blob: 1beba983ee45f7d8f30e1f48cebea44c6591ff67 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_loginuid">
<refmeta>
<refentrytitle>pam_loginuid</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Linux-PAM</refmiscinfo>
<refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv xml:id="pam_loginuid-name">
<refname>pam_loginuid</refname>
<refpurpose>Record user's login uid to the process attribute</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis xml:id="pam_loginuid-cmdsynopsis" sepchar=" ">
<command>pam_loginuid.so</command>
<arg choice="opt" rep="norepeat">
require_auditd
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 xml:id="pam_loginuid-description">
<title>DESCRIPTION</title>
<para>
The pam_loginuid module sets the loginuid process attribute for the
process that was authenticated. This is necessary for applications
to be correctly audited. This PAM module should only be used for entry
point applications like: login, sshd, gdm, vsftpd, crond and atd.
There are probably other entry point applications besides these.
You should not use it for applications like sudo or su as that
defeats the purpose by changing the loginuid to the account they just
switched to.
</para>
</refsect1>
<refsect1 xml:id="pam_loginuid-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
require_auditd
</term>
<listitem>
<para>
This option, when given, will cause this module to query
the audit daemon status and deny logins if it is not running.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 xml:id="pam_loginuid-types">
<title>MODULE TYPES PROVIDED</title>
<para>
Only the <option>session</option> module type is provided.
</para>
</refsect1>
<refsect1 xml:id="pam_loginuid-return_values">
<title>RETURN VALUES</title>
<para>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The loginuid value is set and auditd is running if check requested.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_IGNORE</term>
<listitem>
<para>
The /proc/self/loginuid file is not present on the system or the
login process runs inside uid namespace and kernel does not support
overwriting loginuid.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SESSION_ERR</term>
<listitem>
<para>
Any other error prevented setting loginuid or auditd is not running.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 xml:id="pam_loginuid-examples">
<title>EXAMPLES</title>
<programlisting>
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
</programlisting>
</refsect1>
<refsect1 xml:id="pam_loginuid-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>auditd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 xml:id="pam_loginuid-author">
<title>AUTHOR</title>
<para>
pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>
</para>
</refsect1>
</refentry>
|
