Hi,
I don't want to be pushy, but I sent this in
a ways back and have had no response.
Is there something else I need to do besides
send the patch to the list?
Thanks.
On 09/01/2014 11:21:17 AM, Karl O. Pinc wrote:
From: "Karl O. Pinc" <kop(a)meme.com>
* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml
Signed-off-by: Karl O. Pinc <kop(a)meme.com>
---
modules/pam_access/access.conf.5.xml | 40
+++++++++++++++++++++++++++-------
modules/pam_access/pam_access.8.xml | 5 +++--
2 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/modules/pam_access/access.conf.5.xml
b/modules/pam_access/access.conf.5.xml
index a4d3419..d686d92 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -21,8 +21,12 @@
<para>
The <filename>/etc/security/access.conf</filename> file
specifies
(<replaceable>user/group</replaceable>,
<replaceable>host</replaceable>),
- (<replaceable>user/group</replaceable>,
<replaceable>network/netmask</replaceable>) or
- (<replaceable>user/group</replaceable>,
<replaceable>tty</replaceable>)
+ (<replaceable>user/group</replaceable>,
<replaceable>network/netmask</replaceable>),
+ (<replaceable>user/group</replaceable>,
<replaceable>tty</replaceable>),
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>), or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name</replaceable>)
combinations for which a login will be either accepted or
refused.
</para>
<para>
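Review bot: the two new tuple kinds on the added lines are rendered as hyphenated single tokens, `<replaceable>X-$DISPLAY-value</replaceable>` and `<replaceable>pam-service-name</replaceable>`, while the origins paragraph in the third hunk of this same file spells the same things out as "X <varname>$DISPLAY</varname> values or PAM service names"; pick one rendering for both places (for example `<replaceable>X $DISPLAY value</replaceable>` and `<replaceable>PAM service name</replaceable>`), since a reader of the rendered man page cannot tell that the hyphens are not part of a literal keyword. The sentence also lists the five tuple kinds as a flat alternative; it would help to say here, or in the paragraph that follows, that only one of tty, $DISPLAY and service name is ever consulted for a given login.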
@@ -33,7 +37,14 @@
combination, or, in case of non-networked logins, the first
entry
that matches the
(<replaceable>user/group</replaceable>,
<replaceable>tty</replaceable>)
- combination. The permissions field of that table entry
determines
+ combination, or in the case of non-networked logins without a
+ tty, the first entry that matches the
+ (<replaceable>user/group</replaceable>,
+ <replaceable>X-$DISPLAY-value</replaceable>) or
+ (<replaceable>user/group</replaceable>,
+ <replaceable>pam-service-name/</replaceable>)
+ combination. The permissions field of that table entry
+ determines
whether the login will be accepted or refused.
</para>
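Review bot: `<replaceable>pam-service-name/</replaceable>` on the added line has a stray trailing slash; the first hunk writes it as `pam-service-name`, so drop the `/`. The sentence also offers the X-$DISPLAY-value and pam-service-name combinations as an unordered "or", but the LOCAL paragraph later in this file describes the origin as PAM_TTY "or, absent that, PAM_SERVICE" and never mentions $DISPLAY; state which of the two is tried first when there is no tty so that the two paragraphs agree. Minor: "or in the case of non-networked logins without a tty" would read better as "or, in the case of non-networked logins without a tty," to match the comma style of the preceding "or, in case of non-networked logins,".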
@@ -65,14 +76,27 @@
<para>
The third field, the <replaceable>origins</replaceable>
field, should be a list of one or more tty names (for
non-networked
- logins), host names, domain names (begin with "."), host
addresses,
+ logins), X <varname>$DISPLAY</varname> values or PAM service
+ names (for non-networked logins without a tty), host names,
+ domain names (begin with "."), host addresses,
internet network numbers (end with "."), internet network
addresses
with network mask (where network mask can be a decimal number
or an
internet address also), <emphasis>ALL</emphasis> (which always
matches)
- or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
- keyword matches if and only if the
<emphasis>PAM_RHOST</emphasis> is
- not set and <origin> field is thus set from
- <emphasis>PAM_TTY</emphasis> or
<emphasis>PAM_SERVICE</emphasis>".
+ or <emphasis>LOCAL</emphasis>. The
<emphasis>LOCAL</emphasis>
+ keyword matches if and only if
+ <citerefentry><refentrytitle>pam_get_item</
refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ when called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code>
or
an
+ empty string (and therefore the
+ <replaceable>origins</replaceable> field is compared against
the
+ return value of
+ <citerefentry><refentrytitle>pam_get_item</
refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ called with an <parameter>item_type</parameter> of
+ <emphasis>PAM_TTY</emphasis> or, absent that,
+ <emphasis>PAM_SERVICE</emphasis>).
+ </para>
+
+ <para>
If supported by the system you can use
<emphasis>@netgroupname</emphasis> in host or user patterns.
The
<emphasis>@@netgroupname</emphasis> syntax is supported in the
user
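Review bot: the rewritten LOCAL sentence says the origins field is compared against PAM_TTY "or, absent that, PAM_SERVICE", but the origins list added a few lines above in this same hunk now also includes "X <varname>$DISPLAY</varname> values ... (for non-networked logins without a tty)"; the LOCAL description should say where the $DISPLAY value sits in that fallback order, otherwise a reader cannot tell whether LOCAL matches a $DISPLAY-derived origin. Minor: `<code>NULL</code>` is the only use of `<code>` in this diff while the item names use `<emphasis>`; `<constant>NULL</constant>` would be the DocBook-idiomatic choice. Dropping the unescaped `<origin>` (not well-formed XML) and the stray closing quote after PAM_SERVICE from the old text is welcome.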
diff --git a/modules/pam_access/pam_access.8.xml
b/modules/pam_access/pam_access.8.xml
index 710e2e7..c629a9f 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -50,7 +50,8 @@
The pam_access PAM module is mainly for access management.
It provides logdaemon style login access control based on
login
names, host or domain names, internet addresses or network
numbers,
- or on terminal line names in case of non-networked logins.
+ or on terminal line names, X <varname>$DISPLAY</varname>
values,
+ or PAM service names in case of non-networked logins.
</para>
<para>
By default rules for access management are taken from config
file
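Review bot: the added lines fold X $DISPLAY values and PAM service names into the same "in case of non-networked logins" clause as terminal line names, but access.conf(5) in this same patch restricts the former two to non-networked logins without a tty. Suggest mirroring that here, e.g. "or, in case of non-networked logins, on terminal line names or, absent a tty, on X <varname>$DISPLAY</varname> values or PAM service names."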
@@ -59,7 +60,7 @@
</para>
<para>
If Linux PAM is compiled with audit support the module will
report
- when it denies access based on origin (host or tty).
+ when it denies access based on origin (host, tty, etc.).
</para>
</refsect1>
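Review bot: "(host, tty, etc.)" on the added line replaces a precise parenthetical with a vague one; since the patch itself enumerates the new origin kinds, write them out: "(host, tty, X $DISPLAY value or PAM service name)".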
--
1.7.10.4
Karl <kop(a)meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein