LVE PAM module


pam_lve is a PAM module that sets up the LVE environment. It provides an easy way to set up LVE for SSH sessions, as well as for other PAM-enabled applications such as crontab, su, etc. pam_lve is installed by default when you convert an existing server; otherwise install it with:




# yum install pam_lve


After you install the RPM, add the following line to the PAM config file of each application that should set up LVE:


session    required    pam_lve.so    500 1 wheel,other


In this line:

500 is the minimum UID for which LVE will be set up; for any user with UID < 500, no LVE is set up. If CageFS is installed, set the minimum UID with cagefsctl --set-min-uid UID instead; the UID parameter in the PAM files is ignored in that case.

1 means CageFS is enabled (0 means CageFS is disabled).

The optional 3rd argument defines the group of users that will not be placed into LVE or CageFS. Starting with pam_lve 0.3-7 you can specify multiple groups, comma separated.


It is crucial to place every user that uses su or sudo to become root into that group. Otherwise, once such a user gains root, the root session is still inside that user's LVE, and all applications restarted by that user will run inside that user's LVE as well.


For example, to enable LVE for SSH access, add that line to /etc/pam.d/sshd. To enable LVE for su, add that line to /etc/pam.d/su.

By default the module will not place users in group wheel into LVE. If you want a different group to define the users that pam_lve keeps out of LVE, pass it as the 3rd argument.


Warning: be careful when you test this. If you add the line to /etc/pam.d/sshd incorrectly, it will lock you out of SSH. Do not log out of your current SSH session until you are sure it works.
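As an added example (not part of the CloudLinux documentation), the following POSIX shell script parses the pam_lve.so line of a PAM config file and lists the members of a root-capable group (assumed here to be sudo) who are not in any of the exempt groups, which are exactly the accounts the paragraph above says must be in that group. The sshd, su and group files it reads are constructed inline; on a real server you would point it at /etc/pam.d/sshd and /etc/group.

```shell
#!/bin/sh
# Added example, not from the CloudLinux docs: audit the pam_lve.so line of a
# PAM config and list root-capable users who are not in an exempt group.
# The sample files are constructed here so the script runs offline; on a real
# server use /etc/pam.d/sshd (or su) and /etc/group instead.

# Print "MINUID CAGEFS GROUPS" from the pam_lve.so session line in FILE.
# A missing 3rd argument means the documented default, group wheel; a missing
# 2nd argument is shown as 0 (an assumption made here). Returns 1 if absent.
parse_pam_lve() {
    awk '$1 == "session" && $3 ~ /pam_lve\.so/ {
             print $4, ($5 == "" ? "0" : $5), ($6 == "" ? "wheel" : $6); found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if USER belongs to any of the comma-separated GROUPS in GROUPFILE.
user_is_exempt() {
    user=$1; glist=$2; gfile=$3
    awk -F: -v u="$user" -v gl="$glist" '
        BEGIN { n = split(gl, want, ","); for (i = 1; i <= n; i++) ok[want[i]] = 1 }
        ($1 in ok) { m = split($4, mem, ","); for (j = 1; j <= m; j++) if (mem[j] == u) hit = 1 }
        END { exit (hit ? 0 : 1) }' "$gfile"
}

# Print members of ROOTGROUP (e.g. sudo) who are not covered by the exempt
# groups of the pam_lve.so line in PAMFILE: after becoming root they would
# still sit inside their own LVE, and so would anything they restart.
unprotected_root_users() {
    pamfile=$1; gfile=$2; rootgroup=$3
    line=$(parse_pam_lve "$pamfile") || return 1
    exempt=${line##* }
    awk -F: -v g="$rootgroup" '$1 == g { print $4 }' "$gfile" | tr ',' '\n' |
    while read -r u; do
        if [ -n "$u" ] && ! user_is_exempt "$u" "$exempt" "$gfile"; then echo "$u"; fi
    done
}

# Constructed sample data (not real system files).
make_samples() {
    d=$(mktemp -d)
    printf 'session    required     pam_lve.so      500 1 wheel,other\n' > "$d/sshd"
    printf 'session    required     pam_unix.so\n' > "$d/su"
    printf 'wheel:x:10:alice\nother:x:501:carol\nsudo:x:27:alice,bob\n' > "$d/group"
    echo "$d"
}

d=$(make_samples)
parse_pam_lve "$d/sshd"                            # 500 1 wheel,other
unprotected_root_users "$d/sshd" "$d/group" sudo   # bob
```

Any user the last call prints can sudo to root but would keep running inside their own LVE, so add them to one of the groups named in the 3rd argument before relying on the configuration.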


To cover the case where a user logs in as a regular user (via ssh) and then tries to become the superuser (via sudo or su), pam_sulve was created. It tries to enter LVE=1 and leaves it right away. If that action fails, the user gets the message:




To check whether pam_sulve is enabled on the server, the output of


grep pam_sulve /etc/pam.d/*


should not be empty.