author | Thorsten Kukuk <kukuk@thkukuk.de> | 2015-03-24 16:57:14 +0100
---|---|---
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2015-03-24 16:57:14 +0100
commit | 7b39983f3a7b5e7522f1672e49dcbfe579f0228f (patch) |
tree | bdd4b701f05faea4e2109fb9c33623cb90f53f26 |
parent | 89915a23a085d414bce61040364810be3975e261 (diff) |
download | pam-7b39983f3a7b5e7522f1672e49dcbfe579f0228f.tar.gz, pam-7b39983f3a7b5e7522f1672e49dcbfe579f0228f.tar.bz2, pam-7b39983f3a7b5e7522f1672e49dcbfe579f0228f.zip |
Clarify pam_access docs re PAM service names and X $DISPLAY value testing.
(Ticket #39)
* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml
Signed-off-by: Karl O. Pinc <kop at meme.com>
mode | file | lines changed
---|---|---
-rw-r--r-- | modules/pam_access/access.conf.5.xml | 40
-rw-r--r-- | modules/pam_access/pam_access.8.xml | 5
2 files changed, 35 insertions, 10 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index a4d3419b..d686d92b 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -21,8 +21,12 @@ <para> The <filename>/etc/security/access.conf</filename> file specifies (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>), - (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or - (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) + (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>), + (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>), + (<replaceable>user/group</replaceable>, + <replaceable>X-$DISPLAY-value</replaceable>), or + (<replaceable>user/group</replaceable>, + <replaceable>pam-service-name</replaceable>) combinations for which a login will be either accepted or refused. </para> <para> @@ -33,7 +37,14 @@ combination, or, in case of non-networked logins, the first entry that matches the (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) - combination. The permissions field of that table entry determines + combination, or in the case of non-networked logins without a + tty, the first entry that matches the + (<replaceable>user/group</replaceable>, + <replaceable>X-$DISPLAY-value</replaceable>) or + (<replaceable>user/group</replaceable>, + <replaceable>pam-service-name/</replaceable>) + combination. The permissions field of that table entry + determines whether the login will be accepted or refused. </para> 
@@ -65,14 +76,27 @@ <para> The third field, the <replaceable>origins</replaceable> field, should be a list of one or more tty names (for non-networked - logins), host names, domain names (begin with "."), host addresses, + logins), X <varname>$DISPLAY</varname> values or PAM service + names (for non-networked logins without a tty), host names, + domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), <emphasis>ALL</emphasis> (which always matches) - or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis> - keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is - not set and <origin> field is thus set from - <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>". + or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis> + keyword matches if and only if + <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>, + when called with an <parameter>item_type</parameter> of + <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an + empty string (and therefore the + <replaceable>origins</replaceable> field is compared against the + return value of + <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry> + called with an <parameter>item_type</parameter> of + <emphasis>PAM_TTY</emphasis> or, absent that, + <emphasis>PAM_SERVICE</emphasis>). + </para> + + <para> If supported by the system you can use <emphasis>@netgroupname</emphasis> in host or user patterns. The <emphasis>@@netgroupname</emphasis> syntax is supported in the user diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index 710e2e7b..c629a9f3 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml 
@@ -50,7 +50,8 @@ The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, - or on terminal line names in case of non-networked logins. + or on terminal line names, X <varname>$DISPLAY</varname> values, + or PAM service names in case of non-networked logins. </para> <para> By default rules for access management are taken from config file @@ -59,7 +60,7 @@ </para> <para> If Linux PAM is compiled with audit support the module will report - when it denies access based on origin (host or tty). + when it denies access based on origin (host, tty, etc.). </para> </refsect1> |
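Review bot: typo in the second hunk of access.conf.5.xml (`@@ -33,7 +37,14 @@`): the new line reads `<replaceable>pam-service-name/</replaceable>` with a stray trailing slash, which will be rendered into the man page as-is. It should be `<replaceable>pam-service-name</replaceable>`, matching the spelling used in the first hunk of the same file.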
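Review bot: the LOCAL keyword paragraph in the third hunk of access.conf.5.xml (`@@ -65,14 +76,27 @@`) leaves unstated which PAM item carries the X $DISPLAY value. The new text says the origins field is compared against the return value of pam_get_item for PAM_TTY "or, absent that, PAM_SERVICE", yet the second hunk of the same file presents X $DISPLAY values as applying to "non-networked logins without a tty". Since only PAM_TTY and PAM_SERVICE are named as the sources of the origin string, say explicitly which of them a display value is read from (or that a display value appears in PAM_TTY); otherwise "without a tty" reads as if there were a third lookup that the LOCAL description does not mention. Unrelated nit in the same hunk: the new parenthetical that begins "(and therefore the origins field is compared against ..." runs for eight lines; it would read more easily as its own sentence after the "if and only if" clause.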
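Review bot: in the second hunk of pam_access.8.xml (`@@ -59,7 +60,7 @@`), "based on origin (host, tty, etc.)" leaves the reader guessing what the audit message can name, while the first hunk of the same file spells the origin kinds out. Suggest listing them here as well, e.g. "based on origin (host, tty, X $DISPLAY value or PAM service name)", so the man page does not describe the audit behaviour with an open-ended "etc.".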