--- pam_list.orig.5 Wed Oct 29 12:57:45 2008 +++ pam_list.new.5 Wed Nov 5 17:50:56 2008 @@ -1,198 +1,203 @@ Standards, Environments, and Macros pam_list(5) NAME pam_list - PAM account management module for UNIX SYNOPSIS pam_list.so.1 DESCRIPTION The pam_list module implements pam_sm_acct_mgmt(3PAM), which provides functionality to the PAM account management stack. The module provides functions to validate that the user's account is valid on this host based on a list of users and/or netgroups in the given file. The users and netgroups are separated by newline character. Netgroups are specified with character '@' as prefix before name of netgroup in the list. The maximum line lenght is 1023 characters. The username is the value of PAM_USER. The host is the value of PAM_RHOST or, if PAM_RHOST is not set, the value of the localhost as returned by gethostname(3C) is used. - If neither of the allow or deny options are specified then + If neither of the allow or deny or compat options are specified then the module will look for +/- entries in the local /etc/passwd file. If this style is used, nsswitch.conf(4) must not be configured with compat for the passwd database. If no relevant +/- entry exists for the user, pam_list is not participating in result. + If compat option is specified then the module will look for + +/- entries in the local /etc/passwd file. Other entries in + this file will be counted as + entries. If no relevant entry + exits for the user, pam_list will deny the access. The following options can be passed to the module: allow= The full pathname to a file of allowed users and/or netgroups. Only one of allow= or deny= can be specified. deny= The full pathname to a file of denied users and/or netgroups. Only one of deny= or allow= can be specified. debug Provide syslog(3C) debugging information at the LOG_AUTH | LOG_DEBUG level. user The module should only perform netgroup matches on the username. This is the default option. SunOS 5.11 Last change: 9 Aug 2007 1 Standards, Environments, and Macros pam_list(5) nouser The username should not be used in the netgroup match. host Only the host should be used in netgroup matches. nohost The hostname should not be used in net- group matches. user_host_exact The user and hostname must be in the same netgroup. + compat Activate compat mode ERRORS The following error values are returned: PAM_SERVICE_ERR An invalid set of module options was given in the pam.conf(4) for this module, or the user/netgroup file could not be opened. PAM_BUF_ERR A memory buffer error occurred. PAM_IGNORE The module is ignored, as it is not par- ticipating in the result. PAM_PERM_DENIED The user is not on the allow list or is on the deny list. PAM_SUCCESS The account is valid for use at this time. PAM_USER_UNKNOWN No account is present for the user ATTRIBUTES See attributes(5) for descriptions of the following attri- butes: SunOS 5.11 Last change: 9 Aug 2007 2 Standards, Environments, and Macros pam_list(5) ____________________________________________________________ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | |______________________________|______________________________| | Interface Stability | Committed | |______________________________|______________________________| | MT-Level | MT-Safe with exceptions | |______________________________|______________________________| The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multithreaded application uses its own PAM handle. SEE ALSO pam(3PAM), pam_authenticate(3PAM), pam_sm_acct_mgmt(3PAM), syslog(3C), libpam(3LIB), nsswitch.conf(4), pam.conf(4), attributes(5) SunOS 5.11 Last change: 9 Aug 2007 3