Relevant BUGIDs:
authorThorsten Kukuk <kukuk@thkukuk.de>
Fri, 9 Jun 2006 16:44:06 +0000 (16:44 +0000)
committerThorsten Kukuk <kukuk@thkukuk.de>
Fri, 9 Jun 2006 16:44:06 +0000 (16:44 +0000)
Purpose of commit: new feature

Commit summary:
---------------

2006-06-09  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_wheel/Makefile.am: Include Make.xml.rules.
        * modules/pam_wheel/pam_wheel.8.xml: New.
        * modules/pam_wheel/pam_wheel.8: New, generated from xml file.
        * modules/pam_wheel/README.xml: New.
        * modules/pam_wheel/README: Regenerated from xml file.

        * modules/pam_xauth/Makefile.am: Include Make.xml.rules.
        * modules/pam_xauth/pam_xauth.8.xml: New.
        * modules/pam_xauth/pam_xauth.8: Regenerated from xml file.
        * modules/pam_xauth/README.xml: New.
        * modules/pam_xauth/README: Regenerated from xml file.

        * modules/pam_deny/pam_deny.8.xml: Fix syntax errors.
        * modules/pam_deny/pam_deny.8: Regenerate from xml file.
        * modules/pam_deny/README: Likewise.

        * modules/pam_warn/Makefile.am: Include Make.xml.rules.
        * modules/pam_warn/pam_warn.8.xml: New.
        * modules/pam_warn/pam_warn.8: New, generated from xml file.
        * modules/pam_warn/README.xml: New.
        * modules/pam_warn/README: Regenerated from xml file.

        * modules/pam_userdb/Makefile.am: Include Make.xml.rules.
        * modules/pam_userdb/pam_userdb.8.xml: New.
        * modules/pam_userdb/pam_userdb.8: New, generated from xml file.
        * modules/pam_userdb/README.xml: New.
        * modules/pam_userdb/README: Regenerated from xml file.

41 files changed:
ChangeLog
NEWS
modules/pam_deny/README
modules/pam_deny/pam_deny.8
modules/pam_deny/pam_deny.8.xml
modules/pam_exec/pam_exec.8
modules/pam_exec/pam_exec.8.xml
modules/pam_filter/pam_filter.8
modules/pam_filter/pam_filter.8.xml
modules/pam_ftp/pam_ftp.8
modules/pam_ftp/pam_ftp.8.xml
modules/pam_issue/pam_issue.8
modules/pam_issue/pam_issue.8.xml
modules/pam_lastlog/pam_lastlog.8
modules/pam_lastlog/pam_lastlog.8.xml
modules/pam_localuser/pam_localuser.8
modules/pam_localuser/pam_localuser.8.xml
modules/pam_mail/pam_mail.8
modules/pam_mail/pam_mail.8.xml
modules/pam_umask/pam_umask.8
modules/pam_umask/pam_umask.8.xml
modules/pam_userdb/Makefile.am
modules/pam_userdb/README
modules/pam_userdb/README.xml [new file with mode: 0644]
modules/pam_userdb/pam_userdb.8 [new file with mode: 0644]
modules/pam_userdb/pam_userdb.8.xml [new file with mode: 0644]
modules/pam_warn/Makefile.am
modules/pam_warn/README
modules/pam_warn/README.xml [new file with mode: 0644]
modules/pam_warn/pam_warn.8 [new file with mode: 0644]
modules/pam_warn/pam_warn.8.xml [new file with mode: 0644]
modules/pam_wheel/Makefile.am
modules/pam_wheel/README
modules/pam_wheel/README.xml [new file with mode: 0644]
modules/pam_wheel/pam_wheel.8 [new file with mode: 0644]
modules/pam_wheel/pam_wheel.8.xml [new file with mode: 0644]
modules/pam_xauth/Makefile.am
modules/pam_xauth/README
modules/pam_xauth/README.xml [new file with mode: 0644]
modules/pam_xauth/pam_xauth.8
modules/pam_xauth/pam_xauth.8.xml [new file with mode: 0644]

index 88dc40a05a1b27bec2efd3e472e9b8b0b54f0250..39d0c52085e45b251054538d2b52ad6a24130dd0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,34 @@
-2006-06-06  Thorsten Kukuk  <kukuk@suse.de>
+2006-06-09  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+       * modules/pam_wheel/Makefile.am: Include Make.xml.rules.
+       * modules/pam_wheel/pam_wheel.8.xml: New.
+       * modules/pam_wheel/pam_wheel.8: New, generated from xml file.
+       * modules/pam_wheel/README.xml: New.
+       * modules/pam_wheel/README: Regenerated from xml file.
+
+       * modules/pam_xauth/Makefile.am: Include Make.xml.rules.
+       * modules/pam_xauth/pam_xauth.8.xml: New.
+       * modules/pam_xauth/pam_xauth.8: Regenerated from xml file.
+       * modules/pam_xauth/README.xml: New.
+       * modules/pam_xauth/README: Regenerated from xml file.
+
+       * modules/pam_deny/pam_deny.8.xml: Fix syntax errors.
+       * modules/pam_deny/pam_deny.8: Regenerate from xml file.
+       * modules/pam_deny/README: Likewise.
+
+       * modules/pam_warn/Makefile.am: Include Make.xml.rules.
+       * modules/pam_warn/pam_warn.8.xml: New.
+       * modules/pam_warn/pam_warn.8: New, generated from xml file.
+       * modules/pam_warn/README.xml: New.
+       * modules/pam_warn/README: Regenerated from xml file.
+
+       * modules/pam_userdb/Makefile.am: Include Make.xml.rules.
+       * modules/pam_userdb/pam_userdb.8.xml: New.
+       * modules/pam_userdb/pam_userdb.8: New, generated from xml file.
+       * modules/pam_userdb/README.xml: New.
+       * modules/pam_userdb/README: Regenerated from xml file.
+
+2006-06-06  Thorsten Kukuk  <kukuk@thkukuk.de>
 
        * modules/pam_shells/Makefile.am: Include Make.xml.rules.
        * modules/pam_shells/pam_shells.8.xml: New.
@@ -6,8 +36,6 @@
        * modules/pam_shells/README.xml: New.
        * modules/pam_shells/README: Regenerated from xml file.
 
-2006-06-06  Thorsten Kukuk  <kukuk@thkukuk.de>
-
        * libpam/include/security/pam_malloc.h: Add missing license
        informations.
 
diff --git a/NEWS b/NEWS
index fa5cd79cc0b399a40dc71934707ddb34f00f9a42..d64668100897d8ace0fc54828dfc243fde23af8a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,7 +6,7 @@ Linux-PAM NEWS -- history of user-visible changes.
 * Add manual page for pam_mkhomedir, pam_umask, pam_filter,
   pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
   pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
-  pam_rootok, pam_securetty, pam_shells
+  pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn
 
 Release 0.99.4.0
 
index 1684526536f9c7289c24f4da1fd324331f2c941c..6b3a86f83cd99832c0b942c5e97a32c310e671e9 100644 (file)
@@ -10,19 +10,19 @@ default (the OTHER) entries.
 
 EXAMPLES
 
-        #%PAM-1.0
-        #
-        # If we don't have config entries for a service, the
-        # OTHER entries are used. To be secure, warn and deny
-        # access to everything.
-        other auth     required       pam_warn.so
-        other auth     required       pam_deny.so
-        other account  required       pam_warn.so
-        other account  required       pam_deny.so
-        other password required       pam_warn.so
-        other password required       pam_deny.so
-        other session  required       pam_warn.so
-        other session  required       pam_deny.so
+#%PAM-1.0
+#
+# If we don't have config entries for a service, the
+# OTHER entries are used. To be secure, warn and deny
+# access to everything.
+other auth     required       pam_warn.so
+other auth     required       pam_deny.so
+other account  required       pam_warn.so
+other account  required       pam_deny.so
+other password required       pam_warn.so
+other password required       pam_deny.so
+other session  required       pam_warn.so
+other session  required       pam_deny.so
 
 
 AUTHOR
index 78f06a1920836632a009ff262a65eea91e1292b0..089048a329d332a42f4344f672925e449bbdd49a 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_deny
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_DENY" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DENY" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -41,28 +41,25 @@ This is returned by the password service.
 PAM_SESSION_ERR
 This is returned by the session service.
 .SH "EXAMPLES"
-.PP
-
 .sp
 .RS 3n
 .nf
-        #%PAM\-1.0
-        #
-        # If we don't have config entries for a service, the
-        # OTHER entries are used. To be secure, warn and deny
-        # access to everything.
-        other auth     required       pam_warn.so
-        other auth     required       pam_deny.so
-        other account  required       pam_warn.so
-        other account  required       pam_deny.so
-        other password required       pam_warn.so
-        other password required       pam_deny.so
-        other session  required       pam_warn.so
-        other session  required       pam_deny.so
-      
+#%PAM\-1.0
+#
+# If we don't have config entries for a service, the
+# OTHER entries are used. To be secure, warn and deny
+# access to everything.
+other auth     required       pam_warn.so
+other auth     required       pam_deny.so
+other account  required       pam_warn.so
+other account  required       pam_deny.so
+other password required       pam_warn.so
+other password required       pam_deny.so
+other session  required       pam_warn.so
+other session  required       pam_deny.so
+    
 .fi
 .RE
-.sp
 .SH "SEE ALSO"
 .PP
 
index eaa0b3872cfa1fa378a5cf364042ce742e454770..cb88605ed56f8fe39800261d80e4e7ccb4e840b1 100644 (file)
 
   <refsect1 id='pam_deny-examples'>
     <title>EXAMPLES</title>
-    <para>
-      <programlisting>
-        #%PAM-1.0
-        #
-        # If we don't have config entries for a service, the
-        # OTHER entries are used. To be secure, warn and deny
-        # access to everything.
-        other auth     required       pam_warn.so
-        other auth     required       pam_deny.so
-        other account  required       pam_warn.so
-        other account  required       pam_deny.so
-        other password required       pam_warn.so
-        other password required       pam_deny.so
-        other session  required       pam_warn.so
-        other session  required       pam_deny.so
-      </programlisting>
-    </para>
+    <programlisting>
+#%PAM-1.0
+#
+# If we don't have config entries for a service, the
+# OTHER entries are used. To be secure, warn and deny
+# access to everything.
+other auth     required       pam_warn.so
+other auth     required       pam_deny.so
+other account  required       pam_warn.so
+other account  required       pam_deny.so
+other password required       pam_warn.so
+other password required       pam_deny.so
+other session  required       pam_warn.so
+other session  required       pam_deny.so
+    </programlisting>
   </refsect1>
 
   <refsect1 id='pam_deny-see_also'>
index 90e8f2b6471cb74f16a0d84388f509c2a9ac7f15..ae8f8a46422ca9d13c55b277e84a88216e75bcc9 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_exec
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_EXEC" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_EXEC" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index c7241abe4fb643b15bc9c337fb784993573733d0..1e8bb0baaaf5d811caf157b6819b26de347f18d7 100644 (file)
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index adb8415df629fe24e247ce4ae654728b2d751ee9..7def7fe94143812bf5da72c75ed886f76bd67326 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_filter
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_FILTER" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FILTER" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index f4d86b6649385143bccd0bc3ae1572a5f4fb38af..d15d7e979a7c8137ef1891878a50f70e6a532ac4 100644 (file)
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index 41b52da013ccb93da6369b71e851e7541318c790..0c730267d823e6d3098d25c5604e03d09fffc933 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_ftp
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_FTP" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FTP" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index b67ed182949b22340f40b35fb7ea006aa940bf21..aca2169437966ea0c59ecab6b1ed244bc0b34764 100644 (file)
@@ -181,5 +181,3 @@ auth    required    pam_listfile.so \
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index 5cc22a99dbd41c14d8141b3be67b8fd9387f51f2..90981a2d1efbc395d1f98768f70476fdb08a5ae4 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_issue
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_ISSUE" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ISSUE" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index 6b1cf4fd0f6afb0580d2a169bfa6798813db5879..815b0756775593d49b4cc32f82ef493a2b0c1468 100644 (file)
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index 9aee5caaccff9b27f92e2a6227ab619772a578b2..81b044703ca8b5debc1a031a46a59835352981a4 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_lastlog
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_LASTLOG" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LASTLOG" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index fa97b03e9776abad5f6e4421b75ee0306855c134..066eff5865d474ef1c48210cdf9b48fb3789b009 100644 (file)
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index eafe981f662e85cdbd2d36f534ed8d66e1bd92e8..c10cd073fb59c646c604c12889d9d2031d6324a6 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_localuser
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_LOCALUSER" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LOCALUSER" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index 4249780c857df451118292a0ed3a64e125264137..22ed4434d814bb8df4d657047c8212099034eb59 100644 (file)
@@ -171,5 +171,3 @@ account required pam_wheel.so
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index 264f5b3604f693abcc0350419d84ed2cb192647e..6d8a69a8d918931649b7f54e41db8f8b87d60891 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_mail
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_MAIL" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_MAIL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index 8760f98a91af2c97fab6600fefd5c0ebfe354deb..d3c481a5df8b0418166e4912cdc0ea384080229e 100644 (file)
@@ -277,5 +277,3 @@ session  optional  pam_mail.so standard
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index 97ce6a62483e8c54d28e9b02d5235b19742e21eb..230a46764e393dd4791477daaabf50ebc0b95a32 100644 (file)
@@ -1,11 +1,11 @@
 .\"     Title: pam_umask
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\"      Date: 06/09/2006
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_UMASK" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_UMASK" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
index 4edbb18e3b5daf13548f68f7187a27994de95a92..8bb866a0ffdbd3e8f66d1047fb4d1bc4476d0926 100644 (file)
   </refsect1>
 
 </refentry>
-<!-- vim: sw=2
--->
index 6e6a94afbb987331ad08cce480efabb667303307..4b6f2569d60586f6de4014d85fdd1ce629754869 100644 (file)
@@ -4,7 +4,10 @@
 
 CLEANFILES = *~
 
-EXTRA_DIST = README create.pl tst-pam_userdb
+EXTRA_DIST = README (MANS) $(XMLS) create.pl tst-pam_userdb
+
+man_MANS = pam_userdb.8
+XMLS = README.xml pam_userdb.8.xml
 
 TESTS = tst-pam_userdb
 
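Review bot: The new `EXTRA_DIST` line writes the first variable as `(MANS)` without the leading `$`, so make treats it as a literal word instead of expanding the man page list. As written, the distribution step is likely to fail on a file named `(MANS)` or to leave `pam_userdb.8` out of the tarball, since `man_MANS` entries are not distributed unless they are listed explicitly. The line should read `EXTRA_DIST = README $(MANS) $(XMLS) create.pl tst-pam_userdb`. The commit also changes the Makefile.am files for pam_warn, pam_wheel and pam_xauth, which are not visible here and are worth checking for the same typo.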
@@ -23,3 +26,10 @@ if HAVE_LIBDB
 endif
 
 noinst_HEADERS = pam_userdb.h
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_userdb.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
index 0d74ecb21341f9c91c3555a107f88391b126a953..8e1a5ffd7adfff21091bf9544c0550c953a8705a 100644 (file)
@@ -1,68 +1,74 @@
-pam_userdb:
-       Look up users in a .db database and verify their password against
-       what is contained in that database.  The database will have been
-       created using db_load.
-
-RECOGNIZED ARGUMENTS:
-       debug           write a message to syslog indicating success or
-                       failure.
-
-       db=[path]       use the [path] database for performing lookup. There
-                       is no default; the module will return PAM_IGNORE if
-                       no database is provided.  Some versions of DB will
-                       automatically append ".db" to whatever pathname you
-                       supply here.
-                       
-       crypt=[mode]    indicates whether encrypted or plaintext passwords
-                       are stored in the database.  If [mode] is "crypt", 
-                       passwords should be stored in the database in 
-                       crypt(3) form.  If [mode] is "none" or any other 
-                       value, passwords should be stored in the database in
-                       plaintext.
-
-       icase           make the password verification to be case insensitive
-                       (ie when working with registration numbers and such)
-                       only works with plaintext password storage.
-
-       dump            dump all the entries in the database to the log (eek,
-                       don't do this by default!)
-
-       try_first_pass  use the authentication token previously obtained by
-                       another module that did the conversation with the
-                       application.  If this token can not be obtained then
-                       the module will try to converse. This option can
-                       be used for stacking different modules that need to
-                       deal with the authentication tokens.
-
-       use_first_pass  use the authentication token previously obtained by
-                       another module that did the conversation with the
-                       application.  If this token can not be obtained then
-                       the module will fail. This option can be used for
-                       stacking different modules that need to deal with
-                       the authentication tokens.
-
-       unknown_ok      do not return error when checking for a user that is
-                       not in the database. This can be used to stack more
-                       than one pam_userdb module that will check a
-                       username/password pair in more than a database.
-
-       key_only        the username and password are concatenated together
-                       in the database hash as 'username-password' with a
-                       random value.  if the concatenation of the username and
-                       password with a dash in the middle returns any result,
-                       the user is valid.  this is useful in cases where
-                       the username may not be unique but the username and
-                       password pair are.
-
-MODULE SERVICES PROVIDED:
-       auth            _authentication and _setcred (blank)
-
-EXAMPLE USE:
-       auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
-
-AUTHOR:
-       Cristian Gafton <gafton@redhat.com>
-
-
-
-$Id$
+pam_userdb — PAM module to authenticate against a db database
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_userdb module is used to verify a username/password pair against values
+stored in a Berkeley DB database. The database is indexed by the username, and
+the data fields corresponding to the username keys are the passwords.
+
+OPTIONS
+
+crypt=[crypt|none]
+
+    Indicates whether encrypted or plaintext passwords are stored in the
+    database. If it is crypt, passwords should be stored in the database in
+    crypt(3) form. If none is selected, passwords should be stored in the
+    database as plaintext.
+
+db=/path/database
+
+    Use the /path/database database for performing lookup. There is no default;
+    the module will return PAM_IGNORE if no database is provided.
+
+debug
+
+    Print debug information.
+
+dump
+
+    Dump all the entries in the database to the log. Don't do this by default!
+
+icase
+
+    Make the password verification to be case insensitive (ie when working with
+    registration numbers and such). Only works with plaintext password storage.
+
+try_first_pass
+
+    Use the authentication token previously obtained by another module that did
+    the conversation with the application. If this token can not be obtained
+    then the module will try to converse. This option can be used for stacking
+    different modules that need to deal with the authentication tokens.
+
+use_first_pass
+
+    Use the authentication token previously obtained by another module that did
+    the conversation with the application. If this token can not be obtained
+    then the module will fail. This option can be used for stacking different
+    modules that need to deal with the authentication tokens.
+
+unknown_ok
+
+    Do not return error when checking for a user that is not in the database.
+    This can be used to stack more than one pam_userdb module that will check a
+    username/password pair in more than a database.
+
+key_only
+
+    The username and password are concatenated together in the database hash as
+    'username-password' with a random value. if the concatenation of the
+    username and password with a dash in the middle returns any result, the
+    user is valid. this is useful in cases where the username may not be unique
+    but the username and password pair are.
+
+EXAMPLES
+
+auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
+
+
+AUTHOR
+
+pam_userdb was written by Cristian Gafton >gafton@redhat.com<.
+
diff --git a/modules/pam_userdb/README.xml b/modules/pam_userdb/README.xml
new file mode 100644 (file)
index 0000000..b22c09e
--- /dev/null
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_userdb.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_userdb.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_userdb-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/>
+  </section>
+
+</article>
diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8
new file mode 100644 (file)
index 0000000..b1ad667
--- /dev/null
@@ -0,0 +1,104 @@
+.\"     Title: pam_userdb
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/07/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_USERDB" "8" "06/07/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_userdb \- PAM module to authenticate against a db database
+.SH "SYNOPSIS"
+.HP 14
+\fBpam_userdb.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only]
+.SH "DESCRIPTION"
+.PP
+The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords.
+.SH "OPTIONS"
+.TP 3n
+\fBcrypt=[crypt|none]\fR
+Indicates whether encrypted or plaintext passwords are stored in the database. If it is
+\fBcrypt\fR, passwords should be stored in the database in
+\fBcrypt\fR(3)
+form. If
+\fBnone\fR
+is selected, passwords should be stored in the database as plaintext.
+.TP 3n
+\fBdb=\fR\fB\fI/path/database\fR\fR
+Use the
+\fI/path/database\fR
+database for performing lookup. There is no default; the module will return
+\fBPAM_IGNORE\fR
+if no database is provided.
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.TP 3n
+\fBdump\fR
+Dump all the entries in the database to the log. Don't do this by default!
+.TP 3n
+\fBicase\fR
+Make the password verification to be case insensitive (ie when working with registration numbers and such). Only works with plaintext password storage.
+.TP 3n
+\fBtry_first_pass\fR
+Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will try to converse. This option can be used for stacking different modules that need to deal with the authentication tokens.
+.TP 3n
+\fBuse_first_pass\fR
+Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will fail. This option can be used for stacking different modules that need to deal with the authentication tokens.
+.TP 3n
+\fBunknown_ok\fR
+Do not return error when checking for a user that is not in the database. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database.
+.TP 3n
+\fBkey_only\fR
+The username and password are concatenated together in the database hash as 'username\-password' with a random value. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid. this is useful in cases where the username may not be unique but the username and password pair are.
+.SH "MODULE SERVICES PROVIDED"
+.PP
+The services
+\fBauth\fR
+and
+\fBaccount\fR
+are supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+Authentication failure.
+.TP 3n
+PAM_AUTHTOK_RECOVERY_ERR
+Authentication information cannot be recovered.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_CONV_ERR
+Conversation failure.
+.TP 3n
+PAM_SERVICE_ERR
+Error in service module.
+.TP 3n
+PAM_SUCCESS
+Success.
+.TP 3n
+PAM_USER_UNKNOWN
+User not known to the underlying authentication module.
+.SH "EXAMPLES"
+.sp
+.RS 3n
+.nf
+auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
+    
+.fi
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBcrypt\fR(3),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_userdb was written by Cristian Gafton >gafton@redhat.com<.
diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml
new file mode 100644 (file)
index 0000000..70b416b
--- /dev/null
@@ -0,0 +1,292 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+       "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_userdb">
+
+  <refmeta>
+    <refentrytitle>pam_userdb</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_userdb-name">
+    <refname>pam_userdb</refname>
+    <refpurpose>PAM module to authenticate against a db database</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_userdb-cmdsynopsis">
+      <command>pam_userdb.so</command>
+      <arg choice="plain">
+       db=<replaceable>/path/database</replaceable>
+      </arg>
+      <arg choice="opt">
+       debug
+      </arg>
+      <arg choice="opt">
+        crypt=[crypt|none]
+      </arg>
+      <arg choice="opt">
+        icase
+      </arg>
+      <arg choice="opt">
+        dump
+      </arg>
+      <arg choice="opt">
+        try_first_pass
+      </arg>
+      <arg choice="opt">
+        use_first_pass
+      </arg>
+      <arg choice="opt">
+        unknown_ok
+      </arg>
+      <arg choice="opt">
+        key_only
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_userdb-description">
+
+    <title>DESCRIPTION</title>
+
+    <para>
+      The pam_userdb module is used to verify a username/password pair
+      against values stored in a Berkeley DB database. The database is
+      indexed by the username, and the data fields corresponding to the
+      username keys are the passwords.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_userdb-options">
+
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>crypt=[crypt|none]</option>
+        </term>
+        <listitem>
+          <para>
+            Indicates whether encrypted or plaintext passwords are stored
+            in the database.  If it is <option>crypt</option>, passwords
+            should be stored in the database in
+            <citerefentry>
+             <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry> form.  If <option>none</option> is selected,
+            passwords should be stored in the database as plaintext.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>db=<replaceable>/path/database</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Use the <filename>/path/database</filename> database for
+            performing lookup. There is no default; the module will
+            return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
+            database is provided.
+          </para>
+        </listitem>
+      </varlistentry>
+       <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+            Print debug information.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>dump</option>
+        </term>
+        <listitem>
+          <para>
+            Dump all the entries in the database to the log.
+            Don't do this by default!
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>icase</option>
+        </term>
+        <listitem>
+          <para>
+            Make the password verification to be case insensitive
+            (ie when working with registration numbers and such).
+            Only works with plaintext password storage.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
+          <option>try_first_pass</option>
+        </term>
+        <listitem>
+          <para>
+            Use the authentication token previously obtained by
+            another module that did the conversation with the
+            application.  If this token can not be obtained then
+            the module will try to converse. This option can
+            be used for stacking different modules that need to
+            deal with the authentication tokens.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>use_first_pass</option>
+        </term>
+        <listitem>
+          <para>
+            Use the authentication token previously obtained by
+            another module that did the conversation with the
+            application.  If this token can not be obtained then
+            the module will fail. This option can be used for
+            stacking different modules that need to deal with
+            the authentication tokens.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>unknown_ok</option>
+        </term>
+        <listitem>
+          <para>
+            Do not return error when checking for a user that is
+            not in the database. This can be used to stack more
+            than one pam_userdb module that will check a
+            username/password pair in more than a database.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>key_only</option>
+        </term>
+        <listitem>
+          <para>
+            The username and password are concatenated together
+            in the database hash as 'username-password' with a
+            random value.  if the concatenation of the username and
+            password with a dash in the middle returns any result,
+            the user is valid.  this is useful in cases where
+            the username may not be unique but the username and
+            password pair are.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_userdb-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      The services <option>auth</option> and <option>account</option>
+      are supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_userdb-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>Authentication failure.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTHTOK_RECOVERY_ERR</term>
+        <listitem>
+          <para>
+            Authentication information cannot be recovered.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+           <para>
+             Conversation failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SERVICE_ERR</term>
+        <listitem>
+          <para>
+             Error in service module.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>
+            Success.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User not known to the underlying authentication module.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_userdb-examples'>
+    <title>EXAMPLES</title>
+    <programlisting>
+auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
+    </programlisting>
+  </refsect1>
+
+  <refsect1 id='pam_userdb-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+       <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_userdb-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_userdb was written by Cristian Gafton &gt;gafton@redhat.com&lt;.
+      </para>
+  </refsect1>
+
+</refentry>
index 49916d0f56a3ee680dcdab8851559c587332718f..6ecc13627319472673dce1d5ebb1e9b58a1f4495 100644 (file)
@@ -4,7 +4,10 @@
 
 CLEANFILES = *~
 
-EXTRA_DIST = README tst-pam_warn
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_warn
+
+man_MANS = pam_warn.8
+XMLS = README.xml pam_warn.8.xml
 
 TESTS = tst-pam_warn
 
@@ -19,3 +22,10 @@ if HAVE_VERSIONING
 endif
 
 securelib_LTLIBRARIES = pam_warn.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_warn.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
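Review bot: The `-include $(top_srcdir)/Make.xml.rules` line in the `ENABLE_REGENERATE_MAN` block is skipped without error if that file is missing, because of the leading dash. In that case `README: pam_warn.8.xml` is left as a prerequisite-only rule, and the README and man page for this module would presumably stay stale without any build failure; Make.xml.rules itself is not shown here, so that it carries the recipes is inferred. If the dash is deliberate (for example to stop automake from processing the include itself), a comment above it would record that, such as `# '-include' is deliberate: Make.xml.rules holds the xml->man/README recipes and is read by make, not automake`. Otherwise a check that fails when regeneration is enabled and the rules file is absent would be safer. The same block is added to the pam_wheel and pam_xauth Makefile.am hunks further down.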
index 6d484bdf12dc69b60dc94cb4f85e3d8737be81c6..d9619b5321be96adc41ba494bbc2851f824a9384 100644 (file)
@@ -1,26 +1,36 @@
-# $Id$
-#
+pam_warn — PAM module which logs all PAM items if called
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
 
-This module is an authentication module that does not authenticate.
-Instead it always returns PAM_IGNORE, indicating that it does not want
-to affect the authentication process.
+pam_warn is a PAM module that logs the service, terminal, user, remote user and
+remote host to syslog(3). The items are not probed for, but instead obtained
+from the standard PAM items. The module always returns PAM_IGNORE, indicating
+that it does not want to affect the authentication process.
 
-Its purpose is to log a message to the syslog indicating the
-pam_item's available at the time it was invoked. It is a diagnostic
-tool.
+OPTIONS
 
-Recognized arguments:
+This module does not recognice any options.
 
-       <none>
+EXAMPLES
+
+#%PAM-1.0
+#
+# If we don't have config entries for a service, the
+# OTHER entries are used. To be secure, warn and deny
+# access to everything.
+other auth     required       pam_warn.so
+other auth     required       pam_deny.so
+other account  required       pam_warn.so
+other account  required       pam_deny.so
+other password required       pam_warn.so
+other password required       pam_deny.so
+other session  required       pam_warn.so
+other session  required       pam_deny.so
 
-module services provided:
 
-       auth            _authenticate and _setcred (blank)
-       acct            _acct_mgmt [mapped to _authenticate]
-       session         _open_session and
-                       _close_session [mapped to _authenticate ]
-       password        _chauthtok [mapped to _authenticate]
+AUTHOR
 
+pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.
 
-Andrew Morgan
-1996/11/14
diff --git a/modules/pam_warn/README.xml b/modules/pam_warn/README.xml
new file mode 100644 (file)
index 0000000..4367c28
--- /dev/null
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_warn.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_warn.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_warn-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-author"]/*)'/>
+  </section>
+
+</article>
diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8
new file mode 100644 (file)
index 0000000..4e2c67c
--- /dev/null
@@ -0,0 +1,67 @@
+.\"     Title: pam_warn
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/09/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_WARN" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_warn \- PAM module which logs all PAM items if called
+.SH "SYNOPSIS"
+.HP 12
+\fBpam_warn.so\fR
+.SH "DESCRIPTION"
+.PP
+pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to
+\fBsyslog\fR(3). The items are not probed for, but instead obtained from the standard PAM items. The module always returns
+\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process.
+.SH "OPTIONS"
+.PP
+This module does not recognice any options.
+.SH "MODULE SERVICES PROVIDED"
+.PP
+The services
+\fBauth\fR,
+\fBaccount\fR,
+\fBpassword\fR
+and
+\fBsession\fR
+are supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_IGNORE
+This module always returns PAM_IGNORE.
+.SH "EXAMPLES"
+.sp
+.RS 3n
+.nf
+#%PAM\-1.0
+#
+# If we don't have config entries for a service, the
+# OTHER entries are used. To be secure, warn and deny
+# access to everything.
+other auth     required       pam_warn.so
+other auth     required       pam_deny.so
+other account  required       pam_warn.so
+other account  required       pam_deny.so
+other password required       pam_warn.so
+other password required       pam_deny.so
+other session  required       pam_warn.so
+other session  required       pam_deny.so
+      
+.fi
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.
diff --git a/modules/pam_warn/pam_warn.8.xml b/modules/pam_warn/pam_warn.8.xml
new file mode 100644 (file)
index 0000000..1aa70f5
--- /dev/null
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+       "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_warn">
+
+  <refmeta>
+    <refentrytitle>pam_warn</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+  <refnamediv id="pam_warn-name">
+    <refname>pam_warn</refname>
+    <refpurpose>PAM module which logs all PAM items if called</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_warn-cmdsynopsis">
+      <command>pam_warn.so</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_warn-description">
+    <title>DESCRIPTION</title>
+    <para>
+      pam_warn is a PAM module that logs the service, terminal, user,
+      remote user and remote host to
+      <citerefentry>
+       <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>. The items are not probed for, but instead obtained
+      from the standard PAM items. The module always returns
+      <emphasis remap='B'>PAM_IGNORE</emphasis>, indicating that it
+      does not want to affect the authentication process.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_warn-options">
+    <title>OPTIONS</title>
+    <para>This module does not recognice any options.</para>
+  </refsect1>
+
+  <refsect1 id="pam_warn-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      The services <option>auth</option>, <option>account</option>,
+      <option>password</option> and <option>session</option> are supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_warn-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+          <para>
+            This module always returns PAM_IGNORE.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_warn-examples'>
+    <title>EXAMPLES</title>
+      <programlisting>
+#%PAM-1.0
+#
+# If we don't have config entries for a service, the
+# OTHER entries are used. To be secure, warn and deny
+# access to everything.
+other auth     required       pam_warn.so
+other auth     required       pam_deny.so
+other account  required       pam_warn.so
+other account  required       pam_deny.so
+other password required       pam_warn.so
+other password required       pam_deny.so
+other session  required       pam_warn.so
+other session  required       pam_deny.so
+      </programlisting>
+  </refsect1>
+
+  <refsect1 id='pam_warn-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+       <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_warn-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_warn was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
+      </para>
+  </refsect1>
+
+</refentry>
index 3405adb3e128be91e7142b7a25345c644e7f6a95..82a983051b06326ed11c667f32edc3de382cd655 100644 (file)
@@ -4,7 +4,10 @@
 
 CLEANFILES = *~
 
-EXTRA_DIST = README tst-pam_wheel
+EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel
+
+man_MANS = pam_wheel.8
+XMLS = README.xml pam_wheel.8.xml
 
 TESTS = tst-pam_wheel
 
@@ -19,3 +22,10 @@ if HAVE_VERSIONING
 endif
 
 securelib_LTLIBRARIES = pam_wheel.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_wheel.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
index 2cd156c03ff6f10312bad9d5c5bf5f5453aec4bb..db118205cdf5efa71b701431e8ee57efdd8916ec 100644 (file)
@@ -1,39 +1,61 @@
+pam_wheel — Only permit root access to members of group wheel
 
-pam_wheel:
-       only permit root authentication to members of wheel group
-
-RECOGNIZED ARGUMENTS:
-       debug           Write a message to syslog indicating success or
-                       failure.
-
-       use_uid         The check for wheel membership will be done against
-                       the current uid instead of the original one
-                       (useful when jumping with su from one account to
-                       another for example).
-                       
-       trust           The pam_wheel module will return PAM_SUCCESS instead
-                       of PAM_IGNORE if the user is a member of the wheel
-                       group (thus with a little play stacking the modules
-                       the wheel members may be able to su to root without
-                       being prompted for a passwd).
-
-       deny            Reverse the sense of the auth operation: if the user
-                       is trying to get UID 0 access and is a member of the
-                       wheel group, deny access (well, kind of nonsense, but
-                       for use in conjunction with 'group' argument... :-)
-                       Conversely, if the user is not in the group, return
-                        PAM_IGNORE (unless 'trust' was also specified, in
-                        which case we return PAM_SUCCESS).
-
-       group=xxxx      Instead of checking the wheel or GID 0 groups, use
-                       the xxxx group to perform the authentification.
-
-       root_only       The check for wheel membership is done only
-                       if the uid of requested account is 0.
-
-MODULE SERVICES PROVIDED:
-       auth            _authentication, _setcred (blank) and _acct_mgmt
-
-AUTHOR:
-       Cristian Gafton <gafton@redhat.com>
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_wheel PAM module is used to enforce the so-called wheel group. By
+default it permits root access to the system if the applicant user is a member
+of the wheel group. If no group with this name exist, the module is using the
+group with the group-ID 0.
+
+OPTIONS
+
+debug
+
+    Print debug information.
+
+deny
+
+    Reverse the sense of the auth operation: if the user is trying to get UID 0
+    access and is a member of the wheel group (or the group of the group
+    option), deny access. Conversely, if the user is not in the group, return
+    PAM_IGNORE (unless trust was also specified, in which case we return
+    PAM_SUCCESS).
+
+group=name
+
+    Instead of checking the wheel or GID 0 groups, use the name group to
+    perform the authentification.
+
+root_only
+
+    The check for wheel membership is done only.
+
+trust
+
+    The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the
+    user is a member of the wheel group (thus with a little play stacking the
+    modules the wheel members may be able to su to root without being prompted
+    for a passwd).
+
+use_uid
+
+    The check for wheel membership will be done against the current uid instead
+    of the original one (useful when jumping with su from one account to
+    another for example).
+
+EXAMPLES
+
+The root account gains access by default (rootok), only wheel members can
+become root (wheel) but Unix authenticate non-root applicants.
+
+su      auth     sufficient     pam_rootok.so
+su      auth     required       pam_wheel.so
+su      auth     required       pam_unix.so
+
+
+AUTHOR
+
+pam_wheel was written by Cristian Gafton <gafton@redhat.com>.
 
diff --git a/modules/pam_wheel/README.xml b/modules/pam_wheel/README.xml
new file mode 100644 (file)
index 0000000..9e33d7f
--- /dev/null
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_wheel.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_wheel-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/>
+  </section>
+
+</article>
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8
new file mode 100644 (file)
index 0000000..aaecc1a
--- /dev/null
@@ -0,0 +1,101 @@
+.\"     Title: pam_wheel
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/09/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_wheel \- Only permit root access to members of group wheel
+.SH "SYNOPSIS"
+.HP 13
+\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
+.SH "DESCRIPTION"
+.PP
+The pam_wheel PAM module is used to enforce the so\-called
+\fIwheel\fR
+group. By default it permits root access to the system if the applicant user is a member of the
+\fIwheel\fR
+group. If no group with this name exist, the module is using the group with the group\-ID
+\fB0\fR.
+.SH "OPTIONS"
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.TP 3n
+\fBdeny\fR
+Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
+\fBgroup\fR
+option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless
+\fBtrust\fR
+was also specified, in which case we return PAM_SUCCESS).
+.TP 3n
+\fBgroup=\fR\fB\fIname\fR\fR
+Instead of checking the wheel or GID 0 groups, use the
+\fB\fIname\fR\fR
+group to perform the authentification.
+.TP 3n
+\fBroot_only\fR
+The check for wheel membership is done only.
+.TP 3n
+\fBtrust\fR
+The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
+.TP 3n
+\fBuse_uid\fR
+The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example).
+.SH "MODULE SERVICES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBaccount\fR
+services are supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+Authentication failure.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_IGNORE
+The return value should be ignored by PAM dispatch.
+.TP 3n
+PAM_PERM_DENY
+Permission denied.
+.TP 3n
+PAM_SERVICE_ERR
+Cannot determine the user name.
+.TP 3n
+PAM_SUCCESS
+Success.
+.TP 3n
+PAM_USER_UNKNOWN
+User not known.
+.SH "EXAMPLES"
+.PP
+The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants.
+.sp
+.RS 3n
+.nf
+su      auth     sufficient     pam_rootok.so
+su      auth     required       pam_wheel.so
+su      auth     required       pam_unix.so
+      
+.fi
+.RE
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_wheel was written by Cristian Gafton <gafton@redhat.com>.
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
new file mode 100644 (file)
index 0000000..f3d2fb4
--- /dev/null
@@ -0,0 +1,242 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+       "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_wheel">
+
+  <refmeta>
+    <refentrytitle>pam_wheel</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_wheel-name">
+    <refname>pam_wheel</refname>
+    <refpurpose>Only permit root access to members of group wheel</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_wheel-cmdsynopsis">
+      <command>pam_wheel.so</command>
+      <arg choice="opt">
+       debug
+      </arg>
+      <arg choice="opt">
+        deny
+      </arg>
+      <arg choice="opt">
+       group=<replaceable>name</replaceable>
+      </arg>
+      <arg choice="opt">
+       root_only
+      </arg>
+      <arg choice="opt">
+       trust
+      </arg>
+      <arg choice="opt">
+       use_uid
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_wheel-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The pam_wheel PAM module is used to enforce the so-called
+      <emphasis>wheel</emphasis> group. By default it permits root
+      access to the system if the applicant user is a member of the
+      <emphasis>wheel</emphasis> group. If no group with this name exist,
+      the module is using the group with the group-ID
+      <emphasis remap='B'>0</emphasis>.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_wheel-options">
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+            Print debug information.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>deny</option>
+        </term>
+        <listitem>
+          <para>
+            Reverse the sense of the auth operation: if the user
+            is trying to get UID 0 access and is a member of the
+            wheel group (or the group of the <option>group</option> option),
+            deny access. Conversely, if the user is not in the group, return
+            PAM_IGNORE (unless <option>trust</option> was also specified,
+            in which case we return PAM_SUCCESS).
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>group=<replaceable>name</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Instead of checking the wheel or GID 0 groups, use
+            the <option><replaceable>name</replaceable></option> group
+            to perform the authentification.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>root_only</option>
+        </term>
+        <listitem>
+          <para>
+            The check for wheel membership is done only.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>trust</option>
+        </term>
+        <listitem>
+          <para>
+            The pam_wheel module will return PAM_SUCCESS instead
+            of PAM_IGNORE if the user is a member of the wheel group
+            (thus with a little play stacking the modules the wheel
+            members may be able to su to root without being prompted
+            for a passwd).
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>use_uid</option>
+        </term>
+        <listitem>
+          <para>
+            The check for wheel membership will be done against
+            the current uid instead of the original one (useful when
+            jumping with su from one account to another for example).
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_wheel-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      The <emphasis remap='B'>auth</emphasis> and
+      <emphasis remap='B'>account</emphasis> services are supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+           <para>
+             Authentication failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+          <para>
+            The return value should be ignored by PAM dispatch.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENY</term>
+        <listitem>
+          <para>
+            Permission denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SERVICE_ERR</term>
+        <listitem>
+          <para>
+           Cannot determine the user name.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>
+            Success.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User not known.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      The root account gains access by default (rootok), only wheel
+      members can become root (wheel) but Unix authenticate non-root
+      applicants.
+      <programlisting>
+su      auth     sufficient     pam_rootok.so
+su      auth     required       pam_wheel.so
+su      auth     required       pam_unix.so
+      </programlisting>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+       <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_wheel was written by Cristian Gafton &lt;gafton@redhat.com&gt;.
+      </para>
+  </refsect1>
+
+</refentry>
index 78ff1d789e11097ff023970fbb290fa74d2cd03d..8f1d56b01d85233ea774596b9464b0fd30778ec4 100644 (file)
@@ -4,9 +4,10 @@
 
 CLEANFILES = *~
 
-man_MANS = pam_xauth.8
+EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_xauth
 
-EXTRA_DIST = README ${MANS} tst-pam_xauth
+man_MANS = pam_xauth.8
+XMLS = README.xml pam_xauth.8.xml
 
 TESTS = tst-pam_xauth
 
@@ -21,3 +22,10 @@ if HAVE_VERSIONING
 endif
 
 securelib_LTLIBRARIES = pam_xauth.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_xauth.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
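Review bot: The `-include $(top_srcdir)/Make.xml.rules` line inside the `ENABLE_REGENERATE_MAN` block makes GNU make ignore a missing or unreadable rules file, so a build with regeneration enabled can finish cleanly while README (and presumably pam_xauth.8) stays stale. This page documents which users receive X authority keys, so an out-of-date copy is worth failing loudly for. Unless the dash is there to keep automake from processing the fragment, a plain `include $(top_srcdir)/Make.xml.rules` would surface the problem. The `README: pam_xauth.8.xml` rule also names only one of the two inputs, because README.xml from this commit pulls the text in through XInclude; unless Make.xml.rules (not visible here) already adds it, the line should read `README: README.xml pam_xauth.8.xml`. Since the rule carries no recipe in this file, a comment such as `# recipe for README comes from Make.xml.rules` would help the next reader.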
index 97916b8f4e89d9b3078d91201b7ba939f948e5d7..1e134d702432b7f6f0a614b1b073c39e50fe43c5 100644 (file)
@@ -1,42 +1,90 @@
-pam_xauth:
-       Forward xauth cookies from user to user, normally used by su, sudo, or
-       userhelper.
-
-       Primitive access control is provided by ~/.xauth/export in the invoking
-       user's home directory and ~/.xauth/import in the target user's home
-       directory.
-
-       If a user has a ~/.xauth/import file, the user will only receive cookies
-       from users listed in the file.  If there is no ~/.xauth/import file,
-       the user will accept cookies from any other user.
-
-       If a user has a .xauth/export file, the user will only forward cookies
-       to users listed in the file.  If there is no ~/.xauth/export file, and
-       the invoking user is not "root", the user will forward cookies to
-       any other user.  If there is no ~/.xauth/export file, and the invoking
-       user is "root", the user will NOT forward cookies to other users.
-
-       Both the import and export files support wildcards (such as "*").  Both
-       the import and export files can be empty, signifying that no users are
-       allowed.
-
-RECOGNIZED ARGUMENTS:
-       debug           write debugging messages to syslog
-       xauthpath=      the path to the xauth program, by default
-                       /usr/X11R6/bin/xauth, /usr/bin/xauth and
-                       /usr/bin/X11/xauth
-       systemuser=     highest user id assigned to system users, defaults
-                       to 499 (pam_xauth will refuse to forward creds to
-                       target users with id equal to or below this number,
-                       except for root and possibly another specified user)
-       targetuser=     a target user id which is excepted from the systemuser
-                       checks
-
-
-MODULE SERVICES PROVIDED:
-       session         open session copies xauth cookie to new user
-                       close session deletes copied xauth cookie
-
-AUTHOR:
-       Nalin Dahyabhai <nalin@redhat.com>, based on original version by
-       Michael K. Johnson <johnsonm@redhat.com>
+pam_xauth — PAM module to forward xauth keys between users
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_xauth PAM module is designed to forward xauth keys (sometimes referred
+to as "cookies") between users.
+
+Without pam_xauth, when xauth is enabled and a user uses the su(1) command to
+assume another user's priviledges, that user is no longer able to access the
+original user's X display because the new user does not have the key needed to
+access the display. pam_xauth solves the problem by forwarding the key from the
+user running su (the source user) to the user whose identity the source user is
+assuming (the target user) when the session is created, and destroying the key
+when the session is torn down.
+
+This means, for example, that when you run su(1) from an xterm sesssion, you
+will be able to run X programs without explicitly dealing with the xauth(1)
+xauth command or ~/.Xauthority files.
+
+pam_xauth will only forward keys if xauth can list a key connected to the
+$DISPLAY environment variable.
+
+Primitive access control is provided by ~/.xauth/export in the invoking user's
+home directory and ~/.xauth/import in the target user's home directory.
+
+If a user has a ~/.xauth/import file, the user will only receive cookies from
+users listed in the file. If there is no ~/.xauth/import file, the user will
+accept cookies from any other user.
+
+If a user has a .xauth/export file, the user will only forward cookies to users
+listed in the file. If there is no ~/.xauth/export file, and the invoking user
+is not root, the user will forward cookies to any other user. If there is no ~
+/.xauth/export file, and the invoking user is root, the user will not forward
+cookies to other users.
+
+Both the import and export files support wildcards (such as *). Both the import
+and export files can be empty, signifying that no users are allowed.
+
+OPTIONS
+
+debug
+
+    Print debug information.
+
+xauthpath=/path/to/xauth
+
+    Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth,
+    /usr/bin/xauth, or /usr/bin/X11/xauth by default).
+
+systemuser=UID
+
+    Specify the highest UID which will be assumed to belong to a "system" user.
+    pam_xauth will refuse to forward credentials to users with UID less than or
+    equal to this number, except for root and the "targetuser", if specified.
+
+targetuser=UID
+
+    Specify a single target UID which is exempt from the systemuser check.
+
+EXAMPLES
+
+Add the following line to /etc/pam.d/su to forward xauth keys between users
+when calling su:
+
+session  optional  pam_xauth.so
+
+
+IMPLEMENTATION DETAILS
+
+pam_xauth will work only if it is used from a setuid application in which the
+getuid() call returns the id of the user running the application, and for which
+PAM can supply the name of the account that the user is attempting to assume.
+The typical application of this type is su(1). The application must call both
+pam_open_session() and pam_close_session() with the ruid set to the uid of the
+calling user and the euid set to root, and must have provided as the PAM_USER
+item the name of the target user.
+
+pam_xauth calls xauth(1) the source user to extract the key for $DISPLAY, then
+calls xauth as the target user to merge the key into the a temporary database
+and later remove the database.
+
+pam_xauth cannot be told to not remove the keys when the session is closed.
+
+AUTHOR
+
+pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original
+version by Michael K. Johnson <johnsonm@redhat.com>.
+
diff --git a/modules/pam_xauth/README.xml b/modules/pam_xauth/README.xml
new file mode 100644 (file)
index 0000000..adefbd9
--- /dev/null
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_xauth.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_xauth.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_xauth-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-implementation"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/>
+  </section>
+
+</article>
index 897b43fa3a33b7931b432feba93456f439aa4e3b..85f5dbf3031d1356ae37aedf0ba6bd660c0e96bf 100644 (file)
-.\" Copyright 2001,2003 Red Hat, Inc.
-.\" Written by Nalin Dahyabhai <nalin@redhat.com>, based on the original
-.\" version by Michael K. Johnson
-.TH pam_xauth 8 2005/10/20 "Red Hat Linux" "System Administrator's Manual"
-.SH NAME
-pam_xauth \- forward xauth keys between users
-.SH SYNOPSIS
-.B session optional pam_xauth.so \fIarguments\fP
-.SH DESCRIPTION
-pam_xauth.so is designed to forward xauth keys (sometimes referred
-to as "cookies") between users.
-
-Without pam_xauth, when xauth is enabled and a user uses the \fBsu\fP command
-to assume another user's priviledges, that user is no longer able to access
-the original user's X display because the new user does not have the key
-needed to access the display.  pam_xauth solves the problem by forwarding the
-key from the user running su (the source user) to the user whose
-identity the source user is assuming (the target user) when the session
-is created, and destroying the key when the session is torn down.
-
-This means, for example, that when you run \fBsu\fP from an xterm sesssion,
-you will be able to run X programs without explicitly dealing with the
+.\"     Title: pam_xauth
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/09/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_XAUTH" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_xauth \- PAM module to forward xauth keys between users
+.SH "SYNOPSIS"
+.HP 13
+\fBpam_xauth.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users.
+.PP
+Without pam_xauth, when xauth is enabled and a user uses the
+\fBsu\fR(1)
+command to assume another user's priviledges, that user is no longer able to access the original user's X display because the new user does not have the key needed to access the display. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down.
+.PP
+This means, for example, that when you run
+\fBsu\fR(1)
+from an xterm sesssion, you will be able to run X programs without explicitly dealing with the
+\fBxauth\fR(1)
 xauth command or ~/.Xauthority files.
-
-pam_xauth will only forward keys if xauth can list a key connected
-to the $DISPLAY environment variable.
-
-Primitive access control is provided by \fB~/.xauth/export\fP in the invoking
-user's home directory and \fB~/.xauth/import\fP in the target user's home
-directory.
-
-If a user has a \fB~/.xauth/import\fP file, the user will only receive cookies
-from users listed in the file.  If there is no \fB~/.xauth/import\fP file,
-the user will accept cookies from any other user.
-
-If a user has a \fB.xauth/export\fP file, the user will only forward cookies
-to users listed in the file.  If there is no \fB~/.xauth/export\fP file, and
-the invoking user is not \fBroot\fP, the user will forward cookies to
-any other user.  If there is no \fB~/.xauth/export\fP file, and the invoking
-user is \fBroot\fP, the user will \fInot\fP forward cookies to other users.
-
-Both the import and export files support wildcards (such as \fI*\fP).  Both
-the import and export files can be empty, signifying that no users are allowed.
-
-.SH ARGUMENTS
-.IP debug
-Turns on debugging messages sent to syslog.
-.IP xauthpath=\fI/path/to/xauth\fP
-Specify the path the xauth program (it is expected in \fB/usr/X11R6/bin/xauth,\fP
-or \fB/usr/bin/xauth\fP, or \fB/usr/bin/X11/xauth\fP by default).
-.IP systemuser=\fInumber\fP
-Specify the highest UID which will be assumed to belong to a "system" user.
-pam_xauth will refuse to forward credentials to users with UID less than or
-equal to this number, except for root and the "targetuser", if specified.
-.IP targetuser=\fInumber\fP
+.PP
+pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable.
+.PP
+Primitive access control is provided by
+\fI~/.xauth/export\fR
+in the invoking user's home directory and
+\fI~/.xauth/import\fR
+in the target user's home directory.
+.PP
+If a user has a
+\fI~/.xauth/import\fR
+file, the user will only receive cookies from users listed in the file. If there is no
+\fI~/.xauth/import\fR
+file, the user will accept cookies from any other user.
+.PP
+If a user has a
+\fI.xauth/export\fR
+file, the user will only forward cookies to users listed in the file. If there is no
+\fI~/.xauth/export\fR
+file, and the invoking user is not
+\fBroot\fR, the user will forward cookies to any other user. If there is no
+\fI~/.xauth/export\fR
+file, and the invoking user is
+\fBroot\fR, the user will
+\fInot\fR
+forward cookies to other users.
+.PP
+Both the import and export files support wildcards (such as
+\fI*\fR). Both the import and export files can be empty, signifying that no users are allowed.
+.SH "OPTIONS"
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.TP 3n
+\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR
+Specify the path the xauth program (it is expected in
+\fI/usr/X11R6/bin/xauth\fR,
+\fI/usr/bin/xauth\fR, or
+\fI/usr/bin/X11/xauth\fR
+by default).
+.TP 3n
+\fBsystemuser=\fR\fB\fIUID\fR\fR
+Specify the highest UID which will be assumed to belong to a "system" user. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified.
+.TP 3n
+\fBtargetuser=\fR\fB\fIUID\fR\fR
 Specify a single target UID which is exempt from the systemuser check.
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+service is supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_PERM_DENIED
+Permission denied by import/export file.
+.TP 3n
+PAM_SESSION_ERR
+Cannot determine user name, UID or access users home directory.
+.TP 3n
+PAM_SUCCESS
+Success.
+.TP 3n
+PAM_USER_UNKNOWN
+User not known.
+.SH "EXAMPLES"
+.PP
+Add the following line to
+\fI/etc/pam.d/su\fR
+to forward xauth keys between users when calling su:
+.sp
+.RS 3n
+.nf
+session  optional  pam_xauth.so
+      
+.fi
+.RE
+.sp
 .SH "IMPLEMENTATION DETAILS"
-pam_xauth will work \fIonly\fP if it is used from a setuid application
-in which the getuid() call returns the id of the user running the
-application, and for which PAM can supply the name of the account that
-the user is attempting to assume.  The typical application of this
-type is \fBsu\fP.  The application must call both pam_open_session() and
-pam_close_session() with the ruid set to the uid of the calling user
-and the euid set to root, and must have provided as the PAM_USER item
-the name of the target user.
-
-pam_xauth calls \fBxauth\fP as the source user to extract the key for
-$DISPLAY, then calls xauth as the target user to merge the key
-into the a temporary database and later remove the database.
-
-pam_xauth cannot be told not to remove the keys when the session
-is closed.
+.PP
+pam_xauth will work
+\fIonly\fR
+if it is used from a setuid application in which the
+\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume. The typical application of this type is
+\fBsu\fR(1). The application must call both
+\fBpam_open_session\fR() and
+\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user.
+.PP
+pam_xauth calls
+\fBxauth\fR(1)
+the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database.
+.PP
+pam_xauth cannot be told to not remove the keys when the session is closed.
+.SH "FILES"
+.TP 3n
+\fI~/.xauth/import\fR
+XXX
+.TP 3n
+\fI~/.xauth/export\fR
+XXX
 .SH "SEE ALSO"
-\fI/usr/share/doc/pam*/html/index.html\fP
-.SH FILES
-\fI~/.xauth/import\fP
-\fI~/.xauth/export\fP
-.SH BUGS
-Let's hope not, but if you find any, please report them via the "Bug Track"
-link at http://bugzilla.redhat.com/bugzilla/
-.SH AUTHOR
-Nalin Dahyabhai <nalin@redhat.com>, based on original version by
-Michael K. Johnson <johnsonm@redhat.com>
+.PP
+
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original version by Michael K. Johnson <johnsonm@redhat.com>.
diff --git a/modules/pam_xauth/pam_xauth.8.xml b/modules/pam_xauth/pam_xauth.8.xml
new file mode 100644 (file)
index 0000000..94453d0
--- /dev/null
@@ -0,0 +1,293 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+       "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_xauth">
+
+  <refmeta>
+    <refentrytitle>pam_xauth</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_xauth-name">
+    <refname>pam_xauth</refname>
+    <refpurpose>PAM module to forward xauth keys between users</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_xauth-cmdsynopsis">
+      <command>pam_xauth.so</command>
+      <arg choice="opt">
+       debug
+      </arg>
+      <arg choice="opt">
+        xauthpath=<replaceable>/path/to/xauth</replaceable>
+      </arg>
+      <arg choice="opt">
+        systemuser=<replaceable>UID</replaceable>
+      </arg>
+      <arg choice="opt">
+        targetuser=<replaceable>UID</replaceable>
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_xauth-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The pam_xauth PAM module is designed to forward xauth keys
+      (sometimes referred to as "cookies") between users.
+    </para>
+    <para>
+      Without pam_xauth, when xauth is enabled and a user uses the
+       <citerefentry>
+        <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> command to assume another user's priviledges,
+      that user is no longer able to access the original user's X display
+      because the new user does not have the key needed to access the
+      display. pam_xauth solves the problem by forwarding the key from
+      the user running su (the source user) to the user whose identity the
+      source user is assuming (the target user) when the session is created,
+      and destroying the key when the session is torn down.
+    </para>
+    <para>
+      This means, for example, that when you run
+       <citerefentry>
+        <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> from an xterm sesssion, you will be able to run
+      X programs without explicitly dealing with the
+      <citerefentry>
+        <refentrytitle>xauth</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> xauth command or ~/.Xauthority files.
+    </para>
+    <para>
+      pam_xauth will only forward keys if xauth can list a key connected
+      to the $DISPLAY environment variable.
+    </para>
+    <para>
+      Primitive access control is provided by
+      <filename>~/.xauth/export</filename> in the invoking user's home
+      directory and <filename>~/.xauth/import</filename> in the target
+      user's home directory.
+    </para>
+    <para>
+      If a user has a <filename>~/.xauth/import</filename> file, the user
+      will only receive cookies from users listed in the file. If there is
+      no <filename>~/.xauth/import</filename> file, the user will accept
+      cookies from any other user.
+    </para>
+    <para>
+      If a user has a <filename>.xauth/export</filename> file, the user will
+      only forward cookies to users listed in the file. If there is no
+      <filename>~/.xauth/export</filename> file, and the invoking user is
+      not <emphasis remap='B'>root</emphasis>, the user will forward cookies
+      to any other user. If there is no <filename>~/.xauth/export</filename>
+      file, and the invoking user is <emphasis remap='B'>root</emphasis>,
+      the user will <emphasis remap='I'>not</emphasis> forward cookies to
+      other users.
+    </para>
+    <para>
+      Both the import and export files support wildcards (such as
+      <emphasis remap='I'>*</emphasis>). Both the import and export files
+      can be empty, signifying that no users are allowed.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_xauth-options">
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+           Print debug information.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>xauthpath=<replaceable>/path/to/xauth</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Specify the path the xauth program (it is expected in
+            <filename>/usr/X11R6/bin/xauth</filename>,
+            <filename>/usr/bin/xauth</filename>, or
+            <filename>/usr/bin/X11/xauth</filename> by default).
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>systemuser=<replaceable>UID</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Specify the highest UID which will be assumed to belong to a
+            "system" user. pam_xauth will refuse to forward credentials to
+            users with UID less than or equal to this number, except for
+            root and the "targetuser", if specified.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>targetuser=<replaceable>UID</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Specify  a single target UID which is exempt from the
+            systemuser check.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_xauth-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      Only the <emphasis remap='B'>session</emphasis> service is supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_xauth-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_PERM_DENIED</term>
+        <listitem>
+          <para>
+            Permission denied by import/export file.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_SESSION_ERR</term>
+        <listitem>
+          <para>
+           Cannot determine user name, UID or access users home directory.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>
+            Success.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User not known.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_xauth-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      Add the following line to <filename>/etc/pam.d/su</filename> to
+      forward xauth keys between users when calling su:
+      <programlisting>
+session  optional  pam_xauth.so
+      </programlisting>
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_xauth-implementation">
+    <title>IMPLEMENTATION DETAILS</title>
+    <para>
+      pam_xauth will work <emphasis remap='I'>only</emphasis> if it is
+      used from a setuid application in which the
+      <function>getuid</function>() call returns the id of the user
+      running the application, and for which PAM can supply the name
+      of the account that the user is attempting to assume. The typical
+      application of this type is
+      <citerefentry>
+       <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>.
+      The application must call both <function>pam_open_session</function>()
+      and <function>pam_close_session</function>() with the ruid set to the
+      uid of the calling user and the euid set to root, and must have
+      provided as the PAM_USER item the name of the target user.
+    </para>
+    <para>
+      pam_xauth calls
+      <citerefentry>
+       <refentrytitle>xauth</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry> the source user to extract the key for $DISPLAY,
+      then calls xauth as the target user to merge the key into the a
+      temporary database and later remove the database.
+    </para>
+    <para>
+      pam_xauth cannot be told to not remove the keys when the session
+      is closed.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_lastlog-files">
+    <title>FILES</title>
+    <variablelist>
+      <varlistentry>
+        <term><filename>~/.xauth/import</filename></term>
+        <listitem>
+          <para>XXX</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename>~/.xauth/export</filename></term>
+        <listitem>
+          <para>XXX</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+
+  <refsect1 id='pam_xauth-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+       <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+       <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_xauth-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_xauth was written by Nalin Dahyabhai &lt;nalin@redhat.com&gt;,
+        based on original version by
+        Michael K. Johnson &lt;johnsonm@redhat.com&gt;.
+      </para>
+  </refsect1>
+
+</refentry>