author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-05-06 17:24:58 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-05-06 17:24:58 +0300 |
commit | 0c37dfded3f1208bb1fa4ff06dd30ac5ff522308 (patch) | |
tree | 30095b6536d0f9aa0f28e6a8b3480a2dd0c5343d /doc | |
parent | 43427d51405bbda49f8f86e0a5426940a6fb578a (diff) | |
download | pam-modules-0c37dfded3f1208bb1fa4ff06dd30ac5ff522308.tar.gz pam-modules-0c37dfded3f1208bb1fa4ff06dd30ac5ff522308.tar.bz2 |
New module: pam_groupmember
* Makefile.am: Add pam_groupmember.
* configure.ac: Likewise.
* NEWS: Update.
* pam_groupmember/Makefile.am: New file.
* pam_groupmember/pam_groupmember.c: New file.
* doc/Makefile.am: Add pam_groupmember.8
* doc/pam-modules.texi: Document pam_groupmember
* doc/pam_groupmember.8: New file.
* lib/graypam.h (gray_calloc, gray_strdup): New protos.
* lib/mem.c (gray_calloc, gray_strdup): New functions.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/Makefile.am | 3 | ||||
-rw-r--r-- | doc/pam-modules.texi | 46 | ||||
-rw-r--r-- | doc/pam_groupmember.8 | 125 |
3 files changed, 174 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am index d42be90..e792390 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -39,6 +39,9 @@ endif if PAM_COND_PGSQL dist_man_MANS += pam_pgsql.8 endif +if PAM_COND_GROUPMEMBER + dist_man_MANS += pam_groupmember.8 +endif config.so: $(top_srcdir)/configure.ac $(top_srcdir)/doc/Makefile.am $(AM_V_GEN){\ diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index 28043f4..a0578da 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi @@ -34,6 +34,7 @@ * pam_ldaphome (pam-modules)ldaphome Maintain home directories and SSH keys od LDAP users. * pam_umotd (pam-modules)umotd Display a user-specific MOTD. +* pam_groupmember (pam_modules)groupmember Test group membership. * pamck: (pam-modules)pamck. Verify PAM Access. @end direntry @end ifinfo @@ -85,6 +86,7 @@ Individual modules * sql:: Modules for SQL authentication and session management. * ldaphome:: Maintain home directories and SSH keys of LDAP users. * umotd:: Display a user-specific MOTD. +* groupmember:: Test group membership. * Reporting Bugs:: How to Report a Bug. 
@@ -1453,6 +1455,50 @@ Exit immediately if the 5-minute load average is greater than or equal to @var{d} (a floating-point number). @end table +@node groupmember +@chapter pam_groupmember +@set MODULE pam_umotd +@cindex groupmember +@cindex group membership +@cindex test group membership + +The @command{pam_groupmember} module checks whether the user is member +of one or more groups. Both primary and supplementary groups are +checked. The list of groups to be checked is given with the +@option{groups} option. Its argument is a comma-separated list of +group names of numeric IDs, prefixed with @samp{+} sign. + +The module returns PAM_SUCCESS if the user is member of one of the +supplied groups and PAM_AUTH_ERR on otherwise. The return value can +be inverted using the @option{sense=deny} option. + +Additionally, the module can return PAM_USER_UNKNOWN if the user is +not known and PAM_AUTHINFO_UNAVAIL if unable to retrieve the user +name. + +The @command{pam_groupmember} module can be used in any PAM service stack. + +@menu +* summary of pam_groupmember options:: +@end menu + +@node summary of pam_groupmember options +@section Summary of @command{pam_groupmember} options + +@table @option +@opsummary{groups} +@item groups=@var{group-list} +Defines groups to check against. The argument is a comma-separated +list of group names or IDs. Group IDs must be prefixed with a plus +sign. + +@opsummary{sense} +@item sense=@{allow|deny@} + What to do on success. The value @samp{allow} means to return +@code{PAM_SUCCESS}, @samp{deny} means to return @code{PAM_AUTH_ERR}. +Default is @samp{allow}. +@end table + @node Reporting Bugs @chapter How to Report a Bug diff --git a/doc/pam_groupmember.8 b/doc/pam_groupmember.8 new file mode 100644 index 0000000..243cefb --- /dev/null +++ b/doc/pam_groupmember.8 
@@ -0,0 +1,125 @@ +.\" This file is part of PAM-Modules -*- nroff -*- +.\" Copyright (C) 2001-2014 Sergey Poznyakoff +.\" +.\" PAM-Modules is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 3, or (at your option) +.\" any later version. +.\" +.\" PAM-Modules is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>. +.TH PAM_GROUPMEMBER 8 "May 6, 2014" "PAM-MODULES" "Pam-Modules User Reference" +.SH NAME +pam_groupmember \- test group membership +.SH SYNOPSIS +.nh +.na +\fBpam_groupmember\fR\ + \fBgroups=\fIGROUPLIST\fR\ + [\fBsense=\fISENSE\fR]\ + [\fBdebug\fR[\fB=\fINUMBER\fR]]\ + [\fBwaitdebug\fR]\ + [\fBaudit\fR] +.ad +.hy +.SH DESCRIPTION +Tests if the user is member of at least one group from +\fIGROUPLIST\fR. \fIGROUPLIST\fR is a comma-separated list of +group names or IDs (numbers prefixed with a plus sign). +.SH OPTIONS +.TP +\fBgroups=\fIGROUPLIST\fR +Defines a list of groups to check against. \fIGROUPLIST\fR is a +comma-separated list of group names. A group name prefixed with a +plus sign is treated as GID number. +.TP +\fBsense=allow\fR|\fBdeny\fR +What to do if the user name matches the expression given by the +\fBregex\fR option. The value \fBallow\fR (the default) instructs the +module to return \fBPAM_SUCCESS\fR, the \fBdeny\fR instructs it to +return \fBPAM_AUTH_ERR\fR. +.TP +\fBdebug\fR[\fB=\fINUMBER\fR] +Set debugging level (0 <= \fINUMBER\fR <= 100). +.TP +\fBaudit\fR +Log auditing information. +.TP +\fBwaitdebug=\fIN\fR +Wait for \fIN\fR seconds before starting up. 
This option is intended +to facilitate attaching to the module with +.BR gdb (1). +It is available only if the package was configured with +the \fB\-\-enable\-debug\fR option. +.SH MODULE TYPES PROVIDED +All module types (\fBaccount\fR, \fBauth\fR, \fBpassword\fR and +\fBsession\fR) are provided. +.SH RETURN VALUES +.TP +.B PAM_SUCCESS +Successful return. +.TP +.B PAM_AUTH_ERR +Authentication failed. +.TP +.B PAM_AUTHINFO_UNAVAIL +The input information is not sufficient. +.TP +.B PAM_USER_UNKNOWN +Supplied username not found. +.SH EXAMPLES +auth required pam_groupmember.so groups=users,+80,ftp +.SH NOTE +This manpage is a short description of \fBpam_groupmember\fR. For a detailed +discussion, including examples and usage recommendations, refer to the +\fBPAM-modules Manual\fR available in texinfo format. If the \fBinfo\fR +reader and the tar documentation are properly installed on your +system, the command +.PP +.RS +4 +.B info pam-modules +.RE +.PP +should give you access to the complete manual. +.PP +You can also view the manual using the info mode in +.BR emacs (1), +or find it in various formats online at +.PP +.RS +4 +.B http://www.gnu.org.ua/software/pam-modules/manual +.RE +.PP +If any discrepancies occur between this manpage and the +\fBPAM-modules Manual\fR, the later shall be considered the authoritative +source. +.SH "SEE ALSO" +.BR pam.conf (5), +.BR pam.d (5), +.BR pam (8). +.SH AUTHORS +Sergey Poznyakoff <gray@gnu.org> +.SH "BUG REPORTS" +Report bugs to <bug\-pam\-modules@gnu.org.ua>. +.SH COPYRIGHT +Copyright \(co 2001-2014 Sergey Poznyakoff +.br +.na +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +.br +.ad +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. 
+.\" Local variables: +.\" eval: (add-hook 'write-file-hooks 'time-stamp) +.\" time-stamp-start: ".TH [A-Z_][A-Z0-9_.\\-]* [0-9] \"" +.\" time-stamp-format: "%:B %:d, %:y" +.\" time-stamp-end: "\"" +.\" time-stamp-line-limit: 20 +.\" end: + |
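Review bot: in doc/pam-modules.texi, the added direntry line `* pam_groupmember (pam_modules)groupmember` names the Info file as `pam_modules` with an underscore, while the neighbouring entries all use `(pam-modules)`, so this entry would not resolve to this manual. Suggest `* pam_groupmember (pam-modules)groupmember Test group membership.` to match the lines around it.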
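Review bot: in the new `@node groupmember` chapter of doc/pam-modules.texi, `@set MODULE pam_umotd` looks carried over from the preceding chapter and should read `@set MODULE pam_groupmember`; as it stands, the `@opsummary{groups}` and `@opsummary{sense}` entries that follow are presumably filed under the wrong module. The chapter should also say explicitly what `sense=deny` returns for a user who is in none of the listed groups: the option summary only covers "what to do on success", and since this module gates access, the inverted case needs to be spelled out rather than inferred from "can be inverted". Wording: "group names of numeric IDs" should be "or numeric IDs", and "PAM_AUTH_ERR on otherwise" should drop "on".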
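Review bot: in doc/pam_groupmember.8, the `sense` entry under OPTIONS says "if the user name matches the expression given by the regex option", but the SYNOPSIS of this module lists no `regex` option and the module tests group membership. Suggest rewording along the lines of "What to do if the user is a member of one of the listed groups", and stating the return value for non-members under `sense=deny`. Smaller points in the same file: SYNOPSIS shows `[waitdebug]` with no argument while OPTIONS documents `waitdebug=N`; the NOTE section refers to "the tar documentation"; and "the later shall be considered" should be "the latter".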