pam_group
Andrew G. Morgan <morgan@parc.power.net>
Author.
authentication
Sensitive to setgid status of file-systems accessible to users.
Requires an /etc/security/group.conf
file. Can be compiled
with or without libpwdb
.
Only through correctly set PAM_TTY
item.
This module provides group-settings based on the user's name and the terminal they are requesting a given service from. It takes note of the time of day.
This module does not authenticate the user, but instead it grants
group memberships (in the credential setting phase of the
authentication module) to the user. Such memberships are based on the
service they are applying for. The group memberships are listed in
text form in the /etc/security/group.conf
file.
For this module to function correctly there must be a correctly
formatted /etc/security/groups.conf
file present. The format
of this file is as follows. Group memberships are given based on the
service application satisfying any combination of lines in the
configuration file. Each line (barring comments which are preceded by
`#
' marks) has the following
syntax:
services ; ttys ; users ; times ; groups
Here the first four fields share the syntax of the pam_time
configuration file; /etc/security/pam_time.conf
, and the last
field, the groups
field, is a comma (or space) separated list of
the text-names of a selection of groups. If the users application for
service satisfies the first four fields, the user is granted membership
of the listed groups.
As stated in above this module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file-systems that the user has access to are so significant, is the fact that when a system is mounted nosuid the user is unable to create or execute such a binary file. For this module to provide any level of security, all file-systems that the user has write access to should be mounted nosuid.
The pam_group
module fuctions in parallel with the
/etc/group
file. If the user is granted any groups based on
the behavior of this module, they are granted in addition to
those entries /etc/group
(or equivalent).