diff options
Diffstat (limited to '')
-rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.8 | 226 | ||||
-rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.8.xml | 307 |
2 files changed, 533 insertions, 0 deletions
diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 new file mode 100644 index 0000000..8b33c62 --- /dev/null +++ b/modules/pam_succeed_if/pam_succeed_if.8 @@ -0,0 +1,226 @@ +'\" t +.\" Title: pam_succeed_if +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PAM_SUCCEED_IF" "8" "09/03/2021" "Linux-PAM" "Linux\-PAM" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_succeed_if \- test account characteristics +.SH "SYNOPSIS" +.HP \w'\fBpam_succeed_if\&.so\fR\ 'u +\fBpam_succeed_if\&.so\fR [\fIflag\fR...] [\fIcondition\fR...] +.SH "DESCRIPTION" +.PP +pam_succeed_if\&.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items\&. One use is to select whether to load other modules based on this test\&. +.PP +The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\&. +.SH "OPTIONS" +.PP +The following +\fIflag\fRs are supported: +.PP +\fBdebug\fR +.RS 4 +Turns on debugging messages sent to syslog\&. +.RE +.PP +\fBuse_uid\fR +.RS 4 +Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. +.RE +.PP +\fBquiet\fR +.RS 4 +Don\*(Aqt log failure or success to the system log\&. +.RE +.PP +\fBquiet_fail\fR +.RS 4 +Don\*(Aqt log failure to the system log\&. +.RE +.PP +\fBquiet_success\fR +.RS 4 +Don\*(Aqt log success to the system log\&. +.RE +.PP +\fBaudit\fR +.RS 4 +Log unknown users to the system log\&. +.RE +.PP +\fICondition\fRs are three words: a field, a test, and a value to test for\&. +.PP +Available fields are +\fIuser\fR, +\fIuid\fR, +\fIgid\fR, +\fIshell\fR, +\fIhome\fR, +\fIruser\fR, +\fIrhost\fR, +\fItty\fR +and +\fIservice\fR: +.PP +\fBfield < number\fR +.RS 4 +Field has a value numerically less than number\&. +.RE +.PP +\fBfield <= number\fR +.RS 4 +Field has a value numerically less than or equal to number\&. +.RE +.PP +\fBfield eq number\fR +.RS 4 +Field has a value numerically equal to number\&. +.RE +.PP +\fBfield >= number\fR +.RS 4 +Field has a value numerically greater than or equal to number\&. +.RE +.PP +\fBfield > number\fR +.RS 4 +Field has a value numerically greater than number\&. +.RE +.PP +\fBfield ne number\fR +.RS 4 +Field has a value numerically different from number\&. +.RE +.PP +\fBfield = string\fR +.RS 4 +Field exactly matches the given string\&. +.RE +.PP +\fBfield != string\fR +.RS 4 +Field does not match the given string\&. +.RE +.PP +\fBfield =~ glob\fR +.RS 4 +Field matches the given glob\&. +.RE +.PP +\fBfield !~ glob\fR +.RS 4 +Field does not match the given glob\&. +.RE +.PP +\fBfield in item:item:\&.\&.\&.\fR +.RS 4 +Field is contained in the list of items separated by colons\&. +.RE +.PP +\fBfield notin item:item:\&.\&.\&.\fR +.RS 4 +Field is not contained in the list of items separated by colons\&. +.RE +.PP +\fBuser ingroup group[:group:\&.\&.\&.\&.]\fR +.RS 4 +User is in given group(s)\&. +.RE +.PP +\fBuser notingroup group[:group:\&.\&.\&.\&.]\fR +.RS 4 +User is not in given group(s)\&. +.RE +.PP +\fBuser innetgr netgroup\fR +.RS 4 +(user,host) is in given netgroup\&. +.RE +.PP +\fBuser notinnetgr group\fR +.RS 4 +(user,host) is not in given netgroup\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +All module types (\fBaccount\fR, +\fBauth\fR, +\fBpassword\fR +and +\fBsession\fR) are provided\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +The condition was true\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +The condition was false\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +A service error occurred or the arguments can\*(Aqt be parsed correctly\&. +.RE +.SH "EXAMPLES" +.PP +To emulate the behaviour of +\fIpam_wheel\fR, except there is no fallback to group 0 being only approximated by checking also the root group membership: +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth required pam_succeed_if\&.so quiet user ingroup wheel:root + +.fi +.if n \{\ +.RE +.\} +.PP +Given that the type matches, only loads the othermodule rule if the UID is over 500\&. Adjust the number after default to skip several rules\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +type [default=1 success=ignore] pam_succeed_if\&.so quiet uid > 500 +type required othermodule\&.so arguments\&.\&.\&. + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBglob\fR(7), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +Nalin Dahyabhai <nalin@redhat\&.com> diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml new file mode 100644 index 0000000..14d939a --- /dev/null +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -0,0 +1,307 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + + +<refentry id='pam_succeed_if'> +<!-- Copyright 2003, 2004 Red Hat, Inc. --> +<!-- Written by Nalin Dahyabhai <nalin@redhat.com> --> + + <refmeta> + <refentrytitle>pam_succeed_if</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo> + </refmeta> + + <refnamediv id='pam_succeed_if-name'> + <refname>pam_succeed_if</refname> + <refpurpose>test account characteristics</refpurpose> + </refnamediv> + + + <refsynopsisdiv> + <cmdsynopsis id='pam_succeed_if-cmdsynopsis'> + <command>pam_succeed_if.so</command> + <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg> + <arg choice='opt' rep='repeat'><replaceable>condition</replaceable></arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_succeed_if-description'> + <title>DESCRIPTION</title> + <para> + pam_succeed_if.so is designed to succeed or fail authentication + based on characteristics of the account belonging to the user being + authenticated or values of other PAM items. One use is to select whether + to load other modules based on this test. + </para> + + <para> + The module should be given one or more conditions as module arguments, + and authentication will succeed only if all of the conditions are met. + </para> + </refsect1> + + <refsect1 id="pam_succeed_if-options"> + <title>OPTIONS</title> + <para> + The following <emphasis>flag</emphasis>s are supported: + </para> + + <variablelist> + <varlistentry> + <term><option>debug</option></term> + <listitem> + <para>Turns on debugging messages sent to syslog.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>use_uid</option></term> + <listitem> + <para> + Evaluate conditions using the account of the user whose UID + the application is running under instead of the user being + authenticated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet</option></term> + <listitem> + <para>Don't log failure or success to the system log.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet_fail</option></term> + <listitem> + <para> + Don't log failure to the system log. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>quiet_success</option></term> + <listitem> + <para> + Don't log success to the system log. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>audit</option></term> + <listitem> + <para> + Log unknown users to the system log. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + <emphasis>Condition</emphasis>s are three words: a field, a test, + and a value to test for. + </para> + <para> + Available fields are <emphasis>user</emphasis>, + <emphasis>uid</emphasis>, <emphasis>gid</emphasis>, + <emphasis>shell</emphasis>, <emphasis>home</emphasis>, + <emphasis>ruser</emphasis>, <emphasis>rhost</emphasis>, + <emphasis>tty</emphasis> and <emphasis>service</emphasis>: + </para> + + <variablelist> + <varlistentry> + <term><option>field < number</option></term> + <listitem> + <para>Field has a value numerically less than number.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field <= number</option></term> + <listitem> + <para> + Field has a value numerically less than or equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field eq number</option></term> + <listitem> + <para> + Field has a value numerically equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field >= number</option></term> + <listitem> + <para> + Field has a value numerically greater than or equal to number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field > number</option></term> + <listitem> + <para> + Field has a value numerically greater than number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field ne number</option></term> + <listitem> + <para> + Field has a value numerically different from number. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field = string</option></term> + <listitem> + <para> + Field exactly matches the given string. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field != string</option></term> + <listitem> + <para> + Field does not match the given string. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field =~ glob</option></term> + <listitem> + <para>Field matches the given glob.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field !~ glob</option></term> + <listitem> + <para>Field does not match the given glob.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field in item:item:...</option></term> + <listitem> + <para>Field is contained in the list of items separated by colons.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>field notin item:item:...</option></term> + <listitem> + <para>Field is not contained in the list of items separated by colons.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user ingroup group[:group:....]</option></term> + <listitem> + <para>User is in given group(s).</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user notingroup group[:group:....]</option></term> + <listitem> + <para>User is not in given group(s).</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user innetgr netgroup</option></term> + <listitem> + <para>(user,host) is in given netgroup.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>user notinnetgr group</option></term> + <listitem> + <para>(user,host) is not in given netgroup.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_succeed_if-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + All module types (<option>account</option>, <option>auth</option>, + <option>password</option> and <option>session</option>) are provided. + </para> + </refsect1> + + <refsect1 id='pam_succeed_if-return_values'> + <title>RETURN VALUES</title> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The condition was true. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The condition was false. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A service error occurred or the arguments can't be + parsed correctly. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 id='pam_succeed_if-examples'> + <title>EXAMPLES</title> + <para> + To emulate the behaviour of <emphasis>pam_wheel</emphasis>, except + there is no fallback to group 0 being only approximated by checking also the root group membership: + </para> + <programlisting> +auth required pam_succeed_if.so quiet user ingroup wheel:root + </programlisting> + + <para> + Given that the type matches, only loads the othermodule rule if + the UID is over 500. Adjust the number after default to skip + several rules. + </para> + <programlisting> +type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 +type required othermodule.so arguments... + </programlisting> + </refsect1> + + <refsect1 id='pam_succeed_if-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_succeed_if-author'> + <title>AUTHOR</title> + <para>Nalin Dahyabhai <nalin@redhat.com></para> + </refsect1> +</refentry> |