author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:38:36 +0000
---|---|---
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:38:36 +0000
commit | 26367bfc399cb3862f94ddca8fce87f98f26d67e |
tree | ba3a4e02ed5ec62fe645dfa810c01d26decf591f /modules/pam_access/access.conf.5 |
parent | Initial commit. |
download | pam-26367bfc399cb3862f94ddca8fce87f98f26d67e.tar.xz, pam-26367bfc399cb3862f94ddca8fce87f98f26d67e.zip |
Adding upstream version 1.3.1. (refs: upstream/1.3.1, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat
-rw-r--r-- | modules/pam_access/access.conf.5 | 216
-rw-r--r-- | modules/pam_access/access.conf.5.xml | 247
2 files changed, 463 insertions, 0 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5 new file mode 100644 index 0000000..8e7ea4c --- /dev/null +++ b/modules/pam_access/access.conf.5 
@@ -0,0 +1,216 @@ +'\" t +.\" Title: access.conf +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 05/18/2018 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "ACCESS\&.CONF" "5" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +access.conf \- the login access control table file +.SH "DESCRIPTION" +.PP +The +/etc/security/access\&.conf +file specifies (\fIuser/group\fR, +\fIhost\fR), (\fIuser/group\fR, +\fInetwork/netmask\fR), (\fIuser/group\fR, +\fItty\fR), (\fIuser/group\fR, +\fIX\-$DISPLAY\-value\fR), or (\fIuser/group\fR, +\fIpam\-service\-name\fR) combinations for which a login will be either accepted or refused\&. 
+.PP +When someone logs in, the file +access\&.conf +is scanned for the first entry that matches the (\fIuser/group\fR, +\fIhost\fR) or (\fIuser/group\fR, +\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, +\fItty\fR) combination, or in the case of non\-networked logins without a tty, the first entry that matches the (\fIuser/group\fR, +\fIX\-$DISPLAY\-value\fR) or (\fIuser/group\fR, +\fIpam\-service\-name/\fR) combination\&. The permissions field of that table entry determines whether the login will be accepted or refused\&. +.PP +Each line of the login access control table has three fields separated by a ":" character (colon): +.PP +\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR +.PP +The first field, the +\fIpermission\fR +field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\&. +.PP +The second field, the +\fIusers\fR/\fIgroup\fR +field, should be a list of one or more login names, group names, or +\fIALL\fR +(which always matches)\&. To differentiate user entries from group entries, group entries should be written with brackets, e\&.g\&. +\fI(group)\fR\&. +.PP +The third field, the +\fIorigins\fR +field, should be a list of one or more tty names (for non\-networked logins), X +\fI$DISPLAY\fR +values or PAM service names (for non\-networked logins without a tty), host names, domain names (begin with "\&."), host addresses, internet network numbers (end with "\&."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), +\fIALL\fR +(which always matches) or +\fILOCAL\fR\&. 
The +\fILOCAL\fR +keyword matches if and only if +\fBpam_get_item\fR(3), when called with an +\fIitem_type\fR +of +\fIPAM_RHOST\fR, returns +NULL +or an empty string (and therefore the +\fIorigins\fR +field is compared against the return value of +\fBpam_get_item\fR(3) +called with an +\fIitem_type\fR +of +\fIPAM_TTY\fR +or, absent that, +\fIPAM_SERVICE\fR)\&. +.PP +If supported by the system you can use +\fI@netgroupname\fR +in host or user patterns\&. The +\fI@@netgroupname\fR +syntax is supported in the user pattern only and it makes the local system hostname to be passed to the netgroup match call in addition to the user name\&. This might not work correctly on some libc implementations causing the match to always fail\&. +.PP +The +\fIEXCEPT\fR +operator makes it possible to write very compact rules\&. +.PP +If the +\fBnodefgroup\fR +is not set, the group file is searched when a name does not match that of the logged\-in user\&. Only groups are matched in which users are explicitly listed\&. However the PAM module does not look at the primary group id of a user\&. +.PP +The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\&. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +/etc/security/access\&.conf\&. +.PP +User +\fIroot\fR +should be allowed to get access via +\fIcron\fR, X11 terminal +\fI:0\fR, +\fItty1\fR, \&.\&.\&., +\fItty5\fR, +\fItty6\fR\&. +.PP ++:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +.PP +User +\fIroot\fR +should be allowed to get access from hosts which own the IPv4 addresses\&. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\&. +.PP ++:root:192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9 +.PP ++:root:127\&.0\&.0\&.1 +.PP +User +\fIroot\fR +should get access from network +192\&.168\&.201\&. +where the term will be evaluated by string matching\&. 
But it might be better to use network/netmask instead\&. The same meaning of +192\&.168\&.201\&. +is +\fI192\&.168\&.201\&.0/24\fR +or +\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&. +.PP ++:root:192\&.168\&.201\&. +.PP +User +\fIroot\fR +should be able to have access from hosts +\fIfoo1\&.bar\&.org\fR +and +\fIfoo2\&.bar\&.org\fR +(uses string matching also)\&. +.PP ++:root:foo1\&.bar\&.org foo2\&.bar\&.org +.PP +User +\fIroot\fR +should be able to have access from domain +\fIfoo\&.bar\&.org\fR +(uses string matching also)\&. +.PP ++:root:\&.foo\&.bar\&.org +.PP +User +\fIroot\fR +should be denied to get access from all other sources\&. +.PP +\-:root:ALL +.PP +User +\fIfoo\fR +and members of netgroup +\fIadmins\fR +should be allowed to get access from all sources\&. This will only work if netgroup service is available\&. +.PP ++:@admins foo:ALL +.PP +User +\fIjohn\fR +and +\fIfoo\fR +should get access from IPv6 host address\&. +.PP ++:john foo:2001:db8:0:101::1 +.PP +User +\fIjohn\fR +should get access from IPv6 net/mask\&. +.PP ++:john:2001:db8:0:101::/64 +.PP +Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&. +.PP +\-:ALL EXCEPT (wheel) shutdown sync:LOCAL +.PP +All other users should be denied to get access from all sources\&. +.PP +\-:ALL:ALL +.SH "NOTES" +.PP +The default separators of list items in a field are space, \*(Aq,\*(Aq, and tabulator characters\&. Thus conveniently if spaces are put at the beginning and the end of the fields they are ignored\&. However if the list separator is changed with the +\fIlistsep\fR +option, the spaces will become part of the actual item and the line will be most probably ignored\&. For this reason, it is not recommended to put spaces around the \*(Aq:\*(Aq characters\&. 
+.SH "SEE ALSO" +.PP +\fBpam_access\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHORS" +.PP +Original +\fBlogin.access\fR(5) +manual was provided by Guido van Rooij which was renamed to +\fBaccess.conf\fR(5) +to reflect relation to default config file\&. +.PP +Network address / netmask description and example text was introduced by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&. diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml new file mode 100644 index 0000000..386346b --- /dev/null +++ b/modules/pam_access/access.conf.5.xml 
@@ -0,0 +1,247 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" + "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> + +<refentry id="access.conf"> + + <refmeta> + <refentrytitle>access.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>access.conf</refname> + <refpurpose>the login access control table file</refpurpose> + </refnamediv> + + + <refsect1 id='access.conf-description'> + <title>DESCRIPTION</title> + <para> + The <filename>/etc/security/access.conf</filename> file specifies + (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>), + (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>), + (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>), + (<replaceable>user/group</replaceable>, + <replaceable>X-$DISPLAY-value</replaceable>), or + (<replaceable>user/group</replaceable>, + <replaceable>pam-service-name</replaceable>) + combinations for which a login will be either accepted or refused. + </para> + <para> + When someone logs in, the file <filename>access.conf</filename> is + scanned for the first entry that matches the + (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or + (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) + combination, or, in case of non-networked logins, the first entry + that matches the + (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) + combination, or in the case of non-networked logins without a + tty, the first entry that matches the + (<replaceable>user/group</replaceable>, + <replaceable>X-$DISPLAY-value</replaceable>) or + (<replaceable>user/group</replaceable>, + <replaceable>pam-service-name/</replaceable>) + combination. 
The permissions field of that table entry + determines + whether the login will be accepted or refused. + </para> + + <para> + Each line of the login access control table has three fields separated + by a ":" character (colon): + </para> + + <para> + <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable> + </para> + + + <para> + The first field, the <replaceable>permission</replaceable> field, can be either a + "<emphasis>+</emphasis>" character (plus) for access granted or a + "<emphasis>-</emphasis>" character (minus) for access denied. + </para> + + <para> + The second field, the + <replaceable>users</replaceable>/<replaceable>group</replaceable> + field, should be a list of one or more login names, group names, or + <emphasis>ALL</emphasis> (which always matches). To differentiate + user entries from group entries, group entries should be written + with brackets, e.g. <emphasis>(group)</emphasis>. + </para> + + <para> + The third field, the <replaceable>origins</replaceable> + field, should be a list of one or more tty names (for non-networked + logins), X <varname>$DISPLAY</varname> values or PAM service + names (for non-networked logins without a tty), host names, + domain names (begin with "."), host addresses, + internet network numbers (end with "."), internet network addresses + with network mask (where network mask can be a decimal number or an + internet address also), <emphasis>ALL</emphasis> (which always matches) + or <emphasis>LOCAL</emphasis>. 
The <emphasis>LOCAL</emphasis> + keyword matches if and only if + <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>, + when called with an <parameter>item_type</parameter> of + <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an + empty string (and therefore the + <replaceable>origins</replaceable> field is compared against the + return value of + <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry> + called with an <parameter>item_type</parameter> of + <emphasis>PAM_TTY</emphasis> or, absent that, + <emphasis>PAM_SERVICE</emphasis>). + </para> + + <para> + If supported by the system you can use + <emphasis>@netgroupname</emphasis> in host or user patterns. The + <emphasis>@@netgroupname</emphasis> syntax is supported in the user + pattern only and it makes the local system hostname to be passed + to the netgroup match call in addition to the user name. This might not + work correctly on some libc implementations causing the match to + always fail. + </para> + + <para> + The <replaceable>EXCEPT</replaceable> operator makes it possible to + write very compact rules. + </para> + + <para> + If the <option>nodefgroup</option> is not set, the group file + is searched when a name does not match that of the logged-in + user. Only groups are matched in which users are explicitly listed. + However the PAM module does not look at the primary group id of a user. + </para> + + + <para> + The "<emphasis>#</emphasis>" character at start of line (no space + at front) can be used to mark this line as a comment line. + </para> + + </refsect1> + + <refsect1 id="access.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/access.conf</filename>. 
+ </para> + + <para> + User <emphasis>root</emphasis> should be allowed to get access via + <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>, + <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>, + <emphasis>tty6</emphasis>. + </para> + <para>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para> + + <para> + User <emphasis>root</emphasis> should be allowed to get access from + hosts which own the IPv4 addresses. This does not mean that the + connection have to be a IPv4 one, a IPv6 connection from a host with + one of this IPv4 addresses does work, too. + </para> + <para>+:root:192.168.200.1 192.168.200.4 192.168.200.9</para> + <para>+:root:127.0.0.1</para> + + <para> + User <emphasis>root</emphasis> should get access from network + <literal>192.168.201.</literal> where the term will be evaluated by + string matching. But it might be better to use network/netmask instead. + The same meaning of <literal>192.168.201.</literal> is + <emphasis>192.168.201.0/24</emphasis> or + <emphasis>192.168.201.0/255.255.255.0</emphasis>. + </para> + <para>+:root:192.168.201.</para> + + <para> + User <emphasis>root</emphasis> should be able to have access from hosts + <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis> + (uses string matching also). + </para> + <para>+:root:foo1.bar.org foo2.bar.org</para> + + <para> + User <emphasis>root</emphasis> should be able to have access from + domain <emphasis>foo.bar.org</emphasis> (uses string matching also). + </para> + <para>+:root:.foo.bar.org</para> + + <para> + User <emphasis>root</emphasis> should be denied to get access + from all other sources. + </para> + <para>-:root:ALL</para> + + <para> + User <emphasis>foo</emphasis> and members of netgroup + <emphasis>admins</emphasis> should be allowed to get access + from all sources. This will only work if netgroup service is available. 
+ </para> + <para>+:@admins foo:ALL</para> + + <para> + User <emphasis>john</emphasis> and <emphasis>foo</emphasis> + should get access from IPv6 host address. + </para> + <para>+:john foo:2001:db8:0:101::1</para> + + <para> + User <emphasis>john</emphasis> should get access from IPv6 net/mask. + </para> + <para>+:john:2001:db8:0:101::/64</para> + + <para> + Disallow console logins to all but the shutdown, sync and all + other accounts, which are a member of the wheel group. + </para> + <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para> + + <para> + All other users should be denied to get access from all sources. + </para> + <para>-:ALL:ALL</para> + + </refsect1> + + <refsect1 id="access.conf-notes"> + <title>NOTES</title> + <para> + The default separators of list items in a field are space, ',', and tabulator + characters. Thus conveniently if spaces are put at the beginning and the end of + the fields they are ignored. However if the list separator is changed with the + <emphasis>listsep</emphasis> option, the spaces will become part of the actual + item and the line will be most probably ignored. For this reason, it is not + recommended to put spaces around the ':' characters. + </para> + </refsect1> + + <refsect1 id="access.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="access.conf-author"> + <title>AUTHORS</title> + <para> + Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry> + manual was provided by Guido van Rooij which was renamed to + <citerefentry><refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> + to reflect relation to default config file. 
+ </para> + <para> + Network address / netmask description and example text was + introduced by Mike Becher <mike.becher@lrz-muenchen.de>. + </para> + </refsect1> +</refentry> |
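Review bot: modules/pam_access/access.conf.5 is a generated artifact (its header records "Generator: DocBook XSL Stylesheets v1.78.1" and "Date: 05/18/2018") and it carries the same defect as its source, the stray trailing slash in `\fIpam\-service\-name/\fR` in the second DESCRIPTION paragraph where the first paragraph has `\fIpam\-service\-name\fR`; fix it in access.conf.5.xml and regenerate rather than hand-editing the roff, otherwise the two files drift apart. In EXAMPLES the prose says root is allowed access via `\fIcron\fR` while the rule reads `+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6`; since for a non-networked login without a tty the origins field is compared against the PAM service name, the prose should name the service exactly as the rule spells it (`crond`), or an operator copying the text writes a rule that never matches.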
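Review bot: in the DESCRIPTION of access.conf.5.xml, `<replaceable>pam-service-name/</replaceable>` has a trailing slash that the first paragraph's `<replaceable>pam-service-name</replaceable>` lacks; drop it. Two EXAMPLES paragraphs say the host and domain rules (`+:root:foo1.bar.org foo2.bar.org`, `+:root:.foo.bar.org`) "use string matching" without saying what string is matched; the LOCAL paragraph already states that the origin is taken from pam_get_item(3) with PAM_RHOST, so these paragraphs should say the same, because that tells the reader a name-based rule is only as trustworthy as the PAM_RHOST value the calling service supplies, and that the address and network/netmask forms such as `192.168.201.0/24` are the safer choice, which the preceding paragraph already hints at with "it might be better to use network/netmask instead". Minor style point: `<emphasis remap='I'>:0</emphasis>` uses single-quoted attributes while the rest of the file uses double quotes.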