path: root/modules/pam_nologin/pam_nologin.8.xml
blob: e4f637077d3c6c6c91de7df2417d793a7e05de1b (plain)
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

<refentry id="pam_nologin">

  <refmeta>
    <refentrytitle>pam_nologin</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv id="pam_nologin-name">
    <refname>pam_nologin</refname>
    <refpurpose>Prevent non-root users from logging in</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis id="pam_nologin-cmdsynopsis">
      <command>pam_nologin.so</command>
      <arg choice="opt">
        file=<replaceable>/path/nologin</replaceable>
      </arg>
      <arg choice="opt">
        successok
      </arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1 id="pam_nologin-description">

    <title>DESCRIPTION</title>

    <para>
      pam_nologin is a PAM module that prevents users from logging into
      the system when <filename>/var/run/nologin</filename> or
      <filename>/etc/nologin</filename> exists. The contents
      of the file are displayed to the user. The pam_nologin module
      has no effect on the root user's ability to log in.
    </para>
  </refsect1>

  <refsect1 id="pam_nologin-options">

    <title>OPTIONS</title>
    <variablelist>
      <varlistentry>
        <term>
          <option>file=<replaceable>/path/nologin</replaceable></option>
        </term>
        <listitem>
          <para>
            Use this file instead of the default
            <filename>/var/run/nologin</filename> or
            <filename>/etc/nologin</filename>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>successok</option>
        </term>
        <listitem>
          <para>
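            Return PAM_SUCCESS if no file exists; the default is PAM_IGNORE.
            See NOTES for how this option interacts with
            <emphasis>sufficient</emphasis> modules in the same stack.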
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id="pam_nologin-types">
    <title>MODULE TYPES PROVIDED</title>
    <para>
      The <option>auth</option> and <option>account</option> module
      types are provided.
    </para>
  </refsect1>

  <refsect1 id='pam_nologin-return_values'>
    <title>RETURN VALUES</title>
    <variablelist>
      <varlistentry>
        <term>PAM_AUTH_ERR</term>
        <listitem>
          <para>
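            The user is not root and the nologin file
            (<filename>/var/run/nologin</filename>,
            <filename>/etc/nologin</filename>, or the file named with
            <option>file=</option>) exists, so the user is not permitted
            to log in.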
          </para>
        </listitem>
      </varlistentry>
     <varlistentry>
        <term>PAM_BUF_ERR</term>
        <listitem>
          <para>Memory buffer error.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_IGNORE</term>
        <listitem>
          <para>
            This is the default return value when no nologin file exists
            and <option>successok</option> is not given.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_SUCCESS</term>
        <listitem>
          <para>
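            Success: either the user is root or the
            nologin file does not exist. When no file exists, this value
            is returned only if <option>successok</option> is given;
            otherwise the module returns PAM_IGNORE.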
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_USER_UNKNOWN</term>
        <listitem>
          <para>
            User not known to the underlying authentication module.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id='pam_nologin-examples'>
    <title>EXAMPLES</title>
    <para>
      The suggested usage for <filename>/etc/pam.d/login</filename> is:
      <programlisting>
auth  required  pam_nologin.so
      </programlisting>
    </para>
  </refsect1>
  <refsect1 id='pam_nologin-note'>
    <title>NOTES</title>
    <para>
      In order to make this module effective, all login methods should be
      secured by it. It should be used as a <emphasis>required</emphasis>
      method listed before any <emphasis>sufficient</emphasis> methods in
      order to get standard Unix nologin semantics. Note that the
      <option>successok</option> module argument causes the module to
      return <emphasis>PAM_SUCCESS</emphasis> instead of
      <emphasis>PAM_IGNORE</emphasis> when no nologin file exists, and as
      such would break such a configuration: if every
      <emphasis>sufficient</emphasis> module then fails, the login would
      still succeed because the <emphasis>required</emphasis> nologin module
      <emphasis>succeeded</emphasis>. With the default
      <emphasis>PAM_IGNORE</emphasis> the module does not contribute to the
      result of the stack, so the outcome is decided by the other modules.
    </para>
  </refsect1>

  <refsect1 id='pam_nologin-see_also'>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
	<refentrytitle>nologin</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1 id='pam_nologin-author'>
    <title>AUTHOR</title>
      <para>
        pam_nologin was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;.
      </para>
  </refsect1>

</refentry>