blob: 6f44b8454a0a14ef4ccd68917e44825292ccda58 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="pam_rootok">
<refmeta>
<refentrytitle>pam_rootok</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="pam_rootok-name">
<refname>pam_rootok</refname>
<refpurpose>Gain only root access</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis id="pam_rootok-cmdsynopsis">
<command>pam_rootok.so</command>
<arg choice="opt">
debug
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="pam_rootok-description">
<title>DESCRIPTION</title>
<para>
pam_rootok is a PAM module that authenticates the user if their
<emphasis>UID</emphasis> is <emphasis>0</emphasis>.
Applications that are created setuid-root generally retain the
<emphasis>UID</emphasis> of the user but run with the authority
of an enhanced effective-UID. It is the real <emphasis>UID</emphasis>
that is checked.
</para>
</refsect1>
<refsect1 id="pam_rootok-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>debug</option>
</term>
<listitem>
<para>
Print debug information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="pam_rootok-types">
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option>, <option>acct</option> and
<option>password</option> module types are provided.
</para>
</refsect1>
<refsect1 id='pam_rootok-return_values'>
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The <emphasis>UID</emphasis> is <emphasis>0</emphasis>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_AUTH_ERR</term>
<listitem>
<para>
The <emphasis>UID</emphasis> is <emphasis remap='B'>not</emphasis>
<emphasis>0</emphasis>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='pam_rootok-examples'>
<title>EXAMPLES</title>
<para>
In the case of the <citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry> application the historical usage is to
permit the superuser to adopt the identity of a lesser user
without the use of a password. To obtain this behavior with PAM
the following pair of lines are needed for the corresponding entry
in the <filename>/etc/pam.d/su</filename> configuration file:
<programlisting>
# su authentication. Root is granted access by default.
auth sufficient pam_rootok.so
auth required pam_unix.so
</programlisting>
</para>
</refsect1>
<refsect1 id='pam_rootok-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='pam_rootok-author'>
<title>AUTHOR</title>
<para>
pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
</para>
</refsect1>
</refentry>
|
