1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
3.\" All rights reserved.
4.\"
5.\" Portions of this software were developed for the FreeBSD Project by
6.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
7.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
8.\" ("CBOSS"), as part of the DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\" 3. The name of the author may not be used to endorse or promote
19.\"    products derived from this software without specific prior written
20.\"    permission.
21.\"
22.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32.\" SUCH DAMAGE.
33.\"
34.Dd July 19, 2014
35.Dt PAM_GROUP 8
36.Os
37.Sh NAME
38.Nm pam_group
39.Nd Group PAM module
40.Sh SYNOPSIS
41.Op Ar service-name
42.Ar module-type
43.Ar control-flag
44.Pa pam_group
45.Op Ar arguments
46.Sh DESCRIPTION
47The group service module for PAM accepts or rejects users based on
48their membership in a particular file group.
49.Nm pam_group
50provides functionality for two PAM categories: authentication and
51account management.
52In terms of the module-type parameter, they are the ``auth'' and
53``account'' features.
54.Pp
55The following options may be passed to the
56.Nm
57module:
58.Bl -tag -width ".Cm fail_safe"
59.It Cm deny
60Reverse the meaning of the test, i.e., reject the applicant if and only
61if he or she is a member of the specified group.
62This can be useful to exclude certain groups of users from certain
63services.
64.It Cm fail_safe
65If the specified group does not exist, or has no members, act as if
66it does exist and the applicant is a member.
67.It Cm group Ns = Ns Ar groupname
68Specify the name of the group to check.
69The default is
70.Dq Li wheel .
71.It Cm luser
72Accept or reject based on the target user's group membership.
73.It Cm root_only
74Skip this module entirely if the target account is not the superuser
75account.
76.It Cm ruser
77Accept or reject based on the supplicant's group membership.
78This is the default.
79.El
80.Pp
81Note that the
82.Cm luser
83and
84.Cm ruser
85options are mutually exclusive, and that
86.Nm
87will fail if both are specified.
88.Sh SEE ALSO
89.Xr pam.conf 5 ,
90.Xr pam 3
91.Sh AUTHORS
92The
93.Nm
94module and this manual page were developed for the
95.Fx
96Project by
97ThinkSec AS and NAI Labs, the Security Research Division of Network
98Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
99.Pq Dq CBOSS ,
100as part of the DARPA CHATS research program.
101