From 393585017d45cf174384530f57cb8bc5cec1b457 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 9 Jun 2006 16:44:06 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2006-06-09 Thorsten Kukuk * modules/pam_wheel/Makefile.am: Include Make.xml.rules. * modules/pam_wheel/pam_wheel.8.xml: New. * modules/pam_wheel/pam_wheel.8: New, generated from xml file. * modules/pam_wheel/README.xml: New. * modules/pam_wheel/README: Regenerated from xml file. * modules/pam_xauth/Makefile.am: Include Make.xml.rules. * modules/pam_xauth/pam_xauth.8.xml: New. * modules/pam_xauth/pam_xauth.8: Regenerated from xml file. * modules/pam_xauth/README.xml: New. * modules/pam_xauth/README: Regenerated from xml file. * modules/pam_deny/pam_deny.8.xml: Fix syntax errors. * modules/pam_deny/pam_deny.8: Regenerate from xml file. * modules/pam_deny/README: Likewise. * modules/pam_warn/Makefile.am: Include Make.xml.rules. * modules/pam_warn/pam_warn.8.xml: New. * modules/pam_warn/pam_warn.8: New, generated from xml file. * modules/pam_warn/README.xml: New. * modules/pam_warn/README: Regenerated from xml file. * modules/pam_userdb/Makefile.am: Include Make.xml.rules. * modules/pam_userdb/pam_userdb.8.xml: New. * modules/pam_userdb/pam_userdb.8: New, generated from xml file. * modules/pam_userdb/README.xml: New. * modules/pam_userdb/README: Regenerated from xml file. --- modules/pam_wheel/Makefile.am | 12 +- modules/pam_wheel/README | 96 +++++++++------ modules/pam_wheel/README.xml | 41 +++++++ modules/pam_wheel/pam_wheel.8 | 101 ++++++++++++++++ modules/pam_wheel/pam_wheel.8.xml | 242 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 454 insertions(+), 38 deletions(-) create mode 100644 modules/pam_wheel/README.xml create mode 100644 modules/pam_wheel/pam_wheel.8 create mode 100644 modules/pam_wheel/pam_wheel.8.xml (limited to 'modules/pam_wheel') diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am index 3405adb3..82a98305 100644 --- a/modules/pam_wheel/Makefile.am +++ b/modules/pam_wheel/Makefile.am @@ -4,7 +4,10 @@ CLEANFILES = *~ -EXTRA_DIST = README tst-pam_wheel +EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel + +man_MANS = pam_wheel.8 +XMLS = README.xml pam_wheel.8.xml TESTS = tst-pam_wheel @@ -19,3 +22,10 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_wheel.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_wheel.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index 2cd156c0..db118205 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -1,39 +1,61 @@ +pam_wheel — Only permit root access to members of group wheel -pam_wheel: - only permit root authentication to members of wheel group - -RECOGNIZED ARGUMENTS: - debug Write a message to syslog indicating success or - failure. - - use_uid The check for wheel membership will be done against - the current uid instead of the original one - (useful when jumping with su from one account to - another for example). - - trust The pam_wheel module will return PAM_SUCCESS instead - of PAM_IGNORE if the user is a member of the wheel - group (thus with a little play stacking the modules - the wheel members may be able to su to root without - being prompted for a passwd). - - deny Reverse the sense of the auth operation: if the user - is trying to get UID 0 access and is a member of the - wheel group, deny access (well, kind of nonsense, but - for use in conjunction with 'group' argument... :-) - Conversely, if the user is not in the group, return - PAM_IGNORE (unless 'trust' was also specified, in - which case we return PAM_SUCCESS). - - group=xxxx Instead of checking the wheel or GID 0 groups, use - the xxxx group to perform the authentification. - - root_only The check for wheel membership is done only - if the uid of requested account is 0. - -MODULE SERVICES PROVIDED: - auth _authentication, _setcred (blank) and _acct_mgmt - -AUTHOR: - Cristian Gafton +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_wheel PAM module is used to enforce the so-called wheel group. By +default it permits root access to the system if the applicant user is a member +of the wheel group. If no group with this name exist, the module is using the +group with the group-ID 0. + +OPTIONS + +debug + + Print debug information. + +deny + + Reverse the sense of the auth operation: if the user is trying to get UID 0 + access and is a member of the wheel group (or the group of the group + option), deny access. Conversely, if the user is not in the group, return + PAM_IGNORE (unless trust was also specified, in which case we return + PAM_SUCCESS). + +group=name + + Instead of checking the wheel or GID 0 groups, use the name group to + perform the authentification. + +root_only + + The check for wheel membership is done only. + +trust + + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the + user is a member of the wheel group (thus with a little play stacking the + modules the wheel members may be able to su to root without being prompted + for a passwd). + +use_uid + + The check for wheel membership will be done against the current uid instead + of the original one (useful when jumping with su from one account to + another for example). + +EXAMPLES + +The root account gains access by default (rootok), only wheel members can +become root (wheel) but Unix authenticate non-root applicants. + +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + + +AUTHOR + +pam_wheel was written by Cristian Gafton . diff --git a/modules/pam_wheel/README.xml b/modules/pam_wheel/README.xml new file mode 100644 index 00000000..9e33d7ff --- /dev/null +++ b/modules/pam_wheel/README.xml @@ -0,0 +1,41 @@ + + +--> +]> + +
+ + + + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_wheel.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_wheel-name"]/*)'/> + + + + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8 new file mode 100644 index 00000000..aaecc1a5 --- /dev/null +++ b/modules/pam_wheel/pam_wheel.8 @@ -0,0 +1,101 @@ +.\" Title: pam_wheel +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: 06/09/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_wheel \- Only permit root access to members of group wheel +.SH "SYNOPSIS" +.HP 13 +\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +.SH "DESCRIPTION" +.PP +The pam_wheel PAM module is used to enforce the so\-called +\fIwheel\fR +group. By default it permits root access to the system if the applicant user is a member of the +\fIwheel\fR +group. If no group with this name exist, the module is using the group with the group\-ID +\fB0\fR. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBdeny\fR +Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the +\fBgroup\fR +option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless +\fBtrust\fR +was also specified, in which case we return PAM_SUCCESS). +.TP 3n +\fBgroup=\fR\fB\fIname\fR\fR +Instead of checking the wheel or GID 0 groups, use the +\fB\fIname\fR\fR +group to perform the authentification. +.TP 3n +\fBroot_only\fR +The check for wheel membership is done only. +.TP 3n +\fBtrust\fR +The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). +.TP 3n +\fBuse_uid\fR +The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example). +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +services are supported. +.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +Authentication failure. +.TP 3n +PAM_BUF_ERR +Memory buffer error. +.TP 3n +PAM_IGNORE +The return value should be ignored by PAM dispatch. +.TP 3n +PAM_PERM_DENY +Permission denied. +.TP 3n +PAM_SERVICE_ERR +Cannot determine the user name. +.TP 3n +PAM_SUCCESS +Success. +.TP 3n +PAM_USER_UNKNOWN +User not known. +.SH "EXAMPLES" +.PP +The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants. +.sp +.RS 3n +.nf +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_wheel was written by Cristian Gafton . diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml new file mode 100644 index 00000000..f3d2fb42 --- /dev/null +++ b/modules/pam_wheel/pam_wheel.8.xml @@ -0,0 +1,242 @@ + + + + + + + pam_wheel + 8 + Linux-PAM Manual + + + + pam_wheel + Only permit root access to members of group wheel + + + + + pam_wheel.so + + debug + + + deny + + + group=name + + + root_only + + + trust + + + use_uid + + + + + + DESCRIPTION + + The pam_wheel PAM module is used to enforce the so-called + wheel group. By default it permits root + access to the system if the applicant user is a member of the + wheel group. If no group with this name exist, + the module is using the group with the group-ID + 0. + + + + + OPTIONS + + + + + + + + Print debug information. + + + + + + + + + + Reverse the sense of the auth operation: if the user + is trying to get UID 0 access and is a member of the + wheel group (or the group of the option), + deny access. Conversely, if the user is not in the group, return + PAM_IGNORE (unless was also specified, + in which case we return PAM_SUCCESS). + + + + + + + + + + Instead of checking the wheel or GID 0 groups, use + the group + to perform the authentification. + + + + + + + + + + The check for wheel membership is done only. + + + + + + + + + + The pam_wheel module will return PAM_SUCCESS instead + of PAM_IGNORE if the user is a member of the wheel group + (thus with a little play stacking the modules the wheel + members may be able to su to root without being prompted + for a passwd). + + + + + + + + + + The check for wheel membership will be done against + the current uid instead of the original one (useful when + jumping with su from one account to another for example). + + + + + + + + MODULE SERVICES PROVIDED + + The auth and + account services are supported. + + + + + RETURN VALUES + + + PAM_AUTH_ERR + + + Authentication failure. + + + + + PAM_BUF_ERR + + + Memory buffer error. + + + + + PAM_IGNORE + + + The return value should be ignored by PAM dispatch. + + + + + PAM_PERM_DENY + + + Permission denied. + + + + + PAM_SERVICE_ERR + + + Cannot determine the user name. + + + + + + PAM_SUCCESS + + + Success. + + + + + + PAM_USER_UNKNOWN + + + User not known. + + + + + + + + + EXAMPLES + + The root account gains access by default (rootok), only wheel + members can become root (wheel) but Unix authenticate non-root + applicants. + +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + + + + + + SEE ALSO + + + pam.conf5 + , + + pam.d8 + , + + pam8 + + + + + + AUTHOR + + pam_wheel was written by Cristian Gafton <gafton@redhat.com>. + + + + -- cgit v1.2.3