Diffstat (limited to 'modules/pam_wheel/README')
-rw-r--r-- | modules/pam_wheel/README | 96 |
1 files changed, 59 insertions, 37 deletions
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index 2cd156c0..db118205 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README 
@@ -1,39 +1,61 @@ +pam_wheel — Only permit root access to members of group wheel -pam_wheel: - only permit root authentication to members of wheel group - -RECOGNIZED ARGUMENTS: - debug Write a message to syslog indicating success or - failure. - - use_uid The check for wheel membership will be done against - the current uid instead of the original one - (useful when jumping with su from one account to - another for example). - - trust The pam_wheel module will return PAM_SUCCESS instead - of PAM_IGNORE if the user is a member of the wheel - group (thus with a little play stacking the modules - the wheel members may be able to su to root without - being prompted for a passwd). - - deny Reverse the sense of the auth operation: if the user - is trying to get UID 0 access and is a member of the - wheel group, deny access (well, kind of nonsense, but - for use in conjunction with 'group' argument... :-) - Conversely, if the user is not in the group, return - PAM_IGNORE (unless 'trust' was also specified, in - which case we return PAM_SUCCESS). - - group=xxxx Instead of checking the wheel or GID 0 groups, use - the xxxx group to perform the authentification. - - root_only The check for wheel membership is done only - if the uid of requested account is 0. - -MODULE SERVICES PROVIDED: - auth _authentication, _setcred (blank) and _acct_mgmt - -AUTHOR: - Cristian Gafton <gafton@redhat.com> +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_wheel PAM module is used to enforce the so-called wheel group. By +default it permits root access to the system if the applicant user is a member +of the wheel group. If no group with this name exist, the module is using the +group with the group-ID 0. + +OPTIONS + +debug + + Print debug information. + +deny + + Reverse the sense of the auth operation: if the user is trying to get UID 0 + access and is a member of the wheel group (or the group of the group + option), deny access. 
Conversely, if the user is not in the group, return + PAM_IGNORE (unless trust was also specified, in which case we return + PAM_SUCCESS). + +group=name + + Instead of checking the wheel or GID 0 groups, use the name group to + perform the authentification. + +root_only + + The check for wheel membership is done only. + +trust + + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the + user is a member of the wheel group (thus with a little play stacking the + modules the wheel members may be able to su to root without being prompted + for a passwd). + +use_uid + + The check for wheel membership will be done against the current uid instead + of the original one (useful when jumping with su from one account to + another for example). + +EXAMPLES + +The root account gains access by default (rootok), only wheel members can +become root (wheel) but Unix authenticate non-root applicants. + +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix.so + + +AUTHOR + +pam_wheel was written by Cristian Gafton <gafton@redhat.com>. |
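Review bot: the new root_only entry reads "The check for wheel membership is done only." and drops the condition the removed text carried ("only if the uid of requested account is 0"), so the option's behaviour is no longer documented; restore that clause. In the same hunk, the debug entry changes from "Write a message to syslog indicating success or failure" to "Print debug information", which loses both the destination and what is logged; keeping the syslog wording would help anyone looking for the messages. In DESCRIPTION, "If no group with this name exist, the module is using the group with the group-ID 0" should read "exists, the module uses", and "authentification" under group=name carries over the old typo. The EXAMPLES sentence "but Unix authenticate non-root applicants" is hard to parse; say plainly that pam_unix authenticates non-root applicants, since both pam_wheel and pam_unix are "required" in the stack shown.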