diff options
| -rw-r--r-- | ChangeLog | 11 | ||||
| -rw-r--r-- | modules/pam_succeed_if/Makefile.am | 11 | ||||
| -rw-r--r-- | modules/pam_succeed_if/README | 182 | ||||
| -rw-r--r-- | modules/pam_succeed_if/README.xml | 41 | ||||
| -rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.8 | 147 | ||||
| -rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.8.xml | 265 | ||||
| -rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.c | 2 |
7 files changed, 551 insertions, 108 deletions
@@ -1,3 +1,14 @@ +2006-02-24 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_succeed_if/pam_succeed_if.8.xml: New, based on + version from #1425487. + * modules/pam_succeed_if/pam_succeed_if.8: Regenerated from xml. + * modules/pam_succeed_if/Makefile.am: Include XML rules. + * modules/pam_succeed_if/README.xml: New. + * modules/pam_succeed_if/README: Regenerated from xml. + * modules/pam_succeed_if/pam_succeed_if.c: Fix comment about + return values. + 2006-02-22 Thorsten Kukuk <kukuk@thkukuk.de> * configure.in: Fix check for incomplete libaudit installations diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am index a13e5c66..57e5abb2 100644 --- a/modules/pam_succeed_if/Makefile.am +++ b/modules/pam_succeed_if/Makefile.am @@ -4,10 +4,12 @@ CLEANFILES = *~ -EXTRA_DIST = README ${MANS} +EXTRA_DIST = README ${MANS} ${XMLS} man_MANS = pam_succeed_if.8 +XMLS = README.xml pam_succeed_if.8.xml + securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -19,3 +21,10 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_succeed_if.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_succeed_if.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README index e6e4f2aa..e2ef2edf 100644 --- a/modules/pam_succeed_if/README +++ b/modules/pam_succeed_if/README @@ -1,74 +1,108 @@ -pam_succeed_if: - Succeed or fail based on account characteristics. - - pam_succeed_if.so is designed to succeed or fail authentication based - on characteristics of the account belonging to the user being - authenticated. - - The module can be given one or more conditions as module arguments, and - authentication will succeed only if all of the conditions are met. - - Conditions are expressed in the form - - ATTRIBUTE OPERATOR VALUE - - Recognized attributes: - - LOGIN - The user's login name. - UID - The user's UID. - GID - The user's primary GID. - SHELL - The user's shell. - HOME - The user's home directory. - - Recognized operators: - - < - Arithmetic less-than. - <= - Arithmetic less-than-or-equal-to. - > - Arithmetic greater-than. - >= - Arithmetic greater-than-or-equal-to. - eq - Arithmetic equality. - = - String equality. - ne - Arithmetic inequality. - != - String inequality. - =~ - Wildcard match. - !~ - Wildcard mismatch. - ingroup - Group membership check. [*] - notingroup - Group non-membership check. [*] - innetgr - Netgroup membership check. [*][+] - notinnetgr - Netgroup non-membership check. [*][+] - - * The "ingroup", "notingroup", "innetgr" and "notinnetgr" - operators should only be used with the USER attribute. - - + The "innetgr" and "notinnetgr" operators always match - both remote host and USER against the netgroup. If a remote - host is not set by the application it will be matched - against any host in the netgroup triplet. - Examples: - - Deny authentication to all users except those in the wheel - group, before even asking for a password: - auth requisite pam_succeed_if.so user ingroup wheel - - Assume all users with UID less than 500 ("system users") have - valid accounts. - account sufficient pam_succeed_if.so uid < 500 - - Deny login to all nologin users. - auth requisite pam_succeed_if.so shell !~ nologin - -RECOGNIZED ARGUMENTS: - debug write debugging messages to syslog - use_uid perform checks on the account of the user under whose - UID the application is running instead of the user - being authenticated - quiet don't log failure or success to syslog - quiet_fail don't log failure to syslog - quiet_success don't log success to syslog - - -MODULE SERVICES PROVIDED: - authentication, account management - -AUTHOR: - Nalin Dahyabhai <nalin@redhat.com> +pam_succeed_if — test account characteristics + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +pam_succeed_if.so is designed to succeed or fail authentication based on +characteristics of the account belonging to the user being authenticated. One +use is to select whether to load other modules based on this test. + +The module should be given one or more conditions as module arguments, and +authentication will succeed only if all of the conditions are met. + +OPTIONS + +The following flags are supported: + +debug + + Turns on debugging messages sent to syslog. + +use_uid + + Evaluate conditions using the account of the user whose UID the application + is running under instead of the user being authenticated. + +quiet + + Don't log failure or success to the system log. + +quiet_fail + + Don't log failure to the system log. + +quiet_success + + Don't log success to the system log. + +Conditions are three words: a field, a test, and a value to test for. + +Available fields are user, uid, gid, shell and home: + +field < number + + Field has a value numerically less than number. + +field <= number + + Field has a value numerically less than or equal to number. + +field eq number + + Field has a value numerically less equal to number. + +field >= number + + Field has a value numerically greater than or equal to number. + +field > number + + Field has a value numerically greater than number. + +field ne number + + Field has a value numerically different from number. + +field = string + + Field exactly matches the given string. + +field != string + + Field does not match the given string. + +field =~ glob + + Field matches the given glob. + +field !~ glob + + Field does not match the given glob. + +user ingroup group + + User is in given group. + +user notingroup group + + User is not in given group. + +EXAMPLES + +To emulate the behaviour of pam_wheel, except there is no fallback to group 0: + + auth required pam_succeed_if.so quiet user ingroup wheel + + +Given that the type matches, only loads the othermodule rule if the UID is over +500. Adjust the number after default to skip several rules. + + type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 + type required othermodule.so arguments... + + +AUTHOR + +Nalin Dahyabhai <nalin@redhat.com> + diff --git a/modules/pam_succeed_if/README.xml b/modules/pam_succeed_if/README.xml new file mode 100644 index 00000000..c52f00a0 --- /dev/null +++ b/modules/pam_succeed_if/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_succeed_if.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_succeed_if-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-author"]/*)'/> + </section> + +</article> diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 index da95a033..70c4f8d2 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8 +++ b/modules/pam_succeed_if/pam_succeed_if.8 @@ -1,37 +1,120 @@ -.\" Copyright 2003, 2004 Red Hat, Inc. -.\" Written by Nalin Dahyabhai <nalin@redhat.com> -.TH pam_succeed_if 8 2004/12/27 "Linux-PAM" "System Administrator's Manual" - -.SH NAME -pam_succeed_if \- succeed or fail based on account characteristics - -.SH SYNOPSIS -.B account sufficient pam_succeed_if.so uid < 500 - -.SH DESCRIPTION -pam_succeed_if.so is designed to succeed or fail authentication based on -characteristics of the account belonging to the user being authenticated. - -The module can be given one or more conditions as module arguments, and -authentication will succeed only if all of the conditions are met. - -.SH ARGUMENTS -.IP debug +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "PAM_SUCCEED_IF" "8" "02/24/2006" "Linux\-PAM" "Linux\-PAM" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_succeed_if \- test account characteristics +.SH "SYNOPSIS" +.HP 18 +\fBpam_succeed_if.so\fR [\fIflag\fR...] [\fIcondition\fR...] +.SH "DESCRIPTION" +.PP +pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated. One use is to select whether to load other modules based on this test. +.PP +The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met. +.SH "OPTIONS" +.PP +The following +\fIflag\fRs are supported: +.TP +\fBdebug\fR Turns on debugging messages sent to syslog. -.IP use_uid -Evaluate conditions using the account of the user whose UID the application -is running under instead of the user being authenticated. -.IP quiet +.TP +\fBuse_uid\fR +Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated. +.TP +\fBquiet\fR Don't log failure or success to the system log. -.IP quiet_fail +.TP +\fBquiet_fail\fR Don't log failure to the system log. -.IP quiet_success +.TP +\fBquiet_success\fR Don't log success to the system log. - - -.SH BUGS -Let's hope not, but if you find any, please report them via the "Bug Track" -link at http://bugzilla.redhat.com/bugzilla/ - -.SH AUTHOR +.PP +\fICondition\fRs are three words: a field, a test, and a value to test for. +.PP +Available fields are +\fIuser\fR, +\fIuid\fR, +\fIgid\fR, +\fIshell\fR +and +\fIhome\fR: +.TP +\fBfield < number\fR +Field has a value numerically less than number. +.TP +\fBfield <= number\fR +Field has a value numerically less than or equal to number. +.TP +\fBfield eq number\fR +Field has a value numerically less equal to number. +.TP +\fBfield >= number\fR +Field has a value numerically greater than or equal to number. +.TP +\fBfield > number\fR +Field has a value numerically greater than number. +.TP +\fBfield ne number\fR +Field has a value numerically different from number. +.TP +\fBfield = string\fR +Field exactly matches the given string. +.TP +\fBfield != string\fR +Field does not match the given string. +.TP +\fBfield =~ glob\fR +Field matches the given glob. +.TP +\fBfield !~ glob\fR +Field does not match the given glob. +.TP +\fBuser ingroup group\fR +User is in given group. +.TP +\fBuser notingroup group\fR +User is not in given group. +.SH "RETURN VALUES" +.TP +PAM_SUCCESS +The condition was true. +.TP +PAM_AUTH_ERR +The condition was false. +.TP +PAM_SERVICE_ERR +A service error occured or the arguments can't be parsed as numbers. +.SH "EXAMPLES" +.PP +To emulate the behaviour of +\fIpam_wheel\fR, except there is no fallback to group 0: +.sp +.nf + auth required pam_succeed_if.so quiet user ingroup wheel + +.fi +.sp +.PP +Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules. +.sp +.nf + type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 + type required othermodule.so arguments... + +.fi +.sp +.SH "SEE ALSO" +.PP +\fBglob\fR(7), +\fBpam\fR(8) +.SH "AUTHOR" +.PP Nalin Dahyabhai <nalin@redhat.com> diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml new file mode 100644 index 00000000..d6f26ce9 --- /dev/null +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -0,0 +1,265 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + + +<refentry id='pam_succeed_if'> +<!-- Copyright 2003, 2004 Red Hat, Inc. --> +<!-- Written by Nalin Dahyabhai <nalin@redhat.com> --> + + <refmeta> + <refentrytitle>pam_succeed_if</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo> + </refmeta> + + <refnamediv id='pam_succeed_if-name'> + <refname>pam_succeed_if</refname> + <refpurpose>test account characteristics</refpurpose> + </refnamediv> + + + <refsynopsisdiv> + <cmdsynopsis id='pam_succeed_if-cmdsynopsis'> + <command>pam_succeed_if.so</command> + <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg> + <arg choice='opt' rep='repeat'><replaceable>condition</replaceable></arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_succeed_if-description'> + <title>DESCRIPTION</title> + <para> + pam_succeed_if.so is designed to succeed or fail authentication + based on characteristics of the account belonging to the user being + authenticated. One use is to select whether to load other modules based + on this test. + </para> + + <para> + The module should be given one or more conditions as module arguments, + and authentication will succeed only if all of the conditions are met. + </para> + </refsect1> + + <refsect1 id="pam_succeed_if-options"> + <title>OPTIONS</title> + <para> + The following <emphasis>flag</emphasis>s are supported: + </para> + + <variablelist> + <varlistentry> + <term><option>debug</option></term> + <listitem> + <para>Turns on debugging messages sent to syslog.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>use_uid</option></term> + <listitem> + <para> + Evaluate conditions using the account of the user whose UID + the application is running under instead of the user being + authenticated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet</option></term> + <listitem> + <para>Don't log failure or success to the system log.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet_fail</option></term> + <listitem> + <para> + Don't log failure to the system log. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet_success</option></term> + <listitem> + <para> + Don't log success to the system log. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + <emphasis>Condition</emphasis>s are three words: a field, a test, + and a value to test for. + </para> + <para> + Available fields are <emphasis>user</emphasis>, + <emphasis>uid</emphasis>, <emphasis>gid</emphasis>, + <emphasis>shell</emphasis> and <emphasis>home</emphasis>: + </para> + + <variablelist> + <varlistentry> + <term><option>field < number</option></term> + <listitem> + <para>Field has a value numerically less than number.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field <= number</option></term> + <listitem> + <para> + Field has a value numerically less than or equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field eq number</option></term> + <listitem> + <para> + Field has a value numerically less equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field >= number</option></term> + <listitem> + <para> + Field has a value numerically greater than or equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field > number</option></term> + <listitem> + <para> + Field has a value numerically greater than number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field ne number</option></term> + <listitem> + <para> + Field has a value numerically different from number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field = string</option></term> + <listitem> + <para> + Field exactly matches the given string. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field != string</option></term> + <listitem> + <para> + Field does not match the given string. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field =~ glob</option></term> + <listitem> + <para>Field matches the given glob.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field !~ glob</option></term> + <listitem> + <para>Field does not match the given glob.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user ingroup group</option></term> + <listitem> + <para>User is in given group.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user notingroup group</option></term> + <listitem> + <para>User is not in given group.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_exec-return_values'> + <title>RETURN VALUES</title> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The condition was true. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The condition was false. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A service error occured or the arguments can't be + parsed as numbers. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 id='pam_succeed_if-examples'> + <title>EXAMPLES</title> + <para> + To emulate the behaviour of <emphasis>pam_wheel</emphasis>, except + there is no fallback to group 0: + <programlisting> + auth required pam_succeed_if.so quiet user ingroup wheel + </programlisting> + </para> + + <para> + Given that the type matches, only loads the othermodule rule if + the UID is over 500. Adjust the number after default to skip + several rules. + <programlisting> + type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 + type required othermodule.so arguments... + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_succeed_if-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_succeed_if-author'> + <title>AUTHOR</title> + <para>Nalin Dahyabhai <nalin@redhat.com></para> + </refsect1> +</refentry> diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index d343cae8..f7e8ed2c 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -63,7 +63,7 @@ /* Basically, run cmp(atol(left), atol(right)), returning PAM_SUCCESS if * the function returns non-zero, PAM_AUTH_ERR if it returns zero, and - * PAM_SYSTEM_ERR if the arguments can't be parsed as numbers. */ + * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */ static int evaluate_num(const pam_handle_t *pamh, const char *left, const char *right, int (*cmp)(int, int)) |