Diffstat (limited to 'usr/src/man/man5')
-rw-r--r-- usr/src/man/man5/pam_list.5 63
1 files changed, 47 insertions, 16 deletions
diff --git a/usr/src/man/man5/pam_list.5 b/usr/src/man/man5/pam_list.5
index 47c3b6d934..78228ce076 100644
--- a/usr/src/man/man5/pam_list.5
+++ b/usr/src/man/man5/pam_list.5
@@ -3,24 +3,23 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH PAM_LIST 5 "April 9, 2016"
+.TH PAM_LIST 5 "April 22, 2020"
.SH NAME
pam_list \- PAM account management module for UNIX
.SH SYNOPSIS
-.LP
.nf
pam_list.so.1
.fi
.SH DESCRIPTION
-.LP
The \fBpam_list\fR module implements \fBpam_sm_acct_mgmt\fR(3PAM), which
provides functionality to the PAM account management stack. The module
provides functions to validate that the user's account is valid on this
-host based on a list of users and/or netgroups in the given file. The users and
-netgroups are separated by newline character. Netgroups are specified with
-character '@' as prefix before name of netgroup in the list. The maximum line
-length is 1023 characters.
+host based on a list of users, groups, and/or netgroups in the given file. The users,
+groups, and netgroups are separated by newline character. Groups are specified
+with character '%' and netgroups are specified with character '@' as prefix
+before name of the group/netgroup in the list. The maximum line length is 1023
+characters.
.sp
.LP
The username is the value of \fBPAM_USER\fR. The host is the value of
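Review bot: The new DESCRIPTION paragraph introduces the '%' prefix but does not say whether '%' entries are honored only when the group option is passed, which is how Example 3 uses them. Add a sentence here stating that dependency (or its absence), so a reader of the file format does not have to infer it from the example. Two smaller points on the same lines: the first added line runs well past the width the rest of the paragraph is wrapped to, and "separated by newline character" would read better as "separated by a newline character".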
@@ -48,8 +47,8 @@ The following options can be passed to the module:
\fB\fBallow=\fR\fR
.ad
.RS 19n
-The full pathname to a file of allowed users and/or netgroups. Only one of
-\fBallow=\fR or \fBdeny=\fR can be specified.
+The full pathname to a file of allowed users, groups, and/or netgroups.
+Only one of \fBallow=\fR or \fBdeny=\fR can be specified.
.RE
.sp
@@ -67,8 +66,8 @@ Activate \fBcompat\fR mode.
\fB\fBdeny=\fR\fR
.ad
.RS 19n
-The full pathname to a file of denied users and/or netgroups. Only one of
-\fBdeny=\fR or \fBallow=\fR can be specified.
+The full pathname to a file of denied users, groups, and/or netgroups.
+Only one of \fBdeny=\fR or \fBallow=\fR can be specified.
.RE
.sp
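Review bot: The deny= description should state what happens to '%' entries when the group option is not given. If they are skipped, a deny file that lists only groups would deny nobody, and nothing in this text tells the administrator that the configuration failed open. A short cross-reference to the group option in this entry (and in allow=) would cover it.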
@@ -84,6 +83,15 @@ Provide \fBsyslog\fR(3C) debugging information at the \fBLOG_AUTH\fR |
.sp
.ne 2
.na
+\fB\fBgroup\fR\fR
+.ad
+.RS 19n
+The module should perform group membership matches for the username.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBuser\fR\fR
.ad
.RS 19n
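Review bot: The group option text, "The module should perform group membership matches for the username.", does not say what is matched against what. Suggest spelling out that the user's groups are compared with the '%'-prefixed entries in the allow= or deny= file, and whether both primary and supplementary groups count. The added empty line after .RE is also inconsistent with the neighbouring option entries, which go straight from .RE to .sp.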
@@ -128,7 +136,6 @@ The user and hostname must be in the same netgroup.
.RE
.SH ERRORS
-.LP
The following error values are returned:
.sp
.ne 2
@@ -186,7 +193,6 @@ No account is present for the user
.RE
.SH EXAMPLES
-.LP
\fBExample 1 \fRUsing \fBpam_list\fR in default mode
.sp
.LP
@@ -227,7 +233,7 @@ In the case of \fBdefault\fR mode or \fBcompat\fR mode, the important lines in
.nf
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
-other account required pam_list.so.1 allow=etc/user.allow
+other account required pam_list.so.1 allow=/etc/users.allow
.fi
.in -2
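Review bot: The file name in the corrected pam.conf line changes from user.allow to users.allow as well as gaining the leading slash, so any text in Examples 1 and 2 that names the allow file needs to use the same /etc/users.allow spelling. That text is outside this hunk; please confirm it matches, since an administrator copying the example would otherwise create a file the module never reads.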
@@ -244,8 +250,34 @@ remoteloginname
.fi
.in -2
-.SH ATTRIBUTES
.LP
+\fBExample 3 \fRUsing \fBpam_list\fR with allow file to allow
+members of the 'admins' group access.
+.sp
+.LP
+\fB/etc/pam.conf\fR modification looks like:
+
+.sp
+.in +2
+.nf
+other account requisite pam_roles.so.1
+other account required pam_unix_account.so.1
+other account required pam_list.so.1 group allow=/etc/users.allow
+.fi
+.in -2
+
+.sp
+.LP
+\fB/etc/users.allow\fR contains:
+.sp
+.in +2
+.nf
+root
+%admins
+.fi
+.in -2
+
+.SH ATTRIBUTES
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
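Review bot: Example 3 adds empty lines to the roff source (after "modification looks like:" and after each ".in -2"), where the surrounding examples use .sp requests for spacing; drop the empty lines to keep the source consistent. The example would also benefit from one sentence explaining the two entries in /etc/users.allow: root is matched by user name, and %admins is matched by group membership because the pam.conf line passes the group option.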
@@ -266,7 +298,6 @@ MT-Level MT-Safe with exceptions
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the
multithreaded application uses its own PAM handle.
.SH SEE ALSO
-.LP
\fBpam\fR(3PAM), \fBpam_authenticate\fR(3PAM), \fBpam_sm_acct_mgmt\fR(3PAM),
\fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBnsswitch.conf\fR(4),
\fBpam.conf\fR(4), \fBattributes\fR(5)