author | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-06-01 18:51:15 +0000
---|---|---
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-06-01 18:51:15 +0000
commit | 2a8b8f8a9322d075d8a991829fbe7f5c4ebbba7d |
tree | 466db266d35756bbee1c37300d84b9114fe9279a | /modules/pam_group/README
parent | d957aff169f145f9c9c85c23266f1ed22ce8e279 |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2006-06-01 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_group/Makefile.am: Include Make.xml.rules.
* modules/pam_group/group.conf.5.xml: New.
* modules/pam_group/group.conf.5: New, generated from xml file.
* modules/pam_group/pam_group.8.xml: New.
* modules/pam_group/pam_group.8: New, generated from xml file.
* modules/pam_group/README.xml: New.
* modules/pam_group/README: Regenerated from xml file.
Diffstat (limited to 'modules/pam_group/README')
-rw-r--r-- | modules/pam_group/README | 52 |
1 files changed, 37 insertions, 15 deletions
diff --git a/modules/pam_group/README b/modules/pam_group/README index d579b858..71359bf1 100644 --- a/modules/pam_group/README +++ b/modules/pam_group/README 
@@ -1,23 +1,45 @@ +pam_group — PAM module for group access -This is a help file for the pam_group module. It explains the need for -pam_group and also the syntax of the /etc/security/group.conf file. +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -1. Introduction -=============== +DESCRIPTION -It is desirable to give extra privileges to a user running a specific -PAM aware application at various times of the day and on specific days -or over various terminal lines by adding this user to extra groups. +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. -The pam_group module is intended to offer a configurable module that -satisfies this purpose, within the context of Linux-PAM. +By default rules for group memberships are taken from config file /etc/security +/group.conf. -2. the /etc/security/group.conf file -=================================== +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. -Its syntax is described in the sample group.conf file. +The pam_group module fuctions in parallel with the /etc/group file. 
If the user +is granted any groups based on the behavior of this module, they are granted in +addition to those entries /etc/group (or equivalent). -unrecognised rules are ignored (but an error is logged to syslog(3)) +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to +games (through membership of the floppy group) after work hours. + +xsh; tty* ;sword;!Wk0900-1800;games, sound + +xsh; tty* ;*;Al0900-1800;floppy --------------------- -Bugs to the list <pam-list@redhat.com> |
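Review bot: the explanation of the second example rule contradicts the rule itself. `xsh; tty* ;sword;!Wk0900-1800;games, sound` grants the games and sound groups, but the sentence above it says the user 'sword' is given access to games "(through membership of the floppy group)", copied from the first example; change it to "(through membership of the games and sound groups)". The third example, `xsh; tty* ;*;Al0900-1800;floppy`, has no explanation at all; a one-line description matching the other two (the '*' user field and the Al0900-1800 time window) would keep the EXAMPLES section consistent. Two typos in the added DESCRIPTION text: "fuctions" should be "functions", and "in addition to those entries /etc/group" is missing "in" before "/etc/group". Finally, the old README's note that unrecognised rules are ignored but an error is logged to syslog(3) is removed and nothing on the '+' side replaces it; since that is the only hint an administrator gets that a malformed line silently grants nothing, it should be carried over into the new text.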