pam_roles(5)


 pam_roles - Role Account Management PAM module for Solaris

DESCRIPTION

The Role Account Management module for PAM, /usr/lib/security/, provides functionality for one PAM module: Account management. The module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

Role Account Management Module


The Role account management component provides a function to check for authorization to assume a role. It prevents direct logins to a role. It uses the user_attr(4) database to specify which users can assume which roles.

The following options may be passed to the Role Authentication service module:

syslog(3C) debugging information at LOG_DEBUG level.

If PAM_USER (see pam_set_item(3PAM)) is specified as type normal in the user_attr(4) database, the module returns PAM_IGNORE.

If PAM_RUSER (see pam_set_item(3PAM)) is not set, the uid of the process loading the module is used to determine PAM_RUSER.

The module returns success if the user_attr(4) entry for PAM_RUSER has an entry in the roles field for PAM_USER; otherwise it returns PAM_PERM_DENIED.

This module is generally stacked above the account management module. The error messages indicating that roles cannot be logged into directly are only issued if the user has entered the correct password.

Here are some sample entries from pam.conf(4) demonstrating the use of the module:
dtlogin account requisite /usr/lib/security/$ISA/
dtlogin account required /usr/lib/security/$ISA/
su account requisite /usr/lib/security/$ISA/
su account requisite /usr/lib/security/$ISA/
rlogin account requisite /usr/lib/security/$ISA/
rlogin account required /usr/lib/security/$ISA/

The dtlogin program invokes the module. PAM_RUSER is the username corresponding to the uid of the dtlogin process, which is 0. The user_attr(4) entry for the root user (uid 0) is empty, so all role logins are prevented through dtlogin. The same rule applies to login.

The su program invokes the module. PAM_RUSER is the username of the userid of the shell that invokes su. A user needs the appropriate entry in the roles list in user_attr(4) to be able to su to another user.

In the example above, the rlogin program invokes the module. The module checks for PAM_RUSER and determines whether the role being assumed, PAM_USER, is in the roles list of the user_attr(4) entry for PAM_RUSER. If it is in the roles list, the module returns PAM_SUCCESS; otherwise it returns PAM_PERM_DENIED.
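The following Python models the decision rules above (type normal gives PAM_IGNORE, PAM_RUSER falls back to the calling uid, and the roles field of PAM_RUSER's user_attr(4) entry decides between PAM_SUCCESS and PAM_PERM_DENIED) against constructed user_attr(4) entries, including the dtlogin case where PAM_RUSER resolves to root's empty entry. It is an added illustration, not Sun's pam_roles source; the uid-to-name table, the sample entries, and the treatment of accounts without a type=role entry as normal accounts are assumptions.

```python
"""Model of the pam_roles account-management decision (added example)."""

PAM_SUCCESS, PAM_IGNORE, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_IGNORE", "PAM_PERM_DENIED"

# Constructed user_attr(4) content in the documented layout
# user:qualifier:res1:res2:attr, attr being ';'-separated key=value pairs.
# root has an empty attr field, so a PAM_RUSER of root can enter no role
# (the dtlogin/login case described in the text).
USER_ATTR = """\
root::::
alice::::type=normal;roles=sysadmin,oper
bob::::type=normal
sysadmin::::type=role;profiles=Primary Administrator
oper::::type=role;profiles=Operator
"""

# Constructed uid -> name table standing in for the passwd lookup the
# module performs when PAM_RUSER has not been set.
PASSWD = {0: "root", 1001: "alice", 1002: "bob"}


def parse_user_attr(text):
    """Return {user: {attr_key: attr_value}} for the user_attr(4) text."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        attr = fields[4] if len(fields) > 4 else ""
        kv = {}
        for item in filter(None, attr.split(";")):
            key, _, value = item.partition("=")
            kv[key] = value
        db[fields[0]] = kv
    return db


def pam_roles_acct_mgmt(db, pam_user, pam_ruser=None, caller_uid=None):
    """Return the status the account-management call would hand back."""
    target = db.get(pam_user, {})
    # Only role accounts are enforced; type=normal (and, by assumption,
    # accounts with no type=role entry) are left to other modules.
    if target.get("type") != "role":
        return PAM_IGNORE
    # PAM_RUSER defaults to the owner of the process loading the module.
    if pam_ruser is None:
        pam_ruser = PASSWD.get(caller_uid)
    roles = db.get(pam_ruser, {}).get("roles", "")
    allowed = [r for r in roles.split(",") if r]
    return PAM_SUCCESS if pam_user in allowed else PAM_PERM_DENIED


DB = parse_user_attr(USER_ATTR)
```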


SEE ALSO

keylogin(1), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM), syslog(3C), pam.conf(4), user_attr(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)


NOTES

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

The pam_unix(5) module might not be supported in a future release. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

SunOS 5.9                                        Last Changed 11 Dec 2001

Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.