                    pam_group — PAM module for group access

   ══════════════════════════════════════════════════════════════════════════

DESCRIPTION

   The pam_group PAM module does not authenticate the user, but instead it
   grants group memberships (in the credential setting phase of the
   authentication module) to the user. Such memberships are based on the
   service they are applying for.

   By default rules for group memberships are taken from config file
   /etc/security/group.conf.

   If /etc/security/group.conf does not exist,
   %vendordir%/security/group.conf is used.

   This module's usefulness relies on the file-systems accessible to the
   user. The point being that once granted the membership of a group, the
   user may attempt to create a setgid binary with a restricted group
   ownership. Later, when the user is not given membership to this group,
   they can recover group membership with the precompiled binary. The reason
   that the file-systems that the user has access to are so significant, is
   the fact that when a system is mounted nosuid the user is unable to create
   or execute such a binary file. For this module to provide any level of
   security, all file-systems that the user has write access to should be
   mounted nosuid.

   The pam_group module functions in parallel with the /etc/group file. If
   the user is granted any groups based on the behavior of this module, they
   are granted in addition to those entries /etc/group (or equivalent).

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/group.conf.

   Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access
   to the floppy (through membership of the floppy group)

 xsh;tty*&!ttyp*;us;Al0000-2400;floppy

   Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
   'shield' are given access to games (through membership of the floppy
   group) after work hours.

 xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
 xsh; tty* ;*;Al0900-1800;floppy


   Any member of the group 'admin' running 'xsh' on tty*, is granted access
   (at any time) to the group 'plugdev'

 xsh; tty* ;%admin;Al0000-2400;plugdev

INITIAL
BEFORE_HTML
BEFORE_HEAD
IN_HEAD
IN_HEAD
GENERIC_RCDATA
GENERIC_RCDATA
GENERIC_RCDATA
GENERIC_RCDATA
IN_HEAD
IN_HEAD
AFTER_HEAD
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
AFTER_BODY
AFTER_AFTER_BODY
AFTER_AFTER_BODY
