'\" t
.\" Title: pam_wheel
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 05/18/2017
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "PAM_WHEEL" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_wheel \- Only permit root access to members of group wheel
.SH "SYNOPSIS"
.HP \w'\fBpam_wheel\&.so\fR\ 'u
\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
.SH "DESCRIPTION"
.PP
The pam_wheel PAM module is used to enforce the so\-called
\fIwheel\fR
group\&. By default it permits root access to the system if the applicant user is a member of the
\fIwheel\fR
group\&. If no group with this name exists, the module uses the group with the group\-ID
\fB0\fR\&.
.SH "OPTIONS"
.PP
\fBdebug\fR
.RS 4
Print debug information\&.
.RE
.PP
\fBdeny\fR
.RS 4
Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
\fBgroup\fR
option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless
\fBtrust\fR
was also specified, in which case we return PAM_SUCCESS)\&.
.RE
.PP
\fBgroup=\fR\fB\fIname\fR\fR
.RS 4
Instead of checking the wheel or GID 0 groups, use the
\fB\fIname\fR\fR
group to perform the authentication\&.
.RE
.PP
\fBroot_only\fR
.RS 4
The check for wheel membership is done only when the target user UID is 0\&.
.RE
.PP
\fBtrust\fR
.RS 4
The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus, with some care in stacking the modules, wheel members may be able to su to root without being prompted for a password)\&.
.RE
.PP
\fBuse_uid\fR
.RS 4
The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another, for example)\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
The
\fBauth\fR
and
\fBaccount\fR
module types are provided\&.
.SH "RETURN VALUES"
.PP
PAM_AUTH_ERR
.RS 4
Authentication failure\&.
.RE
.PP
PAM_BUF_ERR
.RS 4
Memory buffer error\&.
.RE
.PP
PAM_IGNORE
.RS 4
The return value should be ignored by PAM dispatch\&.
.RE
.PP
PAM_PERM_DENIED
.RS 4
Permission denied\&.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
Cannot determine the user name\&.
.RE
.PP
PAM_SUCCESS
.RS 4
Success\&.
.RE
.PP
PAM_USER_UNKNOWN
.RS 4
User not known\&.
.RE
.SH "EXAMPLES"
.PP
The root account gains access by default (rootok); only wheel members can become root (wheel), but non\-root applicants are still authenticated with Unix authentication (unix)\&.
.sp
.if n \{\
.RS 4
.\}
.nf
su      auth     sufficient     pam_rootok\&.so
su      auth     required       pam_wheel\&.so
su      auth     required       pam_unix\&.so
.fi
.if n \{\
.RE
.\}
.sp
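.PP
The following is an added illustration, not part of the Linux\-PAM manual or source: a small Python model of how the options in OPTIONS map to the values in RETURN VALUES, and of how the three\-line stack above reacts when the pam_wheel line is varied. The function names, the string results and the reduction of libpam dispatch to the "required" and "sufficient" control flags are assumptions made for the example.

```python
# Added illustration: models the behaviour documented on this page, not Linux-PAM source.
# Assumptions: results are plain strings, only the "required" and "sufficient"
# control flags are modelled, and the group lookup is reduced to the in_group flag.

def pam_wheel(opts, in_group, target_uid=0):
    """Result of pam_wheel for the set of options given on its stack line."""
    if "root_only" in opts and target_uid != 0:
        return "PAM_IGNORE"                      # membership check is skipped
    pass_rc = "PAM_SUCCESS" if "trust" in opts else "PAM_IGNORE"
    if "deny" in opts:                           # sense of the check is reversed
        return "PAM_PERM_DENIED" if in_group else pass_rc
    return pass_rc if in_group else "PAM_PERM_DENIED"


def run_stack(stack, results):
    """Evaluate [(control, module)] given each module's result string."""
    failed = succeeded = False
    for control, module in stack:
        rc = results[module]
        if rc == "PAM_IGNORE":
            continue                             # contributes nothing to the outcome
        ok = rc == "PAM_SUCCESS"
        if control == "sufficient":
            if ok and not failed:
                return True                      # stack ends, later modules are skipped
        else:                                    # "required"
            failed |= not ok
            succeeded |= ok
    return succeeded and not failed


def su_allowed(wheel_control, wheel_opts, in_group, password_ok, is_root=False):
    """Outcome of the EXAMPLES stack with the pam_wheel line varied."""
    stack = [("sufficient", "pam_rootok"), (wheel_control, "pam_wheel"), ("required", "pam_unix")]
    results = {
        "pam_rootok": "PAM_SUCCESS" if is_root else "PAM_AUTH_ERR",
        "pam_wheel": pam_wheel(set(wheel_opts), in_group),
        "pam_unix": "PAM_SUCCESS" if password_ok else "PAM_AUTH_ERR",
    }
    return run_stack(stack, results)


if __name__ == "__main__":
    variants = [("required", []), ("sufficient", ["trust"]), ("required", ["deny"])]
    for ctl, opts in variants:
        for member in (True, False):
            for pw_ok in (True, False):
                print(ctl, opts, f"member={member} pw_ok={pw_ok}", su_allowed(ctl, opts, member, pw_ok))
```

In this model a "sufficient pam_wheel.so trust" line lets group members through without reaching pam_unix, but it does not exclude non\-members, who fall through to the password check. Restricting su to the group still needs a "required" pam_wheel line.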
.SH "SEE ALSO"
.PP
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.