.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PAM_LIST 5 "Mar 26, 2009"
pam_list \- PAM account management module for UNIX
The \fBpam_list\fR module implements \fBpam_sm_acct_mgmt\fR(3PAM), which
provides functionality to the PAM account management stack. The module
provides functions to validate that the user's account is valid on this
host based on a list of users and/or netgroups in the given file. The users and
netgroups are separated by a newline character. A netgroup is specified by
prefixing its name with the '@' character in the list. The maximum line
length is 1023 characters.

The username is the value of \fBPAM_USER\fR. The host is the value of
\fBPAM_RHOST\fR or, if \fBPAM_RHOST\fR is not set, the name of the local host
as returned by \fBgethostname\fR(3C).

If none of the \fBallow\fR, \fBdeny\fR, or \fBcompat\fR options is
specified, the module will look for +/- entries in the local \fB/etc/passwd\fR
file. If this style is used, \fBnsswitch.conf\fR(4) must not be configured
with \fBcompat\fR for the \fBpasswd\fR database. If no relevant +/- entry
exists for the user, \fBpam_list\fR does not participate in the result.

If the \fBcompat\fR option is specified, the module will look for +/- entries
in the local \fB/etc/passwd\fR file. Other entries in this file will be counted
as + entries. If no relevant entry exists for the user, \fBpam_list\fR will deny
The following options can be passed to the module:

The full pathname to a file of allowed users and/or netgroups. Only one of
\fBallow=\fR or \fBdeny=\fR can be specified.

Activate \fBcompat\fR mode.

The full pathname to a file of denied users and/or netgroups. Only one of
\fBdeny=\fR or \fBallow=\fR can be specified.

Provide \fBsyslog\fR(3C) debugging information at the \fBLOG_AUTH\fR |
\fBLOG_DEBUG\fR level.

The module should only perform netgroup matches on the username. This is the

The username should not be used in the netgroup match.

Only the host should be used in netgroup matches.

The hostname should not be used in netgroup matches.

\fB\fBuser_host_exact\fR\fR
The user and hostname must be in the same netgroup.
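
The option rules above (only one of allow= or deny=, each a full pathname) and the list-file format from the description (one user or @netgroup per line, at most 1023 characters) can be checked before a change to pam.conf goes live. The following Python lint is an added example, not part of pam_list or this manual page; the function names, the sample lines and the handling of blank lines and surrounding whitespace are assumptions of the example.

```python
MAX_LINE = 1023  # maximum list-file line length given in the description

def lint_options(pam_conf_line):
    """Return findings for the pam_list options on one pam.conf line."""
    fields = pam_conf_line.split()
    # pam.conf fields: service, module type, control flag, module path, options
    if len(fields) < 4 or not fields[3].rsplit("/", 1)[-1].startswith("pam_list.so"):
        return []
    opts = dict(arg.partition("=")[::2] for arg in fields[4:])
    findings = []
    if "allow" in opts and "deny" in opts:
        findings.append("allow= and deny= are mutually exclusive")
    for name in ("allow", "deny"):
        if name in opts and not opts[name].startswith("/"):
            findings.append(f"{name}= needs a full pathname, got {opts[name]!r}")
    return findings

def lint_list_file(text):
    """Return (users, netgroups, findings) for the text of an allow/deny file."""
    users, netgroups, findings = [], [], []
    for lineno, line in enumerate(text.split("\n"), 1):
        if len(line) > MAX_LINE:
            findings.append(f"line {lineno}: longer than {MAX_LINE} characters")
            continue
        entry = line.strip()  # assumption: surrounding blanks are not significant
        if not entry:
            continue
        if len(entry.split()) > 1:
            findings.append(f"line {lineno}: more than one entry on a line")
        elif entry == "@":
            findings.append(f"line {lineno}: '@' without a netgroup name")
        elif entry.startswith("@"):
            netgroups.append(entry[1:])
        else:
            users.append(entry)
    return users, netgroups, findings

# Constructed sample input (not taken from a real system).
SAMPLE_CONF = [
    "other account required pam_list.so.1 allow=/etc/users.allow",
    "other account required pam_list.so.1 allow=lists/ssh.allow",
    "other account required pam_list.so.1 allow=/etc/a deny=/etc/b",
]
SAMPLE_LIST = "alice\n@admins\n\nbob carol\n@\n" + "x" * 1024 + "\n"

if __name__ == "__main__":
    for line in SAMPLE_CONF:
        print(line, "->", lint_options(line) or "ok")
    print(lint_list_file(SAMPLE_LIST))
```
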
The following error values are returned:

\fB\fBPAM_SERVICE_ERR\fR\fR
An invalid set of module options was given in the \fBpam.conf\fR(4) for this
module, or the \fBuser/netgroup\fR file could not be opened.

\fB\fBPAM_BUF_ERR\fR\fR
A memory buffer error occurred.

\fB\fBPAM_IGNORE\fR\fR
The module is ignored, as it is not participating in the result.

\fB\fBPAM_PERM_DENIED\fR\fR
The user is not on the allow list or is on the deny list.

\fB\fBPAM_SUCCESS\fR\fR
The account is valid for use at this time.

\fB\fBPAM_USER_UNKNOWN\fR\fR
No account is present for the user.
\fBExample 1 \fRUsing \fBpam_list\fR in default mode

\fB/etc/pam.conf\fR modification looks like:

.nf
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_list.so.1
.fi

In the case of \fBdefault\fR mode or \fBcompat\fR mode, the important lines in
\fB/etc/passwd\fR appear as follows:

.nf
+loginname - user is approved
-loginname - user is disapproved
+@netgroup - netgroup members are approved
-@netgroup - netgroup members are disapproved
.fi
\fBExample 2 \fRUsing \fBpam_list\fR with allow file

\fB/etc/pam.conf\fR modification looks like:

.nf
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_list.so.1 allow=/etc/users.allow
.fi

\fB/etc/users.allow\fR contains:
See \fBattributes\fR(5) for descriptions of the following attributes:

.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Committed
_
MT-Level	MT-Safe with exceptions
.TE

The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the
multithreaded application uses its own PAM handle.

\fBpam\fR(3PAM), \fBpam_authenticate\fR(3PAM), \fBpam_sm_acct_mgmt\fR(3PAM),
\fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBnsswitch.conf\fR(4),
\fBpam.conf\fR(4), \fBattributes\fR(5)