Determines the type that should be associated with the user and switches to it if a
security policy is loaded.
Syntax:
facility control_flag pam_mac.so [verbose] [config=path] [allow_no_policy]
Options:
- verbose: Perform additional logging.
- config=path: Read the user-to-type mapping from path instead of /etc/pam_mac_users.
- allow_no_policy: Allow the pam_mac module to be used when no security policy is loaded. If no policy is loaded, the module does not switch types and does not need to be removed.
Description:
Security policy relies on the use of types. Use the pam_mac module to switch the type associated with a user's shell at the time they log in to a system. The module determines the type that should be associated with the user and switches to it by calling procmgr_set_type_id. If the type change fails, the module returns an error and the session is terminated. The pam_mac module operates post-authentication, during the session creation stage.
Note: Without this module, if you log in through ssh, telnet or anything similar under an active security policy, the type ID associated with your shell will be the same as that of the parent service, sshd or telnetd.
The pam_mac module requires a configuration file to map user names to type names. By default, the module looks for the file in /etc/pam_mac_users. You can change the file path with the module's config option. The configuration file must be owned by root and have no group or world write access, and the types must be defined in the security policy.
The security policy may require additional lines to support the pam_mac configuration file and should take into consideration what might happen if the abilities for all types in the configuration file are combined.
Note: The PAM module syntax does not stand alone and is contained within the context of the PAM configuration command. See the Security Developer's Guide for more information about system authentication, configuring PAM, facilities, control flags, examples, and how QNX Neutrino uses the OpenPAM framework.
Example:
Each line of the pam_mac configuration file contains a user name, followed by a colon and a specific type, for example:
    root:user_root_t
    user1:user_user1_t
    user2:user_user2_t
The server process through which you are logging in (for example, sshd) requires the ability to switch to all of the types appearing in the pam_mac configuration file:
    allow sshd_t self:ability {
        settypeid:user_root_t,user_user1_t,user_user2_t
    };
Note: Giving sshd the ability to switch to these types is similar, from a security point of view, to giving sshd the union of the capabilities of all these types.
Service category:
This module belongs to the session PAM service category.
Exit status:
If no policy is loaded, the pam_mac module returns success if the allow_no_policy option has been specified; otherwise, it returns failure.
If a policy has been loaded, it returns failure if:
- The pam_mac configuration file is not accessible.
- The pam_mac configuration file is not owned by root, or has group or world write access.
- The user is not contained in the configuration file.
- The type corresponding to the user is not defined by the default security policy file, /proc/boot/secpol.bin.
- The call to switch types to the type associated with the user fails.
Otherwise, it returns success.
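The following is an added illustration, not the QNX pam_mac source: it implements the configuration-file checks from the example and exit-status sections above (root ownership, no group or world write bit, exact user match on a user:type line, type defined by the policy) over constructed in-memory data. The file contents, the list of policy-defined types, and the function names are assumptions; a real module would stat() /etc/pam_mac_users, read it, and consult the loaded policy before calling procmgr_set_type_id.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Added example, not QNX's pam_mac source: the module's checks, applied to
 * constructed in-memory data instead of stat()ing /etc/pam_mac_users. */
/* Constructed stand-in for the types defined by the loaded policy. */
static const char *const DEFINED_TYPES[] = {
    "user_root_t", "user_user1_t", "user_user2_t", NULL
};
/* Constructed pam_mac configuration file contents: one user:type per line. */
static const char CONFIG[] =
    "root:user_root_t\n"
    "user1:user_user1_t\n"
    "user2:user_user2_t\n";
/* The file must be owned by root with no group or world write access. */
int config_perms_ok(uid_t owner, mode_t mode)
{
    return owner == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* 1 if the (constructed) policy defines 'type', else 0. */
int type_defined(const char *type)
{
    for (int i = 0; DEFINED_TYPES[i]; i++)
        if (strcmp(DEFINED_TYPES[i], type) == 0) return 1;
    return 0;
}

/* Finds 'user' in cfg and copies its type into out. Returns 1 on success,
 * 0 if the user is absent or its type is not defined (both fail the module). */
int lookup_type(const char *cfg, const char *user, char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    for (const char *line = cfg; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        /* Exact user match: the name, then ':', then a non-empty type. */
        if (len > ulen + 1 && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            size_t tlen = len - ulen - 1;
            if (tlen >= outlen) return 0;
            memcpy(out, line + ulen + 1, tlen);
            out[tlen] = '\0';
            return type_defined(out);
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return 0;
}
```

With these checks passing, the module's remaining failure case is the procmgr_set_type_id call itself, whose result must still be checked so the session is terminated rather than left running under the parent service's type.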