PAM_GROUP
Section: Linux-PAM Manual (8)Updated: 06/16/2009
Index Return to Main Contents
pam_group - PAM module for group access
Synopsis
- pam_group.so
DESCRIPTION
By default rules for group memberships are taken from config file FC/etc/security/group.confF[].
This module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file-systems that the user has access to are so significant, is the fact that when a system is mounted nosuid the user is unable to create or execute such a binary file. For this module to provide any level of security, all file-systems that the user has write access to should be mounted nosuid.
The pam_group module functions in parallel with the FC/etc/groupF[] file. If the user is granted any groups based on the behavior of this module, they are granted in addition to those entries FC/etc/groupF[] (or equivalent).
OPTIONS
This module does not recognise any options.
MODULE TYPES PROVIDED
Only the auth module type is provided.
RETURN VALUES
PAM_SUCCESS
- group membership was granted.
PAM_ABORT
- Not all relevant data could be gotten.
PAM_BUF_ERR
- Memory buffer error.
PAM_CRED_ERR
- Group membership was not granted.
PAM_IGNORE
-
pam_sm_authenticate was called which does nothing.
PAM_USER_UNKNOWN
- The user is not known to the system.
FILES
FC/etc/security/group.confF[]
- Default configuration file
SEE ALSO
group.conf(5), pam.d(5), pam(8).
AUTHORS
pam_group was written by Andrew G. Morgan <morgan@kernel.org>.
Index
This document was created by man2html, using the manual pages.
Time: 05:34:28 GMT, December 24, 2015