Administering LDAP-UX Client Services

PAM_AUTHZ Login Authorization Enhancement

unix_user

This option indicates that an administrator wants to control login access by checking a user's login name against a list of predefined users. If the login name matches one of the user names in the list, the authorization statement is evaluated to be true. The final access right is determined by evaluating the <action> field. An example of a unix_user type of access rule is as follows:

allow:unix_user:myuser1,myuser2,myuser3

If the user myuser3 attempts to log in, the above access rule is evaluated to be true and the user is granted login access.

unix_group

This option specifies that an administrator wants to control the login access right using the user's group membership. You can specify a list of group names in the <object> field. PAM_AUTHZ retrieves the group information of each listed group by querying the name services specified in nsswitch.conf. That means the group entries may come from any source (files, nis, ldap, and so on). If the login user belongs to any group in the list, the access rule is evaluated to be true. Otherwise, the rule is skipped. An example of a unix_group access rule is shown as follows:

deny:unix_group:myunixgroup10,myunixgroup11,\
myunixgroup12

A user who is a member of myunixgroup12 tries to log in. The rule is evaluated to be true and the <action> is applied: the user is denied access to the machine even with a valid password.
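The following is an added example, not code from the LDAP-UX product or this manual, showing how rules of the form action:type:object are parsed and evaluated in the way the unix_user and unix_group sections above describe (a netgroup type is handled the same way, as the netgroup section below describes). The policy text, the group and netgroup membership tables, comment handling, and the first-matching-rule-wins behaviour are all constructed assumptions for the example; the real PAM_AUTHZ resolves group membership through the name services in nsswitch.conf rather than from an in-memory table.

```python
# Constructed sample policy (not from the manual). A trailing backslash
# continues a rule on the next line, as in the manual's unix_group example.
# Treating '#' lines as comments is an assumption of this example.
SAMPLE_POLICY = r"""
# allow a fixed list of users
allow:unix_user:myuser1,myuser2,myuser3
deny:unix_group:myunixgroup10,myunixgroup11,\
myunixgroup12
allow:netgroup:admins
"""

# Constructed membership tables standing in for the name-service lookups
# (files, nis, ldap, ...) that PAM_AUTHZ would perform via nsswitch.conf.
GROUP_MEMBERS = {
    "myunixgroup10": {"alice"},
    "myunixgroup12": {"bob"},
}
NETGROUP_MEMBERS = {
    "admins": {"carol"},
}

VALID_ACTIONS = {"allow", "deny"}


def join_continuations(text):
    """Merge any line ending in a backslash with the line that follows it."""
    return text.replace("\\\n", "")


def parse_rules(text):
    """Parse 'action:type:obj1,obj2,...' lines into (action, type, [objects]).

    Malformed lines raise ValueError so a broken policy fails closed rather
    than silently losing a deny rule.
    """
    rules = []
    for raw in join_continuations(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("malformed rule: %r" % line)
        action, rtype, obj = (p.strip() for p in parts)
        if action not in VALID_ACTIONS:
            raise ValueError("unknown action in rule: %r" % line)
        objects = [o.strip() for o in obj.split(",") if o.strip()]
        rules.append((action, rtype, objects))
    return rules


def rule_matches(rtype, objects, user):
    """True when the rule's object list covers the user; False skips the rule."""
    if rtype == "unix_user":
        return user in objects
    if rtype == "unix_group":
        return any(user in GROUP_MEMBERS.get(g, ()) for g in objects)
    if rtype == "netgroup":
        return any(user in NETGROUP_MEMBERS.get(n, ()) for n in objects)
    return False  # unrecognised type: rule is skipped


def authorize(user, rules):
    """Return the <action> of the first matching rule, or None if none match.

    Evaluating rules in file order and stopping at the first match is an
    assumption of this example; the caller decides what None means.
    """
    for action, rtype, objects in rules:
        if rule_matches(rtype, objects, user):
            return action
    return None


if __name__ == "__main__":
    policy = parse_rules(SAMPLE_POLICY)
    for name in ("myuser3", "bob", "carol", "dave"):
        print(name, "->", authorize(name, policy))
```

With the constructed tables, myuser3 is allowed by the unix_user rule, bob is denied by the continued unix_group rule even though he would present a valid password, carol is allowed through the netgroup rule, and dave matches nothing. The parser raises on a malformed or unknown-action line instead of skipping it, since a silently dropped deny rule widens access.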

netgroup

This option specifies that the access permission is determined by the user's netgroup membership. You must specify a list of netgroup names in the <object> field. If the user is a member of one of the netgroups specified in the netgroup list, then the access rule is

Chapter 4

115