summaryrefslogtreecommitdiffstats
path: root/modules/pam_group/group.conf.5.xml
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_group/group.conf.5.xml')
-rw-r--r--modules/pam_group/group.conf.5.xml147
1 files changed, 147 insertions, 0 deletions
diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml
new file mode 100644
index 0000000..2b7fb34
--- /dev/null
+++ b/modules/pam_group/group.conf.5.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="group.conf">
+
+ <refmeta>
+ <refentrytitle>group.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>group.conf</refname>
+ <refpurpose>configuration file for the pam_group module</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='group.conf-description'>
+ <title>DESCRIPTION</title>
+
+ <para>
+ The pam_group PAM module does not authenticate the user, but instead
+ it grants group memberships (in the credential setting phase of the
+ authentication module) to the user. Such memberships are based on the
+ service they are applying for.
+ </para>
+ <para>
+ For this module to function correctly there must be a correctly
+ formatted <filename>/etc/security/group.conf</filename> file present.
+ White spaces are ignored and lines maybe extended with '\' (escaped
+ newlines). Text following a '#' is ignored to the end of the line.
+ </para>
+
+ <para>
+ The syntax of the lines is as follows:
+ </para>
+
+ <para>
+ <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>;<replaceable>groups</replaceable>
+ </para>
+
+
+ <para>
+ The first field, the <replaceable>services</replaceable> field, is a logic list
+ of PAM service names that the rule applies to.
+ </para>
+
+ <para>
+ The second field, the <replaceable>tty</replaceable>
+ field, is a logic list of terminal names that this rule applies to.
+ </para>
+
+ <para>
+ The third field, the <replaceable>users</replaceable>
+ field, is a logic list of users, or a UNIX group, or a netgroup of
+ users to whom this rule applies. Group names are preceded by a '%'
+ symbol, while netgroup names are preceded by a '@' symbol.
+ </para>
+
+ <para>
+ A logic list namely means individual tokens that are optionally prefixed
+ with '!' (logical not) and separated with '&amp;' (logical and) and '|'
+ (logical or).
+ </para>
+
+ <para>
+ For these items the simple wildcard '*' may be used only once.
+ With UNIX groups or netgroups no wildcards or logic operators
+ are allowed.
+ </para>
+
+ <para>
+ The <replaceable>times</replaceable> field is used to indicate "when"
+ these groups are to be given to the user. The format here is a logic
+ list of day/time-range entries. The days are specified by a sequence of
+ two character entries, MoTuSa for example is Monday Tuesday and Saturday.
+ Note that repeated days are unset MoMo = no day, and MoWk = all weekdays
+ bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa
+ Su Wk Wd Al, the last two being week-end days and all 7 days of the week
+ respectively. As a final example, AlFr means all days except Friday.
+ </para>
+ <para>
+ Each day/time-range can be prefixed with a '!' to indicate "anything but".
+ The time-range part is two 24-hour times HHMM, separated by a hyphen,
+ indicating the start and finish time (if the finish time is smaller
+ than the start time it is deemed to apply on the following day).
+ </para>
+
+ <para>
+ The <replaceable>groups</replaceable> field is a comma or space
+ separated list of groups that the user inherits membership of. These
+ groups are added if the previous fields are satisfied by the user's request.
+ </para>
+
+ <para>
+ For a rule to be active, ALL of service+ttys+users must be satisfied
+ by the applying process.
+ </para>
+ </refsect1>
+
+ <refsect1 id="group.conf-examples">
+ <title>EXAMPLES</title>
+ <para>
+ These are some example lines which might be specified in
+ <filename>/etc/security/group.conf</filename>.
+ </para>
+
+ <para>
+ Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access
+ to the floppy (through membership of the floppy group)
+ </para>
+ <programlisting>xsh;tty*&amp;!ttyp*;us;Al0000-2400;floppy</programlisting>
+
+ <para>
+ Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
+ 'shield' are given access to games (through membership of the floppy group) after work hours.
+ </para>
+ <programlisting>
+xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
+xsh; tty* ;*;Al0900-1800;floppy
+ </programlisting>
+ <para>
+ Any member of the group 'admin' running 'xsh' on tty*,
+ is granted access (at any time) to the group 'plugdev'
+ </para>
+ <programlisting>
+xsh; tty* ;%admin;Al0000-2400;plugdev
+ </programlisting>
+
+ </refsect1>
+
+ <refsect1 id="group.conf-see_also">
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id="group.conf-author">
+ <title>AUTHOR</title>
+ <para>
+ pam_group was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
+ </para>
+ </refsect1>
+</refentry>