blob: aaecc1a54166e2b4eac7743ca7761a9ef22e93db (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
.\" Title: pam_wheel
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
.\" Date: 06/09/2006
.\" Manual: Linux\-PAM Manual
.\" Source: Linux\-PAM Manual
.\"
.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
pam_wheel \- Only permit root access to members of group wheel
.SH "SYNOPSIS"
.HP 13
\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
.SH "DESCRIPTION"
.PP
The pam_wheel PAM module is used to enforce the so\-called
\fIwheel\fR
group. By default it permits root access to the system if the applicant user is a member of the
\fIwheel\fR
group. If no group with this name exist, the module is using the group with the group\-ID
\fB0\fR.
.SH "OPTIONS"
.TP 3n
\fBdebug\fR
Print debug information.
.TP 3n
\fBdeny\fR
Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
\fBgroup\fR
option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless
\fBtrust\fR
was also specified, in which case we return PAM_SUCCESS).
.TP 3n
\fBgroup=\fR\fB\fIname\fR\fR
Instead of checking the wheel or GID 0 groups, use the
\fB\fIname\fR\fR
group to perform the authentification.
.TP 3n
\fBroot_only\fR
The check for wheel membership is done only.
.TP 3n
\fBtrust\fR
The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
.TP 3n
\fBuse_uid\fR
The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example).
.SH "MODULE SERVICES PROVIDED"
.PP
The
\fBauth\fR
and
\fBaccount\fR
services are supported.
.SH "RETURN VALUES"
.TP 3n
PAM_AUTH_ERR
Authentication failure.
.TP 3n
PAM_BUF_ERR
Memory buffer error.
.TP 3n
PAM_IGNORE
The return value should be ignored by PAM dispatch.
.TP 3n
PAM_PERM_DENY
Permission denied.
.TP 3n
PAM_SERVICE_ERR
Cannot determine the user name.
.TP 3n
PAM_SUCCESS
Success.
.TP 3n
PAM_USER_UNKNOWN
User not known.
.SH "EXAMPLES"
.PP
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants.
.sp
.RS 3n
.nf
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so
.fi
.RE
.sp
.SH "SEE ALSO"
.PP
\fBpam.conf\fR(5),
\fBpam.d\fR(8),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
pam_wheel was written by Cristian Gafton <gafton@redhat.com>.
|
