Pluggable Authentication Modules are used in many Linux distributions for authentication tasks. Here are some useful modules and instructions for setting them up under Debian.

pam_tmpdir

This module improves privacy by giving each user a private temporary directory under /tmp/user, and setting TMP and TMPDIR to point to it.

apt-get install libpam-tmpdir

is all that’s needed.

Note that a more sophisticated solution is to use pam_namespace, which gives each login user what appears to be their own separate /tmp. This has a number of potential side effects (e.g. on su and sudo) which, although manageable, add to the complexity of setup. Unlike pam_tmpdir, pam_namespace does not rely on applications honouring TMP and TMPDIR.

pam_umask

This module provides a unified way of setting umask for users on login.

apt-get install libpam-umask

Then edit /etc/login.defs:

UMASK 027

which gives new directories mode 750 and new files mode 640.

pam_ssh

Allows for ssh agent unlocking on login, without the need to run ssh-add.

apt-get install libpam-ssh

pam_mount

This will mount filesystems on logging in and unmount them on logging out.

apt-get install libpam-mount cifs-utils

Enable per-user setup in /etc/security/pam_mount.conf.xml:

<luserconf name=".pam_mount.conf.xml" />

and allow the gid option:


<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />

In ~/.pam_mount.conf.xml:


<pam_mount>
<volume fstype="cifs" server="helix" path="Admin"      mountpoint="/home/%(USER)/mnt/Admin"      options="nosuid,nodev,gid=admin" />
<volume fstype="cifs" server="helix" path="Data"       mountpoint="/home/%(USER)/mnt/Data"       options="nosuid,nodev,gid=devel" />
<volume fstype="cifs" server="helix" path="%(USER)"    mountpoint="/home/%(USER)/mnt/%(USER)"    options="nosuid,nodev" />
</pam_mount>

Create your mountpoint ~/mnt, and on next login your mounts should appear.
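
The script below is an added example, not part of the original post or of pam_mount: it checks the options of each volume in a per-user file against the allow list in the global file, so a missing entry such as gid is caught before login. The embedded XML is constructed from the snippets above (the uid option on the second volume is made up to trigger a finding), and the script assumes only the option name before "=" is compared and that only the allow attribute matters.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the snippets on this page.
GLOBAL_CONF = """<pam_mount>
<luserconf name=".pam_mount.conf.xml" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />
</pam_mount>"""

USER_CONF = """<pam_mount>
<volume fstype="cifs" server="helix" path="Admin" mountpoint="/home/%(USER)/mnt/Admin" options="nosuid,nodev,gid=admin" />
<volume fstype="cifs" server="helix" path="Data" mountpoint="/home/%(USER)/mnt/Data" options="nosuid,nodev,uid=%(USER)" />
</pam_mount>"""


def option_names(csv):
    """Split 'a,b=c' into {'a', 'b'} (assumption: only the name is compared)."""
    return {item.split("=", 1)[0].strip() for item in csv.split(",") if item.strip()}


def allowed_options(global_xml):
    """Collect the names listed in <mntoptions allow="..."> elements.

    Assumption: several allow lists are treated as a union; the deny and
    require attributes and pam_mount's built-in defaults are not modelled.
    """
    allowed = set()
    for node in ET.fromstring(global_xml).iter("mntoptions"):
        allowed |= option_names(node.get("allow", ""))
    return allowed


def disallowed_per_volume(global_xml, user_xml):
    """Map each user volume's mountpoint to its options outside the allow list."""
    allowed = allowed_options(global_xml)
    findings = {}
    for vol in ET.fromstring(user_xml).iter("volume"):
        extra = option_names(vol.get("options", "")) - allowed
        if extra:
            findings[vol.get("mountpoint")] = sorted(extra)
    return findings


if __name__ == "__main__":
    for mountpoint, opts in disallowed_per_volume(GLOBAL_CONF, USER_CONF).items():
        print(f"{mountpoint}: not in allow list: {', '.join(opts)}")
```

To check a real system, read /etc/security/pam_mount.conf.xml and ~/.pam_mount.conf.xml into the two strings instead of using the embedded samples.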
