Difference between revisions of "Pam"

__NOTOC__

= PAM =

== Launch application from Desktop with password protection ==

Assuming the application in question is ''Firefox'', this works using `bin` and `sbin` pair assisted by `consolehelper` that will verify the PAM restrictions. Note that every file created should match the name of the binary to be protected.

# Move binary file

<pre><nowiki>

mv /usr/bin/firefox /usr/sbin/firefox

ln -s /usr/bin/consolehelper /usr/bin/firefox

</nowiki></pre>

# Create a security file `/etc/security/console.apps/firefox` and add the following lines:

<pre><nowiki>

USER=<user>

PROGRAM=/usr/sbin/firefox

SESSION=True

</nowiki></pre>

'''User'''

The line user should literally write as `<user>`, it will ask a password for the current user. If you need to run the application as specific user, for example `foo` then change the literal string `<user>` by `foo`, or in some cases if need to restrict to only root, user `root` instead `<user>`.

# Create a PAM file `/etc/pam.d/firefox`

<pre><nowiki>

#%PAM-1.0

auth sufficient pam_rootok.so

auth sufficient pam_timestamp.so

auth include system-auth

account required pam_permit.so

session required pam_permit.so

session optional pam_xauth.so

session optional pam_timestamp.so

</nowiki></pre>

# Create the Desktop launcher `~/Desktop/firefox.desktop`

<pre><nowiki>

[Desktop Entry]

Encoding=UTF-8

Version=1.0

Type=Application

Terminal=false

Name[en_US]=Firefox

Exec=/usr/bin/firefox

Comment[en_US]=Launch Firefox

Icon[en_US]=/usr/share/pixmaps/firefox.xpm

Name=Firefox

Comment=Launch Firerox

Icon=/usr/share/pixmaps/firefox.xpm

</nowiki></pre>

The `png` icon under `/usr/share/pixmaps` is too big, so you might want to link the small one from firefox installation to the icon folder.

<pre><nowiki>

ln -s /usr/lib/${FIREFOX}/icons/default.xpm /usr/share/pixmaps/firefox.xpm

</nowiki></pre>