Relevant BUGIDs:

Purpose of commit: new feature Commit summary: --------------- 2006-06-09 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_wheel/Makefile.am: Include Make.xml.rules. * modules/pam_wheel/pam_wheel.8.xml: New. * modules/pam_wheel/pam_wheel.8: New, generated from xml file. * modules/pam_wheel/README.xml: New. * modules/pam_wheel/README: Regenerated from xml file. * modules/pam_xauth/Makefile.am: Include Make.xml.rules. * modules/pam_xauth/pam_xauth.8.xml: New. * modules/pam_xauth/pam_xauth.8: Regenerated from xml file. * modules/pam_xauth/README.xml: New. * modules/pam_xauth/README: Regenerated from xml file. * modules/pam_deny/pam_deny.8.xml: Fix syntax errors. * modules/pam_deny/pam_deny.8: Regenerate from xml file. * modules/pam_deny/README: Likewise. * modules/pam_warn/Makefile.am: Include Make.xml.rules. * modules/pam_warn/pam_warn.8.xml: New. * modules/pam_warn/pam_warn.8: New, generated from xml file. * modules/pam_warn/README.xml: New. * modules/pam_warn/README: Regenerated from xml file. * modules/pam_userdb/Makefile.am: Include Make.xml.rules. * modules/pam_userdb/pam_userdb.8.xml: New. * modules/pam_userdb/pam_userdb.8: New, generated from xml file. * modules/pam_userdb/README.xml: New. * modules/pam_userdb/README: Regenerated from xml file.
author: Thorsten Kukuk <kukuk@thkukuk.de> 2006-06-09 16:44:06 +0000
committer: Thorsten Kukuk <kukuk@thkukuk.de> 2006-06-09 16:44:06 +0000
commit: 393585017d45cf174384530f57cb8bc5cec1b457 (patch)
tree: 3985421a45d437485de6eee26026beb3cecefbd1 /modules/pam_wheel
parent: deda060dfbfb989de28235617fc3a9149aaee1e3 (diff)
download: pam-393585017d45cf174384530f57cb8bc5cec1b457.tar.gz
pam-393585017d45cf174384530f57cb8bc5cec1b457.tar.bz2
pam-393585017d45cf174384530f57cb8bc5cec1b457.zip
5 files changed, 454 insertions, 38 deletions
diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am
index 3405adb3..82a98305 100644
--- a/modules/pam_wheel/Makefile.am
+++ b/modules/pam_wheel/Makefile.am
@@ -4,7 +4,10 @@
 
 CLEANFILES = *~
 
-EXTRA_DIST = README tst-pam_wheel
+EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel
+
+man_MANS = pam_wheel.8
+XMLS = README.xml pam_wheel.8.xml
 
 TESTS = tst-pam_wheel
 
@@ -19,3 +22,10 @@ if HAVE_VERSIONING
 endif
 
 securelib_LTLIBRARIES = pam_wheel.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_wheel.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README
index 2cd156c0..db118205 100644
--- a/modules/pam_wheel/README
+++ b/modules/pam_wheel/README
@@ -1,39 +1,61 @@
+pam_wheel — Only permit root access to members of group wheel
 
-pam_wheel:
-	only permit root authentication to members of wheel group
-
-RECOGNIZED ARGUMENTS:
-	debug		Write a message to syslog indicating success or
-			failure.
-
-	use_uid		The check for wheel membership will be done against
-			the current uid instead of the original one
-			(useful when jumping with su from one account to
-			another for example).
-			
-	trust		The pam_wheel module will return PAM_SUCCESS instead
-			of PAM_IGNORE if the user is a member of the wheel
-			group (thus with a little play stacking the modules
-			the wheel members may be able to su to root without
-			being prompted for a passwd).
-
-	deny		Reverse the sense of the auth operation: if the user
-			is trying to get UID 0 access and is a member of the
-			wheel group, deny access (well, kind of nonsense, but
-			for use in conjunction with 'group' argument... :-)
-	                Conversely, if the user is not in the group, return
-                        PAM_IGNORE (unless 'trust' was also specified, in
-                        which case we return PAM_SUCCESS).
-
-	group=xxxx	Instead of checking the wheel or GID 0 groups, use
-			the xxxx group to perform the authentification.
-
-	root_only	The check for wheel membership is done only
-			if the uid of requested account is 0.
-
-MODULE SERVICES PROVIDED:
-	auth		_authentication, _setcred (blank) and _acct_mgmt
-
-AUTHOR:
-	Cristian Gafton <gafton@redhat.com>
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_wheel PAM module is used to enforce the so-called wheel group. By
+default it permits root access to the system if the applicant user is a member
+of the wheel group. If no group with this name exist, the module is using the
+group with the group-ID 0.
+
+OPTIONS
+
+debug
+
+    Print debug information.
+
+deny
+
+    Reverse the sense of the auth operation: if the user is trying to get UID 0
+    access and is a member of the wheel group (or the group of the group
+    option), deny access. Conversely, if the user is not in the group, return
+    PAM_IGNORE (unless trust was also specified, in which case we return
+    PAM_SUCCESS).
+
+group=name
+
+    Instead of checking the wheel or GID 0 groups, use the name group to
+    perform the authentification.
+
+root_only
+
+    The check for wheel membership is done only.
+
+trust
+
+    The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the
+    user is a member of the wheel group (thus with a little play stacking the
+    modules the wheel members may be able to su to root without being prompted
+    for a passwd).
+
+use_uid
+
+    The check for wheel membership will be done against the current uid instead
+    of the original one (useful when jumping with su from one account to
+    another for example).
+
+EXAMPLES
+
+The root account gains access by default (rootok), only wheel members can
+become root (wheel) but Unix authenticate non-root applicants.
+
+su      auth     sufficient     pam_rootok.so
+su      auth     required       pam_wheel.so
+su      auth     required       pam_unix.so
+
+
+AUTHOR
+
+pam_wheel was written by Cristian Gafton <gafton@redhat.com>.
 
diff --git a/modules/pam_wheel/README.xml b/modules/pam_wheel/README.xml
new file mode 100644
index 00000000..9e33d7ff
--- /dev/null
+++ b/modules/pam_wheel/README.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_wheel.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_wheel-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/>
+  </section>
+
+</article>
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8
new file mode 100644
index 00000000..aaecc1a5
--- /dev/null
+++ b/modules/pam_wheel/pam_wheel.8
@@ -0,0 +1,101 @@
+.\"     Title: pam_wheel
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/09/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_wheel \- Only permit root access to members of group wheel
+.SH "SYNOPSIS"
+.HP 13
+\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
+.SH "DESCRIPTION"
+.PP
+The pam_wheel PAM module is used to enforce the so\-called
+\fIwheel\fR
+group. By default it permits root access to the system if the applicant user is a member of the
+\fIwheel\fR
+group. If no group with this name exist, the module is using the group with the group\-ID
+\fB0\fR.
+.SH "OPTIONS"
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.TP 3n
+\fBdeny\fR
+Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
+\fBgroup\fR
+option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless
+\fBtrust\fR
+was also specified, in which case we return PAM_SUCCESS).
+.TP 3n
+\fBgroup=\fR\fB\fIname\fR\fR
+Instead of checking the wheel or GID 0 groups, use the
+\fB\fIname\fR\fR
+group to perform the authentification.
+.TP 3n
+\fBroot_only\fR
+The check for wheel membership is done only.
+.TP 3n
+\fBtrust\fR
+The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
+.TP 3n
+\fBuse_uid\fR
+The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example).
+.SH "MODULE SERVICES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBaccount\fR
+services are supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+Authentication failure.
+.TP 3n
+PAM_BUF_ERR
+Memory buffer error.
+.TP 3n
+PAM_IGNORE
+The return value should be ignored by PAM dispatch.
+.TP 3n
+PAM_PERM_DENY
+Permission denied.
+.TP 3n
+PAM_SERVICE_ERR
+Cannot determine the user name.
+.TP 3n
+PAM_SUCCESS
+Success.
+.TP 3n
+PAM_USER_UNKNOWN
+User not known.
+.SH "EXAMPLES"
+.PP
+The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants.
+.sp
+.RS 3n
+.nf
+su      auth     sufficient     pam_rootok.so
+su      auth     required       pam_wheel.so
+su      auth     required       pam_unix.so
+      
+.fi
+.RE
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_wheel was written by Cristian Gafton <gafton@redhat.com>.
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
new file mode 100644
index 00000000..f3d2fb42
--- /dev/null
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -0,0 +1,242 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_wheel">
+
+  <refmeta>
+    <refentrytitle>pam_wheel</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_wheel-name">
+    <refname>pam_wheel</refname>
+    <refpurpose>Only permit root access to members of group wheel</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_wheel-cmdsynopsis">
+      <command>pam_wheel.so</command>
+      <arg choice="opt">
+	debug
+      </arg>
+      <arg choice="opt">
+        deny
+      </arg>
+      <arg choice="opt">
+	group=<replaceable>name</replaceable>
+      </arg>
+      <arg choice="opt">
+	root_only
+      </arg>
+      <arg choice="opt">
+	trust
+      </arg>
+      <arg choice="opt">
+	use_uid
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_wheel-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The pam_wheel PAM module is used to enforce the so-called
+      <emphasis>wheel</emphasis> group. By default it permits root
+      access to the system if the applicant user is a member of the
+      <emphasis>wheel</emphasis> group. If no group with this name exist,
+      the module is using the group with the group-ID
+      <emphasis remap='B'>0</emphasis>.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_wheel-options">
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+            Print debug information.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>deny</option>
+        </term>
+        <listitem>
+          <para>
+            Reverse the sense of the auth operation: if the user
+            is trying to get UID 0 access and is a member of the
+            wheel group (or the group of the <option>group</option> option),
+            deny access. Conversely, if the user is not in the group, return
+            PAM_IGNORE (unless <option>trust</option> was also specified,
+            in which case we return PAM_SUCCESS).
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>group=<replaceable>name</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Instead of checking the wheel or GID 0 groups, use
+            the <option><replaceable>name</replaceable></option> group
+            to perform the authentification.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>root_only</option>
+        </term>
+        <listitem>
+          <para>
+            The check for wheel membership is done only.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>trust</option>
+        </term>
+        <listitem>
+          <para>
+            The pam_wheel module will return PAM_SUCCESS instead
+            of PAM_IGNORE if the user is a member of the wheel group
+            (thus with a little play stacking the modules the wheel
+            members may be able to su to root without being prompted
+            for a passwd).
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>use_uid</option>
+        </term>
+        <listitem>
+          <para>
+            The check for wheel membership will be done against
+            the current uid instead of the original one (useful when
+            jumping with su from one account to another for example).
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_wheel-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      The <emphasis remap='B'>auth</emphasis> and
+      <emphasis remap='B'>account</emphasis> services are supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+           <para>
+             Authentication failure.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+          <para>
+            The return value should be ignored by PAM dispatch.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_PERM_DENY</term>
+        <listitem>
+          <para>
+            Permission denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SERVICE_ERR</term>
+        <listitem>
+          <para>
+	    Cannot determine the user name.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>
+            Success.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User not known.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      The root account gains access by default (rootok), only wheel
+      members can become root (wheel) but Unix authenticate non-root
+      applicants.
+      <programlisting>
+su      auth     sufficient     pam_rootok.so
+su      auth     required       pam_wheel.so
+su      auth     required       pam_unix.so
+      </programlisting>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_wheel-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_wheel was written by Cristian Gafton &lt;gafton@redhat.com&gt;.
+      </para>
+  </refsect1>
+
+</refentry>
author	Thorsten Kukuk <kukuk@thkukuk.de>	2006-06-09 16:44:06 +0000
committer	Thorsten Kukuk <kukuk@thkukuk.de>	2006-06-09 16:44:06 +0000
commit	393585017d45cf174384530f57cb8bc5cec1b457 (patch)
tree	3985421a45d437485de6eee26026beb3cecefbd1 /modules/pam_wheel
parent	deda060dfbfb989de28235617fc3a9149aaee1e3 (diff)
download	pam-393585017d45cf174384530f57cb8bc5cec1b457.tar.gz pam-393585017d45cf174384530f57cb8bc5cec1b457.tar.bz2 pam-393585017d45cf174384530f57cb8bc5cec1b457.zip