<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="pam_loginuid">
<refmeta>
<refentrytitle>pam_loginuid</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="pam_loginuid-name">
<refname>pam_loginuid</refname>
<refpurpose>Record user's login uid to the process attribute</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis id="pam_loginuid-cmdsynopsis">
<command>pam_loginuid.so</command>
<arg choice="opt">
require_auditd
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="pam_loginuid-description">
<title>DESCRIPTION</title>
<para>
The pam_loginuid module sets the loginuid process attribute for the
process that was authenticated. This is necessary for applications
to be correctly audited. This PAM module should only be used for entry
point applications like: login, sshd, gdm, vsftpd, crond and atd.
There are probably other entry point applications besides these.
You should not use it for applications like sudo or su as that
defeats the purpose by changing the loginuid to the account they just
switched to.
</para>
</refsect1>
<refsect1 id="pam_loginuid-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>require_auditd</option>
</term>
<listitem>
<para>
This option, when given, will cause this module to query
the audit daemon status and deny logins if it is not running.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="pam_loginuid-types">
<title>MODULE TYPES PROVIDED</title>
<para>
Only the <option>session</option> module type is provided.
</para>
</refsect1>
<refsect1 id='pam_loginuid-return_values'>
<title>RETURN VALUES</title>
<para>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The loginuid value is set and auditd is running if check requested.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_IGNORE</term>
<listitem>
<para>
The /proc/self/loginuid file is not present on the system or the
login process runs inside uid namespace and kernel does not support
overwriting loginuid.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SESSION_ERR</term>
<listitem>
<para>
Any other error prevented setting loginuid or auditd is not running.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 id='pam_loginuid-examples'>
<title>EXAMPLES</title>
<programlisting>
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
</programlisting>
</refsect1>
<refsect1 id='pam_loginuid-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>auditd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='pam_loginuid-author'>
<title>AUTHOR</title>
<para>
pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>
</para>
</refsect1>
</refentry>