PAM_UNIX_CRED(7) Standards, Environments, and Macros PAM_UNIX_CRED(7)
NAME
pam_unix_cred - PAM user credential module for UNIX
SYNOPSIS
pam_unix_cred.so.1DESCRIPTION
The
pam_unix_cred module implements
pam_sm_setcred(3PAM). It provides
functions that establish user credential information. It is a module
separate from the
pam_unix_auth(7) module to allow replacement of the
authentication functionality independently from the credential
functionality.
The
pam_unix_cred module must always be stacked along with whatever
authentication module is used to ensure correct credential setting.
Authentication service modules must implement both
pam_sm_authenticate() and
pam_sm_setcred().
pam_sm_authenticate() in this module always returns
PAM_IGNORE.
pam_sm_setcred() initializes the user's project, privilege sets and
initializes or updates the user's audit context if it hasn't already been
initialized. The following flags may be set in the flags field:
PAM_ESTABLISH_CRED PAM_REFRESH_CRED PAM_REINITIALIZE_CRED Initializes the user's project to the project specified in
PAM_RESOURCE, or if
PAM_RESOURCE is not specified, to the user's
default project. Establishes the user's privilege sets.
If the audit context is not already initialized and auditing is
configured, these flags cause the context to be initialized to that
of the user specified in
PAM_AUSER (if any) merged with the user
specified in
PAM_USER and host specified in
PAM_RHOST. If
PAM_RHOST is not specified,
PAM_TTY specifies the local terminal name.
Attributing audit to
PAM_AUSER and merging
PAM_USER is required for
correctly attributing auditing when the system entry is performed by
another user that can be identified as trustworthy.
If the audit context is already initialized, the
PAM_REINITIALIZE_CRED flag merges the current audit context with that
of the user specified in
PAM_USER.
PAM_REINITIALIZE_CRED is useful
when a user is assuming a new identity, as with
su(8).
PAM_DELETE_CRED This flag has no effect and always returns
PAM_SUCCESS.
The following options are interpreted:
debug Provides
syslog(3C) debugging information at the
LOG_DEBUG level.
nowarn Disables any warning messages.
ERRORS
Upon successful completion of
pam_sm_setcred(),
PAM_SUCCESS is returned.
The following error codes are returned upon error:
PAM_CRED_UNAVAIL Underlying authentication service cannot retrieve
user credentials
PAM_CRED_EXPIRED User credentials have expired
PAM_USER_UNKNOWN User is unknown to the authentication service
PAM_CRED_ERR Failure in setting user credentials
PAM_BUF_ERR Memory buffer error
PAM_SYSTEM_ERR System error
The following values are returned from
pam_sm_authenticate():
PAM_IGNORE Ignores this module regardless of the control flag
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Evolving |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+
SEE ALSO
syslog(3C),
libpam(3LIB),
pam(3PAM),
pam_sm_authenticate(3PAM),
pam_sm_setcred(3PAM),
pam.conf(5),
project(5),
attributes(7),
pam_unix_auth(7),
pam_unix_session(7),
su(8)NOTES
The interfaces in
libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own
PAM handle.
If this module is replaced, the audit context and credential may not be
correctly configured.
August 19, 2023
PAM_UNIX_CRED(7)