summaryrefslogtreecommitdiff
path: root/modules/pam_xauth/README
diff options
context:
space:
mode:
authorThorsten Kukuk <kukuk@thkukuk.de>2006-06-09 16:44:06 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2006-06-09 16:44:06 +0000
commit393585017d45cf174384530f57cb8bc5cec1b457 (patch)
tree3985421a45d437485de6eee26026beb3cecefbd1 /modules/pam_xauth/README
parentdeda060dfbfb989de28235617fc3a9149aaee1e3 (diff)
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- 2006-06-09 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_wheel/Makefile.am: Include Make.xml.rules. * modules/pam_wheel/pam_wheel.8.xml: New. * modules/pam_wheel/pam_wheel.8: New, generated from xml file. * modules/pam_wheel/README.xml: New. * modules/pam_wheel/README: Regenerated from xml file. * modules/pam_xauth/Makefile.am: Include Make.xml.rules. * modules/pam_xauth/pam_xauth.8.xml: New. * modules/pam_xauth/pam_xauth.8: Regenerated from xml file. * modules/pam_xauth/README.xml: New. * modules/pam_xauth/README: Regenerated from xml file. * modules/pam_deny/pam_deny.8.xml: Fix syntax errors. * modules/pam_deny/pam_deny.8: Regenerate from xml file. * modules/pam_deny/README: Likewise. * modules/pam_warn/Makefile.am: Include Make.xml.rules. * modules/pam_warn/pam_warn.8.xml: New. * modules/pam_warn/pam_warn.8: New, generated from xml file. * modules/pam_warn/README.xml: New. * modules/pam_warn/README: Regenerated from xml file. * modules/pam_userdb/Makefile.am: Include Make.xml.rules. * modules/pam_userdb/pam_userdb.8.xml: New. * modules/pam_userdb/pam_userdb.8: New, generated from xml file. * modules/pam_userdb/README.xml: New. * modules/pam_userdb/README: Regenerated from xml file.
Diffstat (limited to 'modules/pam_xauth/README')
-rw-r--r--modules/pam_xauth/README132
1 files changed, 90 insertions, 42 deletions
diff --git a/modules/pam_xauth/README b/modules/pam_xauth/README
index 97916b8f..1e134d70 100644
--- a/modules/pam_xauth/README
+++ b/modules/pam_xauth/README
@@ -1,42 +1,90 @@
-pam_xauth:
- Forward xauth cookies from user to user, normally used by su, sudo, or
- userhelper.
-
- Primitive access control is provided by ~/.xauth/export in the invoking
- user's home directory and ~/.xauth/import in the target user's home
- directory.
-
- If a user has a ~/.xauth/import file, the user will only receive cookies
- from users listed in the file. If there is no ~/.xauth/import file,
- the user will accept cookies from any other user.
-
- If a user has a .xauth/export file, the user will only forward cookies
- to users listed in the file. If there is no ~/.xauth/export file, and
- the invoking user is not "root", the user will forward cookies to
- any other user. If there is no ~/.xauth/export file, and the invoking
- user is "root", the user will NOT forward cookies to other users.
-
- Both the import and export files support wildcards (such as "*"). Both
- the import and export files can be empty, signifying that no users are
- allowed.
-
-RECOGNIZED ARGUMENTS:
- debug write debugging messages to syslog
- xauthpath= the path to the xauth program, by default
- /usr/X11R6/bin/xauth, /usr/bin/xauth and
- /usr/bin/X11/xauth
- systemuser= highest user id assigned to system users, defaults
- to 499 (pam_xauth will refuse to forward creds to
- target users with id equal to or below this number,
- except for root and possibly another specified user)
- targetuser= a target user id which is excepted from the systemuser
- checks
-
-
-MODULE SERVICES PROVIDED:
- session open session copies xauth cookie to new user
- close session deletes copied xauth cookie
-
-AUTHOR:
- Nalin Dahyabhai <nalin@redhat.com>, based on original version by
- Michael K. Johnson <johnsonm@redhat.com>
+pam_xauth — PAM module to forward xauth keys between users
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_xauth PAM module is designed to forward xauth keys (sometimes referred
+to as "cookies") between users.
+
+Without pam_xauth, when xauth is enabled and a user uses the su(1) command to
+assume another user's priviledges, that user is no longer able to access the
+original user's X display because the new user does not have the key needed to
+access the display. pam_xauth solves the problem by forwarding the key from the
+user running su (the source user) to the user whose identity the source user is
+assuming (the target user) when the session is created, and destroying the key
+when the session is torn down.
+
+This means, for example, that when you run su(1) from an xterm sesssion, you
+will be able to run X programs without explicitly dealing with the xauth(1)
+xauth command or ~/.Xauthority files.
+
+pam_xauth will only forward keys if xauth can list a key connected to the
+$DISPLAY environment variable.
+
+Primitive access control is provided by ~/.xauth/export in the invoking user's
+home directory and ~/.xauth/import in the target user's home directory.
+
+If a user has a ~/.xauth/import file, the user will only receive cookies from
+users listed in the file. If there is no ~/.xauth/import file, the user will
+accept cookies from any other user.
+
+If a user has a .xauth/export file, the user will only forward cookies to users
+listed in the file. If there is no ~/.xauth/export file, and the invoking user
+is not root, the user will forward cookies to any other user. If there is no ~
+/.xauth/export file, and the invoking user is root, the user will not forward
+cookies to other users.
+
+Both the import and export files support wildcards (such as *). Both the import
+and export files can be empty, signifying that no users are allowed.
+
+OPTIONS
+
+debug
+
+ Print debug information.
+
+xauthpath=/path/to/xauth
+
+ Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth,
+ /usr/bin/xauth, or /usr/bin/X11/xauth by default).
+
+systemuser=UID
+
+ Specify the highest UID which will be assumed to belong to a "system" user.
+ pam_xauth will refuse to forward credentials to users with UID less than or
+ equal to this number, except for root and the "targetuser", if specified.
+
+targetuser=UID
+
+ Specify a single target UID which is exempt from the systemuser check.
+
+EXAMPLES
+
+Add the following line to /etc/pam.d/su to forward xauth keys between users
+when calling su:
+
+session optional pam_xauth.so
+
+
+IMPLEMENTATION DETAILS
+
+pam_xauth will work only if it is used from a setuid application in which the
+getuid() call returns the id of the user running the application, and for which
+PAM can supply the name of the account that the user is attempting to assume.
+The typical application of this type is su(1). The application must call both
+pam_open_session() and pam_close_session() with the ruid set to the uid of the
+calling user and the euid set to root, and must have provided as the PAM_USER
+item the name of the target user.
+
+pam_xauth calls xauth(1) the source user to extract the key for $DISPLAY, then
+calls xauth as the target user to merge the key into the a temporary database
+and later remove the database.
+
+pam_xauth cannot be told to not remove the keys when the session is closed.
+
+AUTHOR
+
+pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original
+version by Michael K. Johnson <johnsonm@redhat.com>.
+