diff options
Diffstat (limited to 'Linux-PAM/doc/modules/pam_group.sgml')
| -rw-r--r-- | Linux-PAM/doc/modules/pam_group.sgml | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/Linux-PAM/doc/modules/pam_group.sgml b/Linux-PAM/doc/modules/pam_group.sgml new file mode 100644 index 00000000..2d767275 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_group.sgml @@ -0,0 +1,108 @@ +<!-- + $Id: pam_group.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The group access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_group/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> +Sensitive to <em/setgid/ status of file-systems accessible to users. + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled +with or without <tt/libpwdb/. + +<tag><bf>Network aware:</bf></tag> +Only through correctly set <tt/PAM_TTY/ item. + +</descrip> + +<sect2>Overview of module + +<p> +This module provides group-settings based on the user's name and the +terminal they are requesting a given service from. It takes note of +the time of day. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the +authentication module) to the user. Such memberships are based on the +service they are applying for. The group memberships are listed in +text form in the <tt>/etc/security/group.conf</tt> file. + +<tag><bf>Examples/suggested usage:</bf></tag> + +For this module to function correctly there must be a correctly +formatted <tt>/etc/security/groups.conf</tt> file present. The format +of this file is as follows. Group memberships are given based on the +service application satisfying any combination of lines in the +configuration file. Each line (barring comments which are preceded by +`<tt/#/' marks) has the following +syntax: +<tscreen> +<verb> +services ; ttys ; users ; times ; groups +</verb> +</tscreen> +Here the first four fields share the syntax of the <tt>pam_time</tt> +configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last +field, the <tt/groups/ field, is a comma (or space) separated list of +the text-names of a selection of groups. If the users application for +service satisfies the first four fields, the user is granted membership +of the listed groups. + +<p> +As stated in above this module's usefulness relies on the file-systems +accessible to the user. The point being that once granted the +membership of a group, the user may attempt to create a <em/setgid/ +binary with a restricted group ownership. Later, when the user is not +given membership to this group, they can recover group membership with +the precompiled binary. The reason that the file-systems that the user +has access to are so significant, is the fact that when a system is +mounted <em/nosuid/ the user is unable to create or execute such a +binary file. For this module to provide any level of security, all +file-systems that the user has write access to should be mounted +<em/nosuid/. + +<p> +The <tt>pam_group</tt> module fuctions in parallel with the +<tt>/etc/group</tt> file. If the user is granted any groups based on +the behavior of this module, they are granted <em>in addition</em> to +those entries <tt>/etc/group</tt> (or equivalent). + +</descrip> + +<!-- +End of sgml insert for this module. +--> |