Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam_succeed_if(8) [linux man page]

PAM_SUCCEED_IF(8)						     Linux-PAM							 PAM_SUCCEED_IF(8)

NAME
pam_succeed_if - test account characteristics SYNOPSIS
pam_succeed_if.so [flag...] [condition...] DESCRIPTION
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated. One use is to select whether to load other modules based on this test. The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met. OPTIONS
The following flags are supported: debug Turns on debugging messages sent to syslog. use_uid Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated. quiet Don't log failure or success to the system log. quiet_fail Don't log failure to the system log. quiet_success Don't log success to the system log. audit Log unknown users to the system log. Conditions are three words: a field, a test, and a value to test for. Available fields are user, uid, gid, shell, home and service: field < number Field has a value numerically less than number. field <= number Field has a value numerically less than or equal to number. field eq number Field has a value numerically equal to number. field >= number Field has a value numerically greater than or equal to number. field > number Field has a value numerically greater than number. field ne number Field has a value numerically different from number. field = string Field exactly matches the given string. field != string Field does not match the given string. field =~ glob Field matches the given glob. field !~ glob Field does not match the given glob. field in item:item:... Field is contained in the list of items separated by colons. field notin item:item:... Field is not contained in the list of items separated by colons. user ingroup group User is in given group. user notingroup group User is not in given group. user innetgr netgroup (user,host) is in given netgroup. user notinnetgr group (user,host) is not in given netgroup. MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided. RETURN VALUES
PAM_SUCCESS The condition was true. PAM_AUTH_ERR The condition was false. PAM_SERVICE_ERR A service error occurred or the arguments can't be parsed correctly. EXAMPLES
To emulate the behaviour of pam_wheel, except there is no fallback to group 0: auth required pam_succeed_if.so quiet user ingroup wheel Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules. type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 type required othermodule.so arguments... SEE ALSO
glob(7), pam(7) AUTHOR
Nalin Dahyabhai <nalin@redhat.com> Linux-PAM 06/04/2011 PAM_SUCCEED_IF(8)

Check Out this Related Man Page

PAM_WHEEL(8)							 Linux-PAM Manual						      PAM_WHEEL(8)

NAME
pam_wheel - Only permit root access to members of group wheel SYNOPSIS
pam_wheel.so [debug] [deny] [group=name] [root_only] [trust] [use_uid] DESCRIPTION
The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0. OPTIONS
debug Print debug information. deny Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS). group=name Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication. root_only The check for wheel membership is done only. trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). use_uid The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example). MODULE TYPES PROVIDED
The auth and account module types are provided. RETURN VALUES
PAM_AUTH_ERR Authentication failure. PAM_BUF_ERR Memory buffer error. PAM_IGNORE The return value should be ignored by PAM dispatch. PAM_PERM_DENY Permission denied. PAM_SERVICE_ERR Cannot determine the user name. PAM_SUCCESS Success. PAM_USER_UNKNOWN User not known. EXAMPLES
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants. su auth sufficient pam_rootok.so su auth required pam_wheel.so su auth required pam_unix.so SEE ALSO
pam.conf(5), pam.d(5), pam(8) AUTHOR
pam_wheel was written by Cristian Gafton <gafton@redhat.com>. Linux-PAM Manual 09/19/2013 PAM_WHEEL(8)
Man Page