Diffstat (limited to 'Linux-PAM/modules/pam_wheel/README')
-rw-r--r-- | Linux-PAM/modules/pam_wheel/README | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/Linux-PAM/modules/pam_wheel/README b/Linux-PAM/modules/pam_wheel/README index 336bb31e..2cd156c0 100644 --- a/Linux-PAM/modules/pam_wheel/README +++ b/Linux-PAM/modules/pam_wheel/README @@ -1,17 +1,17 @@ pam_wheel: - only permit root authentication too members of wheel group + only permit root authentication to members of wheel group RECOGNIZED ARGUMENTS: - debug write a message to syslog indicating success or + debug Write a message to syslog indicating success or failure. - use_uid the check for wheel membership will be done against + use_uid The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to - another for example) - - trust the pam_wheel module will return PAM_SUCCESS instead + another for example). + + trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without @@ -21,13 +21,19 @@ RECOGNIZED ARGUMENTS: is trying to get UID 0 access and is a member of the wheel group, deny access (well, kind of nonsense, but for use in conjunction with 'group' argument... :-) + Conversely, if the user is not in the group, return + PAM_IGNORE (unless 'trust' was also specified, in + which case we return PAM_SUCCESS). + + group=xxxx Instead of checking the wheel or GID 0 groups, use + the xxxx group to perform the authentification. - group=xxxx Instead of checking the GID 0 group, use the xxxx - group to perform the authentification. + root_only The check for wheel membership is done only + if the uid of requested account is 0. MODULE SERVICES PROVIDED: - auth _authetication and _setcred (blank) + auth _authentication, _setcred (blank) and _acct_mgmt AUTHOR: - Cristian Gafton <gafton@sorosis.ro> + Cristian Gafton <gafton@redhat.com> |
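Review bot: In the 'trust' entry of the first hunk (@@ -1,17 +1,17 @@) only the capitalisation changes, so the description still relies on "with a little play stacking the modules" and never names the stack arrangement it has in mind. Since this is the argument that turns PAM_IGNORE into PAM_SUCCESS for wheel members, consider replacing the aside with a plain statement of the control flag and module order under which that return value matters, so an administrator can tell from the README what the option changes in the outcome of the stack. Minor style point: the use_uid entry now ends with "another for example)." while the first line of the file, "only permit root authentication to members of wheel group", still has no terminal punctuation; pick one convention.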
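Review bot: The sentence added to the 'deny' entry in the second hunk (@@ -21,13 +21,19 @@) says that a user who is not in the group gets PAM_SUCCESS when 'trust' was also specified, which means the module returns PAM_SUCCESS for every user outside the group; that should be stated outright rather than tucked into a parenthesis, with a line on when combining 'deny' and 'trust' is intended. In the same hunk, the new group=xxxx text keeps "authentification" even though the patch corrects "_authetication" a few lines below, "Instead of checking the wheel or GID 0 groups" does not say which of the two is consulted first, root_only reads "the uid of requested account" (missing "the"), and _acct_mgmt is added to the services list without a word on what it checks.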