LinuxCommandLibrary

pam_group

Grant access based on group membership

SYNOPSIS

This is a PAM module, not a standalone command. Its usage is within PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd).

type control pam_group.so [options]

PARAMETERS

allow_groups=group1[,group2,...]
    Specifies a comma-separated list of groups. If the authenticating user is a member of any of these groups, the module succeeds. This is generally used with a required or sufficient control flag.

deny_groups=group1[,group2,...]
    Specifies a comma-separated list of groups. If the authenticating user is a member of any of these groups, the module fails and denies access. This is commonly used with a required control flag.

allow
    Deprecated. Use allow_groups. This option reads group names from the default configuration file (/etc/security/group.conf).

deny
    Deprecated. Use deny_groups. This option reads group names from the default configuration file (/etc/security/group.conf).

conf=/path/to/file
    Specifies an alternative configuration file to load group settings from, instead of the default /etc/security/group.conf. This file typically contains rules in the format service;ttys;users;groups;times.

file=/path/to/file
    A synonym for the conf= option.

debug
    Causes the module to write debug information to the system log (syslog). Useful for troubleshooting.

non_interactive
    Prevents the module from attempting to prompt the user for any input.

quiet
    Suppresses syslog messages on success. Only messages on failure or errors are logged.

DESCRIPTION

pam_group is a Pluggable Authentication Module (PAM) that controls user access based on their membership in specified groups. It is typically configured within /etc/pam.d/ service files (e.g., login, sshd, sudo) to enforce access policies during authentication or session management. This module allows system administrators to define which groups are permitted or denied access to a particular service. For instance, you can configure it to allow only members of the "wheel" group to use the su command or to deny access to a service for users belonging to a "guest" group. When invoked, pam_group checks the user's supplementary group memberships against the allow_groups or deny_groups directives. If the user's groups match the specified criteria, the module either succeeds or fails, influencing the overall PAM stack's decision.

CAVEATS

  • pam_group only checks supplementary group memberships. It does not consider the user's primary group unless that primary group is also listed as a supplementary group.
  • The order of PAM modules in the stack is critical. If pam_group is placed after a module that already authenticates the user, its denial might be ignored, or its allowance might be redundant.
  • Using allow or deny (without _groups) relies on the /etc/security/group.conf file, which has a more complex syntax involving service, TTY, user, group, and time fields. For simple group checks, allow_groups and deny_groups are preferred.
  • Misconfiguration can lead to users being locked out of systems or services. Always test changes thoroughly in a controlled environment.

DEFAULT CONFIGURATION FILE: /etc/security/group.conf

When the deprecated allow or deny options are specified, pam_group reads its rules from /etc/security/group.conf; the conf= or file= options point it at an alternative file with the same format. This file uses a specific format to define access rules, often including conditions based on the service, TTY, user, group, and time of day. This provides more granular control than simple allow_groups/deny_groups directives.

PAM CONTROL FLAGS

The control field in a PAM configuration line (e.g., required, sufficient, optional, requisite) dictates how pam_group's success or failure affects the overall PAM stack. For instance, required means the module must succeed, but failure doesn't immediately stop the stack. requisite means the module must succeed, and failure immediately aborts the stack. sufficient means if it succeeds, the stack immediately returns success unless a preceding requisite module failed. Understanding these flags is crucial for effective PAM configuration.
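The following added example (not code from Linux-PAM or from this page) simulates how these control flags combine module results, using the standard pam.conf(5) semantics. It reproduces the two situations discussed above: a pam_group line guarding su for the "wheel" group, and the ordering caveat where a deny placed after a sufficient module is bypassed. Module names, stack lines and outcomes are constructed for illustration.

```python
"""Simulate how PAM control flags combine module results in a stack.

Added illustration, not Linux-PAM source code: the evaluation rules follow
the standard required/requisite/sufficient/optional semantics of pam.conf(5).
Stack lines and module outcomes below are constructed sample input.
"""
from typing import List, Tuple

# One configuration line: (control flag, module name, result for this user)
StackLine = Tuple[str, str, bool]


def evaluate_stack(stack: List[StackLine]) -> Tuple[bool, List[str]]:
    """Return (access granted, trace) for a stack evaluated top to bottom."""
    required_failed = False
    trace: List[str] = []
    for control, module, ok in stack:
        trace.append(f"{control:<10} {module:<14} {'success' if ok else 'fail'}")
        if control == "requisite" and not ok:
            trace.append("requisite failed: stack aborted")
            return False, trace
        if control == "required" and not ok:
            # Failure is remembered, but later modules still run.
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            trace.append("sufficient succeeded: stack returns success")
            return True, trace
        # optional results are ignored unless it is the only module
    if len(stack) == 1 and stack[0][0] == "optional":
        return stack[0][2], trace
    return not required_failed, trace


def wheel_only_su(user_in_wheel: bool, password_ok: bool) -> bool:
    """Constructed su stack: reject non-wheel users before the password check."""
    stack: List[StackLine] = [
        ("requisite", "pam_group.so", user_in_wheel),   # allow_groups=wheel
        ("required", "pam_unix.so", password_ok),
    ]
    return evaluate_stack(stack)[0]


def deny_after_sufficient(user_in_guest: bool, password_ok: bool) -> bool:
    """Misordered stack from the caveats: a deny placed after a sufficient line."""
    stack: List[StackLine] = [
        ("sufficient", "pam_unix.so", password_ok),
        ("required", "pam_group.so", not user_in_guest),  # deny_groups=guest
    ]
    return evaluate_stack(stack)[0]
```

With the misordered stack, a "guest" member who knows a valid password is granted access because the sufficient line returns before pam_group runs; moving the deny above it restores the intended policy.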

HISTORY

PAM (Pluggable Authentication Modules) was developed in the mid-1990s by Sun Microsystems, aiming to provide a flexible framework for authentication services. This allowed system administrators to choose and stack various authentication mechanisms without recompiling applications. pam_group is one of the foundational modules provided within the Linux-PAM (PAM for Linux) project, which became a standard component of most Linux distributions. Its purpose of enforcing group-based access control reflects a fundamental security requirement that has been present since the early days of multi-user Unix-like systems. The evolution of pam_group has primarily involved refinements in its configuration options (like the introduction of allow_groups and deny_groups for clearer inline configuration) and improved robustness.

SEE ALSO

pam(8), pam.conf(5), pam_succeed_if(8), pam_access(8), group(5), id(1)
