PIM - pluggable identification modules


[u:|g:] [<options>] <plugin name> [<plugin arguments>]


This manual page documents the PIM services configuration file format. General information about PIM is available in the section 7 of the manual.


A PIM service configuration file is a set of directives PIM will follow in turn when trying to perform an identification. Blank lines and lines whose first non blank character is a hash are ignored. Other lines are directives.

The format of such a directive is the following:

[u:|g:] [{<options>}] <plugin name> [<plugin arguments>]

If the line begins with u:, then the directive only applies to user management operations (getpwnam, getpwuid, getpwent, setpwent, endpwent calls). If it begins with g:, then the directive only applies to group management operations (getgrnam, getgrgid, getgrent, setgrent, endgrent calls). Otherwise, the directive applies to both types of operations.

Then, a comma separated list of options may be enclosed in brackets (see the OPTIONS section for a list of available options).

Then comes the plugin name. Currently, it is the path to the plugin .so file. It may be a complete path, otherwise, the file will be looked for in the plugins directory (/lib/pim), whose value may be specified in the PIM_MODULES environment variable. How the plugin performs its management operations depends exclusively on the module and is specified in its documentation.

At last, comes a module-specific arguments string, that will modify the module's behaviour.


When performing an identification, PIM uses each directive in the order in which they appear in the configuration file. Whenever a plugin finds an entry for the requested item (username, user id, group name, or group id), PIM sends the result back to the application. If the plugin does not find the requested item, then the following plugin, as defined in the configuration file is called. If an errors occurs in a plugin, the lookup is immediately stopped.

This behaviour may be modified with the options field. Currently available options are:



As in most cases, PIM services will be security sensitive, administrators should be aware that someone who is able to modify their configuration is in most cases able to compromise the system's security policy.


The following PIM service configuration file will provide the same functionality than traditional Unix systems (identification through /etc/passwd and /etc/group):

u: pim_unix_user /etc/passwd
g: pim_unix_group /etc/group

Lines may be added to this file, so that the root user will always be able to identify itself, and the wheel group will always exist, this yields:

u: {mayfail} pim_unix_user /etc/passwd
g: {mayfail} pim_unix_group /etc/group
u: {errorhandler} pim_dumb_user root:x:0:0:wheel:/root:/bin/sh
g: {errorhandler} pim_dumb_group wheel:x:0:

Or, one may want to override /etc/passwd settings for the foobar user, which yields:

u: {overridable} pim_unix_user /etc/passwd
u: pim_dumb_user foobar:x:12:42:foogroup:/foohome:/fooshell
g: pim_unix_group /etc/group


The length of a line in the configuration files is currently limited to 8191 characters.


pim(7), pim(3)


Brieuc "BBP" Jeunhomme (<bbp@via.ecp.fr>)