blob: 9513b0e490e70c7729fe79a4019d3c2c59ddfe53 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="pam_loginuid">
<refmeta>
<refentrytitle>pam_loginuid</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="pam_loginuid-name">
<refname>pam_loginuid</refname>
<refpurpose>Record user's login uid to the process attribute</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis id="pam_loginuid-cmdsynopsis">
<command>pam_loginuid.so</command>
<arg choice="opt">
require_auditd
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="pam_loginuid-description">
<title>DESCRIPTION</title>
<para>
The pam_loginuid module sets the loginuid process attribute for the
process that was authenticated. This is necessary for applications
to be correctly audited. This PAM module should only be used for entry
point applications like: login, sshd, gdm, vsftpd, crond and atd.
There are probably other entry point applications besides these.
You should not use it for applications like sudo or su as that
defeats the purpose by changing the loginuid to the account they just
switched to.
</para>
</refsect1>
<refsect1 id="pam_loginuid-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>require_auditd</option>
</term>
<listitem>
<para>
This option, when given, will cause this module to query
the audit daemon status and deny logins if it is not running.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="pam_loginuid-types">
<title>MODULE TYPES PROVIDED</title>
<para>
Only the <option>session</option> module type is provided.
</para>
</refsect1>
<refsect1 id='pam_loginuid-return_values'>
<title>RETURN VALUES</title>
<para>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The loginuid value is set and auditd is running if check requested.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_IGNORE</term>
<listitem>
<para>
The /proc/self/loginuid file is not present on the system or the
login process runs inside uid namespace and kernel does not support
overwriting loginuid.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SESSION_ERR</term>
<listitem>
<para>
Any other error prevented setting loginuid or auditd is not running.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 id='pam_loginuid-examples'>
<title>EXAMPLES</title>
<programlisting>
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
</programlisting>
</refsect1>
<refsect1 id='pam_loginuid-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>auditd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='pam_loginuid-author'>
<title>AUTHOR</title>
<para>
pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>
</para>
</refsect1>
</refentry>
|