test account characteristics
pam_succeed_if.so [flag...] [condition...]
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items. One use is to select whether to load other modules based on this test.
The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met.
The following flags are supported:
debug Turns on debugging messages sent to syslog.
use_uid Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated.
quiet Don't log failure or success to the system log.
quiet_fail Don't log failure to the system log.
quiet_success Don't log success to the system log.
audit Log unknown users to the system log.
Conditions are three words: a field, a test, and a value to test for.
Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service:
field < number Field has a value numerically less than number.
field <= number Field has a value numerically less than or equal to number.
field eq number Field has a value numerically equal to number.
field >= number Field has a value numerically greater than or equal to number.
field > number Field has a value numerically greater than number.
field ne number Field has a value numerically different from number.
field = string Field exactly matches the given string.
field != string Field does not match the given string.
field =~ glob Field matches the given glob.
field !~ glob Field does not match the given glob.
field in item:item:... Field is contained in the list of items separated by colons.
field notin item:item:... Field is not contained in the list of items separated by colons.
user ingroup group User is in given group.
user notingroup group User is not in given group.
user innetgr netgroup (user,host) is in given netgroup.
user notinnetgr group (user,host) is not in given netgroup.
All module types (account, auth, password and session) are provided.
PAM_SUCCESS The condition was true.
PAM_AUTH_ERR The condition was false.
PAM_SERVICE_ERR A service error occurred or the arguments can't be parsed correctly.
To emulate the behaviour of pam_wheel, except there is no fallback to group 0:
auth required pam_succeed_if.so quiet user ingroup wheel
Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules.
type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...
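Arguments that cannot be parsed make the module return PAM_SERVICE_ERR rather than a true or false result, so it is worth checking rules before deploying them. The following is an added example, not part of the original manual page or of the Linux-PAM project: a small linter that checks pam_succeed_if.so arguments against the flags, fields and tests listed above. The names lint, module_args and SAMPLES are hypothetical, the sample rules are constructed, and it assumes the documented form only (flags first, then three-word conditions); the module itself may accept more.

```python
import re

# Added example: lint pam_succeed_if.so arguments against the grammar on this page.
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
FIELDS = {"user", "uid", "gid", "shell", "home", "ruser", "rhost", "tty", "service"}
NUMERIC = {"<", "<=", "eq", ">=", ">", "ne"}        # value must be a number
STRING = {"=", "!=", "=~", "!~", "in", "notin"}     # string, glob or a:b:c list
USER_ONLY = {"ingroup", "notingroup", "innetgr", "notinnetgr"}  # documented for "user"


def module_args(line):
    """Return the words after pam_succeed_if.so on a PAM rule, or None if absent."""
    words = line.split("#", 1)[0].split()           # drop trailing comment
    for i, word in enumerate(words):
        if word.endswith("pam_succeed_if.so"):
            return words[i + 1:]
    return None


def lint(line):
    """Return a list of problems found in one PAM rule (empty list: looks fine)."""
    args = module_args(line)
    if args is None:
        return []                                   # rule uses another module
    while args and args[0] in FLAGS:                # synopsis: flags, then conditions
        args = args[1:]
    if not args:
        return ["no condition given"]
    if len(args) % 3:
        return ["conditions must be three words each: field test value"]
    problems = []
    for field, test, value in zip(args[0::3], args[1::3], args[2::3]):
        if field not in FIELDS:
            problems.append(f"unknown field {field!r}")
        if test in NUMERIC:
            if not re.fullmatch(r"-?[0-9]+", value):
                problems.append(f"{test!r} needs a number, got {value!r}")
        elif test in USER_ONLY:
            if field != "user":
                problems.append(f"{test!r} is documented for field 'user' only")
        elif test not in STRING:
            problems.append(f"unknown test {test!r}")
    return problems


# Constructed sample rules (not taken from a real system).
SAMPLES = [
    "auth required pam_succeed_if.so quiet user ingroup wheel",
    "auth required pam_succeed_if.so quiet useringroup wheel",
    "auth [default=1 success=ignore] pam_succeed_if.so quiet uid >= abc",
    "account required pam_succeed_if.so shel = /bin/bash",
]
```

How a PAM_SERVICE_ERR is handled depends on the control field: under required it fails the stack, while under [default=1 success=ignore] it takes the default action and skips the next rule, exactly as a false condition would.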
Nalin Dahyabhai <nalin@redhat.com>