diff options
Diffstat (limited to 'modules/pam_group/group.conf.5')
| -rw-r--r-- | modules/pam_group/group.conf.5 | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5 new file mode 100644 index 00000000..933a22ec --- /dev/null +++ b/modules/pam_group/group.conf.5 @@ -0,0 +1,119 @@ +'\" t +.\" Title: group.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 05/18/2017 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "GROUP\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +group.conf \- configuration file for the pam_group module +.SH "DESCRIPTION" +.PP +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\&. Such memberships are based on the service they are applying for\&. +.PP +For this module to function correctly there must be a correctly formatted +/etc/security/group\&.conf +file present\&. White spaces are ignored and lines maybe extended with \*(Aq\e\*(Aq (escaped newlines)\&. Text following a \*(Aq#\*(Aq is ignored to the end of the line\&. +.PP +The syntax of the lines is as follows: +.PP +\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR;\fIgroups\fR +.PP +The first field, the +\fIservices\fR +field, is a logic list of PAM service names that the rule applies to\&. +.PP +The second field, the +\fItty\fR +field, is a logic list of terminal names that this rule applies to\&. +.PP +The third field, the +\fIusers\fR +field, is a logic list of users, or a UNIX group, or a netgroup of users to whom this rule applies\&. Group names are preceded by a \*(Aq%\*(Aq symbol, while netgroup names are preceded by a \*(Aq@\*(Aq symbol\&. +.PP +For these items the simple wildcard \*(Aq*\*(Aq may be used only once\&. With UNIX groups or netgroups no wildcards or logic operators are allowed\&. +.PP +The +\fItimes\fR +field is used to indicate "when" these groups are to be given to the user\&. The format here is a logic list of day/time\-range entries\&. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday\&. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday\&. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively\&. As a final example, AlFr means all days except Friday\&. +.PP +Each day/time\-range can be prefixed with a \*(Aq!\*(Aq to indicate "anything but"\&. The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day)\&. +.PP +The +\fIgroups\fR +field is a comma or space separated list of groups that the user inherits membership of\&. These groups are added if the previous fields are satisfied by the user\*(Aqs request\&. +.PP +For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process\&. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +/etc/security/group\&.conf\&. +.PP +Running \*(Aqxsh\*(Aq on tty* (any ttyXXX device), the user \*(Aqus\*(Aq is given access to the floppy (through membership of the floppy group) +.sp +.if n \{\ +.RS 4 +.\} +.nf +xsh;tty*&!ttyp*;us;Al0000\-2400;floppy +.fi +.if n \{\ +.RE +.\} +.PP +Running \*(Aqxsh\*(Aq on tty* (any ttyXXX device), the users \*(Aqsword\*(Aq, \*(Aqpike\*(Aq and \*(Aqshield\*(Aq are given access to games (through membership of the floppy group) after work hours\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +xsh; tty* ;sword|pike|shield;!Wk0900\-1800;games, sound +xsh; tty* ;*;Al0900\-1800;floppy + +.fi +.if n \{\ +.RE +.\} +.PP +Any member of the group \*(Aqadmin\*(Aq running \*(Aqxsh\*(Aq on tty*, is granted access (at any time) to the group \*(Aqplugdev\*(Aq +.sp +.if n \{\ +.RS 4 +.\} +.nf +xsh; tty* ;%admin;Al0000\-2400;plugdev + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBpam_group\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. |