diff options
Diffstat (limited to 'modules/pam_wheel/pam_wheel.8')
-rw-r--r-- | modules/pam_wheel/pam_wheel.8 | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8 new file mode 100644 index 00000000..f1c63dac --- /dev/null +++ b/modules/pam_wheel/pam_wheel.8 @@ -0,0 +1,127 @@ +.\" Title: pam_wheel +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/> +.\" Date: 04/16/2008 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" +.TH "PAM_WHEEL" "8" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_wheel - Only permit root access to members of group wheel +.SH "SYNOPSIS" +.HP 13 +\fBpam_wheel\.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +.SH "DESCRIPTION" +.PP +The pam_wheel PAM module is used to enforce the so\-called +\fIwheel\fR +group\. By default it permits root access to the system if the applicant user is a member of the +\fIwheel\fR +group\. If no group with this name exist, the module is using the group with the group\-ID +\fB0\fR\. +.SH "OPTIONS" +.PP +\fBdebug\fR +.RS 4 +Print debug information\. +.RE +.PP +\fBdeny\fR +.RS 4 +Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the +\fBgroup\fR +option), deny access\. Conversely, if the user is not in the group, return PAM_IGNORE (unless +\fBtrust\fR +was also specified, in which case we return PAM_SUCCESS)\. +.RE +.PP +\fBgroup=\fR\fB\fIname\fR\fR +.RS 4 +Instead of checking the wheel or GID 0 groups, use the +\fB\fIname\fR\fR +group to perform the authentication\. +.RE +.PP +\fBroot_only\fR +.RS 4 +The check for wheel membership is done only\. +.RE +.PP +\fBtrust\fR +.RS 4 +The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\. +.RE +.PP +\fBuse_uid\fR +.RS 4 +The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\. +.RE +.SH "MODULE SERVICES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +services are supported\. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\. +.RE +.PP +PAM_IGNORE +.RS 4 +The return value should be ignored by PAM dispatch\. +.RE +.PP +PAM_PERM_DENY +.RS 4 +Permission denied\. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +Cannot determine the user name\. +.RE +.PP +PAM_SUCCESS +.RS 4 +Success\. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known\. +.RE +.SH "EXAMPLES" +.PP +The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\. +.sp +.RS 4 +.nf +su auth sufficient pam_rootok\.so +su auth required pam_wheel\.so +su auth required pam_unix\.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_wheel was written by Cristian Gafton <gafton@redhat\.com>\. |