pam_roles(5) [sunos man page]

pam_roles(5)						Standards, Environments, and Macros					      pam_roles(5)

NAME

       pam_roles - Solaris Roles account management module

SYNOPSIS

       pam_roles.so.1

DESCRIPTION

       The  pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides functionality to verify that a user is authorized to assume a role. It
       also prevents direct logins to a role. The user_attr(4) database is used to determine which users can assume which roles.

       The PAM items PAM_USER and    PAM_RUSER are used to determine the outcome of this module. PAM_USER represents the new identity being  veri-
       fied.  PAM_RUSER,  if  set,  represents the user asserting a new identity. If PAM_RUSER is not set, the real user ID of the calling service
       implies that the user is asserting a new identity. Notice that root can never have roles.

       This module is generally stacked above the pam_unix_account(5) module.

       The following options are interpreted:

       debug	       Provides syslog(3C) debugging information at the LOG_DEBUG level.

ERRORS

       The following values are returned:

       PAM_IGNORE	       If the type of the new user identity (PAM_USER) is "normal". Or, if the type of the new user identity is "role" and
			       the user asserting the new identity (PAM_RUSER) has the new identity  name in its list or roles.

       PAM_USER_UNKNOWN        No account is present for user.

       PAM_PERM_DENIED	       If  the type of the new user identity (PAM_USER) is "role" and the user asserting the new identity (PAM_RUSER) does
			       not have the new identity name in its list of roles.

EXAMPLES

       Example 1: Using the pam_roles.so.1 module

       Here are sample entries from pam.conf(4) demonstrating the use of the pam_roles.so.1 module:

       cron account required pam_unix_account.so.1
       #
       other account requisite pam_roles.so.1
       other account required pam_unix_account.so.1
       #

       The cron service does not invoke pam_roles.so.1. Delayed jobs are independent of role assumption. All other services verify that roles can-
       not  directly  login.  The "su" service (covered by the "other" service entry) verifies that if the new user is a role, the calling user is
       authorized for that role.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+
       |MT Level		     |MT-Safe with exceptions	   |
       +-----------------------------+-----------------------------+

SEE ALSO

       roles(1), su(1M), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM), pam_sm_acct_mgmt(3PAM),  syslog(3C),
       pam.conf(4),	user_attr(4),	 attributes(5),    pam_authtok_check(5),    pam_authtok_get(5),    pam_authtok_store(5),    pam_dhkeys(5),
       pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

       This module should never be stacked alone. It never returns PAM_SUCCESS, as it never makes a positive decision.

SunOS 5.10							    9 Mar 2004							      pam_roles(5)