pam_succeed_if - test account characteristics

       Nalin Dahyabhai <nalin@redhat.com>

Linux-PAM                                          07/03/2025                                  PAM_SUCCEED_IF(8)

       pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account
       belonging to the user being authenticated or values of other PAM items. One use is to select whether to
       load other modules based on this test.

       The module should be given one or more conditions as module arguments, and authentication will succeed
       only if all of the conditions are met.

       To emulate the behaviour of pam_wheel, except there is no fallback to group 0 being only approximated by
       checking also the root group membership:

           auth required pam_succeed_if.so quiet user ingroup wheel:root

       Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number
       after default to skip several rules.

           type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
           type required othermodule.so arguments...

       All module types (account, auth, password and session) are provided.

       pam_succeed_if - test account characteristics

       The following flags are supported:

       debug
           Turns on debugging messages sent to syslog.

       use_uid
           Evaluate conditions using the account of the user whose UID the application is running under instead
           of the user being authenticated.

       quiet
           Don't log failure or success to the system log.

       quiet_fail
           Don't log failure to the system log.

       quiet_success
           Don't log success to the system log.

       audit
           Log unknown users to the system log.

       Conditions are three words: a field, a test, and a value to test for.

       Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service:

       field < number
           Field has a value numerically less than number.

       field <= number
           Field has a value numerically less than or equal to number.

       field eq number
           Field has a value numerically equal to number.

       field >= number
           Field has a value numerically greater than or equal to number.

       field > number
           Field has a value numerically greater than number.

       field ne number
           Field has a value numerically different from number.

       field = string
           Field exactly matches the given string.

       field != string
           Field does not match the given string.

       field =~ glob
           Field matches the given glob.

       field !~ glob
           Field does not match the given glob.

       field in item:item:...
           Field is contained in the list of items separated by colons.

       field notin item:item:...
           Field is not contained in the list of items separated by colons.

       user ingroup group[:group:....]
           User is in given group(s).

       user notingroup group[:group:....]
           User is not in given group(s).

       user innetgr netgroup
           (user,host) is in given netgroup.

       user notinnetgr group
           (user,host) is not in given netgroup.

       PAM_SUCCESS
           The condition was true.

       PAM_AUTH_ERR
           The condition was false.

       PAM_SERVICE_ERR
           A service error occurred or the arguments can't be parsed correctly.

glob(7), pam(7)

pam_succeed_if.so [flag...] [condition...]