- #
- # This is the configuration file for the pam_group module.
- #
- #
- # *** Please note that giving group membership on a session basis is
- # *** NOT inherently secure. If a user can create an executable that
- # *** is setgid a group that they are infrequently given membership
- # *** of, they can basically obtain group membership any time they
- # *** like. Example: games are allowed between the hours of 6pm and 6am;
- # *** user joe logs in at 7pm, writes a small C program toplay.c that
- # *** invokes their favorite shell, compiles it and does
- # *** "chgrp play toplay; chmod g+s toplay". They are basically able
- # *** to play games any time... You have been warned. AGM
- #
- #
- # The syntax of the lines is as follows:
- #
- # services;ttys;users;times;groups
- #
- # white space is ignored and lines may be extended with '\\n' (escaped
- # newlines). From reading these comments, it is clear that
- # text following a '#' is ignored to the end of the line.
- #
- # the combination of individual users/terminals etc is a logic list
- # namely individual tokens that are optionally prefixed with '!' (logical
- # not) and separated with '&' (logical and) and '|' (logical or).
- #
- # services
- # is a logic list of PAM service names that the rule applies to.
- #
- # ttys
- # is a logic list of terminal names that this rule applies to.
- #
- # users
- # is a logic list of users or a netgroup of users to whom this
- # rule applies.
- #
- # NB. For these items the simple wildcard '*' may be used only once.
- # With netgroups no wildcards or logic operators are allowed.
- #
- # times
- # It is used to indicate "when" these groups are to be given to the
- # user. The format here is a logic list of day/time-range
- # entries. The days are specified by a sequence of two-character
- # entries; MoTuSa, for example, is Monday, Tuesday and Saturday. Note
- # that repeated days are unset: MoMo = no day, and MoWk = all weekdays
- # bar Monday. The two-character combinations accepted are
- #
- # Mo Tu We Th Fr Sa Su Wk Wd Al
- #
- # the last two being week-end days and all 7 days of the week
- # respectively. As a final example, AlFr means all days except Friday.
- #
- # Each day/time-range can be prefixed with a '!' to indicate "anything
- # but"
- #
- # The time-range part is two 24-hour times HHMM separated by a hyphen
- # indicating the start and finish time (if the finish time is smaller
- # than the start time it is deemed to apply on the following day).
- #
- # groups
- # The (comma or space separated) list of groups that the user
- # inherits membership of. These groups are added if the previous
- # fields are satisfied by the user's request
- #
- # For a rule to be active, ALL of service+ttys+users must be satisfied
- # by the applying process.
- #
- #
- # Note, to get this to work as it is currently typed you need
- #
- # 1. to run an application as root
- # 2. add the following groups to the /etc/group file:
- # floppy, play, sound
- #
- #
- # Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
- # the user 'us' is given access to the floppy (through membership of
- # the floppy group)
- #
- #xsh;tty*&!ttyp*;us;Al0000-2400;floppy
- #
- # another example: running 'xsh' on tty* (any ttyXXX device),
- # the user 'sword' is given access to games (through membership of
- # the sound and play group) after work hours.
- #
- #xsh; tty* ;sword;!Wk0900-1800;sound, play
- #xsh; tty* ;*;Al0900-1800;floppy
- #
- # yet another example: any member of the group 'admin' running
- # 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
- #
- #xsh; tty* ;%admin;Al0000-2400;plugdev
- #
- # End of group.conf file
- #
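To audit when a rule actually hands out its groups, the `times` field can be evaluated offline. The following is an added example, not part of the original file or of pam_group itself; the function names are hypothetical. It assumes the logic list is evaluated left to right, that the start time is inclusive and the finish time exclusive, and it ignores the services/ttys/users fields.

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # datetime.weekday() order
SETS = {d: {i} for i, d in enumerate(DAYS)}
SETS.update(Wk={0, 1, 2, 3, 4}, Wd={5, 6}, Al=set(range(7)))

def parse_days(codes):
    """Two-letter codes toggle days: MoMo = no day, AlFr = all but Friday."""
    days = set()
    for i in range(0, len(codes), 2):
        days ^= SETS[codes[i:i + 2]]  # KeyError on an unknown code
    return days

def entry_matches(entry, now):
    """Evaluate one day/time-range entry such as '!Wk0900-1800'."""
    m = re.fullmatch(r"(!?)((?:[A-Z][a-z])+)(\d{4})-(\d{4})", entry.strip())
    if not m:
        raise ValueError(f"bad times entry: {entry!r}")
    negate, days = m.group(1) == "!", parse_days(m.group(2))
    start, end = int(m.group(3)), int(m.group(4))
    hhmm, today = now.hour * 100 + now.minute, now.weekday()
    if start < end:
        hit = today in days and start <= hhmm < end  # assumption: end exclusive
    else:
        # finish smaller than start: the range runs into the following day
        hit = (today in days and hhmm >= start) or (
            (today - 1) % 7 in days and hhmm < end)
    return hit != negate

def times_match(field, now):
    """Logic list joined by '&' / '|'; left-to-right evaluation is an assumption."""
    parts = re.split(r"([&|])", field)
    result = entry_matches(parts[0], now)
    for op, entry in zip(parts[1::2], parts[2::2]):
        rhs = entry_matches(entry, now)
        result = (result and rhs) if op == "&" else (result or rhs)
    return result

def groups_granted(rule, now):
    """Groups a rule line would add at `now`, judged on the times field only."""
    services, ttys, users, times, groups = [f.strip() for f in rule.split(";")]
    return re.split(r"[,\s]+", groups) if times_match(times, now) else []
```

Run against the `sword` rule above, this shows that `!Wk0900-1800` also grants `sound` and `play` for the whole of Saturday and Sunday, since negation covers every moment outside weekday working hours.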