296 lines
6.3 KiB
HTML
296 lines
6.3 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of PAM_LISTFILE</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>PAM_LISTFILE</H1>
|
|
Section: Linux-PAM Manual (8)<BR>Updated: 05/18/2017<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
pam_listfile - deny or allow services based on an arbitrary file
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="1">
|
|
<B>pam_listfile.so</B> item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=<I>/path/filename</I> onerr=[succeed|fail] [apply=[<I>user</I>|<I>@group</I>]] [quiet]
|
|
</DL>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<P>
|
|
|
|
<DD>pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file.
|
|
<P>
|
|
|
|
The module gets the
|
|
<B>item</B>
|
|
of the type specified --
|
|
<I>user</I>
|
|
specifies the username,
|
|
<I>PAM_USER</I>; tty specifies the name of the terminal over which the request has been made,
|
|
<I>PAM_TTY</I>; rhost specifies the name of the remote host (if any) from which the request was made,
|
|
<I>PAM_RHOST</I>; and ruser specifies the name of the remote user (if available) who made the request,
|
|
<I>PAM_RUSER</I>
|
|
-- and looks for an instance of that item in the
|
|
<B>file=</B><B></B><I>filename</I>.
|
|
filename
|
|
contains one line per item listed. If the item is found, then if
|
|
<B>sense=</B><B></B><I>allow</I>,
|
|
<I>PAM_SUCCESS</I>
|
|
is returned, causing the authorization request to succeed; else if
|
|
<B>sense=</B><B></B><I>deny</I>,
|
|
<I>PAM_AUTH_ERR</I>
|
|
is returned, causing the authorization request to fail.
|
|
<P>
|
|
|
|
If an error is encountered (for instance, if
|
|
filename
|
|
does not exist, or a poorly-constructed argument is encountered), then if
|
|
<I>onerr=succeed</I>,
|
|
<I>PAM_SUCCESS</I>
|
|
is returned, otherwise if
|
|
<I>onerr=fail</I>,
|
|
<I>PAM_AUTH_ERR</I>
|
|
or
|
|
<I>PAM_SERVICE_ERR</I>
|
|
(as appropriate) will be returned.
|
|
<P>
|
|
|
|
An additional argument,
|
|
<B>apply=</B>, can be used to restrict the application of the above to a specific user (<B>apply=</B><B></B><I>username</I>) or a given group (<B>apply=</B><B></B><I>@groupname</I>). This added restriction is only meaningful when used with the
|
|
<I>tty</I>,
|
|
<I>rhost</I>
|
|
and
|
|
<I>shell</I>
|
|
items.
|
|
<P>
|
|
|
|
Besides this last one, all arguments should be specified; do not count on any default behavior.
|
|
<P>
|
|
|
|
No credentials are awarded by this module.
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
<P>
|
|
|
|
<P>
|
|
|
|
<B>item=[tty|user|rhost|ruser|group|shell]</B>
|
|
<DL COMPACT><DT id="2"><DD>
|
|
What is listed in the file and should be checked for.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>sense=[allow|deny]</B>
|
|
<DL COMPACT><DT id="3"><DD>
|
|
Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>file=</B><B></B><I>/path/filename</I>
|
|
<DL COMPACT><DT id="4"><DD>
|
|
File containing one item per line. The file needs to be a plain file and not world writable.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>onerr=[succeed|fail]</B>
|
|
<DL COMPACT><DT id="5"><DD>
|
|
What to do if something weird happens like being unable to open the file.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>apply=[</B><B></B><I>user</I><B>|</B><B></B><I>@group</I><B>]</B>
|
|
<DL COMPACT><DT id="6"><DD>
|
|
Restrict the user class for which the restriction apply. Note that with
|
|
<B>item=[user|ruser|group]</B>
|
|
this does not make sense, but for
|
|
<B>item=[tty|rhost|shell]</B>
|
|
it have a meaning.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>quiet</B>
|
|
<DL COMPACT><DT id="7"><DD>
|
|
Do not treat service refusals or missing list files as errors that need to be logged.
|
|
</DL>
|
|
|
|
<A NAME="lbAF"> </A>
|
|
<H2>MODULE TYPES PROVIDED</H2>
|
|
|
|
<P>
|
|
|
|
All module types (<B>auth</B>,
|
|
<B>account</B>,
|
|
<B>password</B>
|
|
and
|
|
<B>session</B>) are provided.
|
|
<A NAME="lbAG"> </A>
|
|
<H2>RETURN VALUES</H2>
|
|
|
|
<P>
|
|
|
|
<P>
|
|
|
|
PAM_AUTH_ERR
|
|
<DL COMPACT><DT id="8"><DD>
|
|
Authentication failure.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
PAM_BUF_ERR
|
|
<DL COMPACT><DT id="9"><DD>
|
|
Memory buffer error.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
PAM_IGNORE
|
|
<DL COMPACT><DT id="10"><DD>
|
|
The rule does not apply to the
|
|
<B>apply</B>
|
|
option.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
PAM_SERVICE_ERR
|
|
<DL COMPACT><DT id="11"><DD>
|
|
Error in service module.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
PAM_SUCCESS
|
|
<DL COMPACT><DT id="12"><DD>
|
|
Success.
|
|
</DL>
|
|
|
|
<A NAME="lbAH"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
<P>
|
|
|
|
Classic 'ftpusers' authentication can be implemented with this entry in
|
|
/etc/pam.d/ftpd:
|
|
<P>
|
|
<DL COMPACT><DT id="13"><DD>
|
|
|
|
|
|
|
|
<PRE>
|
|
#
|
|
# deny ftp-access to users listed in the /etc/ftpusers file
|
|
#
|
|
auth required pam_listfile.so \
|
|
onerr=succeed item=user sense=deny file=/etc/ftpusers
|
|
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
|
|
|
|
|
|
<P>
|
|
Note, users listed in
|
|
/etc/ftpusers
|
|
file are (counterintuitively)
|
|
<I>not</I>
|
|
allowed access to the ftp service.
|
|
<P>
|
|
|
|
To allow login access only for certain users, you can use a
|
|
/etc/pam.d/login
|
|
entry like this:
|
|
<P>
|
|
<DL COMPACT><DT id="14"><DD>
|
|
|
|
|
|
|
|
<PRE>
|
|
#
|
|
# permit login to users listed in /etc/loginusers
|
|
#
|
|
auth required pam_listfile.so \
|
|
onerr=fail item=user sense=allow file=/etc/loginusers
|
|
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
|
|
|
|
|
|
<P>
|
|
For this example to work, all users who are allowed to use the login service should be listed in the file
|
|
/etc/loginusers. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
|
|
/etc/loginusers, or by listing a user who is able to
|
|
<I>su</I>
|
|
to the root account.
|
|
<A NAME="lbAI"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<P>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?5+pam.conf">pam.conf</A></B>(5),
|
|
<B><A HREF="/cgi-bin/man/man2html?5+pam.d">pam.d</A></B>(5),
|
|
<B><A HREF="/cgi-bin/man/man2html?7+pam">pam</A></B>(7)
|
|
<A NAME="lbAJ"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
<P>
|
|
|
|
pam_listfile was written by Michael K. Johnson <<A HREF="mailto:johnsonm@redhat.com">johnsonm@redhat.com</A>> and Elliot Lee <<A HREF="mailto:sopwith@cuc.edu">sopwith@cuc.edu</A>>.
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="15"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="16"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="17"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="18"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="19"><A HREF="#lbAF">MODULE TYPES PROVIDED</A><DD>
|
|
<DT id="20"><A HREF="#lbAG">RETURN VALUES</A><DD>
|
|
<DT id="21"><A HREF="#lbAH">EXAMPLES</A><DD>
|
|
<DT id="22"><A HREF="#lbAI">SEE ALSO</A><DD>
|
|
<DT id="23"><A HREF="#lbAJ">AUTHOR</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:14 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|