| PWACCESSD(8) | pwaccessd | PWACCESSD(8) |
NAME
pwaccessd, pwaccessd.service, pwaccessd.socket - manage passwd and shadow information
SYNOPSIS
pwaccessd.service
pwaccessd.socket
/usr/libexec/pwaccessd [OPTIONS]
DESCRIPTION
pwaccessd is a systemd(1) socket-activated service which provides account information in struct passwd and struct shadow format. It can check whether a password or account has expired, and it can verify passwords.
By default, normal users only have access to their own passwd and shadow entries. The root user has access to all accounts. Specific users can be granted extended access via configuration.
OPTIONS
-s, --socket
-d, --debug
-v, --verbose
-?, --help
--version
VARLINK INTERFACES
The pwaccessd daemon exposes the following functionality via Varlink interfaces:
GetAccountName
GetUserRecord
GetGroupRecord
VerifyPassword
ExpiredCheck
CONFIGURATION
pwaccessd reads its configuration from pwaccessd.conf. It follows the UAPI Configuration Files Specification, meaning it searches for configuration files in directories such as /usr/share/account-utils/, /run/account-utils/, and /etc/account-utils/. Files in /etc/account-utils/ take precedence.
The configuration format is INI-style. The primary configuration key is allow. This key accepts a list of user accounts that are allowed to read all passwd and shadow entries, in addition to root.
The allow key can be defined within specific sections (groups) corresponding to the Varlink interface methods:
If the key is not found in the specific section, pwaccessd will fall back to looking in the [global] section.
Example 1. Example pwaccessd.conf
[global]
# Allow user 'admin' to perform all actions
allow = admin

[VerifyPassword]
# Allow 'auth-service' to verify passwords, overriding global
allow = auth-service
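The per-method lookup with [global] fallback described above can be modelled to review which accounts end up with extended access to each method. This is an added example, not part of account-utils: the function names, the list separator (whitespace or commas), and the reading that a section-level allow replaces the global list rather than extending it are assumptions based on the wording of this page.

```python
import configparser

# Varlink methods listed on this page; each may have its own section.
METHODS = ["GetAccountName", "GetUserRecord", "GetGroupRecord",
           "VerifyPassword", "ExpiredCheck"]

# Constructed sample: the content of Example 1 on this page.
SAMPLE_CONF = """\
[global]
# Allow user 'admin' to perform all actions
allow = admin

[VerifyPassword]
# Allow 'auth-service' to verify passwords, overriding global
allow = auth-service
"""

def parse_allow(value):
    # Assumption: list entries are separated by whitespace and/or commas.
    return [u for u in value.replace(",", " ").split() if u]

def effective_allow(conf_text):
    """Map each method to the accounts (besides root) with extended access."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(conf_text)
    result = {}
    for method in METHODS:
        if cp.has_section(method) and cp.has_option(method, "allow"):
            section = method      # key found in the method's own section
        elif cp.has_section("global") and cp.has_option("global", "allow"):
            section = "global"    # fallback described on the page
        else:
            section = None        # no allow key anywhere: root only
        users = parse_allow(cp.get(section, "allow")) if section else []
        result[method] = {"source": section, "allow": users}
    return result

def may_access_others(user, method, table):
    # root always has access; any other user needs an allow entry.
    return user == "root" or user in table[method]["allow"]

if __name__ == "__main__":
    table = effective_allow(SAMPLE_CONF)
    for method, entry in table.items():
        print(f"{method:15} from [{entry['source']}]: root + {entry['allow']}")
```

Under these assumptions, the sample configuration leaves 'admin' without extended access to VerifyPassword, because that section defines its own allow key.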
FILES
/usr/libexec/pwaccessd
/etc/account-utils/pwaccessd.conf
SEE ALSO
systemd(1), expiry(1), passwd(1), passwd(5), shadow(5), pam_unix_ng(8)
| 01/21/2026 | account-utils 1.0.1 |