diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/pam_group/README | 52 | ||||
| -rw-r--r-- | modules/pam_group/README.xml | 34 |
2 files changed, 86 insertions, 0 deletions
diff --git a/modules/pam_group/README b/modules/pam_group/README new file mode 100644 index 0000000..9d6d097 --- /dev/null +++ b/modules/pam_group/README @@ -0,0 +1,52 @@ +pam_group — PAM module for group access + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. + +By default rules for group memberships are taken from config file /etc/security +/group.conf. + +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. + +The pam_group module functions in parallel with the /etc/group file. If the +user is granted any groups based on the behavior of this module, they are +granted in addition to those entries /etc/group (or equivalent). + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and +'shield' are given access to games (through membership of the floppy group) +after work hours. + +xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + + +Any member of the group 'admin' running 'xsh' on tty*, is granted access (at +any time) to the group 'plugdev' + +xsh; tty* ;%admin;Al0000-2400;plugdev + + diff --git a/modules/pam_group/README.xml b/modules/pam_group/README.xml new file mode 100644 index 0000000..387d698 --- /dev/null +++ b/modules/pam_group/README.xml @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamgroup SYSTEM "pam_group.8.xml"> +--> +<!-- +<!ENTITY groupconf SYSTEM "group.conf.5.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> + </section> + +</article> |