{ "content": [ { "type": "text", "text": "# pam_group (man)\n\n## NAME\n\npamgroup - PAM module for group access\n\n## SYNOPSIS\n\npamgroup.so\n\n## DESCRIPTION\n\nThe pamgroup PAM module does not authenticate the user, but instead it grants group\nmemberships (in the credential setting phase of the authentication module) to the user. Such\nmemberships are based on the service they are applying for.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS**\n- **MODULE TYPES PROVIDED**\n- **RETURN VALUES**\n- **FILES**\n- **SEE ALSO**\n- **AUTHORS**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "pam_group", "section": "", "mode": "man", "summary": "pamgroup - PAM module for group access", "synopsis": "pamgroup.so", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [ { "name": "group.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/group.conf/5/json" }, { "name": "pam.d", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json" }, { "name": "pam", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/pam/7/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 19, "subsections": [] }, { "name": "OPTIONS", "lines": 2, "subsections": [] }, { "name": "MODULE TYPES PROVIDED", "lines": 2, "subsections": [] }, { "name": "RETURN VALUES", "lines": 18, "subsections": [] }, { "name": "FILES", "lines": 3, "subsections": [] }, { "name": "SEE ALSO", "lines": 2, "subsections": [] }, { "name": "AUTHORS", "lines": 5, "subsections": [] } ], "sections": { "NAME": { "content": "pamgroup - PAM module for group access\n", "subsections": [] }, "SYNOPSIS": { "content": "pamgroup.so\n", "subsections": [] }, "DESCRIPTION": { "content": "The pamgroup PAM module does not authenticate the user, but instead it grants group\nmemberships (in the credential setting phase of the authentication module) to the user. Such\nmemberships are based on the service they are applying for.\n\nBy default rules for group memberships are taken from config file /etc/security/group.conf.\n\nThis module's usefulness relies on the file-systems accessible to the user. The point being\nthat once granted the membership of a group, the user may attempt to create a setgid binary\nwith a restricted group ownership. Later, when the user is not given membership to this\ngroup, they can recover group membership with the precompiled binary. The reason that the\nfile-systems that the user has access to are so significant, is the fact that when a system\nis mounted nosuid the user is unable to create or execute such a binary file. For this module\nto provide any level of security, all file-systems that the user has write access to should\nbe mounted nosuid.\n\nThe pamgroup module functions in parallel with the /etc/group file. If the user is granted\nany groups based on the behavior of this module, they are granted in addition to those\nentries /etc/group (or equivalent).\n", "subsections": [] }, "OPTIONS": { "content": "This module does not recognise any options.\n", "subsections": [] }, "MODULE TYPES PROVIDED": { "content": "Only the auth module type is provided.\n", "subsections": [] }, "RETURN VALUES": { "content": "PAMSUCCESS\ngroup membership was granted.\n\nPAMABORT\nNot all relevant data could be gotten.\n\nPAMBUFERR\nMemory buffer error.\n\nPAMCREDERR\nGroup membership was not granted.\n\nPAMIGNORE\npamsmauthenticate was called which does nothing.\n\nPAMUSERUNKNOWN\nThe user is not known to the system.\n", "subsections": [] }, "FILES": { "content": "/etc/security/group.conf\nDefault configuration file\n", "subsections": [] }, "SEE ALSO": { "content": "group.conf(5), pam.d(5), pam(7).\n", "subsections": [] }, "AUTHORS": { "content": "pamgroup was written by Andrew G. Morgan .\n\n\n\nLinux-PAM Manual 06/08/2020 PAMGROUP(8)", "subsections": [] } } } }