pam_roles(5)
NAME
pam_roles - Role Account Management PAM module for Solaris
SYNOPSIS
/usr/lib/security/pam_roles.so.1
DESCRIPTION
The Role Account Management module for PAM,
/usr/lib/security/pam_roles.so.1, provides functionality for
one PAM module: Account management. The pam_roles.so.1 is a
shared object that can be dynamically loaded to provide the
necessary functionality upon demand. Its path is specified
in the PAM configuration file.
Role Account Management Module
The Role account management component provides a function to
check for authorization to assume a role. It prevents direct
logins to a role. It uses the user_attr(4) database to
specify which users can assume which roles.
The following options may be passed to the Role Authentication
service module:
debug     Log syslog(3C) debugging information at LOG_DEBUG
          level.
If PAM_USER (see pam_set_item(3PAM)) is specified as type
normal in the user_attr(4) database, the module returns
PAM_IGNORE.
If PAM_RUSER (see pam_set_item(3PAM)) is not set, the uid of
the process loading the module is used to determine
PAM_RUSER.
The module returns success if the user_attr(4) entry for
PAM_RUSER has an entry in the roles field for PAM_USER;
otherwise it returns PAM_PERM_DENIED.
This module is generally stacked above the account management
module pam_unix.so.1. Because account management runs only
after authentication has succeeded, the error messages
indicating that a role cannot be logged into directly are
issued only if the user has entered the correct password.
Here are some sample entries from pam.conf(4) demonstrating
the use of the pam_roles.so.1 module:
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required  /usr/lib/security/$ISA/pam_unix.so.1
#
su      account requisite /usr/lib/security/$ISA/pam_roles.so.1
su      account required  /usr/lib/security/$ISA/pam_unix.so.1
#
rlogin  account requisite /usr/lib/security/$ISA/pam_roles.so.1
rlogin  account required  /usr/lib/security/$ISA/pam_unix.so.1
#
The dtlogin program invokes pam_roles.so.1. PAM_RUSER is the
username corresponding to the uid of the dtlogin process,
which is 0. The user_attr entry for the root user (uid 0) has
no roles, so all role logins are prevented through dtlogin.
The same rule applies to login.
The su program invokes pam_roles.so.1. PAM_RUSER is the
username corresponding to the uid of the shell that invokes
su. A user needs the appropriate entry in the roles list in
user_attr(4) to be able to su to a role.
In the example above, the rlogin program invokes the
pam_roles.so.1 module. The module checks for PAM_RUSER and
determines whether the role being assumed, PAM_USER, is in
the roles list of the user_attr(4) entry for PAM_RUSER. If it
is in the roles list, the module returns PAM_SUCCESS;
otherwise it returns PAM_PERM_DENIED.
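The decision described above (type normal gives PAM_IGNORE, PAM_USER in PAM_RUSER's roles field gives PAM_SUCCESS, anything else PAM_PERM_DENIED) and the requisite/required stacking used in the sample pam.conf(4) entries, modelled in Python as an added example. This is not the source of the Solaris module; the user_attr(4) entries, the account names and the pam_unix stand-in are constructed, and treating an entry without a type= key as type normal is an assumption, not something the man page states.

```python
"""Added example, not the Solaris pam_roles.so.1 source: a model of the
pam_roles(5) account-management decision and of requisite/required
stacking, evaluated over a constructed user_attr(4) database."""
from enum import Enum


class PamResult(Enum):
    SUCCESS = "PAM_SUCCESS"
    IGNORE = "PAM_IGNORE"
    PERM_DENIED = "PAM_PERM_DENIED"
    USER_UNKNOWN = "PAM_USER_UNKNOWN"


# Constructed user_attr(4) sample. Fields: user:qualifier:res1:res2:attr,
# where attr is a ';'-separated list of key=value pairs.
USER_ATTR = """\
root::::auths=solaris.*,solaris.grant;profiles=All
alice::::type=normal;roles=sysadmin,oper
bob::::type=normal
sysadmin::::type=role;profiles=System Administrator
oper::::type=role;profiles=Operator
"""

# Account stacks in the style of the man page's sample pam.conf(4) entries.
PAM_CONF = """\
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required  /usr/lib/security/$ISA/pam_unix.so.1
#
su      account requisite /usr/lib/security/$ISA/pam_roles.so.1
su      account required  /usr/lib/security/$ISA/pam_unix.so.1
"""


def parse_user_attr(text):
    """Map user name -> {attribute key: value} from user_attr(4) text."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed entry: skip rather than guess
        attrs = {}
        for pair in fields[4].split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                attrs[key] = value
        db[fields[0]] = attrs
    return db


def parse_pam_conf(text, service, module_type="account"):
    """Return [(control_flag, module_basename)] for one service and type."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        if parts[0] == service and parts[1] == module_type:
            stack.append((parts[2], parts[3].rsplit("/", 1)[-1]))
    return stack


def pam_roles_acct_mgmt(db, pam_user, pam_ruser):
    """The rule stated in pam_roles(5). An entry with no type= key is
    treated as type normal (assumption about the Solaris default)."""
    if db.get(pam_user, {}).get("type", "normal") == "normal":
        return PamResult.IGNORE
    roles = [r for r in db.get(pam_ruser, {}).get("roles", "").split(",") if r]
    return PamResult.SUCCESS if pam_user in roles else PamResult.PERM_DENIED


def pam_unix_acct_mgmt(db, pam_user, pam_ruser):
    """Hypothetical stand-in for pam_unix account management: succeeds
    for any account present in the constructed database."""
    return PamResult.SUCCESS if pam_user in db else PamResult.USER_UNKNOWN


MODULES = {"pam_roles.so.1": pam_roles_acct_mgmt,
           "pam_unix.so.1": pam_unix_acct_mgmt}


def run_account_stack(stack, db, pam_user, pam_ruser):
    """requisite failure ends the stack at once; required failure is
    remembered while later modules still run; PAM_IGNORE casts no vote."""
    verdict = None
    for control, module in stack:
        result = MODULES[module](db, pam_user, pam_ruser)
        if result is PamResult.IGNORE:
            continue
        if result is PamResult.SUCCESS:
            if verdict is None:
                verdict = PamResult.SUCCESS
        elif control == "requisite":
            return result
        elif control == "required" and verdict in (None, PamResult.SUCCESS):
            verdict = result
    # Only ignores seen: deny rather than let an empty stack pass
    # (conservative assumption; the framework rule is not on this page).
    return PamResult.PERM_DENIED if verdict is None else verdict


def account_decision(service, pam_user, pam_ruser):
    """Evaluate the named service's account stack for PAM_USER/PAM_RUSER."""
    return run_account_stack(parse_pam_conf(PAM_CONF, service),
                             parse_user_attr(USER_ATTR), pam_user, pam_ruser)


if __name__ == "__main__":
    for svc, target, invoker in [("su", "sysadmin", "alice"),
                                 ("su", "sysadmin", "bob"),
                                 ("su", "bob", "alice"),
                                 ("dtlogin", "sysadmin", "root")]:
        print(f"{svc}: {invoker} -> {target}: "
              f"{account_decision(svc, target, invoker).value}")
```

Running the block shows the four cases the man page walks through: alice may su to the sysadmin role because it is in her roles field; bob is refused by the requisite pam_roles entry before pam_unix ever runs; su to the normal user bob is ignored by pam_roles and decided by pam_unix alone; and a direct dtlogin to a role is refused because the entry for root (uid 0) lists no roles.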
SEE ALSO
keylogin(1), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM),
pam_setcred(3PAM), pam_set_item(3PAM), syslog(3C),
pam.conf(4), user_attr(4), attributes(5),
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle.
The pam_unix(5) module might not be supported in a future
release. Similar functionality is provided by
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), and
pam_unix_session(5).