author | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-01-08 12:44:15 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-01-08 12:44:15 +0000 |
commit | d48c90b14254794fcad9ccc37873a8c663cce02d (patch) | |
tree | 62e42b3fd242091e7fab171d1b816586c09e743c /modules/pam_group/README | |
parent | 1f802e15b36f0ca69dc4127a9332983acfd70117 (diff) |
Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
Remove autogenerated documentation from CVS
Diffstat (limited to 'modules/pam_group/README')
-rw-r--r-- | modules/pam_group/README | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/modules/pam_group/README b/modules/pam_group/README deleted file mode 100644 index 2e1e37a5..00000000 --- a/modules/pam_group/README +++ /dev/null 
@@ -1,45 +0,0 @@ -pam_group — PAM module for group access - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_group PAM module does not authenticate the user, but instead it grants -group memberships (in the credential setting phase of the authentication -module) to the user. Such memberships are based on the service they are -applying for. - -By default rules for group memberships are taken from config file /etc/security -/group.conf. - -This module's usefulness relies on the file-systems accessible to the user. The -point being that once granted the membership of a group, the user may attempt -to create a setgid binary with a restricted group ownership. Later, when the -user is not given membership to this group, they can recover group membership -with the precompiled binary. The reason that the file-systems that the user has -access to are so significant, is the fact that when a system is mounted nosuid -the user is unable to create or execute such a binary file. For this module to -provide any level of security, all file-systems that the user has write access -to should be mounted nosuid. - -The pam_group module fuctions in parallel with the /etc/group file. If the user -is granted any groups based on the behavior of this module, they are granted in -addition to those entries /etc/group (or equivalent). - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -group.conf. - -Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the -floppy (through membership of the floppy group) - -xsh;tty*&!ttyp*;us;Al0000-2400;floppy - -Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to -games (through membership of the floppy group) after work hours. - -xsh; tty* ;sword;!Wk0900-1800;games, sound -xsh; tty* ;*;Al0900-1800;floppy - - |
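Review bot: The removed DESCRIPTION section carries a security caveat that administrators need (every file-system the user can write to should be mounted nosuid, otherwise a setgid binary created while the group was granted lets the user recover that membership later), so before dropping the generated copy, confirm that the source it is generated from stays tracked and that the build regenerates README for release tarballs. Two defects in the removed text would be regenerated unchanged and are better fixed in that source: "fuctions" should read "functions", and the second example says the user 'sword' is given games "through membership of the floppy group" while its rule line grants "games, sound".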