|eXtended Allow-Deny list|
XAD is a Linux-PAM module. If you want to find more about Linux-PAM
visit PAM home page.
XAD is used for authentication. The great thing about this module is
that is very easy to configure.
XAD was made by Adrian Ber.
You can visit the author homepage.
XAD is under LGPL license.
you can find an article on XAD.
The configuration file contains only one condition. The condition can be of two types: basic and composed. The composed condition contains one or more conditions separated by logical operators as 'and' and 'or'. The basic condition has the following form:
[!] [allow|deny] <pam-item> <relational-operator> <value>
!is the logical operator
notthat means this condition must be negated;
allow|denytells if the module must allow or deny access according to this condition; if not present allow is implied;
<pam-item>represent the item in the PAM environment that is checked against the given value; can be one of the following:
|username||the user name that requested authentication|
|groupname||the group name of the user that requested authentication|
|uid||the user id that requested authentication|
|gid||the group id of the user that requested authentication|
|ruser||the remote user|
|rhost||the remote host|
|service||the PAM service|
|shell||the user shell|
|freeram||the percent of free RAM from the total RAM|
|freeswap||the percent of free swap memory from the total swap memory|
|loadavg1||the system load average for 1 minute|
|loadavg5||the system load average for 5 minutes|
|loadavg15||the system load average for 15 minutes|
<relational-operator>is the relational operator that the pam item must fulfill for the given condition; can be one of the following: >, <, >=, <=, ==, != with their known means and 'match' for matching regular expressions; for regular expressions == has the same meaning as match;
<value>the value that must be checked for the pam item; can be one of the following:
|integer||contains only digits|
|double||contains two groups of digits separated by |
|string||a string enclosed by |
|regexp||a regular expression that has the syntax
(alow username match regexp(r.*t)) or (allow uid == 1)
(alow username == "limited") and (allow freeram >= 50)
( ( (groupname=="shift1" and hour >= 6 and hour < 14) or (groupname=="shift2" and hour >= 14 and hour < 22) or (groupname=="shift2" and hour >= 22 and hour < 6) ) and (weekday != 6) and (weekday != 0) ) or (groupname == "root")
(groupname == "year1" and weekday == 3 and hour >= 16 and hour < 18) or (groupname == "year2" and weekday == 4 and hour >= 12 and hour < 14) or ... or loadavg1 < ? or username == "root"
(weekday >= 1 and weekday <= 5 and hour >= 20 and hour < 7) or (weekday == 6) or (weekday == 0) or (month == 12 and day == 25) /* Christmas */ or (month == 12 and day == 13) /* New Year's Eve */ or (month == 5 and day == 1) /* Labor day */
To speed up things XAD parses the configuration file and save the condition
into an auxiliary data file using an internal format.
The next time when will be invoked XAD will check if the configuration
file has modified since the last "compilation" and if so will
parse it again and will save again the condition into the internal format. If not
the condition will be loaded from the auxiliary file. If you want to force
XAD to reread this configuration file instead of the auxiliary data file you can
delete the auxiliary data file or use the touch command on the configuration
file (see man page for more details on touch).
The XAD module accepts the following parameters:
|conffile=<conffile>||the absolute path to the configuration file, if not specified then will be /etc/xad.conf|
|datafile=<datafile>||the absolute path to the auxiliary data file,
where the "compiled" configuration file is saved;
if not specified will be calculated from the configuration file path
as it follows:
|onerror=allow|deny||the permission for this module if any error occurs (the configuration file isn't found or cannot be readed, the configuration file generates a parse error, the auxiliary data file cannot be written etc.)|
To integrate XAD into PAM system you must add to which PAM service you want to use this authentication module a line like this
and then modify the configuration file /etc/xad.conf as you like.
auth required /lib/security/libxad.so conffile=/etc/xad.conf datafile=/etc/xad.dat onerror=allow
The condition loaded from the configuration file (or auxiliary data file)
is checked against the PAM environment and the module returns a value
to inform PAM if the module authenticated or not the user.