From 393585017d45cf174384530f57cb8bc5cec1b457 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 9 Jun 2006 16:44:06 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2006-06-09 Thorsten Kukuk * modules/pam_wheel/Makefile.am: Include Make.xml.rules. * modules/pam_wheel/pam_wheel.8.xml: New. * modules/pam_wheel/pam_wheel.8: New, generated from xml file. * modules/pam_wheel/README.xml: New. * modules/pam_wheel/README: Regenerated from xml file. * modules/pam_xauth/Makefile.am: Include Make.xml.rules. * modules/pam_xauth/pam_xauth.8.xml: New. * modules/pam_xauth/pam_xauth.8: Regenerated from xml file. * modules/pam_xauth/README.xml: New. * modules/pam_xauth/README: Regenerated from xml file. * modules/pam_deny/pam_deny.8.xml: Fix syntax errors. * modules/pam_deny/pam_deny.8: Regenerate from xml file. * modules/pam_deny/README: Likewise. * modules/pam_warn/Makefile.am: Include Make.xml.rules. * modules/pam_warn/pam_warn.8.xml: New. * modules/pam_warn/pam_warn.8: New, generated from xml file. * modules/pam_warn/README.xml: New. * modules/pam_warn/README: Regenerated from xml file. * modules/pam_userdb/Makefile.am: Include Make.xml.rules. * modules/pam_userdb/pam_userdb.8.xml: New. * modules/pam_userdb/pam_userdb.8: New, generated from xml file. * modules/pam_userdb/README.xml: New. * modules/pam_userdb/README: Regenerated from xml file. --- modules/pam_xauth/README | 132 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 90 insertions(+), 42 deletions(-) (limited to 'modules/pam_xauth/README') diff --git a/modules/pam_xauth/README b/modules/pam_xauth/README index 97916b8f..1e134d70 100644 --- a/modules/pam_xauth/README +++ b/modules/pam_xauth/README 
@@ -1,42 +1,90 @@ -pam_xauth: - Forward xauth cookies from user to user, normally used by su, sudo, or - userhelper. - - Primitive access control is provided by ~/.xauth/export in the invoking - user's home directory and ~/.xauth/import in the target user's home - directory. - - If a user has a ~/.xauth/import file, the user will only receive cookies - from users listed in the file. If there is no ~/.xauth/import file, - the user will accept cookies from any other user. - - If a user has a .xauth/export file, the user will only forward cookies - to users listed in the file. If there is no ~/.xauth/export file, and - the invoking user is not "root", the user will forward cookies to - any other user. If there is no ~/.xauth/export file, and the invoking - user is "root", the user will NOT forward cookies to other users. - - Both the import and export files support wildcards (such as "*"). Both - the import and export files can be empty, signifying that no users are - allowed. - -RECOGNIZED ARGUMENTS: - debug write debugging messages to syslog - xauthpath= the path to the xauth program, by default - /usr/X11R6/bin/xauth, /usr/bin/xauth and - /usr/bin/X11/xauth - systemuser= highest user id assigned to system users, defaults - to 499 (pam_xauth will refuse to forward creds to - target users with id equal to or below this number, - except for root and possibly another specified user) - targetuser= a target user id which is excepted from the systemuser - checks - - -MODULE SERVICES PROVIDED: - session open session copies xauth cookie to new user - close session deletes copied xauth cookie - -AUTHOR: - Nalin Dahyabhai , based on original version by - Michael K. Johnson +pam_xauth — PAM module to forward xauth keys between users + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_xauth PAM module is designed to forward xauth keys (sometimes referred +to as "cookies") between users. 
+ +Without pam_xauth, when xauth is enabled and a user uses the su(1) command to +assume another user's priviledges, that user is no longer able to access the +original user's X display because the new user does not have the key needed to +access the display. pam_xauth solves the problem by forwarding the key from the +user running su (the source user) to the user whose identity the source user is +assuming (the target user) when the session is created, and destroying the key +when the session is torn down. + +This means, for example, that when you run su(1) from an xterm sesssion, you +will be able to run X programs without explicitly dealing with the xauth(1) +xauth command or ~/.Xauthority files. + +pam_xauth will only forward keys if xauth can list a key connected to the +$DISPLAY environment variable. + +Primitive access control is provided by ~/.xauth/export in the invoking user's +home directory and ~/.xauth/import in the target user's home directory. + +If a user has a ~/.xauth/import file, the user will only receive cookies from +users listed in the file. If there is no ~/.xauth/import file, the user will +accept cookies from any other user. + +If a user has a .xauth/export file, the user will only forward cookies to users +listed in the file. If there is no ~/.xauth/export file, and the invoking user +is not root, the user will forward cookies to any other user. If there is no ~ +/.xauth/export file, and the invoking user is root, the user will not forward +cookies to other users. + +Both the import and export files support wildcards (such as *). Both the import +and export files can be empty, signifying that no users are allowed. + +OPTIONS + +debug + + Print debug information. + +xauthpath=/path/to/xauth + + Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth, + /usr/bin/xauth, or /usr/bin/X11/xauth by default). + +systemuser=UID + + Specify the highest UID which will be assumed to belong to a "system" user. 
+ pam_xauth will refuse to forward credentials to users with UID less than or + equal to this number, except for root and the "targetuser", if specified. + +targetuser=UID + + Specify a single target UID which is exempt from the systemuser check. + +EXAMPLES + +Add the following line to /etc/pam.d/su to forward xauth keys between users +when calling su: + +session optional pam_xauth.so + + +IMPLEMENTATION DETAILS + +pam_xauth will work only if it is used from a setuid application in which the +getuid() call returns the id of the user running the application, and for which +PAM can supply the name of the account that the user is attempting to assume. +The typical application of this type is su(1). The application must call both +pam_open_session() and pam_close_session() with the ruid set to the uid of the +calling user and the euid set to root, and must have provided as the PAM_USER +item the name of the target user. + +pam_xauth calls xauth(1) the source user to extract the key for $DISPLAY, then +calls xauth as the target user to merge the key into the a temporary database +and later remove the database. + +pam_xauth cannot be told to not remove the keys when the session is closed. + +AUTHOR + +pam_xauth was written by Nalin Dahyabhai , based on original +version by Michael K. Johnson . + -- cgit v1.2.3
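Review bot: the regenerated OPTIONS text for systemuser= drops the default value that the old README documented ("defaults to 499"); since this threshold is what stops pam_xauth from forwarding a key to a system account, the default should be stated again, e.g. "Specify the highest UID which will be assumed to belong to a "system" user (default 499)." The fix belongs in the XML source (pam_xauth.8.xml / README.xml) rather than in this generated file. The same source also carries several typos that end up in the README and man page: "priviledges" (privileges), "xterm sesssion" (session), "the xauth(1) xauth command" (duplicate "xauth"), "Specify the path the xauth program" (missing "to"), "calls xauth(1) the source user" (missing "as"), and "merge the key into the a temporary database" (drop "the"). Finally, the line wrap in "If there is no ~ /.xauth/export file" splits the path across lines; keeping "~/.xauth/export" on one line avoids a reader copying a broken path.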