author: Thorsten Kukuk <kukuk@thkukuk.de> 2015-03-24 16:57:14 +0100
committer: Thorsten Kukuk <kukuk@thkukuk.de> 2015-03-24 16:57:14 +0100
commit: 7b39983f3a7b5e7522f1672e49dcbfe579f0228f
tree: bdd4b701f05faea4e2109fb9c33623cb90f53f26 /modules
parent: 89915a23a085d414bce61040364810be3975e261
Clarify pam_access docs re PAM service names and X $DISPLAY value testing.
(Ticket #39)

* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml

Signed-off-by: Karl O. Pinc <kop at meme.com>
Diffstat (limited to 'modules')
-rw-r--r-- modules/pam_access/access.conf.5.xml 40
-rw-r--r-- modules/pam_access/pam_access.8.xml 5
2 files changed, 35 insertions, 10 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index a4d3419b..d686d92b 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -21,8 +21,12 @@
<para>
The <filename>/etc/security/access.conf</filename> file specifies
(<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
- (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
- (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>),
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>),
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>), or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name</replaceable>)
combinations for which a login will be either accepted or refused.
</para>
<para>
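Review bot: the placeholder `X-$DISPLAY-value` in this hunk reads like a literal token rather than a description of the origin, while the later hunk in this file marks the variable as `<varname>$DISPLAY</varname>`; consider using the same markup in both places, or a plainer placeholder such as `X-display`, so a reader does not expect the hyphens to be part of the configured value. The five-way list itself is consistent with the origins field description added further down.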
@@ -33,7 +37,14 @@
combination, or, in case of non-networked logins, the first entry
that matches the
(<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
- combination. The permissions field of that table entry determines
+ combination, or in the case of non-networked logins without a
+ tty, the first entry that matches the
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>) or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name/</replaceable>)
+ combination. The permissions field of that table entry
+ determines
whether the login will be accepted or refused.
</para>
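Review bot: `pam-service-name/` on the second-to-last added line carries a stray trailing slash inside the `<replaceable>` element; the same placeholder in the first hunk is `pam-service-name`, so this should be `<replaceable>pam-service-name</replaceable>` to avoid suggesting a slash is part of the syntax. Minor: "or in the case of non-networked logins without a tty" should be punctuated like the preceding clause ("or, in case of non-networked logins, ..."), and the split "determines / whether" line break is harmless but could be rejoined.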
@@ -65,14 +76,27 @@
<para>
The third field, the <replaceable>origins</replaceable>
field, should be a list of one or more tty names (for non-networked
- logins), host names, domain names (begin with "."), host addresses,
+ logins), X <varname>$DISPLAY</varname> values or PAM service
+ names (for non-networked logins without a tty), host names,
+ domain names (begin with "."), host addresses,
internet network numbers (end with "."), internet network addresses
with network mask (where network mask can be a decimal number or an
internet address also), <emphasis>ALL</emphasis> (which always matches)
- or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
- keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is
- not set and &lt;origin&gt; field is thus set from
- <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
+ or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
+ keyword matches if and only if
+ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ when called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an
+ empty string (and therefore the
+ <replaceable>origins</replaceable> field is compared against the
+ return value of
+ <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_TTY</emphasis> or, absent that,
+ <emphasis>PAM_SERVICE</emphasis>).
+ </para>
+
+ <para>
If supported by the system you can use
<emphasis>@netgroupname</emphasis> in host or user patterns. The
<emphasis>@@netgroupname</emphasis> syntax is supported in the user
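Review bot: the new `LOCAL` explanation says the origins field is compared against `PAM_TTY` "or, absent that, `PAM_SERVICE`", but nothing in this paragraph says where the X `$DISPLAY` value introduced a few lines earlier comes from; if the intent is that a display manager supplies the display string as the tty item, the paragraph should say so, otherwise a reader cannot tell which origin kind a given non-networked login will be matched against. Because `LOCAL` now explicitly matches whenever `pam_get_item(PAM_RHOST)` returns `NULL` or an empty string, it would also be worth a sentence noting that an application which fails to set `PAM_RHOST` for a remote session is treated as local by these rules, since that is the condition an administrator writing `LOCAL` entries relies on. The single sentence spanning the parenthetical is long; splitting it after "empty string" would help.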
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index 710e2e7b..c629a9f3 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -50,7 +50,8 @@
The pam_access PAM module is mainly for access management.
It provides logdaemon style login access control based on login
names, host or domain names, internet addresses or network numbers,
- or on terminal line names in case of non-networked logins.
+ or on terminal line names, X <varname>$DISPLAY</varname> values,
+ or PAM service names in case of non-networked logins.
</para>
<para>
By default rules for access management are taken from config file
@@ -59,7 +60,7 @@
</para>
<para>
If Linux PAM is compiled with audit support the module will report
- when it denies access based on origin (host or tty).
+ when it denies access based on origin (host, tty, etc.).
</para>
</refsect1>
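Review bot: "(host, tty, etc.)" is vaguer than the text it replaces; since the other hunk in this file spells out the origin kinds ("terminal line names, X `$DISPLAY` values, or PAM service names"), the audit sentence should list the same kinds, e.g. "(host, tty, X display or PAM service name)", so the reader knows exactly which denials are reported.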