1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
3.\" All rights reserved.
4.\"
5.\" Portions of this software were developed for the FreeBSD Project by
6.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
7.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
8.\" ("CBOSS"), as part of the DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\" 3. The name of the author may not be used to endorse or promote
19.\"    products derived from this software without specific prior written
20.\"    permission.
21.\"
22.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32.\" SUCH DAMAGE.
33.\"
34.\" $FreeBSD: head/lib/libpam/modules/pam_group/pam_group.8 268890 2014-07-19 21:04:21Z des $
35.\"
36.Dd July 24, 2018
37.Dt PAM_GROUP 8
38.Os
39.Sh NAME
40.Nm pam_group
41.Nd Group PAM module
42.Sh SYNOPSIS
43.Op Ar service-name
44.Ar module-type
45.Ar control-flag
46.Pa pam_group
47.Op Ar arguments
48.Sh DESCRIPTION
49The group service module for PAM accepts or rejects users based on
50their membership in a particular file group.
51.Nm
52provides functionality for two PAM categories: authentication and
53account management.
54In terms of the module-type parameter, they are the
55.Dq auth
56and
57.Dq account
58features.
59.Pp
60The following options may be passed to the
61.Nm
62module:
63.Bl -tag -width ".Cm fail_safe"
64.It Cm deny
65Reverse the meaning of the test, i.e., reject the applicant if and only
66if he or she is a member of the specified group.
67This can be useful to exclude certain groups of users from certain
68services.
69.It Cm fail_safe
70If the specified group does not exist, or has no members, act as if
71it does exist and the applicant is a member.
72.It Cm group Ns = Ns Ar groupname
73Specify the name of the group to check.
74The default is
75.Dq Li wheel .
76.It Cm luser
77Accept or reject based on the target user's group membership.
78.It Cm root_only
79Skip this module entirely if the target account is not the superuser
80account.
81.It Cm ruser
82Accept or reject based on the supplicant's group membership.
83This is the default.
84.El
85.Pp
86Note that the
87.Cm luser
88and
89.Cm ruser
90options are mutually exclusive, and that
91.Nm
92will fail if both are specified.
93.Sh SEE ALSO
94.Xr pam 3 ,
95.Xr pam.conf 5
96.Sh AUTHORS
97The
98.Nm
99module and this manual page were developed for the
100.Fx
101Project by
102ThinkSec AS and NAI Labs, the Security Research Division of Network
103Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
104.Pq Dq CBOSS ,
105as part of the DARPA CHATS research program.
106