Diffstat (limited to 'modules/pam_wheel/README')
1 files changed, 59 insertions, 37 deletions
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README
index 2cd156c0..db118205 100644
@@ -1,39 +1,61 @@
+pam_wheel — Only permit root access to members of group wheel
- only permit root authentication to members of wheel group
- debug Write a message to syslog indicating success or
- use_uid The check for wheel membership will be done against
- the current uid instead of the original one
- (useful when jumping with su from one account to
- another for example).
- trust The pam_wheel module will return PAM_SUCCESS instead
- of PAM_IGNORE if the user is a member of the wheel
- group (thus with a little play stacking the modules
- the wheel members may be able to su to root without
- being prompted for a passwd).
- deny Reverse the sense of the auth operation: if the user
- is trying to get UID 0 access and is a member of the
- wheel group, deny access (well, kind of nonsense, but
- for use in conjunction with 'group' argument... :-)
- Conversely, if the user is not in the group, return
- PAM_IGNORE (unless 'trust' was also specified, in
- which case we return PAM_SUCCESS).
- group=xxxx Instead of checking the wheel or GID 0 groups, use
- the xxxx group to perform the authentification.
- root_only The check for wheel membership is done only
- if the uid of requested account is 0.
-MODULE SERVICES PROVIDED:
- auth _authentication, _setcred (blank) and _acct_mgmt
- Cristian Gafton <email@example.com>
+The pam_wheel PAM module is used to enforce the so-called wheel group. By
+default it permits root access to the system if the applicant user is a member
+of the wheel group. If no group with this name exist, the module is using the
+group with the group-ID 0.
+ Print debug information.
+ Reverse the sense of the auth operation: if the user is trying to get UID 0
+ access and is a member of the wheel group (or the group of the group
+ option), deny access. Conversely, if the user is not in the group, return
+ PAM_IGNORE (unless trust was also specified, in which case we return
+ Instead of checking the wheel or GID 0 groups, use the name group to
+ perform the authentification.
+ The check for wheel membership is done only.
+ The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the
+ user is a member of the wheel group (thus with a little play stacking the
+ modules the wheel members may be able to su to root without being prompted
+ for a passwd).
+ The check for wheel membership will be done against the current uid instead
+ of the original one (useful when jumping with su from one account to
+ another for example).
+The root account gains access by default (rootok), only wheel members can
+become root (wheel) but Unix authenticate non-root applicants.
+su auth sufficient pam_rootok.so
+su auth required pam_wheel.so
+su auth required pam_unix.so
+pam_wheel was written by Cristian Gafton <firstname.lastname@example.org>.