summaryrefslogtreecommitdiffstats
path: root/modules/pam_loginuid/pam_loginuid.8
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/pam_loginuid/pam_loginuid.893
-rw-r--r--modules/pam_loginuid/pam_loginuid.8.xml142
2 files changed, 235 insertions, 0 deletions
diff --git a/modules/pam_loginuid/pam_loginuid.8 b/modules/pam_loginuid/pam_loginuid.8
new file mode 100644
index 0000000..3bb3fda
--- /dev/null
+++ b/modules/pam_loginuid/pam_loginuid.8
@@ -0,0 +1,93 @@
+'\" t
+.\" Title: pam_loginuid
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_LOGINUID" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_loginuid \- Record user\*(Aqs login uid to the process attribute
+.SH "SYNOPSIS"
+.HP \w'\fBpam_loginuid\&.so\fR\ 'u
+\fBpam_loginuid\&.so\fR [require_auditd]
+.SH "DESCRIPTION"
+.PP
+The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\&. This is necessary for applications to be correctly audited\&. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\&. There are probably other entry point applications besides these\&. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\&.
+.SH "OPTIONS"
+.PP
+\fBrequire_auditd\fR
+.RS 4
+This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+module type is provided\&.
+.SH "RETURN VALUES"
+.PP
+.PP
+PAM_SUCCESS
+.RS 4
+The loginuid value is set and auditd is running if check requested\&.
+.RE
+.PP
+PAM_IGNORE
+.RS 4
+The /proc/self/loginuid file is not present on the system or the login process runs inside uid namespace and kernel does not support overwriting loginuid\&.
+.RE
+.PP
+PAM_SESSION_ERR
+.RS 4
+Any other error prevented setting loginuid or auditd is not running\&.
+.RE
+.SH "EXAMPLES"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+#%PAM\-1\&.0
+auth required pam_unix\&.so
+auth required pam_nologin\&.so
+account required pam_unix\&.so
+password required pam_unix\&.so
+session required pam_unix\&.so
+session required pam_loginuid\&.so
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8),
+\fBauditctl\fR(8),
+\fBauditd\fR(8)
+.SH "AUTHOR"
+.PP
+pam_loginuid was written by Steve Grubb <sgrubb@redhat\&.com>
diff --git a/modules/pam_loginuid/pam_loginuid.8.xml b/modules/pam_loginuid/pam_loginuid.8.xml
new file mode 100644
index 0000000..9513b0e
--- /dev/null
+++ b/modules/pam_loginuid/pam_loginuid.8.xml
@@ -0,0 +1,142 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_loginuid">
+
+ <refmeta>
+ <refentrytitle>pam_loginuid</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_loginuid-name">
+ <refname>pam_loginuid</refname>
+ <refpurpose>Record user's login uid to the process attribute</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_loginuid-cmdsynopsis">
+ <command>pam_loginuid.so</command>
+ <arg choice="opt">
+ require_auditd
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_loginuid-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ The pam_loginuid module sets the loginuid process attribute for the
+ process that was authenticated. This is necessary for applications
+ to be correctly audited. This PAM module should only be used for entry
+ point applications like: login, sshd, gdm, vsftpd, crond and atd.
+ There are probably other entry point applications besides these.
+ You should not use it for applications like sudo or su as that
+ defeats the purpose by changing the loginuid to the account they just
+ switched to.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_loginuid-options">
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>require_auditd</option>
+ </term>
+ <listitem>
+ <para>
+ This option, when given, will cause this module to query
+ the audit daemon status and deny logins if it is not running.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_loginuid-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ Only the <option>session</option> module type is provided.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_loginuid-return_values'>
+ <title>RETURN VALUES</title>
+ <para>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ The loginuid value is set and auditd is running if check requested.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ The /proc/self/loginuid file is not present on the system or the
+ login process runs inside uid namespace and kernel does not support
+ overwriting loginuid.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SESSION_ERR</term>
+ <listitem>
+ <para>
+ Any other error prevented setting loginuid or auditd is not running.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_loginuid-examples'>
+ <title>EXAMPLES</title>
+ <programlisting>
+#%PAM-1.0
+auth required pam_unix.so
+auth required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so
+session required pam_loginuid.so
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id='pam_loginuid-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>auditd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_loginuid-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_loginuid was written by Steve Grubb &lt;sgrubb@redhat.com&gt;
+ </para>
+ </refsect1>
+
+</refentry>