
/security/group.conf

http://github.com/brinkman83/bashrc
#
# This is the configuration file for the pam_group module. 
#

#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp play toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#

#
# The syntax of the lines is as follows:
#
#       services;ttys;users;times;groups
#
# white space is ignored and lines may be extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
#       is a logic list of PAM service names that the rule applies to.
#
# ttys
#       is a logic list of terminal names that this rule applies to.
#
# users
#       is a logic list of users or a netgroup of users to whom this
#       rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#     With netgroups no wildcards or logic operators are allowed.
#
# times
#       It is used to indicate "when" these groups are to be given to the
#       user. The format here is a logic list of day/time-range
#       entries the days are specified by a sequence of two character
#       entries, MoTuSa for example is Monday Tuesday and Saturday. Note
#       that repeated days are unset MoMo = no day, and MoWk = all weekdays
#       bar Monday. The two character combinations accepted are
#
#               Mo Tu We Th Fr Sa Su Wk Wd Al
#
#       the last two being week-end days and all 7 days of the week
#       respectively. As a final example, AlFr means all days except Friday.
#
#       Each day/time-range can be prefixed with a '!' to indicate "anything
#       but"
#
#       The time-range part is two 24-hour times HHMM separated by a hyphen
#       indicating the start and finish time (if the finish time is smaller
#       than the start time it is deemed to apply on the following day).
#
# groups
#	The (comma or space separated) list of groups that the user
#	inherits membership of. These groups are added if the previous
#	fields are satisfied by the user's request
#
# For a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#

#
# Note, to get this to work as it is currently typed you need
#
# 1. to run an application as root
# 2. add the following groups to the /etc/group file:
#		floppy, play, sound
#

#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#

#xsh;tty*&!ttyp*;us;Al0000-2400;floppy

#
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours.
#

#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy

#
# End of group.conf file
#
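
An added example, not part of the original file and not pam_group's own code: a Python evaluator for the `times` field as the comments above describe it, useful when auditing a rule such as `!Wk0900-1800` to see exactly when it hands out its groups. The function names are made up for this example, and evaluating `&` / `|` strictly left to right is an assumption the comments do not confirm.

```python
import re
from datetime import datetime

# Two-letter codes from the comments above, as bits (Monday = bit 0).
BITS = {d: 1 << i for i, d in enumerate(["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"])}
BITS.update(Wk=0b0011111, Wd=0b1100000, Al=0b1111111)
ENTRY = re.compile(r"(!?)((?:[A-Za-z]{2})+)(\d{4})-(\d{4})$")

def day_mask(codes):
    """XOR the codes together, so a repeated day is unset (MoMo = no day)."""
    mask = 0
    for i in range(0, len(codes), 2):
        mask ^= BITS[codes[i:i + 2].capitalize()]
    return mask

def entry_matches(entry, when):
    """True if one day/time-range entry (e.g. '!Wk0900-1800') covers `when`."""
    m = ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"bad day/time-range: {entry!r}")
    negate, codes, start, end = m.groups()
    mask, start, end = day_mask(codes), int(start), int(end)
    today = 1 << when.weekday()
    yesterday = 1 << ((when.weekday() - 1) % 7)
    now = when.hour * 100 + when.minute          # HHMM as an integer
    if start < end:
        hit = bool(mask & today) and start <= now < end
    else:  # finish not after start: the range runs on into the following day
        hit = (bool(mask & today) and now >= start) or \
              (bool(mask & yesterday) and now < end)
    return hit != bool(negate)                   # '!' means "anything but"

def times_match(field, when):
    """Evaluate a logic list of entries; left-to-right order is an assumption."""
    tokens = re.split(r"\s*([&|])\s*", field.strip())
    result = entry_matches(tokens[0], when)
    for op, entry in zip(tokens[1::2], tokens[2::2]):
        rhs = entry_matches(entry, when)
        result = (result and rhs) if op == "&" else (result or rhs)
    return result

if __name__ == "__main__":
    # Constructed check: the "games from 6pm to 6am" window from the warning.
    for hour in (7, 19):
        print(hour, times_match("Al1800-0600", datetime(2024, 1, 1, hour, 0)))
```
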