xref: /illumos-gate/usr/src/man/man7/pam_unix_cred.7 (revision 1e56f352c1c208679012bca47d552e127f5b1072)
te
Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
PAM_UNIX_CRED 7 "August 19, 2023"
NAME
pam_unix_cred - PAM user credential module for UNIX
SYNOPSIS
pam_unix_cred.so.1
DESCRIPTION
The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides functions that establish user credential information. It is a module separate from the pam_unix_auth(7) module to allow replacement of the authentication functionality independently from the credential functionality.

The pam_unix_cred module must always be stacked along with whatever authentication module is used to ensure correct credential setting.

Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred().

pam_sm_authenticate() in this module always returns PAM_IGNORE.

pam_sm_setcred() initializes the user's project, privilege sets and initializes or updates the user's audit context if it hasn't already been initialized. The following flags may be set in the flags field: PAM_ESTABLISH_CRED

PAM_REFRESH_CRED

PAM_REINITIALIZE_CRED

Initializes the user's project to the project specified in PAM_RESOURCE, or if PAM_RESOURCE is not specified, to the user's default project. Establishes the user's privilege sets. If the audit context is not already initialized and auditing is configured, these flags cause the context to be initialized to that of the user specified in PAM_AUSER (if any) merged with the user specified in PAM_USER and host specified in PAM_RHOST. If PAM_RHOST is not specified, PAM_TTY specifies the local terminal name. Attributing audit to PAM_AUSER and merging PAM_USER is required for correctly attributing auditing when the system entry is performed by another user that can be identified as trustworthy. If the audit context is already initialized, the PAM_REINITIALIZE_CRED flag merges the current audit context with that of the user specified in PAM_USER. PAM_REINITIALIZE_CRED is useful when a user is assuming a new identity, as with su(8).

PAM_DELETE_CRED

This flag has no effect and always returns PAM_SUCCESS.

The following options are interpreted: debug

Provides syslog(3C) debugging information at the LOG_DEBUG level.

nowarn

Disables any warning messages.

ERRORS
Upon successful completion of pam_sm_setcred(), PAM_SUCCESS is returned. The following error codes are returned upon error: PAM_CRED_UNAVAIL

Underlying authentication service cannot retrieve user credentials

PAM_CRED_EXPIRED

User credentials have expired

PAM_USER_UNKNOWN

User is unknown to the authentication service

PAM_CRED_ERR

Failure in setting user credentials

PAM_BUF_ERR

Memory buffer error

PAM_SYSTEM_ERR

System error

The following values are returned from pam_sm_authenticate(): PAM_IGNORE

Ignores this module regardless of the control flag

ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Evolving
MT Level MT-Safe with exceptions
SEE ALSO
syslog (3C), libpam (3LIB), pam (3PAM), pam_sm_authenticate (3PAM), pam_sm_setcred (3PAM), pam.conf (5), project (5), attributes (7), pam_unix_auth (7), pam_unix_session (7), su (8)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

If this module is replaced, the audit context and credential may not be correctly configured.