summaryrefslogtreecommitdiffstats
path: root/modules/pam_succeed_if/pam_succeed_if.8
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_succeed_if/pam_succeed_if.8')
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.8226
1 files changed, 226 insertions, 0 deletions
diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8
new file mode 100644
index 0000000..8b33c62
--- /dev/null
+++ b/modules/pam_succeed_if/pam_succeed_if.8
@@ -0,0 +1,226 @@
+'\" t
+.\" Title: pam_succeed_if
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM
+.\" Source: Linux-PAM
+.\" Language: English
+.\"
+.TH "PAM_SUCCEED_IF" "8" "09/03/2021" "Linux-PAM" "Linux\-PAM"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_succeed_if \- test account characteristics
+.SH "SYNOPSIS"
+.HP \w'\fBpam_succeed_if\&.so\fR\ 'u
+\fBpam_succeed_if\&.so\fR [\fIflag\fR...] [\fIcondition\fR...]
+.SH "DESCRIPTION"
+.PP
+pam_succeed_if\&.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items\&. One use is to select whether to load other modules based on this test\&.
+.PP
+The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\&.
+.SH "OPTIONS"
+.PP
+The following
+\fIflag\fRs are supported:
+.PP
+\fBdebug\fR
+.RS 4
+Turns on debugging messages sent to syslog\&.
+.RE
+.PP
+\fBuse_uid\fR
+.RS 4
+Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&.
+.RE
+.PP
+\fBquiet\fR
+.RS 4
+Don\*(Aqt log failure or success to the system log\&.
+.RE
+.PP
+\fBquiet_fail\fR
+.RS 4
+Don\*(Aqt log failure to the system log\&.
+.RE
+.PP
+\fBquiet_success\fR
+.RS 4
+Don\*(Aqt log success to the system log\&.
+.RE
+.PP
+\fBaudit\fR
+.RS 4
+Log unknown users to the system log\&.
+.RE
+.PP
+\fICondition\fRs are three words: a field, a test, and a value to test for\&.
+.PP
+Available fields are
+\fIuser\fR,
+\fIuid\fR,
+\fIgid\fR,
+\fIshell\fR,
+\fIhome\fR,
+\fIruser\fR,
+\fIrhost\fR,
+\fItty\fR
+and
+\fIservice\fR:
+.PP
+\fBfield < number\fR
+.RS 4
+Field has a value numerically less than number\&.
+.RE
+.PP
+\fBfield <= number\fR
+.RS 4
+Field has a value numerically less than or equal to number\&.
+.RE
+.PP
+\fBfield eq number\fR
+.RS 4
+Field has a value numerically equal to number\&.
+.RE
+.PP
+\fBfield >= number\fR
+.RS 4
+Field has a value numerically greater than or equal to number\&.
+.RE
+.PP
+\fBfield > number\fR
+.RS 4
+Field has a value numerically greater than number\&.
+.RE
+.PP
+\fBfield ne number\fR
+.RS 4
+Field has a value numerically different from number\&.
+.RE
+.PP
+\fBfield = string\fR
+.RS 4
+Field exactly matches the given string\&.
+.RE
+.PP
+\fBfield != string\fR
+.RS 4
+Field does not match the given string\&.
+.RE
+.PP
+\fBfield =~ glob\fR
+.RS 4
+Field matches the given glob\&.
+.RE
+.PP
+\fBfield !~ glob\fR
+.RS 4
+Field does not match the given glob\&.
+.RE
+.PP
+\fBfield in item:item:\&.\&.\&.\fR
+.RS 4
+Field is contained in the list of items separated by colons\&.
+.RE
+.PP
+\fBfield notin item:item:\&.\&.\&.\fR
+.RS 4
+Field is not contained in the list of items separated by colons\&.
+.RE
+.PP
+\fBuser ingroup group[:group:\&.\&.\&.\&.]\fR
+.RS 4
+User is in given group(s)\&.
+.RE
+.PP
+\fBuser notingroup group[:group:\&.\&.\&.\&.]\fR
+.RS 4
+User is not in given group(s)\&.
+.RE
+.PP
+\fBuser innetgr netgroup\fR
+.RS 4
+(user,host) is in given netgroup\&.
+.RE
+.PP
+\fBuser notinnetgr group\fR
+.RS 4
+(user,host) is not in given netgroup\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+All module types (\fBaccount\fR,
+\fBauth\fR,
+\fBpassword\fR
+and
+\fBsession\fR) are provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_SUCCESS
+.RS 4
+The condition was true\&.
+.RE
+.PP
+PAM_AUTH_ERR
+.RS 4
+The condition was false\&.
+.RE
+.PP
+PAM_SERVICE_ERR
+.RS 4
+A service error occurred or the arguments can\*(Aqt be parsed correctly\&.
+.RE
+.SH "EXAMPLES"
+.PP
+To emulate the behaviour of
+\fIpam_wheel\fR, except there is no fallback to group 0 being only approximated by checking also the root group membership:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+auth required pam_succeed_if\&.so quiet user ingroup wheel:root
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Given that the type matches, only loads the othermodule rule if the UID is over 500\&. Adjust the number after default to skip several rules\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+type [default=1 success=ignore] pam_succeed_if\&.so quiet uid > 500
+type required othermodule\&.so arguments\&.\&.\&.
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBglob\fR(7),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+Nalin Dahyabhai <nalin@redhat\&.com>