From 7b39983f3a7b5e7522f1672e49dcbfe579f0228f Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 24 Mar 2015 16:57:14 +0100 Subject: Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39) * modules/pam_access/access.conf.5.xml * modules/pam_access/pam_access.8.xml Signed-off-by: Karl O. Pinc --- modules/pam_access/access.conf.5.xml | 40 ++++++++++++++++++++++++++++-------- modules/pam_access/pam_access.8.xml | 5 +++-- 2 files changed, 35 insertions(+), 10 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index a4d3419b..d686d92b 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -21,8 +21,12 @@ The /etc/security/access.conf file specifies (user/group, host), - (user/group, network/netmask) or - (user/group, tty) + (user/group, network/netmask), + (user/group, tty), + (user/group, + X-$DISPLAY-value), or + (user/group, + pam-service-name) combinations for which a login will be either accepted or refused. @@ -33,7 +37,14 @@ combination, or, in case of non-networked logins, the first entry that matches the (user/group, tty) - combination. The permissions field of that table entry determines + combination, or in the case of non-networked logins without a + tty, the first entry that matches the + (user/group, + X-$DISPLAY-value) or + (user/group, + pam-service-name/) + combination. The permissions field of that table entry + determines whether the login will be accepted or refused. 
@@ -65,14 +76,27 @@ The third field, the origins field, should be a list of one or more tty names (for non-networked - logins), host names, domain names (begin with "."), host addresses, + logins), X $DISPLAY values or PAM service + names (for non-networked logins without a tty), host names, + domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), ALL (which always matches) - or LOCAL. LOCAL - keyword matches if and only if the PAM_RHOST is - not set and <origin> field is thus set from - PAM_TTY or PAM_SERVICE". + or LOCAL. The LOCAL + keyword matches if and only if + pam_get_item3, + when called with an item_type of + PAM_RHOST, returns NULL or an + empty string (and therefore the + origins field is compared against the + return value of + pam_get_item3 + called with an item_type of + PAM_TTY or, absent that, + PAM_SERVICE). + + + If supported by the system you can use @netgroupname in host or user patterns. The @@netgroupname syntax is supported in the user diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index 710e2e7b..c629a9f3 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -50,7 +50,8 @@ The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, - or on terminal line names in case of non-networked logins. + or on terminal line names, X $DISPLAY values, + or PAM service names in case of non-networked logins. By default rules for access management are taken from config file @@ -59,7 +60,7 @@ If Linux PAM is compiled with audit support the module will report - when it denies access based on origin (host or tty). + when it denies access based on origin (host, tty, etc.). -- cgit v1.2.3
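Review bot: In the first access.conf.5.xml hunk (@@ -21,8) the new combination is written as "X-$DISPLAY-value" with hyphens, while the third hunk of the same file and both pam_access.8.xml hunks write "X $DISPLAY values" with spaces; pick one spelling so an administrator searching the man page for the term finds every occurrence. The hunk also lists the two new combinations without saying that they are consulted only when no tty is available, which the @@ -33,7 hunk states; a short "(for non-networked logins without a tty)" after "pam-service-name)" would keep the two passages consistent.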
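Review bot: In the @@ -33,7 hunk of access.conf.5.xml the added line "+ pam-service-name/)" carries a stray trailing slash that is not present in the same term in the @@ -21,8 hunk ("pam-service-name)"); drop the slash so the rendered page does not suggest a path-like syntax. The same hunk says "or in the case of non-networked logins without a tty" while the unchanged line above it reads "or, in case of non-networked logins"; aligning the two phrasings would read better in the rendered paragraph.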
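Review bot: In the @@ -65,14 hunk of access.conf.5.xml the rewritten LOCAL sentence is one 60-word sentence with a parenthetical that itself spans six lines, and it leaves open what "absent that" means for PAM_TTY (NULL only, or also an empty string, the two cases the sentence carefully distinguishes for PAM_RHOST). Since this sentence tells administrators which value their origin patterns are matched against, suggest splitting it and stating the tty condition explicitly, e.g. "The LOCAL keyword matches if and only if pam_get_item(3) returns NULL or an empty string for PAM_RHOST. In that case the origins field is compared against PAM_TTY, or against PAM_SERVICE when PAM_TTY is also NULL or empty." The hunk correctly removes the stray closing quote from the old "PAM_SERVICE"." line; the three bare "+" lines added before "If supported by the system" look like empty lines in the DocBook source and should be checked against the rendered output.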
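Review bot: In the @@ -50,7 hunk of pam_access.8.xml the new text says terminal line names, X $DISPLAY values or PAM service names are used "in case of non-networked logins", but the access.conf.5.xml changes in this same patch restrict $DISPLAY and service-name matching to non-networked logins "without a tty". The module description should carry the same qualifier, e.g. "or on terminal line names, or on X $DISPLAY values or PAM service names in case of non-networked logins without a tty", so that a reader of pam_access(8) alone does not expect a service-name rule to apply to a login that has a tty.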
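Review bot: In the @@ -59,7 hunk of pam_access.8.xml replacing "(host or tty)" with "(host, tty, etc.)" makes the audit-reporting sentence less specific than before, although the patch itself enumerates exactly which origins were added. Suggest spelling them out, e.g. "when it denies access based on origin (host, tty, X $DISPLAY value or PAM service name).", since the audit message is what an operator reviewing denials will grep for and the documentation should name every origin type that can appear in it.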