maddy-pam-helper

README

maddy-pam-helper

External setuid binary for interaction with shadow passwords database or other privileged objects necessary to run PAM authentication.

Building

It is really easy to build it using any GCC:

gcc pam.c main.c -lpam -o maddy-pam-helper

Yes, it is not a Go binary.

Installation

maddy-pam-helper is kinda dangerous binary and should not be allowed to be executed by everybody but maddy's user. At the same moment it needs to have access to read-protected files. For this reason installation should be done very carefully to make sure to not introduce any security "holes".

First method

chown maddy: /usr/bin/maddy-pam-helper
chmod u+x,g-x,o-x /usr/bin/maddy-pam-helper

Also maddy-pam-helper needs access to /etc/shadow, one of the ways to provide it is to set file capability CAP_DAC_READ_SEARCH:

setcap cap_dac_read_search+ep /usr/bin/maddy-pam-helper

Second method

Another, less restrictive is to make it setuid-root (assuming you have both maddy user and group):

chown root:maddy /usr/bin/maddy-pam-helper
chmod u+xs,g+x,o-x /usr/bin/maddy-pam-helper

Third method

The best way actually is to create shadow group and grant access to /etc/shadow to it and then make maddy-pam-helper setgid-shadow:

groupadd shadow
chown :shadow /etc/shadow
chmod g+r /etc/shadow
chown maddy:shadow /usr/bin/maddy-pam-helper
chmod u+x,g+xs /usr/bin/maddy-pam-helper

Pick what works best for you.

PAM service

maddy-pam-helper uses custom service instead of pretending to be su or sudo. Because of this you should configure PAM to accept it.

Minimal example using local passwd/shadow database for authentication can be found in [maddy.conf][maddy.conf] file. It should be put into /etc/pam.d/maddy.