pam_group - PAM module for group access


The pam_group PAM module does not authenticate the user; instead it grants group memberships to the user during the credential-setting phase of the authentication module. Which memberships are granted depends on the service the user is applying for.

By default, the rules for group memberships are taken from the configuration file /etc/security/group.conf.

This module's usefulness relies on the filesystems accessible to the user. Once granted membership of a group, the user may attempt to create a setgid binary owned by that restricted group. Later, when the user is no longer given membership of the group, they can recover it simply by executing the precompiled binary. The filesystems the user has access to matter because, on a filesystem mounted nosuid, the user is unable to create or execute such a binary to any effect. For this module to provide any level of security, every filesystem that the user has write access to should be mounted nosuid.
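An added example, not part of the pam_group man page, of the check the paragraph above calls for: a POSIX shell function that reads mount entries in /proc/mounts format and reports every read-write mount that lacks the nosuid option. The sample mount table is constructed for the demonstration; the function names are assumptions of this example.

```shell
# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /srv/shared ext4 rw,nosuid 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# Read mount lines from stdin and print the mount point of every
# entry that is mounted read-write but without the nosuid option.
# A setgid binary dropped on such a mount would still be honoured,
# which is exactly what the pam_group caveat warns about.
find_rw_without_nosuid() {
    while read -r _dev mnt _fstype opts _rest; do
        # Read-only mounts cannot receive a new setgid binary; skip them.
        case ",$opts," in
            *,ro,*) continue ;;
        esac
        # Anything writable that does not carry nosuid is reported.
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Run the same check against the live mount table. This lists all
# rw mounts lacking nosuid; whether a given user can actually write
# to each one still depends on directory permissions on that mount.
audit_live_mounts() {
    find_rw_without_nosuid < /proc/mounts
}

# Demonstration on the constructed sample: prints "/" and "/home".
printf '%s\n' "$SAMPLE_MOUNTS" | find_rw_without_nosuid
```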

The pam_group module functions in parallel with the /etc/group file. Any groups granted by this module are granted in addition to the entries in /etc/group (or its equivalent).


This module does not recognise any options .


Only the auth module type is provided .


PAM_SUCCESS Group membership was granted.

PAM_ABORT Not all relevant data could be obtained.

PAM_BUF_ERR Memory buffer error.

PAM_CRED_ERR Group membership was not granted.

PAM_IGNORE pam_sm_authenticate was called, which does nothing.

PAM_USER_UNKNOWN The user is not known to the system.


/etc/security/group.conf Default configuration file


pam_group was written by Andrew G. Morgan <morgan@kernel.org>.


group.conf(5), pam.d(5), pam(8).

