summaryrefslogtreecommitdiff
path: root/doc/modules/pam_group.sgml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/modules/pam_group.sgml')
-rw-r--r--doc/modules/pam_group.sgml108
1 files changed, 108 insertions, 0 deletions
diff --git a/doc/modules/pam_group.sgml b/doc/modules/pam_group.sgml
new file mode 100644
index 00000000..8251e3dd
--- /dev/null
+++ b/doc/modules/pam_group.sgml
@@ -0,0 +1,108 @@
+<!--
+ $Id$
+
+ This file was written by Andrew G. Morgan <morgan@parc.power.net>
+-->
+
+<sect1>The group access module
+
+<sect2>Synopsis
+
+<p>
+<descrip>
+
+<tag><bf>Module Name:</bf></tag>
+<tt/pam_group/
+
+<tag><bf>Author:</bf></tag>
+Andrew G. Morgan &lt;morgan@parc.power.net&gt;
+
+<tag><bf>Maintainer:</bf></tag>
+Author.
+
+<tag><bf>Management groups provided:</bf></tag>
+authentication
+
+<tag><bf>Cryptographically sensitive:</bf></tag>
+
+<tag><bf>Security rating:</bf></tag>
+Sensitive to <em/setgid/ status of file-systems accessible to users.
+
+<tag><bf>Clean code base:</bf></tag>
+
+<tag><bf>System dependencies:</bf></tag>
+Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled
+with or without <tt/libpwdb/.
+
+<tag><bf>Network aware:</bf></tag>
+Only through correctly set <tt/PAM_TTY/ item.
+
+</descrip>
+
+<sect2>Overview of module
+
+<p>
+This module provides group-settings based on the user's name and the
+terminal they are requesting a given service from. It takes note of
+the time of day.
+
+<sect2>Authentication component
+
+<p>
+<descrip>
+
+<tag><bf>Recognized arguments:</bf></tag>
+
+<tag><bf>Description:</bf></tag>
+
+This module does not authenticate the user, but instead it grants
+group memberships (in the credential setting phase of the
+authentication module) to the user. Such memberships are based on the
+service they are applying for. The group memberships are listed in
+text form in the <tt>/etc/security/group.conf</tt> file.
+
+<tag><bf>Examples/suggested usage:</bf></tag>
+
+For this module to function correctly there must be a correctly
+formatted <tt>/etc/security/groups.conf</tt> file present. The format
+of this file is as follows. Group memberships are given based on the
+service application satisfying any combination of lines in the
+configuration file. Each line (barring comments which are preceded by
+`<tt/#/' marks) has the following
+syntax:
+<tscreen>
+<verb>
+services ; ttys ; users ; times ; groups
+</verb>
+</tscreen>
+Here the first four fields share the syntax of the <tt>pam_time</tt>
+configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last
+field, the <tt/groups/ field, is a comma (or space) separated list of
+the text-names of a selection of groups. If the users application for
+service satisfies the first four fields, the user is granted membership
+of the listed groups.
+
+<p>
+As stated in above this module's usefulness relies on the file-systems
+accessible to the user. The point being that once granted the
+membership of a group, the user may attempt to create a <em/setgid/
+binary with a restricted group ownership. Later, when the user is not
+given membership to this group, they can recover group membership with
+the precompiled binary. The reason that the file-systems that the user
+has access to are so significant, is the fact that when a system is
+mounted <em/nosuid/ the user is unable to create or execute such a
+binary file. For this module to provide any level of security, all
+file-systems that the user has write access to should be mounted
+<em/nosuid/.
+
+<p>
+The <tt>pam_group</tt> module fuctions in parallel with the
+<tt>/etc/group</tt> file. If the user is granted any groups based on
+the behavior of this module, they are granted <em>in addition</em> to
+those entries <tt>/etc/group</tt> (or equivalent).
+
+</descrip>
+
+<!--
+End of sgml insert for this module.
+-->