pam_roles(5) Standards, Environments, and Macros pam_roles(5)
NAME
pam_roles - Solaris Roles account management module
SYNOPSIS
pam_roles.so.1
DESCRIPTION
The pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides functionality to verify that a user is authorized to assume a role. It
also prevents direct logins to a role. The user_attr(4) database is used to determine which users can assume which roles.
The PAM items PAM_USER and PAM_AUSER, and PAM_RHOST are used to determine the outcome of this module. PAM_USER represents the new identity
being verified. PAM_AUSER, if set, represents the user asserting a new identity. If PAM_AUSER is not set, the real user ID of the calling
service implies that the user is asserting a new identity. Notice that root can never have roles.
This module is generally stacked above the pam_unix_account(5) module.
The following options are interpreted:
allow_remote Allows a remote service to specify the user to enter as a role.
debug Provides syslog(3C) debugging information at the LOG_DEBUG level.
ERRORS
The following values are returned:
PAM_IGNORE If the type of the new user identity (PAM_USER) is "normal". Or, if the type of the new user identity is "role" and the
user asserting the new identity (PAM_AUSER) has the new identity name in its list of roles.
PAM_USER_UNKNOWN No account is present for user.
PAM_PERM_DENIED If the type of the new user identity (PAM_USER) is "role" and the user asserting the new identity (PAM_AUSER) does not
have the new identity name in its list of roles.
EXAMPLES
Example 1 Using the pam_roles.so.1 Module
The following are sample entries from pam.conf(4). These entries demonstrate the use of the pam_roles.so.1 module:
cron account required pam_unix_account.so.1
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
The cron service does not invoke pam_roles.so.1. Delayed jobs are independent of role assumption. All other services verify that roles can-
not directly login. The "su" service (covered by the "other" service entry) verifies that if the new user is a role, the calling user is
authorized for that role.
Example 2 Allowing Remote Roles
Remote roles should only be allowed from remote services that can be trusted to provide an accurate PAM_AUSERname. This trust is a function
of the protocol (such as sshd-hostbased).
The following is a sample entry for a pam.conf(4) file. It demonstrates the use of pam_roles configuration for remote roles for the sshd-
hostbased service.
sshd-hostbased account requisite pam_roles.so.1 allow_remote
sshd-hostbased account required pam_unix_account
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
|MT Level |MT-Safe with exceptions |
+-----------------------------+-----------------------------+
SEE ALSO
roles(1), sshd(1M), su(1M), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM), pam_sm_acct_mgmt(3PAM),
syslog(3C), pam.conf(4), user_attr(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
This module should never be stacked alone. It never returns PAM_SUCCESS, as it never makes a positive decision.
The allow_remote option should only be specified for services that are trusted to correctly identify the remote user (that is, sshd-host-
based).
PAM_AUSER has replaced PAM_RUSER whose definition is limited to the rlogin/rsh untrusted remote user name. See pam_set_item(3PAM).
SunOS 5.11 6 Mar 2007 pam_roles(5)