pam_wheel
Cristian Gafton <gafton@sorosis.ro>
Author.
authentication
Requires libpwdb.
Only permit root access to members of the wheel (gid=0) group.
debug; use_uid; trust; deny; group=XXXX
This module is used to enforce the so-called wheel group. By default, it permits root access to the system if the applicant user is a member of the wheel group (better described as the group with group-id 0).
The action of the module may be modified from this default by one or more of the following flags in the /etc/pam.conf file.
debug - Supply more debugging information to syslog(3).
use_uid - This option modifies the behavior of the module by using the current uid of the process and not the getlogin(3) name of the user. This option is useful for being able to jump from one account to another, for example with 'su'.
trust - This option instructs the module to return PAM_SUCCESS should it find the user applying for root privilege is a member of the wheel group. The default action is to return PAM_IGNORE in this situation. By using the trust option it is possible to arrange for wheel-group members to become root without typing a password. USE WITH CARE.
deny - This is used to reverse the logic of the module's behavior. If the user is trying to get uid=0 access and is a member of the wheel group, deny access (for the wheel group, this is perhaps nonsense!): it is intended for use in conjunction with the group= argument...
group=XXXX - Instead of checking the gid=0 group, use the user's XXXX group membership for the authentication. Here, XXXX is the name of the group and not its numeric identifier.
To restrict access to superuser status to the members of the wheel group, use the following entries in your configuration file:
#
# root gains access by default (rootok), only wheel members can become
# root (wheel) but Unix authenticate non-root applicants.
#
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix_auth.so
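
The following configuration check is an added example, not part of the original module documentation. It scans /etc/pam.conf-style text for pam_wheel entries and reports the settings described above that deserve review: an argument outside the documented list (such as a misspelled use_id), use of trust, and deny without group=. The function name, finding codes and sample lines are constructed for illustration.

```python
import os

# Arguments the page lists for pam_wheel (group=XXXX is handled separately).
FLAGS = {"debug", "use_uid", "trust", "deny"}

# Constructed sample, /etc/pam.conf layout: service type control module [args]
SAMPLE = """\
su auth sufficient pam_rootok.so
su auth required /lib/security/pam_wheel.so use_id
su auth sufficient pam_wheel.so trust group=admins
su auth required pam_wheel.so deny
su auth required pam_unix_auth.so
"""

def audit_pam_wheel(text):
    """Return (line_number, code, detail) findings for pam_wheel entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 4 or os.path.basename(fields[3]) != "pam_wheel.so":
            continue
        control, args = fields[2], fields[4:]
        for arg in args:
            if arg not in FLAGS and not arg.startswith("group="):
                findings.append((lineno, "unknown-arg", arg))
        if "trust" in args:
            # trust turns PAM_IGNORE into PAM_SUCCESS for group members; the
            # control flag is reported so the reviewer can judge whether that
            # lets them become root without typing a password.
            findings.append((lineno, "trust-set", control))
        if "deny" in args and not any(a.startswith("group=") for a in args):
            # deny without group= reverses the check for the wheel group itself.
            findings.append((lineno, "deny-without-group", control))
    return findings

if __name__ == "__main__":
    for lineno, code, detail in audit_pam_wheel(SAMPLE):
        print(f"line {lineno}: {code} ({detail})")
```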