{
    "mode": "man",
    "parameter": "PAM_LISTFILE",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/PAM_LISTFILE/8/json",
    "generated": "2026-06-13T22:55:57Z",
    "synopsis": "pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny]\nfile=/path/filename onerr=[succeed|fail] [apply=[user|@group]] [quiet]",
    "sections": {
        "NAME": {
            "content": "pam_listfile - deny or allow services based on an arbitrary file\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny]\nfile=/path/filename onerr=[succeed|fail] [apply=[user|@group]] [quiet]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "pam_listfile is a PAM module which provides a way to deny or allow services based on an\narbitrary file.\n\nThe module gets the item of the type specified -- user specifies the username, PAM_USER; tty\nspecifies the name of the terminal over which the request has been made, PAM_TTY; rhost\nspecifies the name of the remote host (if any) from which the request was made, PAM_RHOST;\nand ruser specifies the name of the remote user (if available) who made the request,\nPAM_RUSER -- and looks for an instance of that item in the file=filename.  filename contains\none line per item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned,\ncausing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned,\ncausing the authorization request to fail.\n\nIf an error is encountered (for instance, if filename does not exist, or a poorly-constructed\nargument is encountered), then if onerr=succeed, PAM_SUCCESS is returned, otherwise if\nonerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate) will be returned.\n\nAn additional argument, apply=, can be used to restrict the application of the above to a\nspecific user (apply=username) or a given group (apply=@groupname). This added restriction is\nonly meaningful when used with the tty, rhost and shell items.\n\nBesides this last one, all arguments should be specified; do not count on any default\nbehavior.\n\nNo credentials are awarded by this module.\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "item=[tty|user|rhost|ruser|group|shell]",
                    "content": "What is listed in the file and should be checked for.\n"
                },
                {
                    "name": "sense=[allow|deny]",
                    "content": "Action to take if found in file; if the item is NOT found in the file, then the opposite\naction is requested.\n"
                },
                {
                    "name": "file=/path/filename",
                    "content": "File containing one item per line. The file needs to be a plain file and not world\nwritable.\n"
                },
                {
                    "name": "onerr=[succeed|fail]",
                    "content": "What to do if something weird happens like being unable to open the file.\n"
                },
                {
                    "name": "apply=[user|@group]",
                    "content": "Restrict the user class for which the restriction applies. Note that with\nitem=[user|ruser|group] this does not make sense, but for item=[tty|rhost|shell] it has\na meaning.\n"
                },
                {
                    "name": "quiet",
                    "content": "Do not treat service refusals or missing list files as errors that need to be logged.\n"
                }
            ]
        },
        "MODULE TYPES PROVIDED": {
            "content": "All module types (auth, account, password and session) are provided.\n",
            "subsections": []
        },
        "RETURN VALUES": {
            "content": "PAM_AUTH_ERR\nAuthentication failure.\n\nPAM_BUF_ERR\nMemory buffer error.\n\nPAM_IGNORE\nThe rule does not apply to the apply option.\n\nPAM_SERVICE_ERR\nError in service module.\n\nPAM_SUCCESS\nSuccess.\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "Classic 'ftpusers' authentication can be implemented with this entry in /etc/pam.d/ftpd:\n\n#\n# deny ftp-access to users listed in the /etc/ftpusers file\n#\nauth    required       pam_listfile.so \\\nonerr=succeed item=user sense=deny file=/etc/ftpusers\n\n\nNote, users listed in /etc/ftpusers file are (counterintuitively) not allowed access to the\nftp service.\n\nTo allow login access only for certain users, you can use a /etc/pam.d/login entry like this:\n\n#\n# permit login to users listed in /etc/loginusers\n#\nauth    required       pam_listfile.so \\\nonerr=fail item=user sense=allow file=/etc/loginusers\n\n\nFor this example to work, all users who are allowed to use the login service should be listed\nin the file /etc/loginusers. Unless you are explicitly trying to lock out root, make sure\nthat when you do this, you leave a way for root to log in, either by listing root in\n/etc/loginusers, or by listing a user who is able to su to the root account.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "pam.conf(5), pam.d(5), pam(7)\n",
            "subsections": []
        },
        "AUTHOR": {
            "content": "pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot Lee\n<sopwith@cuc.edu>.\n\n\n\nLinux-PAM Manual                             06/08/2020                              PAM_LISTFILE(8)",
            "subsections": []
        }
    },
    "summary": "pam_listfile - deny or allow services based on an arbitrary file",
    "flags": [],
    "examples": [
        "Classic 'ftpusers' authentication can be implemented with this entry in /etc/pam.d/ftpd:",
        "# deny ftp-access to users listed in the /etc/ftpusers file",
        "auth    required       pam_listfile.so \\",
        "onerr=succeed item=user sense=deny file=/etc/ftpusers",
        "Note, users listed in /etc/ftpusers file are (counterintuitively) not allowed access to the",
        "ftp service.",
        "To allow login access only for certain users, you can use a /etc/pam.d/login entry like this:",
        "# permit login to users listed in /etc/loginusers",
        "auth    required       pam_listfile.so \\",
        "onerr=fail item=user sense=allow file=/etc/loginusers",
        "For this example to work, all users who are allowed to use the login service should be listed",
        "in the file /etc/loginusers. Unless you are explicitly trying to lock out root, make sure",
        "that when you do this, you leave a way for root to log in, either by listing root in",
        "/etc/loginusers, or by listing a user who is able to su to the root account."
    ],
    "see_also": [
        {
            "name": "pam.conf",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/pam.conf/5/json"
        },
        {
            "name": "pam.d",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json"
        },
        {
            "name": "pam",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/pam/7/json"
        }
    ]
}