this database
>> > and then return simply PAM_SUCCESS always or process the user
>> > lockouts.
>>
>> Put pam_able in a separate policy that you include in the others.
>> Whenever you want to disable it, just comment out the contents of that
>> policy.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
>>
>


From: Attila Nagy
To: freebsd-security@freebsd.org
Date: Thu, 25 Sep 2008 13:57:24 +0200
Subject: Missing /dev/auditpipe

Hello,

Running RELENG_7 (and HEAD too), and I can't find the auditpipe device.
Is there anything which should be set in order to make it useable?
auditd runs and logs to /var/audit, which I can read with praudit.

Thanks,
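
Added example, not part of any message in this archive: for the "Controlling PAM modules" thread above, this Python sketch uses a simplified resolver for `include` lines to show that commenting out the single line in the shared `lockout-users` policy removes the module from every service that includes it. The service names, the `pam_unix.so` line, the temporary directory and the helper names are assumptions; the module name is spelled as in the thread.

```python
import os
import tempfile

# Module line as spelled in the thread; file and helper names are assumptions.
LOCKOUT_LINE = "auth required pam_able.so"


def effective_modules(pam_dir, service, facility="auth", _stack=()):
    """List the modules one facility ends up with, following 'include' lines."""
    if service in _stack:  # include loop: stop instead of recursing forever
        return []
    modules = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()  # commented-out lines vanish here
            if len(fields) < 3 or fields[0] != facility:
                continue
            control, target = fields[1], fields[2]
            if control == "include":
                modules += effective_modules(pam_dir, target, facility,
                                             _stack + (service,))
            else:
                modules.append(target)
    return modules


def set_lockout(pam_dir, enabled, policy="lockout-users"):
    """Rewrite the shared policy; os.replace swaps it in atomically."""
    tmp = os.path.join(pam_dir, policy + ".tmp")
    with open(tmp, "w") as fh:
        fh.write(("" if enabled else "#") + LOCKOUT_LINE + "\n")
    os.replace(tmp, os.path.join(pam_dir, policy))


def demo():
    """Build constructed policies in a temp dir and toggle the lockout once."""
    services = ("sshd", "login")
    with tempfile.TemporaryDirectory() as pam_dir:
        for svc in services:
            with open(os.path.join(pam_dir, svc), "w") as fh:
                fh.write("auth include lockout-users\nauth required pam_unix.so\n")
        set_lockout(pam_dir, True)
        enabled = {s: effective_modules(pam_dir, s) for s in services}
        set_lockout(pam_dir, False)
        disabled = {s: effective_modules(pam_dir, s) for s in services}
    return enabled, disabled


if __name__ == "__main__":
    print(demo())
```

Running the same resolver over a copy of a real policy directory gives a quick audit of which services still carry the lockout module after the shared policy is edited.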