Standards, Environments, and Macros                    pam_roles(5)


NAME

 pam_roles - Role Account Management PAM module for Solaris

SYNOPSIS

 
/usr/lib/security/pam_roles.so.1

DESCRIPTION

 

The Role Account Management module for PAM, /usr/lib/security/pam_roles.so.1, provides functionality for one PAM module: Account management. The pam_roles.so.1 is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

Role Account Management Module

 

The Role account management component provides a function to check for authorization to assume a role. It prevents direct logins to a role. It uses the user_attr(4) database to specify which users can assume which roles.

The following options may be passed to the Role Authentication service module:

debug
    Log debugging information via syslog(3C) at LOG_DEBUG level.

If PAM_USER (see pam_set_item(3PAM)) is specified as type normal in the user_attr(4) database, the module returns PAM_IGNORE.

If PAM_RUSER (see pam_set_item(3PAM)) is not set, the uid of the process loading the module is used to determine PAM_RUSER.

The module returns success if the user_attr(4) entry for PAM_RUSER has an entry in the roles field for PAM_USER; otherwise it returns PAM_PERM_DENIED.

This module is generally stacked above the account management module pam_unix.so.1. The error messages indicating that roles cannot be logged into correctly are only issued if the user has entered the correct password.

Here are some sample entries from pam.conf(4) demonstrating the use of the pam_roles.so.1 module:

dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
su account requisite /usr/lib/security/$ISA/pam_roles.so.1
su account required /usr/lib/security/$ISA/pam_unix.so.1
#
rlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
rlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#

The dtlogin program invokes pam_roles.so.1. PAM_RUSER is the username corresponding to the uid of the dtlogin process, which is 0. The user_attr(4) entry for the root user (uid 0) lists no roles, so all role logins through dtlogin are prevented. The same rule applies to login.

The su program invokes pam_roles.so.1. PAM_RUSER is the username corresponding to the uid of the shell that invokes su. A user needs the appropriate entry in the roles list in user_attr(4) to be able to su to a role.

In the example above, the rlogin program invokes the pam_roles.so.1 module. The module checks PAM_RUSER and determines whether the role being assumed, PAM_USER, is in the roles list of the user_attr(4) entry for PAM_RUSER. If it is in the roles list, the module returns PAM_SUCCESS; otherwise it returns PAM_PERM_DENIED.
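The account-management decision described above, worked through as an added example that simulates the module's logic in Python over constructed user_attr(4)-style entries (this is not the source of pam_roles.so.1; the user names, roles and profiles are made up):

```python
# Simulation of the pam_roles account-management check described in pam_roles(5).
# Constructed user_attr(4)-style data: user:qualifier:res1:res2:attr, where attr
# is a ';'-separated list of key=value pairs (type=normal|role, roles=a,b, ...).
USER_ATTR = """\
# root has authorizations but lists no roles, so role logins via dtlogin are denied
root::::type=normal;auths=solaris.*;profiles=All
alice::::type=normal;roles=secadmin,oper
bob::::type=normal
secadmin::::type=role;profiles=Security Administrator
oper::::type=role;profiles=Operator
"""

PAM_SUCCESS, PAM_IGNORE, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_IGNORE", "PAM_PERM_DENIED"


def parse_user_attr(text):
    """Return {username: {attr_key: attr_value}} from user_attr(4)-style lines."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            continue  # skip malformed entries rather than guess
        attrs = {}
        for kv in fields[4].split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                attrs[key] = value
        db[fields[0]] = attrs
    return db


def pam_roles_acct_mgmt(db, pam_user, pam_ruser):
    """Decide as pam_roles would: pam_user is the account being logged into,
    pam_ruser the user attempting it (derived from the caller's uid if unset)."""
    target = db.get(pam_user, {})
    # An account not marked type=role is a normal user: not this module's business.
    if target.get("type", "normal") == "normal":
        return PAM_IGNORE
    # Only the roles field of the *requesting* user's entry grants the role.
    roles = db.get(pam_ruser, {}).get("roles", "")
    allowed = {r for r in roles.split(",") if r}
    return PAM_SUCCESS if pam_user in allowed else PAM_PERM_DENIED


DB = parse_user_attr(USER_ATTR)
```

Running `pam_roles_acct_mgmt(DB, "secadmin", "root")` models the dtlogin case (denied), while `("secadmin", "alice")` models a permitted su to a role.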

SEE ALSO

 

keylogin(1), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM), syslog(3C), pam.conf(4), user_attr(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES

 

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

The pam_unix(5) module might not be supported in a future release. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


SunOS 5.9                                   Last Changed 11 Dec 2001

Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.