pam_authz.5 (2010 09)
pam_authz(5)
+                           Grants access to all the users in the database.
+@name                      Grants access to all members of the network group name.
+name                       Grants access to user name.
+@name:any_non_NULL_string  Denies access to all members of the network group name.
+name:*                     Denies access to user name.
-@name                      Denies access to all members of the network group name.
-name                       Denies access to user name.
Please refer to passwd(4) for a sample /etc/passwd file.
When an access policy file is loaded, pam_sm_acct_mgmt() uses it to help determine which users may log in. Each access rule in the access policy file is evaluated in order until an authoritative rule is found. An authoritative rule is the first access rule that matches the user's information. pam_sm_acct_mgmt() returns different PAM return codes based on the definition of the authoritative rule. If no authoritative rule is found, the user is denied access to the resource.
Access rules are the basic elements of an access policy. A "policy" is the collection of these different sets of access rules in a given order. An access rule consists of three colon-separated fields:

action:type:object

where the fields mean the following:
action    The action field defines the access permission if an access rule evaluates to true. The
          possible values in this field are:

          allow     Login authorization is granted.

          required  If the rule does not evaluate to true, processing stops and access is denied.
                    If the rule evaluates to true, processing continues by evaluating the next
                    rule in the policy file, and access is granted based on the evaluation of the
                    remaining rules. If a required rule is the last rule in the policy file, it
                    must evaluate to true for access to be granted.

          deny      Login authorization is restricted.
          <pam_code>
                    One of the following PAM return codes can be specified in the <action>
                    field; the PAM return codes are given as character strings:

                    PAM_SUCCESS
                    PAM_PERM_DENIED
                    PAM_MAXTRIES
                    PAM_AUTH_ERR
                    PAM_NEW_AUTHTOK_REQD
                    PAM_AUTHTOKEN_REQD
                    PAM_USER_UNKNOWN
                    PAM_ACCT_EXPIRED
                    PAM_AUTHTOK_EXPIRED

                    For example, if the PAM_AUTHZ policy rule indicates that an account has been
                    locked out or a password has expired, PAM_AUTHZ can return the appropriate
                    PAM error code instead of a general "deny" error code.
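The evaluation order described above (the first matching rule is authoritative, required rules gate the rules that follow, an explicit PAM code can replace a plain deny, and a policy with no authoritative rule denies) is simulated below in Python as an added example; it is not HP-UX or pam_authz code. The rule types "user" and "netgroup", the in-memory netgroup table, and the mapping of allow to PAM_SUCCESS and deny to PAM_PERM_DENIED are assumptions made for the illustration, since this part of the man page does not define them.

```python
"""Simulation of the access-policy evaluation described in pam_authz(5):
rules of the form action:type:object are checked in file order until an
authoritative rule (the first rule matching the user) decides the result.

Added illustration, not HP-UX code.  Assumptions not taken from the man page:
the type names "user" and "netgroup" and the in-memory lookup behind them
(rule types are not defined on this page), that "allow" maps to PAM_SUCCESS
and "deny" to PAM_PERM_DENIED, and that blank lines are ignored.
"""
from typing import Callable, Dict, List, NamedTuple, Set

# PAM return codes the man page permits in the action field.
PAM_CODES = {
    "PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_MAXTRIES", "PAM_AUTH_ERR",
    "PAM_NEW_AUTHTOK_REQD", "PAM_AUTHTOKEN_REQD", "PAM_USER_UNKNOWN",
    "PAM_ACCT_EXPIRED", "PAM_AUTHTOK_EXPIRED",
}
KEYWORDS = {"allow", "required", "deny"}


class Rule(NamedTuple):
    action: str
    type: str
    object: str


# (user, type, object) -> does this rule match the user?
Matcher = Callable[[str, str, str], bool]


def parse_policy(text: str) -> List[Rule]:
    """Parse action:type:object lines, rejecting unknown actions up front."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                          # assumption: blank lines ignored
        fields = line.split(":", 2)           # the object may itself contain ':'
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected action:type:object")
        action, rtype, obj = fields
        if action not in KEYWORDS and action not in PAM_CODES:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(action, rtype, obj))
    return rules


def evaluate(rules: List[Rule], user: str, matches: Matcher) -> str:
    """Walk the rules in order and return the PAM code for `user`.

    allow/deny/<pam_code> rules are authoritative only when they match.
    A required rule that does not match stops evaluation with a denial;
    one that matches passes control to the next rule, and a matching
    required rule at the end of the file grants access.  If no rule is
    authoritative, the result is a denial.
    """
    last = len(rules) - 1
    for i, rule in enumerate(rules):
        matched = matches(user, rule.type, rule.object)
        if rule.action == "required":
            if not matched:
                return "PAM_PERM_DENIED"
            if i == last:
                return "PAM_SUCCESS"
            continue
        if not matched:
            continue
        if rule.action == "allow":
            return "PAM_SUCCESS"
        if rule.action == "deny":
            return "PAM_PERM_DENIED"
        return rule.action                    # an explicit PAM return code
    return "PAM_PERM_DENIED"                  # no authoritative rule found


# --- constructed sample data, not from the man page -------------------------
NETGROUPS: Dict[str, Set[str]] = {
    "staff": {"alice", "bob", "carol"},
    "admins": {"alice"},
}


def sample_matcher(user: str, rtype: str, obj: str) -> bool:
    """Hypothetical rule types: "user" names one account, "netgroup" a group."""
    if rtype == "user":
        return user == obj
    if rtype == "netgroup":
        return user in NETGROUPS.get(obj, set())
    raise ValueError(f"unsupported rule type {rtype!r}")


SAMPLE_POLICY = """
deny:user:dave
PAM_ACCT_EXPIRED:user:erin
required:netgroup:staff
allow:netgroup:admins
"""


def decide(user: str, policy: str = SAMPLE_POLICY) -> str:
    """Apply a policy text to one user with the sample matcher."""
    return evaluate(parse_policy(policy), user, sample_matcher)


if __name__ == "__main__":
    for name in ("alice", "bob", "dave", "erin", "zed"):
        print(f"{name:6s} -> {decide(name)}")
```

With the sample policy, bob is a member of staff, so the required rule lets evaluation continue, but no later rule matches him; he is denied because no authoritative rule was found, which is the default the man page describes. erin gets PAM_ACCT_EXPIRED rather than a generic denial because the policy names that code as the action.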
2 Hewlett-Packard Company − 2 − HP-UX 11i v3: June 2010 Web Release