diff options
author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 16:26:05 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 17:26:38 -0800 |
commit | 9c52e721044e7501c3d4567b36d222dc7326224a (patch) | |
tree | 9011790770130c60a712a6f125ad50d60e07cc74 /modules/pam_group/README | |
parent | 9727ff2a3fa0e94a42b34a579027bacf4146d571 (diff) | |
parent | 186ff16e8d12ff15d518000c17f115ccab5275a4 (diff) |
New upstream version 1.0.1
Diffstat (limited to 'modules/pam_group/README')
-rw-r--r-- | modules/pam_group/README | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/modules/pam_group/README b/modules/pam_group/README new file mode 100644 index 00000000..2e1e37a5 --- /dev/null +++ b/modules/pam_group/README @@ -0,0 +1,45 @@ +pam_group — PAM module for group access + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. + +By default rules for group memberships are taken from config file /etc/security +/group.conf. + +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. + +The pam_group module fuctions in parallel with the /etc/group file. If the user +is granted any groups based on the behavior of this module, they are granted in +addition to those entries /etc/group (or equivalent). + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to +games (through membership of the floppy group) after work hours. + +xsh; tty* ;sword;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + + |