{
    "content": [
        {
            "type": "text",
            "text": "# PAM_XAUTH(8) (man)\n\n**Summary:** pamxauth - PAM module to forward xauth keys between users\n\n**Synopsis:** pamxauth.so [debug] [xauthpath=/path/to/xauth] [systemuser=UID] [targetuser=UID]\n\n## Examples\n\n- `Add the following line to /etc/pam.d/su to forward xauth keys between users when calling su:`\n- `session  optional  pamxauth.so`\n\n## See Also\n\n- pam.conf(5)\n- pam.d(5)\n- pam(7)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (32 lines)\n- **OPTIONS** (1 lines) — 1 subsections\n  - debug (14 lines)\n- **MODULE TYPES PROVIDED** (2 lines)\n- **RETURN VALUES** (15 lines)\n- **EXAMPLES** (6 lines)\n- **IMPLEMENTATION DETAILS** (13 lines)\n- **FILES** (6 lines)\n- **SEE ALSO** (2 lines)\n- **AUTHOR** (6 lines)\n\n## Full Content\n\n### NAME\n\npamxauth - PAM module to forward xauth keys between users\n\n### SYNOPSIS\n\npamxauth.so [debug] [xauthpath=/path/to/xauth] [systemuser=UID] [targetuser=UID]\n\n### DESCRIPTION\n\nThe pamxauth PAM module is designed to forward xauth keys (sometimes referred to as\n\"cookies\") between users.\n\nWithout pamxauth, when xauth is enabled and a user uses the su(1) command to assume another\nuser's privileges, that user is no longer able to access the original user's X display\nbecause the new user does not have the key needed to access the display. 
pam_xauth solves the\nproblem by forwarding the key from the user running su (the source user) to the user whose\nidentity the source user is assuming (the target user) when the session is created, and\ndestroying the key when the session is torn down.\n\nThis means, for example, that when you run su(1) from an xterm session, you will be able to\nrun X programs without explicitly dealing with the xauth(1) command or ~/.Xauthority\nfiles.\n\npam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY\nenvironment variable.\n\nPrimitive access control is provided by ~/.xauth/export in the invoking user's home directory\nand ~/.xauth/import in the target user's home directory.\n\nIf a user has a ~/.xauth/import file, the user will only receive cookies from users listed in\nthe file. If there is no ~/.xauth/import file, the user will accept cookies from any other\nuser.\n\nIf a user has a ~/.xauth/export file, the user will only forward cookies to users listed in the\nfile. If there is no ~/.xauth/export file, and the invoking user is not root, the user will\nforward cookies to any other user. If there is no ~/.xauth/export file, and the invoking user\nis root, the user will not forward cookies to other users.\n\nBoth the import and export files support wildcards (such as *). Both the import and export\nfiles can be empty, signifying that no users are allowed.\n\n### OPTIONS\n\n#### debug\n\nPrint debug information.\n\nxauthpath=/path/to/xauth\nSpecify the path to the xauth program (it is expected in /usr/X11R6/bin/xauth,\n/usr/bin/xauth, or /usr/bin/X11/xauth by default).\n\nsystemuser=UID\nSpecify the highest UID which will be assumed to belong to a \"system\" user. 
pam_xauth\nwill refuse to forward credentials to users with UID less than or equal to this number,\nexcept for root and the \"targetuser\", if specified.\n\ntargetuser=UID\nSpecify a single target UID which is exempt from the systemuser check.\n\n### MODULE TYPES PROVIDED\n\nOnly the session type is provided.\n\n### RETURN VALUES\n\nPAM_BUF_ERR\nMemory buffer error.\n\nPAM_PERM_DENIED\nPermission denied by import/export file.\n\nPAM_SESSION_ERR\nCannot determine user name, UID or access user's home directory.\n\nPAM_SUCCESS\nSuccess.\n\nPAM_USER_UNKNOWN\nUser not known.\n\n### EXAMPLES\n\nAdd the following line to /etc/pam.d/su to forward xauth keys between users when calling su:\n\nsession  optional  pam_xauth.so\n\n### IMPLEMENTATION DETAILS\n\npam_xauth will work only if it is used from a setuid application in which the getuid() call\nreturns the id of the user running the application, and for which PAM can supply the name of\nthe account that the user is attempting to assume. The typical application of this type is\nsu(1). The application must call both pam_open_session() and pam_close_session() with the\nruid set to the uid of the calling user and the euid set to root, and must have provided as\nthe PAM_USER item the name of the target user.\n\npam_xauth calls xauth(1) as the source user to extract the key for $DISPLAY, then calls xauth\nas the target user to merge the key into a temporary database and later remove the\ndatabase.\n\npam_xauth cannot be told to not remove the keys when the session is closed.\n\n### FILES\n\n~/.xauth/import\nXXX\n\n~/.xauth/export\nXXX\n\n### SEE ALSO\n\npam.conf(5), pam.d(5), pam(7)\n\n### AUTHOR\n\npam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original version by\nMichael K. Johnson <johnsonm@redhat.com>.\n\n\n\nLinux-PAM Manual                             06/08/2020                                 PAM_XAUTH(8)\n\n"
        }
    ],
    "structuredContent": {
        "command": "PAM_XAUTH",
        "section": "8",
        "mode": "man",
        "summary": "pamxauth - PAM module to forward xauth keys between users",
        "synopsis": "pamxauth.so [debug] [xauthpath=/path/to/xauth] [systemuser=UID] [targetuser=UID]",
        "flags": [],
        "examples": [
            "Add the following line to /etc/pam.d/su to forward xauth keys between users when calling su:",
            "session  optional  pamxauth.so"
        ],
        "see_also": [
            {
                "name": "pam.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/pam.conf/5/json"
            },
            {
                "name": "pam.d",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json"
            },
            {
                "name": "pam",
                "section": "7",
                "url": "https://www.chedong.com/phpMan.php/man/pam/7/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 32,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 1,
                "subsections": [
                    {
                        "name": "debug",
                        "lines": 14
                    }
                ]
            },
            {
                "name": "MODULE TYPES PROVIDED",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "RETURN VALUES",
                "lines": 15,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 6,
                "subsections": []
            },
            {
                "name": "IMPLEMENTATION DETAILS",
                "lines": 13,
                "subsections": []
            },
            {
                "name": "FILES",
                "lines": 6,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "AUTHOR",
                "lines": 6,
                "subsections": []
            }
        ]
    }
}