The Role account management component provides a function to check for authorization to assume a role. It prevents direct logins to a role. It uses the user_attr(4)
database to specify which users can assume which roles.
The following options may be passed to the Role Authentication service module:
- debug: syslog(3C) debugging information at LOG_DEBUG level.
If PAM_USER (see pam_set_item(3PAM)) is specified as type normal in the user_attr(4) database, the module returns PAM_IGNORE.
If PAM_RUSER (see pam_set_item(3PAM)) is not set, the uid of the process loading the module is used to determine PAM_RUSER.
The module returns success if the user_attr(4) entry for PAM_RUSER has an entry in the roles field for PAM_USER; otherwise
it returns PAM_PERM_DENIED.
This module is generally stacked above the account management module pam_unix.so.1. The error messages indicating that roles cannot be logged into correctly are only issued if the user has entered the correct password.
Here are some sample entries from pam.conf(4) demonstrating the use of the pam_roles.so.1 module:
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required  /usr/lib/security/$ISA/pam_unix.so.1
#
su      account requisite /usr/lib/security/$ISA/pam_roles.so.1
su      account required  /usr/lib/security/$ISA/pam_unix.so.1
#
rlogin  account requisite /usr/lib/security/$ISA/pam_roles.so.1
rlogin  account required  /usr/lib/security/$ISA/pam_unix.so.1
#
The dtlogin program invokes pam_roles.so.1. PAM_RUSER is the username corresponding to the uid of the dtlogin process, which is 0. The roles field of the user_attr(4) entry for the root user (uid 0)
is empty, so all role logins are prevented through dtlogin. The same rule applies to login.
The su program invokes pam_roles.so.1. PAM_RUSER is the username of the userid of the shell that invokes su. A user needs the appropriate entry in the roles list in user_attr(4) to be able to su to another user.
In the example above, the rlogin program invokes the pam_roles.so.1 module. The module checks for PAM_RUSER and determines whether the role being assumed, PAM_USER, is in the roles list of the user_attr(4) entry for PAM_RUSER. If it is in the roles list, the module returns PAM_SUCCESS; otherwise it returns PAM_PERM_DENIED.
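The following is an added example, not the source of pam_roles.so.1 or any code from the manual page. It models the account-check rules stated above (PAM_IGNORE for a normal-type PAM_USER, the uid fallback for an unset PAM_RUSER, and the roles-field test) over a constructed user_attr(4) snippet, so the outcomes of the dtlogin, su and rlogin stacks can be traced by hand. The names USER_ATTR, PASSWD, parse_user_attr, resolve_ruser and pam_roles_acct_mgmt are assumptions made for this example; so is the treatment of a missing type keyword, or a missing user_attr entry, as a normal user.

```python
# Added example: a stand-alone model of the pam_roles.so.1 account-management
# decision described in the text. It is NOT the module's source code.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed user_attr(4) data (user:qualifier:res1:res2:attr).
# The root entry deliberately has no roles= keyword, matching the dtlogin
# discussion above: nothing can assume a role through a uid-0 process.
USER_ATTR = """\
# constructed sample, not a real system file
root::::auths=solaris.*;profiles=All
alice::::type=normal;roles=sysadmin,dbadmin
bob::::type=normal
sysadmin::::type=role;profiles=System Administrator
dbadmin::::type=role;profiles=Database Management
"""

# Constructed uid -> username mapping standing in for getpwuid(3C).
PASSWD = {0: "root", 1001: "alice", 1002: "bob"}


def parse_user_attr(text):
    """Parse user_attr(4) lines into {username: {attr_key: attr_value}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            continue  # malformed entry: a lookup would not match it
        name, attr = fields[0], fields[4]
        kv = {}
        for item in attr.split(";"):
            if "=" in item:
                key, value = item.split("=", 1)
                kv[key] = value
        entries[name] = kv
    return entries


def resolve_ruser(pam_ruser, process_uid, passwd=PASSWD):
    """If PAM_RUSER is unset, derive it from the uid of the calling process."""
    if pam_ruser:
        return pam_ruser
    return passwd.get(process_uid)


def pam_roles_acct_mgmt(pam_user, pam_ruser, entries):
    """Return the PAM result code for PAM_RUSER attempting to assume PAM_USER.

    Assumption: an absent type keyword, or an absent user_attr entry, is
    treated as type=normal, so only role-type targets are checked.
    """
    target = entries.get(pam_user, {})
    if target.get("type", "normal") == "normal":
        return PAM_IGNORE  # not a role: let pam_unix.so.1 decide
    ruser = entries.get(pam_ruser, {}) if pam_ruser else {}
    roles = [r for r in ruser.get("roles", "").split(",") if r]
    return PAM_SUCCESS if pam_user in roles else PAM_PERM_DENIED


if __name__ == "__main__":
    entries = parse_user_attr(USER_ATTR)
    # dtlogin: PAM_RUSER unset, process uid 0 -> "root", which has no roles
    print("dtlogin -> sysadmin:",
          pam_roles_acct_mgmt("sysadmin", resolve_ruser(None, 0), entries))
    # su from alice's shell (uid 1001): alice lists sysadmin in roles=
    print("su alice -> sysadmin:",
          pam_roles_acct_mgmt("sysadmin", resolve_ruser(None, 1001), entries))
    # su from bob's shell: bob has no roles= entry
    print("su bob -> sysadmin:",
          pam_roles_acct_mgmt("sysadmin", "bob", entries))
    # alice su to a normal user: pam_roles steps aside
    print("su alice -> bob:",
          pam_roles_acct_mgmt("bob", "alice", entries))
```

Because the module returns PAM_IGNORE for normal-type targets, the su-to-normal-user case falls through to pam_unix.so.1 in the stack shown above; the "requisite" control flag on pam_roles.so.1 is what turns PAM_PERM_DENIED into an immediate failure before pam_unix.so.1 runs.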