summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_nologin/Makefile.am10
-rw-r--r--modules/pam_nologin/README46
-rw-r--r--modules/pam_nologin/README.xml46
-rw-r--r--modules/pam_nologin/pam_nologin.8158
-rw-r--r--modules/pam_nologin/pam_nologin.8.xml174
5 files changed, 345 insertions, 89 deletions
diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am
index f65fb5e1..dc5fe58f 100644
--- a/modules/pam_nologin/Makefile.am
+++ b/modules/pam_nologin/Makefile.am
@@ -4,11 +4,12 @@
CLEANFILES = *~
-EXTRA_DIST = README $(MANS) tst-pam_nologin
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin
TESTS = tst-pam_nologin
man_MANS = pam_nologin.8
+XMLS = README.xml pam_nologin.8.xml
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
@@ -21,3 +22,10 @@ if HAVE_VERSIONING
endif
securelib_LTLIBRARIES = pam_nologin.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_nologin.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
diff --git a/modules/pam_nologin/README b/modules/pam_nologin/README
index 11dc7635..3ffa591d 100644
--- a/modules/pam_nologin/README
+++ b/modules/pam_nologin/README
@@ -1,23 +1,41 @@
-# $Id$
-#
+pam_nologin — Prevent non-root users from login
-This module always lets root in; it lets other users in only if the file
-/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's
-contents are displayed to the user.
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-The default return value for this module is PAM_IGNORE, you can
-override this with the successok module argument.
+DESCRIPTION
-module services provided:
+pam_nologin is a PAM module that prevents users from logging into the system
+when /etc/nologin exists. The contents of the /etc/nologin file are displayed
+to the user. The pam_nologin module has no effect on the root user's ability to
+log in.
- auth _authenticate and _setcred
- account _acct_mgmt
+OPTIONS
-optional arguments:
+file=/path/nologin
- file=<alternative-nologin-pathname> - choose a different file
- successok - return PAM_SUCCESS if no file
+ Use this file instead the default /etc/nologin.
-[Original README by Michael K. Johnson]
+successok
+ Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
+
+EXAMPLES
+
+The suggested usage for /etc/pam.d/login is:
+
+auth required pam_nologin.so
+
+
+NOTES
+
+In order to make this module effective, all login methods should be secured by
+it. It should be used as a required method listed before any sufficient methods
+in order to get standard Unix nologin semantics. Note, the use of successok
+module argument causes the module to return PAM_SUCCESS and as such would break
+such a configuration - failing sufficient modules would lead to a successful
+login because the nologin module succeeded.
+
+AUTHOR
+
+pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.
diff --git a/modules/pam_nologin/README.xml b/modules/pam_nologin/README.xml
new file mode 100644
index 00000000..bc0808e7
--- /dev/null
+++ b/modules/pam_nologin/README.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_nologin.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_nologin.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_nologin-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-note"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8
index e68a6a15..5e502266 100644
--- a/modules/pam_nologin/pam_nologin.8
+++ b/modules/pam_nologin/pam_nologin.8
@@ -1,86 +1,96 @@
-.\" Copyright (C) 2003 International Business Machines Corp.
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.\"
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "PAM_NOLOGIN" 8 "2003-03-21" "Linux 2.4" "System Administrator's Manual"
-.SH NAME
-pam_nologin \- Disables login for all except root when
-\fI/etc/nologin\fR exists
-.SH "SYNOPSIS"
+.\" Title: pam_nologin
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Date: 06/04/2006
+.\" Manual: Linux\-PAM Manual
+.\" Source: Linux\-PAM Manual
+.\"
+.TH "PAM_NOLOGIN" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
.ad l
-.hy 0
-
-/lib/security/pam_nologin
-.sp
-.ad
-.hy
-
+.SH "NAME"
+pam_nologin \- Prevent non\-root users from login
+.SH "SYNOPSIS"
+.HP 15
+\fBpam_nologin.so\fR [file=\fI/path/nologin\fR] [successok]
.SH "DESCRIPTION"
-
.PP
-\fBpam_nologin\fR is a PAM module that prevents users from logging
-into the system when \fI/etc/nologin\fR exists.
-The contents of the \fI/etc/nologin\fR file are displayed to the user.
-The \fBpam_nologin\fR module has no effect on the root user's ability to log in.
-
+pam_nologin is a PAM module that prevents users from logging into the system when
+\fI/etc/nologin\fR
+exists. The contents of the
+\fI/etc/nologin\fR
+file are displayed to the user. The pam_nologin module has no effect on the root user's ability to log in.
.SH "OPTIONS"
-
-.PP
-\fBpam_login\fR has no options.
-
+.TP 3n
+\fBfile=\fR\fB\fI/path/nologin\fR\fR
+Use this file instead the default
+\fI/etc/nologin\fR.
+.TP 3n
+\fBsuccessok\fR
+Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
.SH "MODULE SERVICES PROVIDED"
-
-.TP
-auth
-_authentication and _setcred (blank)
-
-.SH "RETURN CODES"
.PP
-\fBpam_nologin\fR has the following return codes:
-.TP
+The
+\fBauth\fR
+and
+\fBacct\fR
+services are supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+The user is not root and
+\fI/etc/nologin\fR
+exists, so the user is not permitted to log in.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_IGNORE
+This is the default return value.
+.TP 3n
PAM_SUCCESS
-Success: either the user is root or the \fI/etc/nologin\fR file does not exist.
-
-.TP
-PAM_SERVICE_ERR
-The module was unable to get the user name.
-
-.TP
+Success: either the user is root or the
+\fI/etc/nologin\fR
+file does not exist.
+.TP 3n
PAM_USER_UNKNOWN
-The module cannot get the UID associated with this user.
-
-.TP
-PAM_AUTH_ERR
-The user is not root and \fI/etc/nologin\fR exists, so the user is
-not permitted to log in.
-
-.SH "HISTORY"
-
+User not known to the underlying authentication module.
+.SH "EXAMPLES"
.PP
-\fBpam_nologin\fR was written by Michael K. Johnson.
-
+The suggested usage for
+\fI/etc/pam.d/login\fR
+is:
+.sp
+.RS 3n
+.nf
+auth required pam_nologin.so
+
+.fi
+.RE
+.sp
+.SH "NOTES"
+.PP
+In order to make this module effective, all login methods should be secured by it. It should be used as a
+\fIrequired\fR
+method listed before any
+\fIsufficient\fR
+methods in order to get standard Unix nologin semantics. Note, the use of
+\fBsuccessok\fR
+module argument causes the module to return
+\fIPAM_SUCCESS\fR
+and as such would break such a configuration \- failing
+\fIsufficient\fR
+modules would lead to a successful login because the nologin module
+\fIsucceeded\fR.
.SH "SEE ALSO"
-
.PP
-\fBpam.conf\fR(8), \fBpam.d\fR(8), \fBpam\fR(8), \fBnologin\fR(8).
-.SH AUTHOR
-Emily Ratliff.
+\fBnologin\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.
diff --git a/modules/pam_nologin/pam_nologin.8.xml b/modules/pam_nologin/pam_nologin.8.xml
new file mode 100644
index 00000000..9710df9d
--- /dev/null
+++ b/modules/pam_nologin/pam_nologin.8.xml
@@ -0,0 +1,174 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_nologin">
+
+ <refmeta>
+ <refentrytitle>pam_nologin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_nologin-name">
+ <refname>pam_nologin</refname>
+ <refpurpose>Prevent non-root users from login</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_nologin-cmdsynopsis">
+ <command>pam_nologin.so</command>
+ <arg choice="opt">
+ file=<replaceable>/path/nologin</replaceable>
+ </arg>
+ <arg choice="opt">
+ successok
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_nologin-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ pam_nologin is a PAM module that prevents users from logging into
+ the system when <filename>/etc/nologin</filename> exists. The contents
+ of the <filename>/etc/nologin</filename> file are displayed to the
+ user. The pam_nologin module has no effect on the root user's ability
+ to log in.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_nologin-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>file=<replaceable>/path/nologin</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Use this file instead the default
+ <filename>/etc/nologin</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>successok</option>
+ </term>
+ <listitem>
+ <para>
+ Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_nologin-services">
+ <title>MODULE SERVICES PROVIDED</title>
+ <para>
+ The <option>auth</option> and <option>acct</option> services are
+ supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_nologin-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ The user is not root and <filename>/etc/nologin</filename>
+ exists, so the user is not permitted to log in.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_BUF_ERR</term>
+ <listitem>
+ <para>Memory buffer error.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ This is the default return value.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Success: either the user is root or the
+ <filename>/etc/nologin</filename> file does not exist.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ User not known to the underlying authentication module.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_nologin-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ The suggested usage for <filename>/etc/pam.d/login</filename> is:
+ <programlisting>
+auth required pam_nologin.so
+ </programlisting>
+ </para>
+ </refsect1>
+ <refsect1 id='pam_nologin-note'>
+ <title>NOTES</title>
+ <para>
+ In order to make this module effective, all login methods should be
+ secured by it. It should be used as a <emphasis>required</emphasis>
+ method listed before any <emphasis>sufficient</emphasis> methods in
+ order to get standard Unix nologin semantics. Note, the use of
+ <option>successok</option> module argument causes the module to
+ return <emphasis>PAM_SUCCESS</emphasis> and as such would break
+ such a configuration - failing <emphasis>sufficient</emphasis> modules
+ would lead to a successful login because the nologin module
+ <emphasis>succeeded</emphasis>.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_nologin-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>nologin</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_nologin-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_nologin was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;.
+ </para>
+ </refsect1>
+
+</refentry>