PAM_ROLES(7)        Standards, Environments, and Macros        PAM_ROLES(7)

NAME
    pam_roles - Roles account management module

SYNOPSIS
    pam_roles.so.1

DESCRIPTION
    The pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides
    functionality to verify that a user is authorized to assume a role.
    It also prevents direct logins to a role. The user_attr(5) database
    is used to determine which users can assume which roles.

    The PAM items PAM_USER, PAM_AUSER, and PAM_RHOST are used to
    determine the outcome of this module. PAM_USER represents the new
    identity being verified. PAM_AUSER, if set, represents the user
    asserting a new identity. If PAM_AUSER is not set, the real user ID
    of the calling service implies that the user is asserting a new
    identity. Notice that root can never have roles.

    This module is generally stacked above the pam_unix_account(7)
    module.

    The following options are interpreted:

    allow_remote
            Allows a remote service to specify the user to enter as a
            role.

    debug   Provides syslog(3C) debugging information at the LOG_DEBUG
            level.
ERRORS
    The following values are returned:

    PAM_IGNORE
            Returned if the type of the new user identity (PAM_USER) is
            "normal", or if the type of the new user identity is "role"
            and the user asserting the new identity (PAM_AUSER) has the
            new identity name in its list of roles.

    PAM_USER_UNKNOWN
            No account is present for the user.

    PAM_PERM_DENIED
            Returned if the type of the new user identity (PAM_USER) is
            "role" and the user asserting the new identity (PAM_AUSER)
            does not have the new identity name in its list of roles.
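    The following program is an added illustration, not the module's
    source: it models the decision table above over a constructed,
    in-memory stand-in for the type= and roles= keys of user_attr(5). The
    return-code numbers are local to the model, the treatment of an unset
    allow_remote (a remote service may not name a role as the user to
    enter) and of an unknown asserting user (denied) are modelling
    assumptions drawn from the option description, and the real_user
    parameter stands for the real user ID of the calling service.

```c
/* Model of the pam_roles decision table; added example, not module code.
 * user_attr records below are constructed sample data. */
#include <stdio.h>
#include <string.h>

/* Names from the manual; numeric values are local to this model, the real
 * ones come from <security/pam_appl.h>. */
enum { PAM_IGNORE = 0, PAM_USER_UNKNOWN = 1, PAM_PERM_DENIED = 2 };

struct user_attr_rec {
    const char *name;   /* account name */
    const char *type;   /* "normal" or "role" (user_attr type= key) */
    const char *roles;  /* comma-separated roles= list */
};

/* Constructed sample database standing in for user_attr(5). */
static const struct user_attr_rec USER_ATTR[] = {
    { "root",    "normal", "" },
    { "alice",   "normal", "sysadm,dbadmin" },
    { "bob",     "normal", "" },
    { "sysadm",  "role",   "" },
    { "dbadmin", "role",   "" },
};

static const struct user_attr_rec *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof USER_ATTR / sizeof USER_ATTR[0]; i++)
        if (strcmp(USER_ATTR[i].name, name) == 0)
            return &USER_ATTR[i];
    return NULL;
}

/* Exact-token match in a comma-separated list; "admin" must not match
 * the entry "dbadmin", so no substring search is used. */
int has_role(const char *roles, const char *role)
{
    size_t n = strlen(role);
    const char *p = roles;

    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, role, n) == 0)
            return 1;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/* pam_user: PAM_USER; pam_auser: PAM_AUSER or NULL when unset;
 * real_user: name for the caller's real user ID, consulted only when
 * PAM_AUSER is unset; pam_rhost: PAM_RHOST or NULL for a local service;
 * allow_remote: non-zero when the module option is configured. */
int pam_roles_acct_mgmt(const char *pam_user, const char *pam_auser,
                        const char *real_user, const char *pam_rhost,
                        int allow_remote)
{
    const struct user_attr_rec *target = lookup(pam_user);
    const struct user_attr_rec *asserter;
    const char *asserting = pam_auser != NULL ? pam_auser : real_user;

    if (target == NULL)
        return PAM_USER_UNKNOWN;

    /* A "normal" identity is not this module's concern. */
    if (strcmp(target->type, "role") != 0)
        return PAM_IGNORE;

    /* Modelling assumption: without allow_remote, a remote service may
     * not name a role as the user to enter. */
    if (pam_rhost != NULL && !allow_remote)
        return PAM_PERM_DENIED;

    /* Nobody asserting the identity, or root asserting it (root can never
     * have roles): deny. */
    if (asserting == NULL || strcmp(asserting, "root") == 0)
        return PAM_PERM_DENIED;

    /* Modelling assumption: fail closed when the asserter is unknown. */
    asserter = lookup(asserting);
    if (asserter == NULL)
        return PAM_PERM_DENIED;

    return has_role(asserter->roles, pam_user) ? PAM_IGNORE
                                                : PAM_PERM_DENIED;
}

int main(void)
{
    static const char *names[] = { "PAM_IGNORE", "PAM_USER_UNKNOWN",
                                   "PAM_PERM_DENIED" };
    printf("alice -> sysadm, local:  %s\n",
           names[pam_roles_acct_mgmt("sysadm", "alice", NULL, NULL, 0)]);
    printf("bob -> sysadm, local:    %s\n",
           names[pam_roles_acct_mgmt("sysadm", "bob", NULL, NULL, 0)]);
    printf("alice -> sysadm, remote: %s\n",
           names[pam_roles_acct_mgmt("sysadm", "alice", NULL, "h", 0)]);
    return 0;
}
```

    Note that the model, like the module, never returns PAM_SUCCESS: a
    permitted role assumption yields PAM_IGNORE and leaves the positive
    decision to the modules stacked below it.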
EXAMPLES
    Example 1: Using the pam_roles.so.1 Module

    The following are sample entries from pam.conf(5). These entries
    demonstrate the use of the pam_roles.so.1 module:

        cron    account required    pam_unix_account.so.1
        #
        other   account requisite   pam_roles.so.1
        other   account required    pam_unix_account.so.1
        #

    The cron service does not invoke pam_roles.so.1. Delayed jobs are
    independent of role assumption. All other services verify that roles
    cannot log in directly. The "su" service (covered by the "other"
    service entry) verifies that if the new user is a role, the calling
    user is authorized for that role.

    Example 2: Allowing Remote Roles

    Remote roles should only be allowed from remote services that can be
    trusted to provide an accurate PAM_AUSER name. This trust is a
    function of the protocol (such as sshd-hostbased).

    The following are sample entries for a pam.conf(5) file. They
    demonstrate the use of pam_roles configuration for remote roles for
    the sshd-hostbased service.

        sshd-hostbased  account requisite   pam_roles.so.1  allow_remote
        sshd-hostbased  account required    pam_unix_account.so.1
ATTRIBUTES
    See attributes(7) for descriptions of the following attributes:

    +--------------------+-------------------------+
    |   ATTRIBUTE TYPE   |     ATTRIBUTE VALUE     |
    +--------------------+-------------------------+
    |Interface Stability | Evolving                |
    +--------------------+-------------------------+
    |MT Level            | MT-Safe with exceptions |
    +--------------------+-------------------------+
SEE ALSO
    roles(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM),
    pam_set_item(3PAM), pam_setcred(3PAM), pam_sm_acct_mgmt(3PAM),
    pam.conf(5), user_attr(5), attributes(7), pam_authtok_check(7),
    pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7),
    pam_passwd_auth(7), pam_unix_account(7), pam_unix_auth(7),
    pam_unix_session(7), sshd(8), su(8)

NOTES
    The interfaces in libpam(3LIB) are MT-Safe only if each thread within
    the multi-threaded application uses its own PAM handle.

    This module should never be stacked alone. It never returns
    PAM_SUCCESS, as it never makes a positive decision.

    The allow_remote option should only be specified for services that
    are trusted to correctly identify the remote user (that is,
    sshd-hostbased).

    PAM_AUSER has replaced PAM_RUSER, whose definition is limited to the
    rlogin/rsh untrusted remote user name. See pam_set_item(3PAM).

                              August 19, 2023                 PAM_ROLES(7)