From 6c45b51f441daab12166843bc12cbf0a4d480e35 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 16 Dec 2005 17:52:36 +0000 Subject: Relevant BUGIDs: none Purpose of commit: new feature Commit summary: --------------- 2005-12-16 Thorsten Kukuk * modules/pam_group/pam_group.c (check_account): Implement support for netgroups. * modules/pam_group/group.conf: Add all documentation to this example config file and don't reference to outdated configs. * modules/pam_group/README: New. * modules/pam_group/Makefile.am: Add README to EXTRADIST. --- modules/pam_group/group.conf | 69 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 54 insertions(+), 15 deletions(-) (limited to 'modules/pam_group/group.conf') diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf index e721b990..d4a10672 100644 --- a/modules/pam_group/group.conf +++ b/modules/pam_group/group.conf @@ -1,10 +1,7 @@ -## -## Note, to get this to work as it is currently typed you need -## -## 1. to run an application as root -## 2. add the following groups to the /etc/group file: -## floppy, games, sound -## +# +# This is the configuration file for the pam_group module. +# + # # *** Please note that giving group membership on a session basis is # *** NOT inherently secure. If a user can create an executable that @@ -16,11 +13,9 @@ # *** "chgrp games toplay; chmod g+s toplay". They are basically able # *** to play games any time... You have been warned. AGM # -# this is an example configuration file for the pam_group module. Its -# syntax is based on that of the pam_time module and (at some point in -# the distant past was inspired by the 'shadow' package) + # -# the syntax of the lines is as follows: +# The syntax of the lines is as follows: # # services;ttys;users;times;groups # 
@@ -28,15 +23,59 @@ # newlines). From reading these comments, it is clear that # text following a '#' is ignored to the end of the line. # -# the first four fields are described in the pam_time directory. -# The only difference for these is how the time field is interpretted: -# it is used to indicate "when" these groups are to be given to the user. +# the combination of individual users/terminals etc is a logic list +# namely individual tokens that are optionally prefixed with '!' (logical +# not) and separated with '&' (logical and) and '|' (logical or). +# +# services +# is a logic list of PAM service names that the rule applies to. +# +# ttys +# is a logic list of terminal names that this rule applies to. +# +# users +# is a logic list of users or a netgroup of users to whom this +# rule applies. +# +# NB. For these items the simple wildcard '*' may be used only once. +# With netgroups no wildcards or logic operators are allowed. +# +# times +# It is used to indicate "when" these groups are to be given to the +# user. The format here is a logic list of day/time-range +# entries the days are specified by a sequence of two character +# entries, MoTuSa for example is Monday Tuesday and Saturday. Note +# that repeated days are unset MoMo = no day, and MoWk = all weekdays +# bar Monday. The two character combinations accepted are +# +# Mo Tu We Th Fr Sa Su Wk Wd Al +# +# the last two being week-end days and all 7 days of the week +# respectively. As a final example, AlFr means all days except Friday. +# +# Each day/time-range can be prefixed with a '!' to indicate "anything +# but" +# +# The time-range part is two 24-hour times HHMM separated by a hyphen +# indicating the start and finish time (if the finish time is smaller +# than the start time it is deemed to apply on the following day). # # groups -# The (comma or space separated) list of groups that the user +# The (comma or space separated) list of groups that the user # inherits membership of. 
These groups are added if the previous # fields are satisfied by the user's request # +# For a rule to be active, ALL of service+ttys+users must be satisfied +# by the applying process. +# + +# +# Note, to get this to work as it is currently typed you need +# +# 1. to run an application as root +# 2. add the following groups to the /etc/group file: +# floppy, games, sound +# # # Here is a simple example: running 'xsh' on tty* (any ttyXXX device), -- cgit v1.2.3
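Review bot: In the users description added by the @@ -28,15 +23,59 @@ hunk, "a netgroup of users" is introduced without saying how a netgroup is written or how it is told apart from a plain user name; the NB line only says that no wildcards or logic operators are allowed with it. Since this field decides who receives the extra groups, state the exact netgroup syntax and add one example rule that uses it. The closing sentence "For a rule to be active, ALL of service+ttys+users must be satisfied" also leaves out times, although the times and groups paragraphs say the groups are given only when the previous fields are satisfied; either include times there or explain how it is evaluated differently. In the times paragraph, Wk is listed among the day codes and used in the MoWk example but never defined, unlike Wd and Al, and "may be used only once" does not say whether that means once per token or once per field.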