eXtended Allow-Deny list

Interested in taking over this project? Just send me a message




Description

XAD is a Linux-PAM module. If you want to find out more about Linux-PAM, visit the PAM home page. XAD is used for authentication. The great thing about this module is that it is very easy to configure.

Author

XAD was made by Adrian Ber. You can visit the author's homepage. XAD is released under the LGPL license. Here you can find an article on XAD.



Configuration file

The configuration file contains only one condition. The condition can be of two types: basic and composed. A composed condition contains one or more conditions joined by the logical operators 'and' and 'or'. A basic condition has the following form:

[!] [allow|deny] <pam-item> <relational-operator> <value>

Conditions can be enclosed in parentheses to specify a priority. At this moment the logical operators have no priority of their own, but priority can be simulated with parentheses.

Examples:

(allow username match regexp(r.*t)) or (allow uid == 1)
allows users whose names begin with 'r' and end with 't', such as 'root', 'robot' or 'rat', and the user with uid 1
(allow username == "limited") and (allow freeram >= 50)
allows the user named "limited" when at least 50 percent of RAM is free
( ( (groupname=="shift1" and hour >= 6 and hour < 14) or (groupname=="shift2" and hour >= 14 and hour < 22) or (groupname=="shift3" and (hour >= 22 or hour < 6)) ) and (weekday != 6) and (weekday != 0) ) or (groupname == "root")
A company with three shifts allows employees to log in only during their own shift and not at weekends. Administrators are always allowed. Note that the night shift spans midnight, so its hours must be written with 'or' in parentheses; 'hour >= 22 and hour < 6' can never be true.
(groupname == "year1" and weekday == 3 and hour >= 16 and hour < 18) or (groupname == "year2" and weekday == 4 and hour >= 12 and hour < 14) or ... or loadavg1 < ? or username == "root"
In a school, students are allowed to log in when they have classes or when the machine isn't too loaded.
(weekday >= 1 and weekday <= 5 and (hour >= 20 or hour < 7)) or (weekday == 6) or (weekday == 0) or (month == 12 and day == 25) /* Christmas */ or (month == 12 and day == 31) /* New Year's Eve */ or (month == 5 and day == 1) /* Labor day */
Users can access the service only on weekdays between 20:00 and 7:00, at weekends and on holidays.
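To make the grammar and the "no operator priority" rule concrete, here is an evaluator for conditions of the form above, written in Python as an added example; it is not XAD's own parser. It assumes that 'and' and 'or' bind strictly left to right with equal priority, that 'deny' inverts the basic condition, that 'match regexp(...)' must match the whole value, and that string values are double-quoted while numeric values are integers. PAM items are supplied as a plain dictionary, a constructed stand-in for the PAM environment. The main part shows why a shift spanning midnight has to use 'or' in parentheses.

```python
"""Evaluator for XAD-style conditions (added example, not XAD's own code).

Assumptions not settled by the page: 'and'/'or' have equal priority and
bind left to right; 'deny' inverts the basic condition; 'match regexp(...)'
must match the whole value; strings are double-quoted, numbers are ints.
"""
import operator
import re

_TOKEN = re.compile(
    r'\s*(?:'
    r'(regexp\([^)]*\))'          # regexp(...) value, kept as one token
    r'|("[^"]*")'                 # quoted string value
    r'|(==|!=|>=|<=|<|>)'         # relational operators (before a lone '!')
    r'|([()!])'                   # grouping and negation
    r'|([A-Za-z_][A-Za-z0-9_]*)'  # PAM item names and keywords
    r'|(\d+)'                     # integer values
    r')'
)
_RELOPS = {'==': operator.eq, '!=': operator.ne, '>=': operator.ge,
           '<=': operator.le, '<': operator.lt, '>': operator.gt}


def tokenize(text):
    """Split a condition into tokens; /* ... */ comments are dropped."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    tokens, pos = [], 0
    while text[pos:].strip():
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError('unexpected input at %r' % text[pos:pos + 12])
        tokens.append(m.group(m.lastindex))
        pos = m.end()
    return tokens


def _compare(actual, relop, raw):
    """Apply one relational operator to a PAM item value."""
    if relop == 'match':
        if not raw.startswith('regexp('):
            raise SyntaxError('match needs a regexp(...) value')
        return re.fullmatch(raw[len('regexp('):-1], str(actual)) is not None
    expected = raw[1:-1] if raw.startswith('"') else int(raw)
    return _RELOPS[relop](actual, expected)


class _Parser:
    """Recursive-descent parser that evaluates while it parses."""

    def __init__(self, tokens, env):
        self.toks, self.pos, self.env = tokens, 0, env

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise SyntaxError('condition ends early')
        self.pos += 1
        return self.toks[self.pos - 1]

    def expression(self):
        # No operator priority: fold 'and'/'or' strictly left to right.
        result = self.term()
        while self.peek() in ('and', 'or'):
            op, rhs = self.take(), self.term()
            result = (result and rhs) if op == 'and' else (result or rhs)
        return result

    def term(self):
        if self.peek() == '(':
            self.take()
            value = self.expression()
            if self.take() != ')':
                raise SyntaxError('missing )')
            return value
        return self.basic()

    def basic(self):
        # [!] [allow|deny] <pam-item> <relational-operator> <value>
        negate = self.peek() == '!'
        if negate:
            self.take()
        mode = self.take() if self.peek() in ('allow', 'deny') else 'allow'
        item, relop, raw = self.take(), self.take(), self.take()
        if item not in self.env:
            raise KeyError('unknown PAM item %r' % item)
        result = _compare(self.env[item], relop, raw)
        if mode == 'deny':        # assumption: 'deny' inverts the test
            result = not result
        return (not result) if negate else result


def evaluate(condition, env):
    """True when the condition grants access for the given PAM items."""
    parser = _Parser(tokenize(condition), env)
    result = parser.expression()
    if parser.peek() is not None:
        raise SyntaxError('unexpected token %r' % parser.peek())
    return bool(result)


if __name__ == '__main__':
    night = {'groupname': 'shift3', 'hour': 23}   # constructed sample items
    print(evaluate('groupname=="shift3" and hour >= 22 and hour < 6', night))   # False
    print(evaluate('groupname=="shift3" and (hour >= 22 or hour < 6)', night))  # True
```

Because the operators have no priority, 'uid == 1 or uid == 2 and uid == 3' is folded as '(uid == 1 or uid == 2) and uid == 3', which is false for uid 1; with the usual precedence it would be true. Syntax errors and unknown PAM items raise rather than silently evaluating to a decision, leaving the caller to apply its onerror policy.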



Data file

To speed things up, XAD parses the configuration file and saves the condition into an auxiliary data file using an internal format. The next time it is invoked, XAD checks whether the configuration file has been modified since the last "compilation"; if so, it parses it again and saves the condition into the internal format again. If not, the condition is loaded from the auxiliary file. If you want to force XAD to reread the configuration file instead of the auxiliary data file, you can delete the auxiliary data file or use the touch command on the configuration file (see the man page for more details on touch).



Module parameters

The XAD module accepts the following parameters:
conffile=<conffile> the absolute path to the configuration file; if not specified it will be /etc/xad.conf
datafile=<datafile> the absolute path to the auxiliary data file, where the "compiled" configuration file is saved; if not specified it will be derived from the configuration file path as follows:
  • if the configuration file ends with .conf, the "conf" particle is replaced by "dat";
  • if the configuration file doesn't end with .conf, the "dat" particle is appended to the configuration file path;
onerror=allow|deny the permission returned by this module if any error occurs (the configuration file isn't found or cannot be read, the configuration file generates a parse error, the auxiliary data file cannot be written, etc.)
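The data-file refresh rule of the previous section and the datafile/onerror parameters above, as an added Python example (not XAD's own code). derive_datafile follows the page's path rule literally, including the bare "dat" suffix for names that do not end in .conf; is_stale compares modification times and treats equal timestamps as stale, since a filesystem with one-second resolution could otherwise miss an edit made in the same second as the last compile; load_condition returns the onerror value whenever the configuration file is missing, unparsable, or the data file cannot be written or read. The "compiled" form here is just a token list, a stand-in for XAD's internal format, and run_demo walks through the states in a temporary directory with constructed input.

```python
"""Cache bookkeeping for an XAD-style compiled condition.

Added example, not XAD's own code.  The compiled form is a token list
standing in for XAD's internal format; the refresh rule is the one the
page describes (recompile when the configuration file is newer, or when
the data file is missing).
"""
import json
import os
import tempfile


def derive_datafile(conffile):
    """Default data file path, following the page's rule literally."""
    if conffile.endswith('.conf'):
        return conffile[:-len('conf')] + 'dat'
    return conffile + 'dat'   # page says "dat" is appended; no separator given


def is_stale(conf_mtime, data_mtime):
    """True when the compiled data must be regenerated.

    data_mtime is None when the data file does not exist.  Equal timestamps
    count as stale so an edit in the same second as the compile is not missed.
    """
    if conf_mtime is None:
        raise FileNotFoundError('configuration file is missing')
    return data_mtime is None or conf_mtime >= data_mtime


def mtime_or_none(path):
    """Modification time of path, or None if it does not exist."""
    try:
        return os.stat(path).st_mtime
    except FileNotFoundError:
        return None


def load_condition(conffile, datafile, compile_fn, onerror):
    """Return (condition, source); source is 'compiled', 'cached' or 'onerror'.

    Any I/O or parse failure yields the onerror value, mirroring the
    module's onerror=allow|deny parameter.
    """
    try:
        if is_stale(mtime_or_none(conffile), mtime_or_none(datafile)):
            with open(conffile) as f:
                condition = compile_fn(f.read())
            with open(datafile, 'w') as f:
                json.dump(condition, f)
            return condition, 'compiled'
        with open(datafile) as f:
            return json.load(f), 'cached'
    except (OSError, ValueError, SyntaxError):
        return onerror, 'onerror'


def run_demo():
    """Walk through the cache states on constructed files; returns what
    source each step reported."""
    compile_fn = lambda text: text.split()   # stand-in for the real parser
    seen = {}
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, 'xad.conf')
        data = derive_datafile(conf)
        with open(conf, 'w') as f:
            f.write('(allow uid == 1)\n')
        seen['first'] = load_condition(conf, data, compile_fn, 'deny')[1]
        t = os.stat(conf).st_mtime
        os.utime(data, (t + 10, t + 10))          # data file newer than conf
        seen['unchanged'] = load_condition(conf, data, compile_fn, 'deny')[1]
        os.utime(conf, (t + 20, t + 20))          # what `touch xad.conf` does
        seen['touched'] = load_condition(conf, data, compile_fn, 'deny')[1]
        os.remove(data)                           # the other way to force a reparse
        seen['data_deleted'] = load_condition(conf, data, compile_fn, 'deny')[1]
        os.remove(conf)                           # configuration file not found
        seen['conf_missing'] = load_condition(conf, data, compile_fn, 'deny')
    return seen


if __name__ == '__main__':
    for step, outcome in run_demo().items():
        print(step, outcome)
```

With onerror=allow every one of those failure cases grants access, so the module fails open; for an authentication step that is worth weighing against onerror=deny, which fails closed at the cost of locking users out while a broken configuration file is repaired.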



PAM integration

To integrate XAD into the PAM system, you must add a line like this to the configuration of each PAM service that should use this authentication module:

auth required /lib/security/libxad.so conffile=/etc/xad.conf datafile=/etc/xad.dat onerror=allow

and then modify the configuration file /etc/xad.conf as you like.

The condition loaded from the configuration file (or the auxiliary data file) is checked against the PAM environment, and the module returns a value that tells PAM whether or not it authenticated the user.



Download

You can download XAD from SourceForge: http://sourceforge.net/projects/xadpam

