'\" te .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH PAM_LIST 7 "April 22, 2020" .SH NAME pam_list \- PAM account management module for UNIX .SH SYNOPSIS .nf pam_list.so.1 .fi .SH DESCRIPTION The \fBpam_list\fR module implements \fBpam_sm_acct_mgmt\fR(3PAM), which provides functionality to the PAM account management stack. The module provides functions to validate that the user's account is valid on this host based on a list of users, groups, and/or netgroups in the given file. The users, groups, and netgroups are separated by newline character. Groups are specified with character '%' and netgroups are specified with character '@' as prefix before name of the group/netgroup in the list. The maximum line length is 1023 characters. .sp .LP The username is the value of \fBPAM_USER\fR. The host is the value of \fBPAM_RHOST\fR or, if \fBPAM_RHOST\fR is not set, the value of the localhost as returned by \fBgethostname\fR(3C) is used. .sp .LP If neither of the \fBallow\fR, \fBdeny\fR, or \fBcompat\fR options are specified, the module will look for +/- entries in the local \fB/etc/passwd\fR file. If this style is used, \fBnsswitch.conf\fR(5) must not be configured with \fBcompat\fR for the \fBpasswd\fR database. If no relevant +/- entry exists for the user, \fBpam_list\fR is not participating in result. .sp .LP If \fBcompat\fR option is specified then the module will look for +/- entries in the local \fB/etc/passwd\fR file. Other entries in this file will be counted as + entries. If no relevant entry exits for the user, \fBpam_list\fR will deny the access. .sp .LP The following options can be passed to the module: .sp .ne 2 .na \fB\fBallow=\fR\fR .ad .RS 19n The full pathname to a file of allowed users, groups, and/or netgroups. Only one of \fBallow=\fR or \fBdeny=\fR can be specified. .RE .sp .ne 2 .na \fB\fBcompat\fR\fR .ad .RS 19n Activate \fBcompat\fR mode. .RE .sp .ne 2 .na \fB\fBdeny=\fR\fR .ad .RS 19n The full pathname to a file of denied users, groups, and/or netgroups. Only one of \fBdeny=\fR or \fBallow=\fR can be specified. .RE .sp .ne 2 .na \fB\fBdebug\fR\fR .ad .RS 19n Provide \fBsyslog\fR(3C) debugging information at the \fBLOG_AUTH\fR | \fBLOG_DEBUG\fR level. .RE .sp .ne 2 .na \fB\fBgroup\fR\fR .ad .RS 19n The module should perform group membership matches for the username. .RE .sp .ne 2 .na \fB\fBuser\fR\fR .ad .RS 19n The module should only perform netgroup matches on the username. This is the default option. .RE .sp .ne 2 .na \fB\fBnouser\fR\fR .ad .RS 19n The username should not be used in the netgroup match. .RE .sp .ne 2 .na \fB\fBhost\fR\fR .ad .RS 19n Only the host should be used in netgroup matches. .RE .sp .ne 2 .na \fB\fBnohost\fR\fR .ad .RS 19n The hostname should not be used in netgroup matches. .RE .sp .ne 2 .na \fB\fBuser_host_exact\fR\fR .ad .RS 19n The user and hostname must be in the same netgroup. .RE .SH ERRORS The following error values are returned: .sp .ne 2 .na \fB\fBPAM_SERVICE_ERR\fR\fR .ad .RS 20n An invalid set of module options was given in the \fBpam.conf\fR(5) for this module, or the \fBuser/netgroup\fR file could not be opened. .RE .sp .ne 2 .na \fB\fBPAM_BUF_ERR\fR\fR .ad .RS 20n A memory buffer error occurred. .RE .sp .ne 2 .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 20n The module is ignored, as it is not participating in the result. .RE .sp .ne 2 .na \fB\fBPAM_PERM_DENIED\fR\fR .ad .RS 20n The user is not on the allow list or is on the deny list. .RE .sp .ne 2 .na \fB\fBPAM_SUCCESS\fR\fR .ad .RS 20n The account is valid for use at this time. .RE .sp .ne 2 .na \fB\fBPAM_USER_UNKNOWN\fR\fR .ad .RS 20n No account is present for the user .RE .SH EXAMPLES \fBExample 1 \fRUsing \fBpam_list\fR in default mode .sp .LP \fB/etc/pam.conf\fR modification looks like: .sp .in +2 .nf other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_list.so.1 .fi .in -2 .sp .LP In the case of \fBdefault\fR mode or \fBcompat\fR mode, the important lines in \fB/etc/passwd\fR appear as follows: .sp .in +2 .nf +loginname - user is approved -loginname - user is disapproved +@netgroup - netgroup members are approved -@netgroup - netgroup members are disapproved .fi .in -2 .LP \fBExample 2 \fRUsing \fBpam_list\fR with allow file .sp .LP \fB/etc/pam.conf\fR modification looks like: .sp .in +2 .nf other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_list.so.1 allow=/etc/users.allow .fi .in -2 .sp .LP \fB/etc/users.allow\fR contains: .sp .in +2 .nf root localloginname remoteloginname @netgroup .fi .in -2 .LP \fBExample 3 \fRUsing \fBpam_list\fR with allow file to allow members of the 'admins' group access. .sp .LP \fB/etc/pam.conf\fR modification looks like: .sp .in +2 .nf other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_list.so.1 group allow=/etc/users.allow .fi .in -2 .sp .LP \fB/etc/users.allow\fR contains: .sp .in +2 .nf root %admins .fi .in -2 .SH ATTRIBUTES See \fBattributes\fR(7) for descriptions of the following attributes: .sp .sp .TS box; c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE _ Interface Stability Committed _ MT-Level MT-Safe with exceptions .TE .sp .LP The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the multithreaded application uses its own PAM handle. .SH SEE ALSO .BR syslog (3C), .BR libpam (3LIB), .BR pam (3PAM), .BR pam_authenticate (3PAM), .BR pam_sm_acct_mgmt (3PAM), .BR nsswitch.conf (5), .BR pam.conf (5), .BR attributes (7)