unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



Standards, Environments, and Macros                  pam_roles(5)



NAME
     pam_roles - Role Account Management PAM module for Solaris

SYNOPSIS
     /usr/lib/security/pam_roles.so.1

DESCRIPTION
     The   Role    Account    Management    module    for    PAM,
     /usr/lib/security/pam_roles.so.1, provides functionality for
     one PAM module: Account management. The pam_roles.so.1 is  a
     shared  object that can be dynamically loaded to provide the
     necessary functionality upon demand. Its path  is  specified
     in the PAM configuration file.

  Role Account Management Module
     The Role account management component provides a function to
     check for authorization to assume a role. It prevents direct
     logins to a role.  It  uses  the  user_attr(4)  database  to
     specify which users can assume which roles.

     The following options may be passed to the Role  Authentica-
     tion service module:

          debug syslog(3C)  debugging  information  at  LOG_DEBUG
                level.


     If PAM_USER (see pam_set_item(3PAM)) is  specified  as  type
     normal  in  the  user_attr(4)  database,  the module returns
     PAM_IGNORE.

     If PAM_RUSER (see pam_set_item(3PAM)) is not set, the uid of
     the   process  loading  the  module  is  used  to  determine
     PAM_RUSER.

     The module returns success if  the  user_attr(4)  entry  for
     PAM_RUSER has an entry in the roles field for PAM_USER; oth-
     erwise it returns PAM_PERM_DENIED.

     This module is generally stacked above the  account  manage-
     ment  module  pam_unix.so.1.  The  error messages indicating
     that roles cannot be logged into correctly are  only  issued
     if the user has entered the correct password.

     Here are some sample entries from pam.conf(4)  demonstrating
     the use of the pam_roles.so.1 module:

     dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
     dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
     #
     su account requisite /usr/lib/security/$ISA/pam_roles.so.1
     su account requisite /usr/lib/security/$ISA/pam_roles.so.1



SunOS 5.9           Last change: 11 Dec 2001                    1






Standards, Environments, and Macros                  pam_roles(5)



     #
     rlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
     rlogin account required /usr/lib/security/$ISA/pam_unix.so.1
     #

     The dtlogin program invokes pam_roles.so.1. PAM_RUSER is the
     username  corresponding  to  the uid of the dtlogin process,
     which is 0. The user_attr entry for root  user  (uid  0)  is
     empty, so all role logins are prevented through dtlogin. The
     same rule applies to login.

     The su program  invokes  pam_roles.so.1.  PAM_RUSER  is  the
     username  of the userid of the shell that invokes su. A user
     needs  the  appropriate  entry  in   the   roles   list   in
     user_attr(4) to be able to su to another user.

     In  the  example  above,  the  rlogin  program  invokes  the
     pam_roles.so.1  module.  The module checks for PAM_RUSER and
     determines whether the role being assumed, PAM_RUSER, is  in
     the roles list of the userattr entry for PAM_RUSER. If it is
     in the roles list, the module returns PAM_SUCCESS; otherwise
     it returns PAM_PERM_DENIED.

SEE ALSO
     keylogin(1), libpam(3LIB),  pam(3PAM),  pam_acct_mgmt(3PAM),
     pam_setcred(3PAM),      pam_set_item(3PAM),      syslog(3C),
     pam.conf(4),          user_attr(4),           attributes(5),
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix(5),      pam_unix_account(5),     pam_unix_auth(5),
     pam_unix_session(5)

NOTES
     The interfaces in libpam(3LIB)  are  MT-Safe  only  if  each
     thread  within  the  multi-threaded application uses its own
     PAM handle.

     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and
     pam_unix_session(5).












SunOS 5.9           Last change: 11 Dec 2001                    2