pam_roles(5)          Standards, Environments, and Macros         pam_roles(5)


NAME

       pam_roles - Solaris Roles account management module

SYNOPSIS

       pam_roles.so.1


DESCRIPTION

       The pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides
       functionality to verify that a user is authorized to assume a role. It
       also prevents direct logins to a role. The user_attr(4) database is
       used to determine which users can assume which roles.


       The PAM items PAM_USER, PAM_AUSER, and PAM_RHOST are used to determine
       the outcome of this module. PAM_USER represents the new identity being
       verified. PAM_AUSER, if set, represents the user asserting a new
       identity. If PAM_AUSER is not set, the real user ID of the calling
       service implies that the user is asserting a new identity. Notice that
       root can never have roles.


       This module is generally stacked above the pam_unix_account(5) module.


       The following options are interpreted:

       allow_remote    Allows a remote service to specify the user to enter as
                       a role.


       debug           Provides syslog(3C) debugging information at the
                       LOG_DEBUG level.


ERRORS

       The following values are returned:

       PAM_IGNORE          If the type of the new user identity (PAM_USER) is
                           "normal". Or, if the type of the new user identity
                           is "role" and the user asserting the new identity
                           (PAM_AUSER) has the new identity name in its list
                           of roles.


       PAM_USER_UNKNOWN    No account is present for user.


       PAM_PERM_DENIED     If the type of the new user identity (PAM_USER) is
                           "role" and the user asserting the new identity
                           (PAM_AUSER) does not have the new identity name in
                           its list of roles.

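       The decision sequence described in DESCRIPTION and ERRORS, as an added
       illustration in C. This is not the Solaris module's source: the
       return-code values, the user_attr(4)-style table and the lookup helpers
       are constructed stand-ins, and the treatment of PAM_RHOST without
       allow_remote (a remote service may not enter a role unless the option
       is given) is this model's reading of the option's description. A NULL
       asserting user stands for "PAM_AUSER not set"; a login daemon's real
       user ID is root, which never has roles, so a direct login to a role is
       refused.

```c
/* Added illustration of the pam_roles decision logic. Not the Solaris
 * module's code: constants, table and helpers are local stand-ins. */
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the PAM return codes named in ERRORS (values chosen
 * for this model, not taken from <security/pam_appl.h>). */
#define PAM_IGNORE        1
#define PAM_USER_UNKNOWN  2
#define PAM_PERM_DENIED   3

/* Constructed user_attr(4)-style entries: type is "normal" or "role",
 * roles is the comma-separated list a normal user may assume.
 * root carries no roles because root can never have roles. */
struct uattr {
    const char *name;
    const char *type;
    const char *roles;
};

static const struct uattr user_attr[] = {
    { "root",     "normal", "" },
    { "alice",    "normal", "sysadmin,dbadmin" },
    { "bob",      "normal", "" },
    { "sysadmin", "role",   "" },
    { "dbadmin",  "role",   "" },
};

static const struct uattr *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof user_attr / sizeof user_attr[0]; i++)
        if (strcmp(user_attr[i].name, name) == 0)
            return &user_attr[i];
    return NULL;
}

/* Does the comma-separated list contain exactly the token role? */
static int has_role(const char *list, const char *role)
{
    size_t n = strlen(role);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, role, n) == 0)
            return 1;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/* Model of pam_sm_acct_mgmt() for pam_roles.
 *   user         PAM_USER, the identity being entered
 *   auser        PAM_AUSER, or NULL when the item is not set
 *   rhost        PAM_RHOST, or NULL for a local service
 *   allow_remote nonzero when the option was given in pam.conf */
int roles_acct_mgmt(const char *user, const char *auser,
                    const char *rhost, int allow_remote)
{
    const struct uattr *target = lookup(user);
    const struct uattr *asserter;

    if (target == NULL)
        return PAM_USER_UNKNOWN;          /* no account for PAM_USER */
    if (strcmp(target->type, "role") != 0)
        return PAM_IGNORE;                /* normal user: no decision here */

    /* PAM_USER is a role. Model assumption: a remote service may only
     * enter a role when allow_remote was configured. */
    if (rhost != NULL && *rhost != '\0' && !allow_remote)
        return PAM_PERM_DENIED;

    /* No PAM_AUSER means the caller's real uid; for a login service that
     * is root, which never has roles, so the role cannot be entered. */
    asserter = auser ? lookup(auser) : NULL;
    if (asserter == NULL)
        return PAM_PERM_DENIED;
    return has_role(asserter->roles, user) ? PAM_IGNORE : PAM_PERM_DENIED;
}

int main(void)
{
    printf("su alice -> sysadmin (local):        %d\n",
           roles_acct_mgmt("sysadmin", "alice", NULL, 0));
    printf("su bob -> sysadmin (local):          %d\n",
           roles_acct_mgmt("sysadmin", "bob", NULL, 0));
    printf("direct login to sysadmin:            %d\n",
           roles_acct_mgmt("sysadmin", NULL, NULL, 0));
    printf("remote alice -> sysadmin, no option: %d\n",
           roles_acct_mgmt("sysadmin", "alice", "host.example", 0));
    printf("remote alice -> sysadmin, allowed:   %d\n",
           roles_acct_mgmt("sysadmin", "alice", "host.example", 1));
    return 0;
}
```

       The stacking in EXAMPLES relies on PAM_IGNORE: for a normal user or an
       authorized role assumption this module steps aside and the decision
       falls to pam_unix_account(5) below it, which is why it must never be
       stacked alone.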

EXAMPLES

       Example 1 Using the pam_roles.so.1 Module


       The following are sample entries from pam.conf(4). These entries
       demonstrate the use of the pam_roles.so.1 module:


         cron account required pam_unix_account.so.1
         #
         other account requisite pam_roles.so.1
         other account required pam_unix_account.so.1
         #




       The cron service does not invoke pam_roles.so.1. Delayed jobs are
       independent of role assumption. All other services verify that roles
       cannot directly login. The "su" service (covered by the "other" service
       entry) verifies that if the new user is a role, the calling user is
       authorized for that role.


       Example 2 Allowing Remote Roles


       Remote roles should only be allowed from remote services that can be
       trusted to provide an accurate PAM_AUSER name. This trust is a function
       of the protocol (such as sshd-hostbased).



       The following is a sample entry for a pam.conf(4) file. It demonstrates
       the use of pam_roles configuration for remote roles for the
       sshd-hostbased service.


         sshd-hostbased account requisite pam_roles.so.1 allow_remote
         sshd-hostbased account required pam_unix_account.so.1




ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:




       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT Level                     │MT-Safe with exceptions      │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       roles(1), sshd(1M), su(1M), libpam(3LIB), pam(3PAM),
       pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM),
       pam_sm_acct_mgmt(3PAM), syslog(3C), pam.conf(4), user_attr(4),
       attributes(5), pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)


NOTES

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.


       This module should never be stacked alone. It never returns
       PAM_SUCCESS, as it never makes a positive decision.


       The allow_remote option should only be specified for services that are
       trusted to correctly identify the remote user (that is,
       sshd-hostbased).


       PAM_AUSER has replaced PAM_RUSER whose definition is limited to the
       rlogin/rsh untrusted remote user name. See pam_set_item(3PAM).



SunOS 5.11                        6 Mar 2007                      pam_roles(5)