man-pages/man8/pam_listfile.8.html
2021-03-31 01:06:50 +01:00

296 lines
6.3 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PAM_LISTFILE</TITLE>
</HEAD><BODY>
<H1>PAM_LISTFILE</H1>
Section: Linux-PAM Manual (8)<BR>Updated: 05/18/2017<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
pam_listfile - deny or allow services based on an arbitrary file
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<DL COMPACT>
<DT id="1">
<B>pam_listfile.so</B> item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=<I>/path/filename</I> onerr=[succeed|fail] [apply=[<I>user</I>|<I>@group</I>]] [quiet]
</DL>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
<DD>pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file.
<P>
The module gets the
<B>item</B>
of the type specified --
<I>user</I>
specifies the username,
<I>PAM_USER</I>; tty specifies the name of the terminal over which the request has been made,
<I>PAM_TTY</I>; rhost specifies the name of the remote host (if any) from which the request was made,
<I>PAM_RHOST</I>; and ruser specifies the name of the remote user (if available) who made the request,
<I>PAM_RUSER</I>
-- and looks for an instance of that item in the
<B>file=</B><B></B><I>filename</I>.
filename
contains one line per item listed. If the item is found, then if
<B>sense=</B><B></B><I>allow</I>,
<I>PAM_SUCCESS</I>
is returned, causing the authorization request to succeed; else if
<B>sense=</B><B></B><I>deny</I>,
<I>PAM_AUTH_ERR</I>
is returned, causing the authorization request to fail.
<P>
If an error is encountered (for instance, if
filename
does not exist, or a poorly-constructed argument is encountered), then if
<I>onerr=succeed</I>,
<I>PAM_SUCCESS</I>
is returned, otherwise if
<I>onerr=fail</I>,
<I>PAM_AUTH_ERR</I>
or
<I>PAM_SERVICE_ERR</I>
(as appropriate) will be returned.
<P>
An additional argument,
<B>apply=</B>, can be used to restrict the application of the above to a specific user (<B>apply=</B><B></B><I>username</I>) or a given group (<B>apply=</B><B></B><I>@groupname</I>). This added restriction is only meaningful when used with the
<I>tty</I>,
<I>rhost</I>
and
<I>shell</I>
items.
<P>
Besides this last one, all arguments should be specified; do not count on any default behavior.
<P>
No credentials are awarded by this module.
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>
<P>
<P>
<B>item=[tty|user|rhost|ruser|group|shell]</B>
<DL COMPACT><DT id="2"><DD>
What is listed in the file and should be checked for.
</DL>
<P>
<B>sense=[allow|deny]</B>
<DL COMPACT><DT id="3"><DD>
Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.
</DL>
<P>
<B>file=</B><B></B><I>/path/filename</I>
<DL COMPACT><DT id="4"><DD>
File containing one item per line. The file needs to be a plain file and not world writable.
</DL>
<P>
<B>onerr=[succeed|fail]</B>
<DL COMPACT><DT id="5"><DD>
What to do if something weird happens like being unable to open the file.
</DL>
<P>
<B>apply=[</B><B></B><I>user</I><B>|</B><B></B><I>@group</I><B>]</B>
<DL COMPACT><DT id="6"><DD>
Restrict the user class for which the restriction apply. Note that with
<B>item=[user|ruser|group]</B>
this does not make sense, but for
<B>item=[tty|rhost|shell]</B>
it have a meaning.
</DL>
<P>
<B>quiet</B>
<DL COMPACT><DT id="7"><DD>
Do not treat service refusals or missing list files as errors that need to be logged.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>MODULE TYPES PROVIDED</H2>
<P>
All module types (<B>auth</B>,
<B>account</B>,
<B>password</B>
and
<B>session</B>) are provided.
<A NAME="lbAG">&nbsp;</A>
<H2>RETURN VALUES</H2>
<P>
<P>
PAM_AUTH_ERR
<DL COMPACT><DT id="8"><DD>
Authentication failure.
</DL>
<P>
PAM_BUF_ERR
<DL COMPACT><DT id="9"><DD>
Memory buffer error.
</DL>
<P>
PAM_IGNORE
<DL COMPACT><DT id="10"><DD>
The rule does not apply to the
<B>apply</B>
option.
</DL>
<P>
PAM_SERVICE_ERR
<DL COMPACT><DT id="11"><DD>
Error in service module.
</DL>
<P>
PAM_SUCCESS
<DL COMPACT><DT id="12"><DD>
Success.
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>EXAMPLES</H2>
<P>
Classic 'ftpusers' authentication can be implemented with this entry in
/etc/pam.d/ftpd:
<P>
<DL COMPACT><DT id="13"><DD>
<PRE>
#
# deny ftp-access to users listed in the /etc/ftpusers file
#
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers
</PRE>
</DL>
<P>
Note, users listed in
/etc/ftpusers
file are (counterintuitively)
<I>not</I>
allowed access to the ftp service.
<P>
To allow login access only for certain users, you can use a
/etc/pam.d/login
entry like this:
<P>
<DL COMPACT><DT id="14"><DD>
<PRE>
#
# permit login to users listed in /etc/loginusers
#
auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/loginusers
</PRE>
</DL>
<P>
For this example to work, all users who are allowed to use the login service should be listed in the file
/etc/loginusers. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
/etc/loginusers, or by listing a user who is able to
<I>su</I>
to the root account.
<A NAME="lbAI">&nbsp;</A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?5+pam.conf">pam.conf</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?5+pam.d">pam.d</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?7+pam">pam</A></B>(7)
<A NAME="lbAJ">&nbsp;</A>
<H2>AUTHOR</H2>
<P>
pam_listfile was written by Michael K. Johnson &lt;<A HREF="mailto:johnsonm@redhat.com">johnsonm@redhat.com</A>&gt; and Elliot Lee &lt;<A HREF="mailto:sopwith@cuc.edu">sopwith@cuc.edu</A>&gt;.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="15"><A HREF="#lbAB">NAME</A><DD>
<DT id="16"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="17"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="18"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="19"><A HREF="#lbAF">MODULE TYPES PROVIDED</A><DD>
<DT id="20"><A HREF="#lbAG">RETURN VALUES</A><DD>
<DT id="21"><A HREF="#lbAH">EXAMPLES</A><DD>
<DT id="22"><A HREF="#lbAI">SEE ALSO</A><DD>
<DT id="23"><A HREF="#lbAJ">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:14 GMT, March 31, 2021
</BODY>
</HTML>