pam_list(5)           Standards, Environments, and Macros          pam_list(5)

NAME

       pam_list - PAM account management module for UNIX

SYNOPSIS

       pam_list.so.1

DESCRIPTION

       The pam_list module implements pam_sm_acct_mgmt(3PAM), which provides
       functionality to the PAM account management stack. The module provides
       functions to validate that the user's account is valid on this host,
       based on a list of users and/or netgroups in the given file. The users
       and netgroups are separated by a newline character. Netgroups are
       specified with the character '@' as a prefix before the name of the
       netgroup in the list. The maximum line length is 1023 characters.

       The username is the value of PAM_USER. The host is the value of
       PAM_RHOST or, if PAM_RHOST is not set, the name of the local host as
       returned by gethostname(3C).

       If none of the allow, deny, or compat options is specified, the module
       looks for +/- entries in the local /etc/passwd file. If this style is
       used, nsswitch.conf(4) must not be configured with compat for the
       passwd database. If no relevant +/- entry exists for the user,
       pam_list does not participate in the result.

       If the compat option is specified, the module looks for +/- entries in
       the local /etc/passwd file. Other entries in this file are counted as
       + entries. If no relevant entry exists for the user, pam_list denies
       access.

       The following options can be passed to the module:

       allow=             The full pathname to a file of allowed users and/or
                          netgroups. Only one of allow= or deny= can be
                          specified.

       compat             Activate compat mode.

       deny=              The full pathname to a file of denied users and/or
                          netgroups. Only one of deny= or allow= can be
                          specified.

       debug              Provide syslog(3C) debugging information at the
                          LOG_AUTH | LOG_DEBUG level.

       user               The module should only perform netgroup matches on
                          the username. This is the default option.

       nouser             The username should not be used in the netgroup
                          match.

       host               Only the host should be used in netgroup matches.

       nohost             The hostname should not be used in netgroup matches.

       user_host_exact    The user and hostname must be in the same netgroup.

ERRORS

       The following error values are returned:

       PAM_SERVICE_ERR     An invalid set of module options was given in the
                           pam.conf(4) for this module, or the user/netgroup
                           file could not be opened.

       PAM_BUF_ERR         A memory buffer error occurred.

       PAM_IGNORE          The module is ignored, as it is not participating
                           in the result.

       PAM_PERM_DENIED     The user is not on the allow list or is on the deny
                           list.

       PAM_SUCCESS         The account is valid for use at this time.

       PAM_USER_UNKNOWN    No account is present for the user.

EXAMPLES

       Example 1 Using pam_list in default mode

       /etc/pam.conf modification looks like:

         other   account requisite       pam_roles.so.1
         other   account required        pam_unix_account.so.1
         other   account required        pam_list.so.1

       In the case of default mode or compat mode, the important lines in
       /etc/passwd appear as follows:

         +loginname     - user is approved
         -loginname     - user is disapproved
         +@netgroup     - netgroup members are approved
         -@netgroup     - netgroup members are disapproved

       Example 2 Using pam_list with allow file

       /etc/pam.conf modification looks like:

         other   account requisite       pam_roles.so.1
         other   account required        pam_unix_account.so.1
         other   account required        pam_list.so.1 allow=/etc/users.allow

       /etc/users.allow contains:

         root
         localloginname
         remoteloginname
         @netgroup
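       The constraints stated in DESCRIPTION (a full pathname for allow= and
       deny=, only one of the two per entry, one user or @netgroup per line,
       lines of at most 1023 characters) can be checked before a
       configuration is deployed. The following Python sketch is an added
       example, not part of this manual page or of Solaris; the function
       names, the sample input, the skipping of blank lines and the flagging
       of options not listed above are assumptions of the example.

```python
MAX_LINE = 1023  # maximum list-file line length stated in pam_list(5)
KNOWN = {"compat", "debug", "user", "nouser", "host", "nohost", "user_host_exact"}

def lint_pam_conf(text):
    """Check pam_list.so.1 entries in pam.conf-style text; return findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or not fields[3].endswith("pam_list.so.1"):
            continue
        files = {}
        for opt in fields[4:]:
            key, sep, value = opt.partition("=")
            if sep and key in ("allow", "deny"):
                files[key] = value
                if not value.startswith("/"):
                    findings.append((n, f"{key}= needs a full pathname: {value!r}"))
            elif opt not in KNOWN:
                findings.append((n, f"option {opt!r} is not listed in pam_list(5)"))
        if len(files) == 2:
            findings.append((n, "only one of allow= or deny= can be specified"))
    return findings

def lint_list_file(text):
    """Split an allow/deny list into users and netgroups, with findings."""
    users, netgroups, findings = [], [], []
    for n, line in enumerate(text.split("\n"), 1):
        if len(line) > MAX_LINE:
            findings.append((n, f"line has {len(line)} characters, limit {MAX_LINE}"))
            continue
        entry = line.strip()
        if not entry:
            continue  # assumption: blank lines carry no entry
        if entry == "@":
            findings.append((n, "'@' without a netgroup name"))
        elif entry.startswith("@"):
            netgroups.append(entry[1:])  # '@' prefix marks a netgroup
        else:
            users.append(entry)
    return users, netgroups, findings

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """\
other   account required        pam_list.so.1 allow=etc/users.allow
login   account required        pam_list.so.1 allow=/a.allow deny=/a.deny
"""
SAMPLE_LIST = "root\nlocalloginname\n@netgroup\n@\n" + "x" * 1024 + "\n"
if __name__ == "__main__":
    print(lint_pam_conf(SAMPLE_CONF), lint_list_file(SAMPLE_LIST), sep="\n")
```
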

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT-Level                     │MT-Safe with exceptions      │
       └─────────────────────────────┴─────────────────────────────┘

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multithreaded application uses its own PAM handle.

SEE ALSO

       pam(3PAM), pam_authenticate(3PAM), pam_sm_acct_mgmt(3PAM), syslog(3C),
       libpam(3LIB), nsswitch.conf(4), pam.conf(4), attributes(5)

SunOS 5.11                        26 Mar 2009                      pam_list(5)