From 2a8b8f8a9322d075d8a991829fbe7f5c4ebbba7d Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Thu, 1 Jun 2006 18:51:15 +0000
Subject: Relevant BUGIDs:

Purpose of commit: new feature

Commit summary:
---------------

2006-06-01  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_group/Makefile.am: Include Make.xml.rules.
        * modules/pam_group/group.conf.5.xml: New.
        * modules/pam_group/group.conf.5: New, generated from xml file.
        * modules/pam_group/pam_group.8.xml: New.
        * modules/pam_group/pam_group.8: New, generated from xml file.
        * modules/pam_group/README.xml: New.
        * modules/pam_group/README: Regenerated from xml file.
---
 modules/pam_group/pam_group.8.xml | 157 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 157 insertions(+)
 create mode 100644 modules/pam_group/pam_group.8.xml

(limited to 'modules/pam_group/pam_group.8.xml')

diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml
new file mode 100644
index 00000000..6e6c0498
--- /dev/null
+++ b/modules/pam_group/pam_group.8.xml
@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_group'>
+
+  <refmeta>
+    <refentrytitle>pam_group</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id='pam_group-name'>
+    <refname>pam_group</refname>
+    <refpurpose>
+      PAM module for group access
+    </refpurpose>
+  </refnamediv>
+
+<!-- body begins here -->
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_group-cmdsynopsis">
+      <command>pam_group.so</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+
+  <refsect1 id="pam_group-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The pam_group PAM module does not authenticate the user, but instead
+      it grants group memberships (in the credential setting phase of the
+      authentication module) to the user. Such memberships are based on the
+      service they are applying for.
+    </para>
+    <para>
+      By default rules for group memberships are taken from config file
+      <filename>/etc/security/group.conf</filename>.
+    </para>
+    <para>
+      This module's usefulness relies on the file-systems
+      accessible to the user. The point being that once granted the
+      membership of a group, the user may attempt to create a
+      <function>setgid</function> binary with a restricted group ownership.
+      Later, when the user is not given membership to this group, they can
+      recover group membership with the precompiled binary. The reason that
+      the file-systems that the user has access to are so significant, is the
+      fact that when a system is mounted <emphasis>nosuid</emphasis> the user
+      is unable to create or execute such a binary file. For this module to
+      provide any level of security, all file-systems that the user has write
+      access to should be mounted <emphasis>nosuid</emphasis>.
+    </para>
+    <para>
+      The pam_group module fuctions in parallel with the
+      <filename>/etc/group</filename> file. If the user is granted any groups
+      based on the behavior of this module, they are granted
+      <emphasis>in addition</emphasis> to those entries
+      <filename>/etc/group</filename> (or equivalent).
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_group-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      Only the <option>auth</option> service is supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_group-return_values">
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+           <para>
+             group membership was granted.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_ABORT</term>
+        <listitem>
+           <para>
+             Not all relevant data could be gotten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+          <para>
+            Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CRED_ERR</term>
+        <listitem>
+          <para>
+            Group membership was not granted.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+           <para>
+             <function>pam_sm_authenticate</function> was called which does nothing.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+           <para>
+             The user is not known to the system.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_group-files">
+    <title>FILES</title>
+    <variablelist>
+      <varlistentry>
+        <term><filename>/etc/security/group.conf</filename></term>
+        <listitem>
+          <para>Default configuration file</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_group-see_also">
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>group.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_group-authors">
+    <title>AUTHORS</title>
+    <para>
+      pam_group was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
+    </para>
+  </refsect1>
+</refentry>
-- 
cgit v1.2.3