* libpam/pam_static_modules.h: Fix name of pam_namespace variable.
+2007-11-01 Peter Breitenlohner <peb@mppmu.mpg.de>
+
+ * doc/man/pam_conv.3.xml: Correct typo.
+
2007-10-30 Peter Breitenlohner <peb@mppmu.mpg.de>
+ * modules/pam_cracklib/pam_cracklib.8.xml: Correct typo.
+ * modules/pam_limits/limits.conf.5.xml: Likewise.
+ * modules/pam_listfile/pam_listfile.8.xml: Likewise.
+ * modules/pam_xauth/pam_xauth.8.xml: Likewise.
+
+ * modules/pam_deny/pam_deny.8.xml: Correct spelling.
+ * modules/pam_group/pam_group.8.xml: Likewise.
+ * modules/pam_permit/pam_permit.8.xml: Likewise.
+ * modules/pam_shells/pam_shells.8.xml: Likewise.
+ * modules/pam_time/pam_time.8.xml: Likewise.
+ * modules/pam_warn/pam_warn.8.xml: Likewise.
+
* tests/tst-dlopen.c: Return 77 in case of static modules, such that
all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL.
* libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead
* xtests/tst-pam_substack5.sh: Likewise.
2007-10-18 Tomas Mraz <t8m@centrum.cz>
+
* xtests/tst-pam_dispatch4.c: Fix comment about the test.
* xtests/tst-pam_dispatch4.pamd: Improve the testcase.
* xtests/tst-pam_cracklib2.c: Make the testcase more robust.
* xtests/tst-pam_dispatch5.pamd: New test configuration.
2007-10-09 Tomas Mraz <t8m@centrum.cz>
+
* modules/pam_tally/pam_tally.8.xml: Document audit option
correctly.
.\" Title: pam_conv
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/27/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CONV" "3" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_conv \- PAM conversation function
+pam_conv - PAM conversation function
.SH "SYNOPSIS"
.sp
.ft B
.nf
-#include <security/pam_appl.h>
+#include <security/pam_appl\.h>
.fi
.ft
.sp
-.RS 3n
+.RS 4
.nf
struct pam_message {
int msg_style;
.RE
.SH "DESCRIPTION"
.PP
-The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the
+The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\. This callback is specified by the
\fIstruct pam_conv\fR
passed to
\fBpam_start\fR(3)
-at the start of the transaction.
+at the start of the transaction\.
.PP
When a module calls the referenced conv() function, the argument
\fIappdata_ptr\fR
-is set to the second element of this structure.
+is set to the second element of this structure\.
.PP
-The other arguments of a call to conv() concern the information exchanged by module and application. That is to say,
+The other arguments of a call to conv() concern the information exchanged by module and application\. That is to say,
\fInum_msg\fR
holds the length of the array of pointers,
-\fImsg\fR. After a successful return, the pointer
+\fImsg\fR\. After a successful return, the pointer
\fIresp\fR
-points to an array of pam_response structures, holding the application supplied text. The
+points to an array of pam_response structures, holding the application supplied text\. The
\fIresp_retcode\fR
-member of this struct is unused and should be set to zero. It is the caller's responsibility to release both, this array and the responses themselves, using
-\fBfree\fR(3). Note,
+member of this struct is unused and should be set to zero\. It is the caller\'s responsibility to release both, this array and the responses themselves, using
+\fBfree\fR(3)\. Note,
\fI*resp\fR
is a
\fIstruct pam_response\fR
-array and not an array of pointers.
+array and not an array of pointers\.
.PP
The number of responses is always equal to the
\fInum_msg\fR
-conversation function argument. This does require that the response array is
-\fBfree\fR(3)'d after every call to the conversation function. The index of the responses corresponds directly to the prompt index in the pam_message array.
+conversation function argument\. This does require that the response array is
+\fBfree\fR(3)\'d after every call to the conversation function\. The index of the responses corresponds directly to the prompt index in the pam_message array\.
.PP
-On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes.
+On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\.
.PP
Each message can have one of four types, specified by the
\fImsg_style\fR
member of
\fIstruct pam_message\fR:
-.TP 3n
+.PP
PAM_PROMPT_ECHO_OFF
-Obtain a string without echoing any text.
-.TP 3n
+.RS 4
+Obtain a string without echoing any text\.
+.RE
+.PP
PAM_PROMPT_ECHO_ON
-Obtain a string whilst echoing text.
-.TP 3n
+.RS 4
+Obtain a string whilst echoing text\.
+.RE
+.PP
PAM_ERROR_MSG
-Display an error message.
-.TP 3n
+.RS 4
+Display an error message\.
+.RE
+.PP
PAM_TEXT_INFO
-Display some text.
+.RS 4
+Display some text\.
+.RE
.PP
-The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once.
+The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\.
.PP
-In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris' PAM (and derivitives, known to include HP/UX, are there others?) does. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[]). Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_meg read only 'struct pam_message' pointers. Solaris' PAM implementation interprets this argument as a pointer to a pointer to an array of num_meg pam_message structures. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems.
+In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) does\. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\.
.PP
For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are:
-.TP 3n
-\(bu
-never call the conversation function with num_msg greater than one.
-.TP 3n
-\(bu
-set up msg as doubly referenced so both types of conversation function can find the messages. That is, make
.sp
-.RS 3n
+.RS 4
+\h'-04'\(bu\h'+03'never call the conversation function with num_msg greater than one\.
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'set up msg as doubly referenced so both types of conversation function can find the messages\. That is, make
+.sp
+.RS 4
.nf
msg[n] = & (( *msg )[n])
.fi
.RE
+.RE
.SH "RETURN VALUES"
-.TP 3n
+.PP
PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
PAM_CONV_ERR
-Conversation failure. The application should not set
-\fI*resp\fR.
-.TP 3n
+.RS 4
+Conversation failure\. The application should not set
+\fI*resp\fR\.
+.RE
+.PP
PAM_SUCCESS
-Success.
+.RS 4
+Success\.
+.RE
.SH "SEE ALSO"
.PP
const struct pam_message *msg[] (which, in spirit, is consistent with
the commonly used prototypes for argv argument to the familiar main()
function: char **argv; and char *argv[]). Said another way Linux-PAM
- interprets the msg argument as a pointer to an array of num_meg read
+ interprets the msg argument as a pointer to an array of num_msg read
only 'struct pam_message' pointers. Solaris' PAM implementation
interprets this argument as a pointer to a pointer to an array of
- num_meg pam_message structures. Fortunately, perhaps, for most
+ num_msg pam_message structures. Fortunately, perhaps, for most
module/application developers when num_msg has a value of one these
two definitions are entirely equivalent. Unfortunately, casually
raising this number to two has led to unanticipated compatibility
.\" Title: pam_cracklib
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: 06/20/2007
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_CRACKLIB" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CRACKLIB" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_cracklib \- PAM module to check the password against dictionary words
+pam_cracklib - PAM module to check the password against dictionary words
.SH "SYNOPSIS"
.HP 16
-\fBpam_cracklib.so\fR [\fI...\fR]
+\fBpam_cracklib\.so\fR [\fI\.\.\.\fR]
.SH "DESCRIPTION"
.PP
This module can be plugged into the
\fIpassword\fR
-stack of a given application to provide some plug\-in strength\-checking for passwords.
+stack of a given application to provide some plug\-in strength\-checking for passwords\.
.PP
-The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.
+The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\.
.PP
-The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.
+The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\.
.PP
The strength checks works in the following manner: at first the
\fBCracklib\fR
-routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are:
+routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\. These checks are:
.PP
Palindrome
.RS 4
.RS 4
Is the new password too much like the old one? This is primarily controlled by one argument,
\fBdifok\fR
-which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller.
+which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\.
.sp
To avoid the lockup associated with trying to change a long and complicated password,
\fBdifignore\fR
-is available. This argument can be used to specify the minimum length a new password needs to be before the
+is available\. This argument can be used to specify the minimum length a new password needs to be before the
\fBdifok\fR
-value is ignored. The default value for
+value is ignored\. The default value for
\fBdifignore\fR
-is 23.
+is 23\.
.RE
.PP
Simple
\fBdcredit\fR,
\fBucredit\fR,
\fBlcredit\fR, and
-\fBocredit\fR. See the section on the arguments for the details of how these work and there defaults.
+\fBocredit\fR\. See the section on the arguments for the details of how these work and there defaults\.
.RE
.PP
Rotated
Already used
.RS 4
Was the password used in the past? Previously used passwords are to be found in
-\fI/etc/security/opasswd\fR.
+\fI/etc/security/opasswd\fR\.
.RE
.PP
-This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password.
+This module with no arguments will work well for standard unix password encryption\. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\.\.\. In addition, the default action is to allow passwords as small as 5 characters in length\. For a md5 systems it can be a good idea to increase the required minimum size of a password\. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\.
.SH "OPTIONS"
.PP
.PP
.RS 4
This option makes the module write information to
\fBsyslog\fR(3)
-indicating the behavior of the module (this option does not write password information to the log file).
+indicating the behavior of the module (this option does not write password information to the log file)\.
.RE
.PP
\fBtype=\fR\fB\fIXXX\fR\fR
.RS 4
-The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word
+The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\. The default word
\fIUNIX\fR
-can be replaced with this option.
+can be replaced with this option\.
.RE
.PP
\fBretry=\fR\fB\fIN\fR\fR
.RS 4
Prompt user at most
\fIN\fR
-times before returning with error. The default is
+times before returning with error\. The default is
\fI1\fR
.RE
.PP
.RS 4
This argument will change the default of
\fI5\fR
-for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
+for the number of characters in the new password that must not be present in the old password\. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\.
.RE
.PP
\fBdifignore=\fR\fB\fIN\fR\fR
.RS 4
-How many characters should the password have before difok will be ignored. The default is
-\fI23\fR.
+How many characters should the password have before difok will be ignored\. The default is
+\fI23\fR\.
.RE
.PP
\fBminlen=\fR\fB\fIN\fR\fR
.RS 4
-The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR,
+The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR,
\fIupper\fR,
\fIlower\fR
and
-\fIdigit\fR). The default for this parameter is
+\fIdigit\fR)\. The default for this parameter is
\fI9\fR
-which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in
+which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\. Note that there is a pair of length limits in
\fICracklib\fR
itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to
-\fBminlen\fR. If you want to allow passwords as short as 5 characters you should not use this module.
+\fBminlen\fR\. If you want to allow passwords as short as 5 characters you should not use this module\.
.RE
.PP
\fBdcredit=\fR\fB\fIN\fR\fR
.RS 4
-(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having digits in the new password\. If you have less than or
\fIN\fR
digits, each digit will count +1 towards meeting the current
\fBminlen\fR
-value. The default for
+value\. The default for
\fBdcredit\fR
is 1 which is the recommended value for
\fBminlen\fR
-less than 10.
+less than 10\.
.sp
-(N < 0) This is the minimum number of digits that must be met for a new password.
+(N < 0) This is the minimum number of digits that must be met for a new password\.
.RE
.PP
\fBucredit=\fR\fB\fIN\fR\fR
.RS 4
-(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having upper case letters in the new password\. If you have less than or
\fIN\fR
upper case letters each letter will count +1 towards meeting the current
\fBminlen\fR
-value. The default for
+value\. The default for
\fBucredit\fR
is
\fI1\fR
which is the recommended value for
\fBminlen\fR
-less than 10.
+less than 10\.
.sp
-(N > 0) This is the minimum number of upper case letters that must be met for a new password.
+(N > 0) This is the minimum number of upper case letters that must be met for a new password\.
.RE
.PP
\fBlcredit=\fR\fB\fIN\fR\fR
.RS 4
-(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having lower case letters in the new password\. If you have less than or
\fIN\fR
lower case letters, each letter will count +1 towards meeting the current
\fBminlen\fR
-value. The default for
+value\. The default for
\fBlcredit\fR
is 1 which is the recommended value for
\fBminlen\fR
-less than 10.
+less than 10\.
.sp
-(N < 0) This is the minimum number of lower case letters that must be met for a new password.
+(N < 0) This is the minimum number of lower case letters that must be met for a new password\.
.RE
.PP
\fBocredit=\fR\fB\fIN\fR\fR
.RS 4
-(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or
+(N >= 0) This is the maximum credit for having other characters in the new password\. If you have less than or
\fIN\fR
other characters, each character will count +1 towards meeting the current
\fBminlen\fR
-value. The default for
+value\. The default for
\fBocredit\fR
is 1 which is the recommended value for
\fBminlen\fR
-less than 10.
+less than 10\.
.sp
-(N < 0) This is the minimum number of other characters that must be met for a new password.
+(N < 0) This is the minimum number of other characters that must be met for a new password\.
.RE
.PP
\fBminclass=\fR\fB\fIN\fR\fR
.RS 4
-The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the
+The minimum number of required classes of characters for the new password\. The default number is zero\. The four classes are digits, upper and lower letters and other characters\. The difference to the
\fBcredit\fR
-check is that a specific class if of characters is not required. Instead
+check is that a specific class if of characters is not required\. Instead
\fIN\fR
-out of four of the classes are required.
+out of four of the classes are required\.
.RE
.PP
\fBuse_authtok\fR
\fIforce\fR
the module to not prompt the user for a new password but use the one provided by the previously stacked
\fIpassword\fR
-module.
+module\.
.RE
.PP
\fBdictpath=\fR\fB\fI/path/to/dict\fR\fR
.RS 4
-Path to the cracklib dictionaries.
+Path to the cracklib dictionaries\.
.RE
.SH "MODULE SERVICES PROVIDED"
.PP
Only he
\fBpassword\fR
-service is supported.
+service is supported\.
.SH "RETURN VALUES"
.PP
.PP
PAM_SUCCESS
.RS 4
-The new password passes all checks.
+The new password passes all checks\.
.RE
.PP
PAM_AUTHTOK_ERR
.RS 4
-No new password was entered, the username could not be determined or the new password fails the strength checks.
+No new password was entered, the username could not be determined or the new password fails the strength checks\.
.RE
.PP
PAM_AUTHTOK_RECOVERY_ERR
.RS 4
-The old password was not supplied by a previous stackked module or got not requested from the user. The first error can happen if
+The old password was not supplied by a previous stacked module or got not requested from the user\. The first error can happen if
\fBuse_authtok\fR
-is specified.
+is specified\.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
-A internal error occured.
+A internal error occured\.
.RE
.SH "EXAMPLES"
.PP
.RS 4
.nf
#
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
+# These lines stack two password type modules\. In this example the
+# user is given 3 opportunities to enter a strong password\. The
# "use_authtok" argument ensures that the pam_unix module does not
# prompt for a password, but instead uses the one provided by
-# pam_cracklib.
+# pam_cracklib\.
#
-passwd password required pam_cracklib.so retry=3
-passwd password required pam_unix.so use_authtok
+passwd password required pam_cracklib\.so retry=3
+passwd password required pam_unix\.so use_authtok
.fi
.RE
-.sp
.PP
Another example (in the
-\fI/etc/pam.d/passwd\fR
+\fI/etc/pam\.d/passwd\fR
format) is for the case that you want to use md5 password encryption:
.sp
.RS 4
.nf
-#%PAM\-1.0
+#%PAM\-1\.0
#
# These lines allow a md5 systems to support passwords of at least 14
# bytes with extra credit of 2 for digits and 2 for others the new
# password must have at least three bytes that are not present in the
# old password
#
-password required pam_cracklib.so \\
+password required pam_cracklib\.so \e
difok=3 minlen=15 dcredit= 2 ocredit=2
-password required pam_unix.so use_authtok nullok md5
+password required pam_unix\.so use_authtok nullok md5
.fi
.RE
-.sp
.PP
-And here is another example in case you don't want to use credits:
+And here is another example in case you don\'t want to use credits:
.sp
.RS 4
.nf
-#%PAM\-1.0
+#%PAM\-1\.0
#
# These lines require the user to select a password with a minimum
# length of 8 and with at least 1 digit number, 1 upper case letter,
# and 1 other character
#
-password required pam_cracklib.so \\
+password required pam_cracklib\.so \e
dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8
-password required pam_unix.so use_authtok nullok md5
+password required pam_unix\.so use_authtok nullok md5
.fi
.RE
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
+pam_cracklib was written by Cristian Gafton <gafton@redhat\.com>
<term>PAM_AUTHTOK_RECOVERY_ERR</term>
<listitem>
<para>
- The old password was not supplied by a previous stackked
+ The old password was not supplied by a previous stacked
module or got not requested from the user.
The first error can happen if <option>use_authtok</option>
is specified.
.\" Title: pam_deny
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/21/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_DENY" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DENY" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_deny \- The locking\-out PAM module
+pam_deny - The locking-out PAM module
.SH "SYNOPSIS"
.HP 12
-\fBpam_deny.so\fR
+\fBpam_deny\.so\fR
.SH "DESCRIPTION"
.PP
-This module can be used to deny access. It always indicates a failure to the application through the PAM framework. It might be suitable for using for default (the
-\fIOTHER\fR) entries.
+This module can be used to deny access\. It always indicates a failure to the application through the PAM framework\. It might be suitable for using for default (the
+\fIOTHER\fR) entries\.
.SH "OPTIONS"
.PP
-This module does not recognice any options.
+This module does not recognise any options\.
.SH "MODULE SERVICES PROVIDED"
.PP
All services (\fBaccount\fR,
\fBauth\fR,
\fBpassword\fR
and
-\fBsession\fR) are supported.
+\fBsession\fR) are supported\.
.SH "RETURN VALUES"
.PP
-.TP 3n
+.PP
PAM_AUTH_ERR
-This is returned by the account and auth services.
-.TP 3n
+.RS 4
+This is returned by the account and auth services\.
+.RE
+.PP
PAM_CRED_ERR
-This is returned by the setcred function.
-.TP 3n
+.RS 4
+This is returned by the setcred function\.
+.RE
+.PP
PAM_AUTHTOK_ERR
-This is returned by the password service.
-.TP 3n
+.RS 4
+This is returned by the password service\.
+.RE
+.PP
PAM_SESSION_ERR
-This is returned by the session service.
+.RS 4
+This is returned by the session service\.
+.RE
.SH "EXAMPLES"
.sp
-.RS 3n
+.RS 4
.nf
-#%PAM\-1.0
+#%PAM\-1\.0
#
-# If we don't have config entries for a service, the
-# OTHER entries are used. To be secure, warn and deny
-# access to everything.
-other auth required pam_warn.so
-other auth required pam_deny.so
-other account required pam_warn.so
-other account required pam_deny.so
-other password required pam_warn.so
-other password required pam_deny.so
-other session required pam_warn.so
-other session required pam_deny.so
+# If we don\'t have config entries for a service, the
+# OTHER entries are used\. To be secure, warn and deny
+# access to everything\.
+other auth required pam_warn\.so
+other auth required pam_deny\.so
+other account required pam_warn\.so
+other account required pam_deny\.so
+other password required pam_warn\.so
+other password required pam_deny\.so
+other session required pam_warn\.so
+other session required pam_deny\.so
.fi
.RE
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_deny was written by Andrew G. Morgan <morgan@kernel.org>
+pam_deny was written by Andrew G\. Morgan <morgan@kernel\.org>
<refsect1 id="pam_deny-options">
<title>OPTIONS</title>
- <para>This module does not recognice any options.</para>
+ <para>This module does not recognise any options.</para>
</refsect1>
<refsect1 id="pam_deny-services">
.\" Title: pam_group
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/22/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_GROUP" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_GROUP" "8" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_group \- PAM module for group access
+pam_group - PAM module for group access
.SH "SYNOPSIS"
.HP 13
-\fBpam_group.so\fR
+\fBpam_group\.so\fR
.SH "DESCRIPTION"
.PP
-The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for.
+The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\.
.PP
By default rules for group memberships are taken from config file
-\fI/etc/security/group.conf\fR.
+\fI/etc/security/group\.conf\fR\.
.PP
-This module's usefulness relies on the file\-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a
+This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a
\fBsetgid\fR
-binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted
+binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted
\fInosuid\fR
-the user is unable to create or execute such a binary file. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted
-\fInosuid\fR.
+the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted
+\fInosuid\fR\.
.PP
The pam_group module fuctions in parallel with the
\fI/etc/group\fR
-file. If the user is granted any groups based on the behavior of this module, they are granted
+file\. If the user is granted any groups based on the behavior of this module, they are granted
\fIin addition\fR
to those entries
\fI/etc/group\fR
-(or equivalent).
+(or equivalent)\.
.SH "OPTIONS"
.PP
-This module does not recognice any options.
+This module does not recognise any options\.
.SH "MODULE SERVICES PROVIDED"
.PP
Only the
\fBauth\fR
-service is supported.
+service is supported\.
.SH "RETURN VALUES"
-.TP 3n
+.PP
PAM_SUCCESS
-group membership was granted.
-.TP 3n
+.RS 4
+group membership was granted\.
+.RE
+.PP
PAM_ABORT
-Not all relevant data could be gotten.
-.TP 3n
+.RS 4
+Not all relevant data could be gotten\.
+.RE
+.PP
PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
PAM_CRED_ERR
-Group membership was not granted.
-.TP 3n
+.RS 4
+Group membership was not granted\.
+.RE
+.PP
PAM_IGNORE
+.RS 4
\fBpam_sm_authenticate\fR
-was called which does nothing.
-.TP 3n
+was called which does nothing\.
+.RE
+.PP
PAM_USER_UNKNOWN
-The user is not known to the system.
+.RS 4
+The user is not known to the system\.
+.RE
.SH "FILES"
-.TP 3n
-\fI/etc/security/group.conf\fR
+.PP
+\fI/etc/security/group\.conf\fR
+.RS 4
Default configuration file
+.RE
.SH "SEE ALSO"
.PP
\fBgroup.conf\fR(5),
\fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
.SH "AUTHORS"
.PP
-pam_group was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_group was written by Andrew G\. Morgan <morgan@kernel\.org>\.
<refsect1 id="pam_group-options">
<title>OPTIONS</title>
- <para>This module does not recognice any options.</para>
+ <para>This module does not recognise any options.</para>
</refsect1>
<refsect1 id="pam_group-services">
.\" Title: limits.conf
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
-.\" Date: 08/30/2007
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\"
-.TH "LIMITS.CONF" "5" "08/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "LIMITS\.CONF" "5" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-limits.conf \- configuration file for the pam_limits module
+limits.conf - configuration file for the pam_limits module
.SH "DESCRIPTION"
.PP
The syntax of the lines is as follows:
.PP
\fB<domain>\fR
.RS 4
+.sp
.RS 4
\h'-04'\(bu\h'+03'a username
.RE
+.sp
.RS 4
\h'-04'\(bu\h'+03'a groupname, with
\fB@group\fR
-syntax. This should not be confused with netgroups.
+syntax\. This should not be confused with netgroups\.
.RE
+.sp
.RS 4
\h'-04'\(bu\h'+03'the wildcard
-\fB*\fR, for default entry.
+\fB*\fR, for default entry\.
.RE
+.sp
.RS 4
\h'-04'\(bu\h'+03'the wildcard
\fB%\fR, for maxlogins limit only, can also be used with
\fI%group\fR
-syntax.
+syntax\.
.RE
.RE
.PP
\fB<type>\fR
.RS 4
-.RS 4
.PP
\fBhard\fR
.RS 4
for enforcing
\fBhard\fR
-resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
+resource limits\. These limits are set by the superuser and enforced by the Kernel\. The user cannot raise his requirement of system resources above such values\.
.RE
.PP
\fBsoft\fR
.RS 4
for enforcing
\fBsoft\fR
-resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting
+resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-existing
\fBhard\fR
-limits. The values specified with this token can be thought of as
+limits\. The values specified with this token can be thought of as
\fIdefault\fR
-values, for normal system usage.
+values, for normal system usage\.
.RE
.PP
\fB\-\fR
\fBsoft\fR
and
\fBhard\fR
-resource limits together.
+resource limits together\.
.sp
-Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
-.RE
+Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \.
.RE
.RE
.PP
\fB<item>\fR
.RS 4
-.RS 4
.PP
\fBcore\fR
.RS 4
.PP
\fBlocks\fR
.RS 4
-maximum locked files (Linux 2.4 and higher)
+maximum locked files (Linux 2\.4 and higher)
.RE
.PP
\fBsigpending\fR
.RS 4
-maximum number of pending signals (Linux 2.6 and higher)
+maximum number of pending signals (Linux 2\.6 and higher)
.RE
.PP
\fBmsqqueue\fR
.RS 4
-maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
+maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher)
.RE
.PP
\fBnice\fR
.RS 4
-maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
+maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher)
.RE
.PP
\fBrtprio\fR
.RS 4
-maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher)
-.RE
+maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher)
.RE
.RE
.PP
In general, individual limits have priority over group limits, so if you impose no limits for
\fIadmin\fR
-group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
+group, but one of the members in this group have a limits line, the user will have its limits set according to this line\.
.PP
Also, please note that all limit settings are set
-\fIper login\fR. They are not global, nor are they permanent; existing only for the duration of the session.
+\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\.
.PP
In the
\fIlimits\fR
-configuration file, the '\fB#\fR' character introduces a comment \- after which the rest of the line is ignored.
+configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\.
.PP
The pam_limits module does its best to report configuration problems found in its configuration file via
-\fBsyslog\fR(3).
+\fBsyslog\fR(3)\.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
-\fI/etc/security/limits.conf\fR.
+\fI/etc/security/limits\.conf\fR\.
.sp
.RS 4
.nf
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_limits was initially written by Cristian Gafton <gafton@redhat.com>
+pam_limits was initially written by Cristian Gafton <gafton@redhat\.com>
<para>
for enforcing <emphasis remap='B'>soft</emphasis> resource limits.
These limits are ones that the user can move up or down within the
- permitted range by any pre-exisiting <emphasis remap='B'>hard</emphasis>
+ permitted range by any pre-existing <emphasis remap='B'>hard</emphasis>
limits. The values specified with this token can be thought of as
<emphasis>default</emphasis> values, for normal system usage.
</para>
apply=[user|@group]
Restrict the user class for which the restriction apply. Note that with
- item=[user|ruser|group] this oes not make sense, but for item=[tty|rhost|
+ item=[user|ruser|group] this does not make sense, but for item=[tty|rhost|
shell] it have a meaning.
quiet
.\" Title: pam_listfile
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
-.\" Date: 08/25/2007
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_LISTFILE" "8" "08/25/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_LISTFILE" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_listfile \- deny or allow services based on an arbitrary file
+pam_listfile - deny or allow services based on an arbitrary file
.SH "SYNOPSIS"
.HP 16
-\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet]
+\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet]
.SH "DESCRIPTION"
.PP
-pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file.
+pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\.
.PP
The module gets the
\fBitem\fR
\fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request,
\fIPAM_RUSER\fR
\-\- and looks for an instance of that item in the
-\fBfile=\fR\fB\fIfilename\fR\fR.
+\fBfile=\fR\fB\fIfilename\fR\fR\.
\fIfilename\fR
-contains one line per item listed. If the item is found, then if
+contains one line per item listed\. If the item is found, then if
\fBsense=\fR\fB\fIallow\fR\fR,
\fIPAM_SUCCESS\fR
is returned, causing the authorization request to succeed; else if
\fBsense=\fR\fB\fIdeny\fR\fR,
\fIPAM_AUTH_ERR\fR
-is returned, causing the authorization request to fail.
+is returned, causing the authorization request to fail\.
.PP
If an error is encountered (for instance, if
\fIfilename\fR
\fIPAM_AUTH_ERR\fR
or
\fIPAM_SERVICE_ERR\fR
-(as appropriate) will be returned.
+(as appropriate) will be returned\.
.PP
An additional argument,
-\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR). This added restriction is only meaningful when used with the
+\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the
\fItty\fR,
\fIrhost\fR
and
\fIshell\fR
-items.
+items\.
.PP
-Besides this last one, all arguments should be specified; do not count on any default behavior.
+Besides this last one, all arguments should be specified; do not count on any default behavior\.
.PP
-No credentials are awarded by this module.
+No credentials are awarded by this module\.
.SH "OPTIONS"
.PP
.PP
\fBitem=[tty|user|rhost|ruser|group|shell]\fR
.RS 4
-What is listed in the file and should be checked for.
+What is listed in the file and should be checked for\.
.RE
.PP
\fBsense=[allow|deny]\fR
.RS 4
-Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.
+Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\.
.RE
.PP
\fBfile=\fR\fB\fI/path/filename\fR\fR
.RS 4
-File containing one item per line. The file needs to be a plain file and not world writeable.
+File containing one item per line\. The file needs to be a plain file and not world writeable\.
.RE
.PP
\fBonerr=[succeed|fail]\fR
.RS 4
-What to do if something weird happens like being unable to open the file.
+What to do if something weird happens like being unable to open the file\.
.RE
.PP
\fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR
.RS 4
-Restrict the user class for which the restriction apply. Note that with
+Restrict the user class for which the restriction apply\. Note that with
\fBitem=[user|ruser|group]\fR
-this oes not make sense, but for
+this does not make sense, but for
\fBitem=[tty|rhost|shell]\fR
-it have a meaning.
+it have a meaning\.
.RE
.PP
\fBquiet\fR
.RS 4
-Do not treat service refusals or missing list files as errors that need to be logged.
+Do not treat service refusals or missing list files as errors that need to be logged\.
.RE
.SH "MODULE SERVICES PROVIDED"
.PP
\fBpassword\fR
and
\fBsession\fR
-are supported.
+are supported\.
.SH "RETURN VALUES"
.PP
.PP
PAM_AUTH_ERR
.RS 4
-Authentication failure.
+Authentication failure\.
.RE
.PP
PAM_BUF_ERR
.RS 4
-Memory buffer error.
+Memory buffer error\.
.RE
.PP
PAM_IGNORE
.RS 4
The rule does not apply to the
\fBapply\fR
-option.
+option\.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
-Error in service module.
+Error in service module\.
.RE
.PP
PAM_SUCCESS
.RS 4
-Success.
+Success\.
.RE
.SH "EXAMPLES"
.PP
-Classic 'ftpusers' authentication can be implemented with this entry in
-\fI/etc/pam.d/ftpd\fR:
+Classic \'ftpusers\' authentication can be implemented with this entry in
+\fI/etc/pam\.d/ftpd\fR:
.sp
.RS 4
.nf
#
# deny ftp\-access to users listed in the /etc/ftpusers file
#
-auth required pam_listfile.so \e
+auth required pam_listfile\.so \e
onerr=succeed item=user sense=deny file=/etc/ftpusers
.fi
\fI/etc/ftpusers\fR
file are (counterintuitively)
\fInot\fR
-allowed access to the ftp service.
+allowed access to the ftp service\.
.PP
To allow login access only for certain users, you can use a
-\fI/etc/pam.d/login\fR
+\fI/etc/pam\.d/login\fR
entry like this:
.sp
.RS 4
#
# permit login to users listed in /etc/loginusers
#
-auth required pam_listfile.so \e
+auth required pam_listfile\.so \e
onerr=fail item=user sense=allow file=/etc/loginusers
.fi
.RE
.sp
For this example to work, all users who are allowed to use the login service should be listed in the file
-\fI/etc/loginusers\fR. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
+\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
\fI/etc/loginusers\fR, or by listing a user who is able to
\fIsu\fR
-to the root account.
+to the root account\.
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot Lee <sopwith@cuc.edu>.
+pam_listfile was written by Michael K\. Johnson <johnsonm@redhat\.com> and Elliot Lee <sopwith@cuc\.edu>\.
<listitem>
<para>
Restrict the user class for which the restriction apply. Note that
- with <option>item=[user|ruser|group]</option> this oes not make sense,
+ with <option>item=[user|ruser|group]</option> this does not make sense,
but for <option>item=[tty|rhost|shell]</option> it have a meaning.
</para>
</listitem>
OPTIONS
-This module does not recognice any options.
+This module does not recognise any options.
EXAMPLES
.\" Title: pam_permit
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/04/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_PERMIT" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_PERMIT" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_permit \- The promiscuous module
+pam_permit - The promiscuous module
.SH "SYNOPSIS"
.HP 14
-\fBpam_permit.so\fR
+\fBpam_permit\.so\fR
.SH "DESCRIPTION"
.PP
-pam_permit is a PAM module that always permit access. It does nothing else.
+pam_permit is a PAM module that always permit access\. It does nothing else\.
.PP
-In the case of authentication, the user's name will be set to
+In the case of authentication, the user\'s name will be set to
\fInobody\fR
-if the application didn't set one. Many applications and PAM modules become confused if this name is unknown.
+if the application didn\'t set one\. Many applications and PAM modules become confused if this name is unknown\.
.PP
-This module is very dangerous. It should be used with extreme caution.
+This module is very dangerous\. It should be used with extreme caution\.
.SH "OPTIONS"
.PP
-This module does not recognice any options.
+This module does not recognise any options\.
.SH "MODULE SERVICES PROVIDED"
.PP
The services
\fBpassword\fR
and
\fBsession\fR
-are supported.
+are supported\.
.SH "RETURN VALUES"
-.TP 3n
+.PP
PAM_SUCCESS
-This module always returns this value.
+.RS 4
+This module always returns this value\.
+.RE
.SH "EXAMPLES"
.PP
-Add this line to your other login entries to disable account management, but continue to permit users to log in.
+Add this line to your other login entries to disable account management, but continue to permit users to log in\.
.sp
-.RS 3n
+.RS 4
.nf
-account required pam_permit.so
+account required pam_permit\.so
.fi
.RE
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>.
+pam_permit was written by Andrew G\. Morgan, <morgan@kernel\.org>\.
<refsect1 id="pam_permit-options">
<title>OPTIONS</title>
- <para> This module does not recognice any options.</para>
+ <para> This module does not recognise any options.</para>
</refsect1>
<refsect1 id="pam_permit-services">
OPTIONS
-This module does not recognice any options.
+This module does not recognise any options.
EXAMPLES
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "PAM_SHELLS" "8" "06/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" Title: pam_shells
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\"
+.TH "PAM_SHELLS" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_shells \- PAM module to check for valid login shell
+pam_shells - PAM module to check for valid login shell
.SH "SYNOPSIS"
.HP 14
-\fBpam_shells.so\fR
+\fBpam_shells\.so\fR
.SH "DESCRIPTION"
.PP
pam_shells is a PAM module that only allows access to the system if the users shell is listed in
-\fI/etc/shells\fR.
+\fI/etc/shells\fR\.
.PP
It also checks if
\fI/etc/shells\fR
-is a plain file and not world writable.
+is a plain file and not world writable\.
.SH "OPTIONS"
.PP
-This module does not recognice any options.
+This module does not recognise any options\.
.SH "MODULE SERVICES PROVIDED"
.PP
The services
\fBauth\fR
and
\fBaccount\fR
-are supported.
+are supported\.
.SH "RETURN VALUES"
-.TP
+.PP
PAM_AUTH_ERR
-Access to the system was denied.
-.TP
+.RS 4
+Access to the system was denied\.
+.RE
+.PP
PAM_SUCCESS
+.RS 4
The users login shell was listed as valid shell in
-\fI/etc/shells\fR.
-.TP
+\fI/etc/shells\fR\.
+.RE
+.PP
PAM_SERVICE_ERR
-The module was not able to get the name of the user.
+.RS 4
+The module was not able to get the name of the user\.
+.RE
.SH "EXAMPLES"
.PP
+
+.sp
+.RS 4
.nf
-auth required pam_shells.so
+auth required pam_shells\.so
.fi
+.RE
.sp
.SH "SEE ALSO"
.PP
+
\fBshells\fR(5),
\fBpam.conf\fR(5),
\fBpam.d\fR(8),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_shells was written by Erik Troan <ewt@redhat.com>.
+pam_shells was written by Erik Troan <ewt@redhat\.com>\.
<refsect1 id="pam_shells-options">
<title>OPTIONS</title>
- <para> This module does not recognice any options.</para>
+ <para> This module does not recognise any options.</para>
</refsect1>
<refsect1 id="pam_shells-services">
.\" Title: pam_time
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/21/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_TIME" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_TIME" "8" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_time \- PAM module for time control access
+pam_time - PAM module for time control access
.SH "SYNOPSIS"
.HP 12
-\fBpam_time.so\fR
+\fBpam_time\.so\fR
.SH "DESCRIPTION"
.PP
-The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request.
+The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\.
.PP
By default rules for time/port access are taken from config file
-\fI/etc/security/time.conf\fR.
+\fI/etc/security/time\.conf\fR\.
.SH "OPTIONS"
.PP
-This module does not recognice any options.
+This module does not recognise any options\.
.SH "MODULE SERVICES PROVIDED"
.PP
Only the
\fBaccount\fR
-service is supported.
+service is supported\.
.SH "RETURN VALUES"
-.TP 3n
+.PP
PAM_SUCCESS
-Access was granted.
-.TP 3n
+.RS 4
+Access was granted\.
+.RE
+.PP
PAM_ABORT
-Not all relevant data could be gotten.
-.TP 3n
+.RS 4
+Not all relevant data could be gotten\.
+.RE
+.PP
PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
PAM_PERM_DENIED
-Access was not granted.
-.TP 3n
+.RS 4
+Access was not granted\.
+.RE
+.PP
PAM_USER_UNKNOWN
-The user is not known to the system.
+.RS 4
+The user is not known to the system\.
+.RE
.SH "FILES"
-.TP 3n
-\fI/etc/security/time.conf\fR
+.PP
+\fI/etc/security/time\.conf\fR
+.RS 4
Default configuration file
+.RE
.SH "EXAMPLES"
.sp
-.RS 3n
+.RS 4
.nf
-#%PAM\-1.0
+#%PAM\-1\.0
#
# apply pam_time accounting to login requests
#
-login account required pam_time.so
+login account required pam_time\.so
.fi
.RE
\fBtime.conf\fR(5),
\fBpam.d\fR(8),
-\fBpam\fR(8).
+\fBpam\fR(8)\.
.SH "AUTHOR"
.PP
-pam_time was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_time was written by Andrew G\. Morgan <morgan@kernel\.org>\.
<refsect1 id="pam_time-options">
<title>OPTIONS</title>
- <para>This module does not recognice any options.</para>
+ <para>This module does not recognise any options.</para>
</refsect1>
<refsect1 id="pam_time-services">
OPTIONS
-This module does not recognice any options.
+This module does not recognise any options.
EXAMPLES
.\" Title: pam_warn
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/09/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_WARN" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_WARN" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_warn \- PAM module which logs all PAM items if called
+pam_warn - PAM module which logs all PAM items if called
.SH "SYNOPSIS"
.HP 12
-\fBpam_warn.so\fR
+\fBpam_warn\.so\fR
.SH "DESCRIPTION"
.PP
pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to
-\fBsyslog\fR(3). The items are not probed for, but instead obtained from the standard PAM items. The module always returns
-\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process.
+\fBsyslog\fR(3)\. The items are not probed for, but instead obtained from the standard PAM items\. The module always returns
+\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\.
.SH "OPTIONS"
.PP
-This module does not recognice any options.
+This module does not recognise any options\.
.SH "MODULE SERVICES PROVIDED"
.PP
The services
\fBpassword\fR
and
\fBsession\fR
-are supported.
+are supported\.
.SH "RETURN VALUES"
-.TP 3n
+.PP
PAM_IGNORE
-This module always returns PAM_IGNORE.
+.RS 4
+This module always returns PAM_IGNORE\.
+.RE
.SH "EXAMPLES"
.sp
-.RS 3n
+.RS 4
.nf
-#%PAM\-1.0
+#%PAM\-1\.0
#
-# If we don't have config entries for a service, the
-# OTHER entries are used. To be secure, warn and deny
-# access to everything.
-other auth required pam_warn.so
-other auth required pam_deny.so
-other account required pam_warn.so
-other account required pam_deny.so
-other password required pam_warn.so
-other password required pam_deny.so
-other session required pam_warn.so
-other session required pam_deny.so
+# If we don\'t have config entries for a service, the
+# OTHER entries are used\. To be secure, warn and deny
+# access to everything\.
+other auth required pam_warn\.so
+other auth required pam_deny\.so
+other account required pam_warn\.so
+other account required pam_deny\.so
+other password required pam_warn\.so
+other password required pam_deny\.so
+other session required pam_warn\.so
+other session required pam_deny\.so
.fi
.RE
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.
+pam_warn was written by Andrew G\. Morgan <morgan@kernel\.org>\.
<refsect1 id="pam_warn-options">
<title>OPTIONS</title>
- <para>This module does not recognice any options.</para>
+ <para>This module does not recognise any options.</para>
</refsect1>
<refsect1 id="pam_warn-services">
calling user and the euid set to root, and must have provided as the PAM_USER
item the name of the target user.
-pam_xauth calls xauth(1) the source user to extract the key for $DISPLAY, then
-calls xauth as the target user to merge the key into the a temporary database
-and later remove the database.
+pam_xauth calls xauth(1) as the source user to extract the key for $DISPLAY,
+then calls xauth as the target user to merge the key into the a temporary
+database and later remove the database.
pam_xauth cannot be told to not remove the keys when the session is closed.
.\" Title: pam_xauth
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/09/2006
-.\" Manual: Linux\-PAM Manual
-.\" Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 11/06/2007
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
.\"
-.TH "PAM_XAUTH" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_XAUTH" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pam_xauth \- PAM module to forward xauth keys between users
+pam_xauth - PAM module to forward xauth keys between users
.SH "SYNOPSIS"
.HP 13
-\fBpam_xauth.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR]
+\fBpam_xauth\.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR]
.SH "DESCRIPTION"
.PP
-The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users.
+The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\.
.PP
Without pam_xauth, when xauth is enabled and a user uses the
\fBsu\fR(1)
-command to assume another user's priviledges, that user is no longer able to access the original user's X display because the new user does not have the key needed to access the display. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down.
+command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\.
.PP
This means, for example, that when you run
\fBsu\fR(1)
from an xterm sesssion, you will be able to run X programs without explicitly dealing with the
\fBxauth\fR(1)
-xauth command or ~/.Xauthority files.
+xauth command or ~/\.Xauthority files\.
.PP
-pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable.
+pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\.
.PP
Primitive access control is provided by
-\fI~/.xauth/export\fR
-in the invoking user's home directory and
-\fI~/.xauth/import\fR
-in the target user's home directory.
+\fI~/\.xauth/export\fR
+in the invoking user\'s home directory and
+\fI~/\.xauth/import\fR
+in the target user\'s home directory\.
.PP
If a user has a
-\fI~/.xauth/import\fR
-file, the user will only receive cookies from users listed in the file. If there is no
-\fI~/.xauth/import\fR
-file, the user will accept cookies from any other user.
+\fI~/\.xauth/import\fR
+file, the user will only receive cookies from users listed in the file\. If there is no
+\fI~/\.xauth/import\fR
+file, the user will accept cookies from any other user\.
.PP
If a user has a
-\fI.xauth/export\fR
-file, the user will only forward cookies to users listed in the file. If there is no
-\fI~/.xauth/export\fR
+\fI\.xauth/export\fR
+file, the user will only forward cookies to users listed in the file\. If there is no
+\fI~/\.xauth/export\fR
file, and the invoking user is not
-\fBroot\fR, the user will forward cookies to any other user. If there is no
-\fI~/.xauth/export\fR
+\fBroot\fR, the user will forward cookies to any other user\. If there is no
+\fI~/\.xauth/export\fR
file, and the invoking user is
\fBroot\fR, the user will
\fInot\fR
-forward cookies to other users.
+forward cookies to other users\.
.PP
Both the import and export files support wildcards (such as
-\fI*\fR). Both the import and export files can be empty, signifying that no users are allowed.
+\fI*\fR)\. Both the import and export files can be empty, signifying that no users are allowed\.
.SH "OPTIONS"
-.TP 3n
+.PP
\fBdebug\fR
-Print debug information.
-.TP 3n
+.RS 4
+Print debug information\.
+.RE
+.PP
\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR
+.RS 4
Specify the path the xauth program (it is expected in
\fI/usr/X11R6/bin/xauth\fR,
\fI/usr/bin/xauth\fR, or
\fI/usr/bin/X11/xauth\fR
-by default).
-.TP 3n
+by default)\.
+.RE
+.PP
\fBsystemuser=\fR\fB\fIUID\fR\fR
-Specify the highest UID which will be assumed to belong to a "system" user. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified.
-.TP 3n
+.RS 4
+Specify the highest UID which will be assumed to belong to a "system" user\. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\.
+.RE
+.PP
\fBtargetuser=\fR\fB\fIUID\fR\fR
-Specify a single target UID which is exempt from the systemuser check.
+.RS 4
+Specify a single target UID which is exempt from the systemuser check\.
+.RE
.SH "MODULE SERVICES PROVIDED"
.PP
Only the
\fBsession\fR
-service is supported.
+service is supported\.
.SH "RETURN VALUES"
-.TP 3n
+.PP
PAM_BUF_ERR
-Memory buffer error.
-.TP 3n
+.RS 4
+Memory buffer error\.
+.RE
+.PP
PAM_PERM_DENIED
-Permission denied by import/export file.
-.TP 3n
+.RS 4
+Permission denied by import/export file\.
+.RE
+.PP
PAM_SESSION_ERR
-Cannot determine user name, UID or access users home directory.
-.TP 3n
+.RS 4
+Cannot determine user name, UID or access users home directory\.
+.RE
+.PP
PAM_SUCCESS
-Success.
-.TP 3n
+.RS 4
+Success\.
+.RE
+.PP
PAM_USER_UNKNOWN
-User not known.
+.RS 4
+User not known\.
+.RE
.SH "EXAMPLES"
.PP
Add the following line to
-\fI/etc/pam.d/su\fR
+\fI/etc/pam\.d/su\fR
to forward xauth keys between users when calling su:
.sp
-.RS 3n
+.RS 4
.nf
-session optional pam_xauth.so
+session optional pam_xauth\.so
.fi
.RE
pam_xauth will work
\fIonly\fR
if it is used from a setuid application in which the
-\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume. The typical application of this type is
-\fBsu\fR(1). The application must call both
+\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\. The typical application of this type is
+\fBsu\fR(1)\. The application must call both
\fBpam_open_session\fR() and
-\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user.
+\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\.
.PP
pam_xauth calls
\fBxauth\fR(1)
-the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database.
+as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\.
.PP
-pam_xauth cannot be told to not remove the keys when the session is closed.
+pam_xauth cannot be told to not remove the keys when the session is closed\.
.SH "FILES"
-.TP 3n
-\fI~/.xauth/import\fR
+.PP
+\fI~/\.xauth/import\fR
+.RS 4
XXX
-.TP 3n
-\fI~/.xauth/export\fR
+.RE
+.PP
+\fI~/\.xauth/export\fR
+.RS 4
XXX
+.RE
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original version by Michael K. Johnson <johnsonm@redhat.com>.
+pam_xauth was written by Nalin Dahyabhai <nalin@redhat\.com>, based on original version by Michael K\. Johnson <johnsonm@redhat\.com>\.
pam_xauth calls
<citerefentry>
<refentrytitle>xauth</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry> the source user to extract the key for $DISPLAY,
+ </citerefentry> as the source user to extract the key for $DISPLAY,
then calls xauth as the target user to merge the key into the a
temporary database and later remove the database.
</para>
projects / linux-pam / commitdiff