From de848d9e9146434817c65d74d1d0313e9d729462 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 14:01:37 +0200 Subject: Adding upstream version 1.4.0. Signed-off-by: Daniel Baumann --- modules/pam_group/README | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 modules/pam_group/README (limited to 'modules/pam_group/README') diff --git a/modules/pam_group/README b/modules/pam_group/README new file mode 100644 index 0000000..9d6d097 --- /dev/null +++ b/modules/pam_group/README @@ -0,0 +1,52 @@ +pam_group — PAM module for group access + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_group PAM module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the authentication +module) to the user. Such memberships are based on the service they are +applying for. + +By default rules for group memberships are taken from config file /etc/security +/group.conf. + +This module's usefulness relies on the file-systems accessible to the user. The +point being that once granted the membership of a group, the user may attempt +to create a setgid binary with a restricted group ownership. Later, when the +user is not given membership to this group, they can recover group membership +with the precompiled binary. The reason that the file-systems that the user has +access to are so significant, is the fact that when a system is mounted nosuid +the user is unable to create or execute such a binary file. For this module to +provide any level of security, all file-systems that the user has write access +to should be mounted nosuid. + +The pam_group module functions in parallel with the /etc/group file. If the +user is granted any groups based on the behavior of this module, they are +granted in addition to those entries /etc/group (or equivalent). + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +group.conf. + +Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the +floppy (through membership of the floppy group) + +xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and +'shield' are given access to games (through membership of the floppy group) +after work hours. + +xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound +xsh; tty* ;*;Al0900-1800;floppy + + +Any member of the group 'admin' running 'xsh' on tty*, is granted access (at +any time) to the group 'plugdev' + +xsh; tty* ;%admin;Al0000-2400;plugdev + + -- cgit v1.2.3