Rev 4
#
# This is the configuration file for the pam_group module.
#

#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp play toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#

#
# The syntax of the lines is as follows:
#
#       services;ttys;users;times;groups
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
#       is a logic list of PAM service names that the rule applies to.
#
# ttys
#       is a logic list of terminal names that this rule applies to.
#
# users
#       is a logic list of users or a netgroup of users to whom this
#       rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#     With netgroups no wildcards or logic operators are allowed.
#
# times
#       It is used to indicate "when" these groups are to be given to the
#       user. The format here is a logic list of day/time-range
#       entries the days are specified by a sequence of two character
#       entries, MoTuSa for example is Monday Tuesday and Saturday. Note
#       that repeated days are unset MoMo = no day, and MoWk = all weekdays
#       bar Monday. The two character combinations accepted are
#
#               Mo Tu We Th Fr Sa Su Wk Wd Al
#
#       the last two being week-end days and all 7 days of the week
#       respectively. As a final example, AlFr means all days except Friday.
#
#       Each day/time-range can be prefixed with a '!' to indicate "anything
#       but"
#
#       The time-range part is two 24-hour times HHMM separated by a hyphen
#       indicating the start and finish time (if the finish time is smaller
#       than the start time it is deemed to apply on the following day).
#
# groups
#       The (comma or space separated) list of groups that the user
#       inherits membership of. These groups are added if the previous
#       fields are satisfied by the user's request
#
# For a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#

#
# Note, to get this to work as it is currently typed you need
#
# 1. to run an application as root
# 2. add the following groups to the /etc/group file:
#       floppy, play, sound
#

#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#

#xsh;tty*&!ttyp*;us;Al0000-2400;floppy

#
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours.
#

#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy

#
# yet another example: any member of the group 'admin' running
# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
#

#xsh; tty* ;%admin;Al0000-2400;plugdev

#
# End of group.conf file
#
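
An added example, not part of the pam_group module or of this file: Python code that evaluates a single entry of the times field as the comments above describe it (day toggling, the '!' prefix, ranges that run past midnight), so a rule can be audited for when it actually grants its groups. The function names are hypothetical, and treating the start time as inclusive and the finish time as exclusive is an assumption the comments do not settle.

```python
import re

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}
ENTRY = re.compile(r"(!?)((?:[A-Z][a-z])+)(\d{4})-(\d{4})")


def day_set(spec):
    """Expand a day sequence such as 'MoWk'; a repeated day is unset (toggled)."""
    days = set()
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code not in GROUPS and code not in DAYS:
            raise ValueError(f"unknown day code {code!r}")
        days ^= set(GROUPS.get(code, [code]))
    return days


def entry_matches(entry, day, hhmm):
    """True if one day/time-range entry (optional '!' prefix) covers day at hhmm."""
    m = ENTRY.fullmatch(entry.replace(" ", ""))
    if not m:
        raise ValueError(f"malformed times entry {entry!r}")
    negate, start, end = m[1] == "!", int(m[3]), int(m[4])
    days = day_set(m[2])
    if start < end:
        # Same-day window. Assumption: start inclusive, finish exclusive.
        hit = day in days and start <= hhmm < end
    else:
        # Finish smaller than start: the window runs on into the following day.
        previous = DAYS[(DAYS.index(day) - 1) % 7]
        hit = (day in days and hhmm >= start) or (previous in days and hhmm < end)
    return hit != negate  # '!' means "anything but"


def granted_hours(entry):
    """Hours (sampled at HH00) per day at which the entry would grant the groups."""
    return {d: [h for h in range(24) if entry_matches(entry, d, h * 100)] for d in DAYS}


if __name__ == "__main__":
    # '!Wk0900-1800' is the times field of the 'sword' rule in the file above.
    for day, hours in granted_hours("!Wk0900-1800").items():
        print(day, hours)
```

For `!Wk0900-1800` the result lists every hour of Saturday and Sunday as well as the weekday hours outside 09:00-18:00, because the '!' negates the whole day/time-range entry.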