diff options
Diffstat (limited to 'Linux-PAM/modules/pam_succeed_if/README')
| -rw-r--r-- | Linux-PAM/modules/pam_succeed_if/README | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/Linux-PAM/modules/pam_succeed_if/README b/Linux-PAM/modules/pam_succeed_if/README new file mode 100644 index 00000000..4516a9d1 --- /dev/null +++ b/Linux-PAM/modules/pam_succeed_if/README @@ -0,0 +1,124 @@ +pam_succeed_if — test account characteristics + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +pam_succeed_if.so is designed to succeed or fail authentication based on +characteristics of the account belonging to the user being authenticated. One +use is to select whether to load other modules based on this test. + +The module should be given one or more conditions as module arguments, and +authentication will succeed only if all of the conditions are met. + +OPTIONS + +The following flags are supported: + +debug + + Turns on debugging messages sent to syslog. + +use_uid + + Evaluate conditions using the account of the user whose UID the application + is running under instead of the user being authenticated. + +quiet + + Don't log failure or success to the system log. + +quiet_fail + + Don't log failure to the system log. + +quiet_success + + Don't log success to the system log. + +Conditions are three words: a field, a test, and a value to test for. + +Available fields are user, uid, gid, shell, home and service: + +field < number + + Field has a value numerically less than number. + +field <= number + + Field has a value numerically less than or equal to number. + +field eq number + + Field has a value numerically less equal to number. + +field >= number + + Field has a value numerically greater than or equal to number. + +field > number + + Field has a value numerically greater than number. + +field ne number + + Field has a value numerically different from number. + +field = string + + Field exactly matches the given string. + +field != string + + Field does not match the given string. + +field =~ glob + + Field matches the given glob. + +field !~ glob + + Field does not match the given glob. + +field in item:item:... + + Field is contained in the list of items separated by colons. + +field notin item:item:... + + Field is not contained in the list of items separated by colons. + +user ingroup group + + User is in given group. + +user notingroup group + + User is not in given group. + +user innetgr netgroup + + (user,host) is in given netgroup. + +user notinnetgr group + + (user,host) is not in given netgroup. + +EXAMPLES + +To emulate the behaviour of pam_wheel, except there is no fallback to group 0: + +auth required pam_succeed_if.so quiet user ingroup wheel + + +Given that the type matches, only loads the othermodule rule if the UID is over +500. Adjust the number after default to skip several rules. + +type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 +type required othermodule.so arguments... + + +AUTHOR + +Nalin Dahyabhai <nalin@redhat.com> + |