Previous Next Contents

6.6 The group access module

Synopsis

Module Name:

pam_group

Author:

Andrew G. Morgan <morgan@parc.power.net>

Maintainer:

Author.

Management groups provided:

authentication

Cryptographically sensitive:

Security rating:

Sensitive to setgid status of file-systems accessible to users.

Clean code base:

System dependencies:

Requires an /etc/security/group.conf file. Can be compiled with or without libpwdb.

Network aware:

Only through correctly set PAM_TTY item.

Overview of module

This module provides group-settings based on the user's name and the terminal they are requesting a given service from. It takes note of the time of day.

Authentication component

Recognized arguments:

Description:

This module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. The group memberships are listed in text form in the /etc/security/group.conf file.

Examples/suggested usage:

For this module to function correctly there must be a correctly formatted /etc/security/groups.conf file present. The format of this file is as follows. Group memberships are given based on the service application satisfying any combination of lines in the configuration file. Each line (barring comments which are preceded by `#' marks) has the following syntax:

services   ;   ttys   ;   users   ;   times   ;   groups
Here the first four fields share the syntax of the pam_time configuration file; /etc/security/pam_time.conf, and the last field, the groups field, is a comma (or space) separated list of the text-names of a selection of groups. If the users application for service satisfies the first four fields, the user is granted membership of the listed groups.

As stated in above this module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file-systems that the user has access to are so significant, is the fact that when a system is mounted nosuid the user is unable to create or execute such a binary file. For this module to provide any level of security, all file-systems that the user has write access to should be mounted nosuid.

The pam_group module fuctions in parallel with the /etc/group file. If the user is granted any groups based on the behavior of this module, they are granted in addition to those entries /etc/group (or equivalent).


Previous Next Contents