summaryrefslogtreecommitdiffstats
path: root/modules/pam_succeed_if/README
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_succeed_if/README')
-rw-r--r--modules/pam_succeed_if/README131
1 files changed, 131 insertions, 0 deletions
diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README
new file mode 100644
index 0000000..3d2f3d5
--- /dev/null
+++ b/modules/pam_succeed_if/README
@@ -0,0 +1,131 @@
+pam_succeed_if — test account characteristics
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+pam_succeed_if.so is designed to succeed or fail authentication based on
+characteristics of the account belonging to the user being authenticated or
+values of other PAM items. One use is to select whether to load other modules
+based on this test.
+
+The module should be given one or more conditions as module arguments, and
+authentication will succeed only if all of the conditions are met.
+
+OPTIONS
+
+The following flags are supported:
+
+debug
+
+ Turns on debugging messages sent to syslog.
+
+use_uid
+
+ Evaluate conditions using the account of the user whose UID the application
+ is running under instead of the user being authenticated.
+
+quiet
+
+ Don't log failure or success to the system log.
+
+quiet_fail
+
+ Don't log failure to the system log.
+
+quiet_success
+
+ Don't log success to the system log.
+
+audit
+
+ Log unknown users to the system log.
+
+Conditions are three words: a field, a test, and a value to test for.
+
+Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service
+:
+
+field < number
+
+ Field has a value numerically less than number.
+
+field <= number
+
+ Field has a value numerically less than or equal to number.
+
+field eq number
+
+ Field has a value numerically equal to number.
+
+field >= number
+
+ Field has a value numerically greater than or equal to number.
+
+field > number
+
+ Field has a value numerically greater than number.
+
+field ne number
+
+ Field has a value numerically different from number.
+
+field = string
+
+ Field exactly matches the given string.
+
+field != string
+
+ Field does not match the given string.
+
+field =~ glob
+
+ Field matches the given glob.
+
+field !~ glob
+
+ Field does not match the given glob.
+
+field in item:item:...
+
+ Field is contained in the list of items separated by colons.
+
+field notin item:item:...
+
+ Field is not contained in the list of items separated by colons.
+
+user ingroup group[:group:....]
+
+ User is in given group(s).
+
+user notingroup group[:group:....]
+
+ User is not in given group(s).
+
+user innetgr netgroup
+
+ (user,host) is in given netgroup.
+
+user notinnetgr group
+
+ (user,host) is not in given netgroup.
+
+EXAMPLES
+
+To emulate the behaviour of pam_wheel, except there is no fallback to group 0
+being only approximated by checking also the root group membership:
+
+auth required pam_succeed_if.so quiet user ingroup wheel:root
+
+
+Given that the type matches, only loads the othermodule rule if the UID is over
+500. Adjust the number after default to skip several rules.
+
+type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
+type required othermodule.so arguments...
+
+
+AUTHOR
+
+Nalin Dahyabhai <nalin@redhat.com>
+