pam_lve.so is a PAM module that sets up the LVE environment. It provides an easy way to set up LVE for SSH sessions, as well as for other PAM-enabled applications such as crontab, su, etc.
pam_lve.so is installed by default when you convert an existing server.
After you install the RPM, add the following line to the PAM config file for the required application:
In this line:
• 500 stands for the minimum UID for which LVE will be set up. For any user with UID < 500, LVE will not be set up. If CageFS is installed, use cagefsctl --set-min-uid UID to set the minimum UID; the parameter in the PAM file is ignored in that case.
• 1 stands for CageFS enabled (0 -- CageFS disabled).
• The 3rd, optional, argument defines the group of users that will not be placed into LVE or CageFS. Starting with pam_lve 0.3-7 you can specify multiple groups, comma-separated.
For example, to enable LVE for SSH access, add that line to /etc/pam.d/sshd. To enable LVE for su, add that line to /etc/pam.d/su.
By default the module will not place users in group wheel into LVE. If you want to use a different group to define the users that pam_lve will not place into LVE, pass it as the 3rd argument.
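The following is an added example, not CloudLinux's own code: it parses pam_lve.so lines out of PAM service files and applies the argument rules above (minimum UID, CageFS flag, exempt groups, wheel as the default exempt group) to predict whether a given user would be placed into LVE. The sample PAM file contents, the function names and the cagefs_min_uid parameter (standing in for the value set with cagefsctl --set-min-uid) are all constructed for this illustration.

```python
"""Audit pam_lve.so configuration and predict LVE placement for a user.

Added example, not part of the pam_lve documentation or code base.
Assumptions: PAM_CONF is a constructed sample, and 'cagefs_min_uid'
models the minimum UID set with 'cagefsctl --set-min-uid' when CageFS
is installed (in which case the PAM argument is ignored).
"""
from dataclasses import dataclass

# Constructed sample: contents of two PAM service files, keyed by path.
PAM_CONF = {
    "/etc/pam.d/sshd": """\
#%PAM-1.0
auth       required     pam_sepermit.so
session    required     pam_lve.so 500 1
session    include      password-auth
""",
    "/etc/pam.d/su": """\
auth       sufficient   pam_rootok.so
session    required     pam_lve.so 1000 0 wheel,ops
session    required     pam_sulve.so
""",
}


@dataclass
class PamLveEntry:
    service: str            # path of the PAM service file
    min_uid: int            # 1st argument: users with UID below this skip LVE
    cagefs_enabled: bool    # 2nd argument: 1 = CageFS on, 0 = off
    exempt_groups: tuple    # 3rd argument (optional); defaults to wheel


def parse_pam_lve(conf: dict) -> list:
    """Return one PamLveEntry per pam_lve.so line found (comments skipped)."""
    entries = []
    for path, text in conf.items():
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            # PAM line format: <type> <control> <module> [module-args...]
            if len(fields) < 3 or fields[2] != "pam_lve.so":
                continue
            args = fields[3:]
            if len(args) < 2:
                raise ValueError(f"{path}: pam_lve.so needs a min-UID and a CageFS flag")
            min_uid = int(args[0])
            cagefs = args[1] == "1"
            # Multiple comma-separated groups are accepted from pam_lve 0.3-7 on.
            groups = tuple(g for g in args[2].split(",") if g) if len(args) > 2 else ("wheel",)
            entries.append(PamLveEntry(path, min_uid, cagefs, groups))
    return entries


def would_enter_lve(entry: PamLveEntry, uid: int, groups, cagefs_min_uid=None) -> bool:
    """Decide whether a user (uid, group list) is placed into LVE by this entry.

    If cagefs_min_uid is given (CageFS installed, value from cagefsctl
    --set-min-uid), it replaces the minimum UID from the PAM line.
    """
    threshold = cagefs_min_uid if cagefs_min_uid is not None else entry.min_uid
    if uid < threshold:
        return False
    if any(g in entry.exempt_groups for g in groups):
        return False
    return True


def sulve_enabled(conf: dict) -> list:
    """Offline equivalent of 'grep pam_sulve.so /etc/pam.d/*'.

    Returns the service files that load pam_sulve.so; empty means disabled.
    """
    found = []
    for path, text in conf.items():
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].split()
            if len(line) >= 3 and line[2] == "pam_sulve.so":
                found.append(path)
                break
    return found


if __name__ == "__main__":
    for e in parse_pam_lve(PAM_CONF):
        print(f"{e.service}: min_uid={e.min_uid} cagefs={e.cagefs_enabled} exempt={e.exempt_groups}")
        print("  uid 1500 in 'users' ->", would_enter_lve(e, 1500, ["users"]))
        print("  uid 1500 in 'wheel' ->", would_enter_lve(e, 1500, ["wheel"]))
    print("pam_sulve enabled in:", sulve_enabled(PAM_CONF))
```

To run this against a real server instead of the constructed sample, build the dictionary from the files under /etc/pam.d and pass the value you configured with cagefsctl --set-min-uid as cagefs_min_uid; the parser deliberately ignores commented-out lines so that a disabled entry is not reported as active.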
To prevent the case where a user logs in as a regular user (via SSH) and then tries to become the superuser (via sudo or su), pam_sulve was created: it tries to enter LVE=1 and leaves it right away. If that action fails, the user gets the message:
!!!! WARNING: YOU ARE INSIDE LVE !!!!
To check whether pam_sulve is enabled on the server, run:
grep pam_sulve.so /etc/pam.d/*
The output should not be empty.