diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/pam_wheel/pam_wheel.8 | 147 | ||||
| -rw-r--r-- | modules/pam_wheel/pam_wheel.8.xml | 243 |
2 files changed, 390 insertions, 0 deletions
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8 new file mode 100644 index 0000000..648046e --- /dev/null +++ b/modules/pam_wheel/pam_wheel.8 @@ -0,0 +1,147 @@ +'\" t +.\" Title: pam_wheel +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_WHEEL" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_wheel \- Only permit root access to members of group wheel +.SH "SYNOPSIS" +.HP \w'\fBpam_wheel\&.so\fR\ 'u +\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +.SH "DESCRIPTION" +.PP +The pam_wheel PAM module is used to enforce the so\-called +\fIwheel\fR +group\&. By default it permits access to the target user if the applicant user is a member of the +\fIwheel\fR +group\&. If no group with this name exist, the module is using the group with the group\-ID +\fB0\fR\&. +.SH "OPTIONS" +.PP +\fBdebug\fR +.RS 4 +Print debug information\&. +.RE +.PP +\fBdeny\fR +.RS 4 +Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the +\fBgroup\fR +option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless +\fBtrust\fR +was also specified, in which case we return PAM_SUCCESS)\&. +.RE +.PP +\fBgroup=\fR\fB\fIname\fR\fR +.RS 4 +Instead of checking the wheel or GID 0 groups, use the +\fB\fIname\fR\fR +group to perform the authentication\&. +.RE +.PP +\fBroot_only\fR +.RS 4 +The check for wheel membership is done only when the target user UID is 0\&. +.RE +.PP +\fBtrust\fR +.RS 4 +The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. +.RE +.PP +\fBuse_uid\fR +.RS 4 +The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +module types are provided\&. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_IGNORE +.RS 4 +The return value should be ignored by PAM dispatch\&. +.RE +.PP +PAM_PERM_DENY +.RS 4 +Permission denied\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +Cannot determine the user name\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Success\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known\&. +.RE +.SH "EXAMPLES" +.PP +The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +su auth sufficient pam_rootok\&.so +su auth required pam_wheel\&.so +su auth required pam_unix\&.so + +.fi +.if n \{\ +.RE +.\} +.sp +.SH "SEE ALSO" +.PP +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&. diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml new file mode 100644 index 0000000..ee8c7d2 --- /dev/null +++ b/modules/pam_wheel/pam_wheel.8.xml @@ -0,0 +1,243 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_wheel"> + + <refmeta> + <refentrytitle>pam_wheel</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_wheel-name"> + <refname>pam_wheel</refname> + <refpurpose>Only permit root access to members of group wheel</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_wheel-cmdsynopsis"> + <command>pam_wheel.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + deny + </arg> + <arg choice="opt"> + group=<replaceable>name</replaceable> + </arg> + <arg choice="opt"> + root_only + </arg> + <arg choice="opt"> + trust + </arg> + <arg choice="opt"> + use_uid + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_wheel-description"> + <title>DESCRIPTION</title> + <para> + The pam_wheel PAM module is used to enforce the so-called + <emphasis>wheel</emphasis> group. By default it permits + access to the target user if the applicant user is a member of the + <emphasis>wheel</emphasis> group. If no group with this name exist, + the module is using the group with the group-ID + <emphasis remap='B'>0</emphasis>. + </para> + </refsect1> + + <refsect1 id="pam_wheel-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>deny</option> + </term> + <listitem> + <para> + Reverse the sense of the auth operation: if the user + is trying to get UID 0 access and is a member of the + wheel group (or the group of the <option>group</option> option), + deny access. Conversely, if the user is not in the group, return + PAM_IGNORE (unless <option>trust</option> was also specified, + in which case we return PAM_SUCCESS). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>group=<replaceable>name</replaceable></option> + </term> + <listitem> + <para> + Instead of checking the wheel or GID 0 groups, use + the <option><replaceable>name</replaceable></option> group + to perform the authentication. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>root_only</option> + </term> + <listitem> + <para> + The check for wheel membership is done only when the target user + UID is 0. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>trust</option> + </term> + <listitem> + <para> + The pam_wheel module will return PAM_SUCCESS instead + of PAM_IGNORE if the user is a member of the wheel group + (thus with a little play stacking the modules the wheel + members may be able to su to root without being prompted + for a passwd). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_uid</option> + </term> + <listitem> + <para> + The check will be done against the real uid of the calling process, + instead of trying to obtain the user from the login session + associated with the terminal in use. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_wheel-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <emphasis remap='B'>auth</emphasis> and + <emphasis remap='B'>account</emphasis> module types are provided. + </para> + </refsect1> + + <refsect1 id='pam_wheel-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The return value should be ignored by PAM dispatch. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENY</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Cannot determine the user name. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_wheel-examples'> + <title>EXAMPLES</title> + <para> + The root account gains access by default (rootok), only wheel + members can become root (wheel) but Unix authenticate non-root + applicants. + <programlisting> +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_wheel-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_wheel-author'> + <title>AUTHOR</title> + <para> + pam_wheel was written by Cristian Gafton <gafton@redhat.com>. + </para> + </refsect1> + +</refentry> |