LVE PAM module


pam_lve.so is a PAM module that sets up the LVE environment for a session. It provides an easy way to place SSH sessions into LVE, as well as sessions of other PAM-enabled applications such as crontab, su, etc.

pam_lve.so is installed by default when you convert an existing server.

 

Installation:

 

# yum install pam_lve

 

After you install the RPM, add the following line to the PAM config file of the required application:

 

session    required     pam_lve.so 500 1 wheel,other

 

In this line:

500 is the minimum UID for which LVE will be set up. For any user with UID < 500, LVE will not be set up. If CageFS is installed, set the minimum UID with

cagefsctl --set-min-uid UID

instead; the parameter in the PAM files is ignored in that case.

1 stands for CageFS enabled (0 for CageFS disabled).

The 3rd, optional, argument defines the group of users that will not be placed into LVE or CageFS. Starting with pam_lve 0.3-7 you can specify multiple groups, comma separated.

 

It is crucial to place every user that uses su or sudo to become root into that group. Otherwise, once such a user gains root, the root shell is still inside that user's LVE, and every service the user restarts from it will run inside that user's LVE, and under its limits, as well.

 

For example, to enable LVE for SSH access, add that line to /etc/pam.d/sshd. To enable LVE for su, add that line to /etc/pam.d/su.

By default the module will not place users in the group wheel into LVE. If you want to use a different group to define the users that will not be placed into LVE by pam_lve, pass it as the 3rd argument.

 

Warning: Be careful when you test this. If you add the line to /etc/pam.d/sshd incorrectly, it will lock you out of SSH. Do not log out of your current SSH session until you are sure it works; verify with a second, fresh SSH login instead.

 

To catch the case where a user logs in as a regular user (via ssh) and then tries to become the superuser (via sudo or su), pam_sulve was created. It tries to enter LVE with ID 1 and leaves it right away. If that action fails, which happens when the session is already inside an LVE, the user gets the message:

 

!!!!  WARNING: YOU ARE INSIDE LVE !!!!

 

To check whether pam_sulve is enabled on the server, run:

 

grep pam_sulve.so /etc/pam.d/*

 

The output should not be empty.
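The following is an added example, not part of the pam_lve or pam_sulve packages. It wraps the configuration steps above (adding the session line for a given minimum UID, CageFS flag and exempt groups), the exempt-group check that every su/sudo user must pass, and the pam_sulve presence check into shell functions that take the PAM file or directory as an argument. The function names, the scratch file contents and the regular expression used to recognise the pam_lve.so line are this example's own assumptions; the line format itself is the one documented above. Because every function works on whatever path you pass, you can exercise it on a scratch copy first, which is the safe way to test given the lockout warning above.

```bash
#!/usr/bin/env bash
# Added example, not part of the pam_lve package: helpers for adding and
# inspecting a pam_lve.so session line in a PAM config file, plus the
# exempt-group and pam_sulve checks from the text. Every function takes the
# file or directory to inspect as an argument, so run it against a scratch
# copy first and only then against /etc/pam.d.

# Documented line format:
#   session    required     pam_lve.so <min_uid> <cagefs 0|1> [exempt_groups]
PAM_LVE_PREFIX='session    required     pam_lve.so'

# pam_lve_present FILE -> 0 if FILE already loads pam_lve.so as a session module
pam_lve_present() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+pam_lve\.so' "$1"
}

# pam_lve_add FILE MIN_UID CAGEFS EXEMPT_GROUPS
# Appends the session line once; a repeat call is a no-op, so re-running a
# provisioning script never stacks duplicate entries. Returns 0 when the line
# is present afterwards, 2 on a bad CageFS flag (the module expects 0 or 1).
pam_lve_add() {
    local file=$1 min_uid=$2 cagefs=$3 groups=$4
    case "$cagefs" in
        0|1) ;;
        *) echo "pam_lve_add: CageFS flag must be 0 or 1, got '$cagefs'" >&2; return 2 ;;
    esac
    if pam_lve_present "$file"; then
        return 0
    fi
    printf '%s %s %s %s\n' "$PAM_LVE_PREFIX" "$min_uid" "$cagefs" "$groups" >> "$file"
    pam_lve_present "$file"
}

# pam_lve_exempt_groups FILE -> prints the comma-separated exempt group list
# (the optional 3rd module argument), or nothing if it was not given
pam_lve_exempt_groups() {
    awk '/^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+pam_lve\.so/ { print $6; exit }' "$1"
}

# pam_lve_user_exempt FILE GROUP... -> 0 if any GROUP is in the exempt list,
# i.e. a user holding that group is NOT placed into LVE by this PAM file.
# Pass the output of `id -Gn USER`; run it for every account that can su or
# sudo to root, because a root shell obtained from inside an LVE stays inside it.
pam_lve_user_exempt() {
    local file=$1 exempt g
    shift
    exempt=$(pam_lve_exempt_groups "$file")
    [ -n "$exempt" ] || return 1
    for g in "$@"; do
        case ",$exempt," in
            *",$g,"*) return 0 ;;
        esac
    done
    return 1
}

# pam_sulve_enabled PAMDIR -> 0 if any file in PAMDIR loads pam_sulve.so
# (the same check as `grep pam_sulve.so /etc/pam.d/*` printing something)
pam_sulve_enabled() {
    grep -lq 'pam_sulve\.so' "$1"/* 2>/dev/null
}

# Demo on a constructed scratch copy of an sshd PAM file; nothing under /etc is touched.
scratch=$(mktemp -d)
printf 'auth       required     pam_env.so\nsession    required     pam_limits.so\n' > "$scratch/sshd"
pam_lve_add "$scratch/sshd" 500 1 wheel,other
echo "exempt groups in scratch sshd: $(pam_lve_exempt_groups "$scratch/sshd")"
if pam_lve_user_exempt "$scratch/sshd" $(id -Gn); then
    echo "current user would stay outside LVE"
else
    echo "current user would be placed into LVE"
fi
rm -rf "$scratch"
```

Against a real server, copy /etc/pam.d/sshd to a scratch path, run pam_lve_add on the copy and inspect it, then apply the same call to the real file from a session you keep open, and confirm with `pam_lve_user_exempt /etc/pam.d/sshd $(id -Gn ADMINUSER)` for each account that is allowed to su or sudo to root before you close that session.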