Diffstat (limited to 'modules/pam_rootok')
-rw-r--r-- | modules/pam_rootok/Makefile.am | 11 | ||||
-rw-r--r-- | modules/pam_rootok/README | 39 | ||||
-rw-r--r-- | modules/pam_rootok/README.xml | 41 | ||||
-rw-r--r-- | modules/pam_rootok/pam_rootok.8 | 77 | ||||
-rw-r--r-- | modules/pam_rootok/pam_rootok.8.xml | 130 |
5 files changed, 285 insertions, 13 deletions
diff --git a/modules/pam_rootok/Makefile.am b/modules/pam_rootok/Makefile.am index f8e2d9c7..7a97f20f 100644 --- a/modules/pam_rootok/Makefile.am +++ b/modules/pam_rootok/Makefile.am @@ -4,7 +4,10 @@ CLEANFILES = *~ -EXTRA_DIST = README tst-pam_rootok +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rootok + +man_MANS = pam_rootok.8 +XMLS = README.xml pam_rootok.8.xml TESTS = tst-pam_rootok @@ -22,3 +25,9 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_rootok.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_rootok.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_rootok/README b/modules/pam_rootok/README index cccb5ce1..55a44756 100644 --- a/modules/pam_rootok/README +++ b/modules/pam_rootok/README 
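Review bot: The `-include $(top_srcdir)/Make.xml.rules` line in the second Makefile.am hunk tolerates a missing rules file, and `README: pam_rootok.8.xml` has no recipe of its own. If that file is absent while ENABLE_REGENERATE_MAN is set, make has nothing to run, so the shipped README and pam_rootok.8 can fall behind their XML sources without any error. If the leading dash is only there to keep automake from processing the include itself (an assumption, since the rules file is not shown), a comment above it would make that clear, for example `# recipes live in Make.xml.rules; the '-' keeps automake from expanding the include`. The rule also names only pam_rootok.8.xml as a prerequisite, so unless the included rules add README.xml, an edit to README.xml alone would not trigger a rebuild.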
@@ -1,18 +1,33 @@
-# $Id$
-#
+pam_rootok — Gain only root access
-this module is an authentication module that performs one task: if the
-id of the user is '0' then it returns 'PAM_SUCCESS' with the
-'sufficient' /etc/pam.conf control flag it can be used to allow
-password free access to some service for 'root'
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-Recognized arguments:
+DESCRIPTION
- debug write a message to syslog indicating success or
- failure.
+pam_rootok is a PAM module that authenticates the user if their UID is 0.
+Applications that are created setuid-root generally retain the UID of the user
+but run with the authority of an enhanced effective-UID. It is the real UID
+that is checked.
-module services provided:
+OPTIONS
- auth _authentication and _setcred (blank)
+debug
+
+ Print debug information.
+
+EXAMPLES
+
+In the case of the su(1) application the historical usage is to permit the
+superuser to adopt the identity of a lesser user without the use of a password.
+To obtain this behavior with PAM the following pair of lines are needed for the
+corresponding entry in the /etc/pam.d/su configuration file:
+
+# su authentication. Root is granted access by default.
+auth sufficient pam_rootok.so
+auth required pam_unix.so
+
+
+AUTHOR
+
+pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
-Andrew Morgan
diff --git a/modules/pam_rootok/README.xml b/modules/pam_rootok/README.xml
new file mode 100644
index 00000000..6fb58cd0
--- /dev/null
+++ b/modules/pam_rootok/README.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_rootok.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rootok.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rootok-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-author"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8
new file mode 100644
index 00000000..b1436f79
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.8
@@ -0,0 +1,77 @@
+.\" Title: pam_rootok
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Date: 06/04/2006
+.\" Manual: Linux\-PAM Manual
+.\" Source: Linux\-PAM Manual
+.\"
+.TH "PAM_ROOTOK" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_rootok \- Gain only root access
+.SH "SYNOPSIS"
+.HP 14
+\fBpam_rootok.so\fR [debug]
+.SH "DESCRIPTION"
+.PP
+pam_rootok is a PAM module that authenticates the user if their
+\fIUID\fR
+is
+\fI0\fR. Applications that are created setuid\-root generally retain the
+\fIUID\fR
+of the user but run with the authority of an enhanced effective\-UID. It is the real
+\fIUID\fR
+that is checked.
+.SH "OPTIONS"
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBauth\fR
+service is supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_SUCCESS
+The
+\fIUID\fR
+is
+\fI0\fR.
+.TP 3n
+PAM_AUTH_ERR
+The
+\fIUID\fR
+is
+\fBnot\fR
+\fI0\fR.
+.SH "EXAMPLES"
+.PP
+In the case of the
+\fBsu\fR(1)
+application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the
+\fI/etc/pam.d/su\fR
+configuration file:
+.sp
+.RS 3n
+.nf
+# su authentication. Root is granted access by default.
+auth sufficient pam_rootok.so
+auth required pam_unix.so
+
+.fi
+.RE
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBsu\fR(1),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
diff --git a/modules/pam_rootok/pam_rootok.8.xml b/modules/pam_rootok/pam_rootok.8.xml
new file mode 100644
index 00000000..ec8dee43
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.8.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_rootok">
+
+ <refmeta>
+ <refentrytitle>pam_rootok</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_rootok-name">
+ <refname>pam_rootok</refname>
+ <refpurpose>Gain only root access</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_rootok-cmdsynopsis">
+ <command>pam_rootok.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_rootok-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ pam_rootok is a PAM module that authenticates the user if their
+ <emphasis>UID</emphasis> is <emphasis>0</emphasis>.
+ Applications that are created setuid-root generally retain the
+ <emphasis>UID</emphasis> of the user but run with the authority
+ of an enhanced effective-UID. It is the real <emphasis>UID</emphasis>
+ that is checked.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_rootok-options">
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Print debug information.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_rootok-services">
+ <title>MODULE SERVICES PROVIDED</title>
+ <para>
+ Only the <option>auth</option> service is supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_rootok-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ The <emphasis>UID</emphasis> is <emphasis>0</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ The <emphasis>UID</emphasis> is <emphasis remap='B'>not</emphasis>
+ <emphasis>0</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_rootok-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ In the case of the <citerefentry>
+ <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry> application the historical usage is to
+ permit the superuser to adopt the identity of a lesser user
+ without the use of a password. To obtain this behavior with PAM
+ the following pair of lines are needed for the corresponding entry
+ in the <filename>/etc/pam.d/su</filename> configuration file:
+ <programlisting>
+# su authentication. Root is granted access by default.
+auth sufficient pam_rootok.so
+auth required pam_unix.so
+ </programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_rootok-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_rootok-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
+ </para>
+ </refsect1>
+
+</refentry> |