Pam checking UID => 1000, How to disable

Support for security such as Firewalls and securing linux
lightman47
Posts: 403
Joined: 2014/05/21 20:16:00
Location: Central New York

Re: Pam checking UID => 1000, How to disable

Postby lightman47 » 2017/03/10 23:03:48

The proper solution for me is to have the users change uids.
Until that can happen I'll just have the limit set lower.


Having done this a couple of times when I switched from Fedora 18 to CentOS 7, it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then for each group, to change file ownership/group IDs. Time consuming = YES - it has to hit every file, ESPECIALLY shares on shared drives; Difficult = not at all. It was 'sweet'. By the way, the Users don't even know about it (well, unless one is logged in while your changes are taking place).

If interested, I can give you the two FIND commands (which I got from another forum user, though perhaps not on this forum - I don't remember).

azzid
Posts: 12
Joined: 2010/03/26 13:52:57

Re: Pam checking UID => 1000, How to disable

Postby azzid » 2017/03/11 10:28:14

lightman47 wrote: it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then group to change file ownership/group IDs


Thanks for the kind offer to help with the find. Unfortunately that won't help me. The reason I'm not going down your described route is twofold:

  1. My users/groups are not in local files, but in LDAP. I'm not in control of the LDAP data.
  2. My users' files are not local, they're on network storage. I can't chmod their networked data.

Hence the delay making the workaround feasible.

pickabout
Posts: 1
Joined: 2017/03/20 01:28:54

Re: Pam checking UID => 1000, How to disable

Postby pickabout » 2017/03/20 01:37:32

Look at the files in /etc/pam.d and do a search for 1000 in all of those files.

Code:

/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet


Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary

azzid
Posts: 12
Joined: 2010/03/26 13:52:57

Re: Pam checking UID => 1000, How to disable

Postby azzid » 2017/03/20 16:53:21

pickabout wrote: Look at the files in /etc/pam.d and do a search for 1000 in all of those files.

Code:

/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet


Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary


No Mary, that's not true. As I stated before:

azzid wrote: It should be noted however, that as OP suspected, authconfig does read login.defs:

Code:

[root@yolow ~]# grep UID_MIN /etc/login.defs
UID_MIN                  1000
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
account     sufficient    pam_succeed_if.so uid < 1000 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
[root@yolow ~]# vim /etc/login.defs
[root@yolow ~]# grep UID_MIN /etc/login.defs
UID_MIN                  500
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
account     sufficient    pam_succeed_if.so uid < 500 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid


Changing /etc/login.defs and running authconfig --updateall changes the limit in a way that won't get overwritten.
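As an added example that is not from this thread, the following POSIX sh check (paths to login.defs and the pam.d directory are assumed as its two arguments) flags pam_succeed_if thresholds that no longer agree with UID_MIN, which is the drift left behind by hand-editing the *-ac files the way Mary suggested and that authconfig --updateall later overwrites. The sample tree it builds is constructed to mirror the grep output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: report pam_succeed_if UID thresholds
# in a pam.d directory that disagree with UID_MIN in login.defs (the drift
# that appears after hand-editing the *-ac files instead of login.defs).
# Usage: pam_uid_check /etc/login.defs /etc/pam.d ; exit 0 = consistent.
pam_uid_check() {
    defs="$1"; pamdir="$2"
    # Last uncommented UID_MIN line wins; comment lines have '#' in $1.
    uid_min=$(awk '$1 == "UID_MIN" { v = $2 } END { print v }' "$defs")
    [ -n "$uid_min" ] || { echo "no UID_MIN in $defs" >&2; return 2; }
    rc=0
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        # Pull N out of "pam_succeed_if.so ... uid <op> N"; use_uid and
        # quiet_success carry no operator, so those lines are skipped.
        awk -v want="$uid_min" -v file="$f" '
            /pam_succeed_if\.so/ && match($0, /uid[ \t]*(<=|>=|<|>)[ \t]*[0-9]+/) {
                expr = substr($0, RSTART, RLENGTH)
                sub(/^uid[ \t]*(<=|>=|<|>)[ \t]*/, "", expr)
                if (expr + 0 != want + 0) {
                    printf "%s:%d: threshold %s != UID_MIN %s\n", file, NR, expr, want
                    bad = 1
                }
            }
            END { exit (bad ? 1 : 0) }' "$f" || rc=1
    done
    return $rc
}

# Constructed sample tree mirroring the thread's grep output: login.defs
# says 1000, system-auth-ac agrees, fingerprint-auth-ac was hand-edited
# to 500. Prints the temporary directory it created.
pam_uid_demo() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    printf 'UID_MIN\t\t1000\nSYS_UID_MIN\t201\n' > "$d/login.defs"
    {
        echo 'auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success'
        echo 'account     sufficient    pam_succeed_if.so uid < 1000 quiet'
        echo 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
    } > "$d/pam.d/system-auth-ac"
    echo 'account     sufficient    pam_succeed_if.so uid < 500 quiet' > "$d/pam.d/fingerprint-auth-ac"
    echo "$d"
}

# Stand-alone run: the constructed sample is expected to show one mismatch.
demo_dir=$(pam_uid_demo)
pam_uid_check "$demo_dir/login.defs" "$demo_dir/pam.d" || echo "drift detected (expected for the sample)"
rm -rf "$demo_dir"
```

Running it against the real /etc/login.defs and /etc/pam.d after authconfig --updateall should print nothing and exit 0; any line it does print is a threshold that was edited by hand.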

