pam_wheel8Linux-PAM Manualpam_wheelOnly permit root access to members of group wheelpam_wheel.so
debug
deny
group=name
root_only
trust
use_uid
DESCRIPTION
The pam_wheel PAM module is used to enforce the so-called
wheel group. By default it permits
access to the target user if the applicant user is a member of the
wheel group. If no group with this name exist,
the module is using the group with the group-ID
0.
OPTIONS
Print debug information.
Reverse the sense of the auth operation: if the user
is trying to get UID 0 access and is a member of the
wheel group (or the group of the option),
deny access. Conversely, if the user is not in the group, return
PAM_IGNORE (unless was also specified,
in which case we return PAM_SUCCESS).
Instead of checking the wheel or GID 0 groups, use
the group
to perform the authentication.
The check for wheel membership is done only when the target user
UID is 0.
The pam_wheel module will return PAM_SUCCESS instead
of PAM_IGNORE if the user is a member of the wheel group
(thus with a little play stacking the modules the wheel
members may be able to su to root without being prompted
for a passwd).
The check for wheel membership will be done against
the current uid instead of the original one (useful when
jumping with su from one account to another for example).
MODULE TYPES PROVIDED
The auth and
account module types are provided.
RETURN VALUESPAM_AUTH_ERR
Authentication failure.
PAM_BUF_ERR
Memory buffer error.
PAM_IGNORE
The return value should be ignored by PAM dispatch.
PAM_PERM_DENY
Permission denied.
PAM_SERVICE_ERR
Cannot determine the user name.
PAM_SUCCESS
Success.
PAM_USER_UNKNOWN
User not known.
EXAMPLES
The root account gains access by default (rootok), only wheel
members can become root (wheel) but Unix authenticate non-root
applicants.
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so
SEE ALSOpam.conf5,
pam.d5,
pam8AUTHOR
pam_wheel was written by Cristian Gafton <gafton@redhat.com>.