'\" t

.\"     Title: pam_wheel

.\"    Author: [see the "AUTHOR" section]

.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>

.\"      Date: 05/18/2017

.\"    Manual: Linux-PAM Manual

.\"    Source: Linux-PAM Manual

.\"  Language: English

.\"

.TH "PAM_WHEEL" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"

.\" -----------------------------------------------------------------

.\" * Define some portability stuff

.\" -----------------------------------------------------------------

.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.\" http://bugs.debian.org/507673

.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html

.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.ie \n(.g .ds Aq \(aq

.el       .ds Aq '

.\" -----------------------------------------------------------------

.\" * set default formatting

.\" -----------------------------------------------------------------

.\" disable hyphenation

.nh

.\" disable justification (adjust text to left margin only)

.ad l

.\" -----------------------------------------------------------------

.\" * MAIN CONTENT STARTS HERE *

.\" -----------------------------------------------------------------

.SH "NAME"

pam_wheel \- Only permit root access to members of group wheel

.SH "SYNOPSIS"

.HP \w'\fBpam_wheel\&.so\fR\ 'u

\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]

.SH "DESCRIPTION"

.PP

The pam_wheel PAM module is used to enforce the so\-called

\fIwheel\fR

group\&. By default it permits root access to the system if the applicant user is a member of the

\fIwheel\fR

group\&. If no group with this name exist, the module is using the group with the group\-ID

\fB0\fR\&.

.SH "OPTIONS"

.PP

\fBdebug\fR

.RS 4

Print debug information\&.

.RE

.PP

\fBdeny\fR

.RS 4

Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the

\fBgroup\fR

option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless

\fBtrust\fR

was also specified, in which case we return PAM_SUCCESS)\&.

.RE

.PP

\fBgroup=\fR\fB\fIname\fR\fR

.RS 4

Instead of checking the wheel or GID 0 groups, use the

\fB\fIname\fR\fR

group to perform the authentication\&.

.RE

.PP

\fBroot_only\fR

.RS 4

The check for wheel membership is done only when the target user UID is 0\&.

.RE

.PP

\fBtrust\fR

.RS 4

The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.

.RE

.PP

\fBuse_uid\fR

.RS 4

The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&.

.RE

.SH "MODULE TYPES PROVIDED"

.PP

The

\fBauth\fR

and

\fBaccount\fR

module types are provided\&.

.SH "RETURN VALUES"

.PP

PAM_AUTH_ERR

.RS 4

Authentication failure\&.

.RE

.PP

PAM_BUF_ERR

.RS 4

Memory buffer error\&.

.RE

.PP

PAM_IGNORE

.RS 4

The return value should be ignored by PAM dispatch\&.

.RE

.PP

PAM_PERM_DENY

.RS 4

Permission denied\&.

.RE

.PP

PAM_SERVICE_ERR

.RS 4

Cannot determine the user name\&.

.RE

.PP

PAM_SUCCESS

.RS 4

Success\&.

.RE

.PP

PAM_USER_UNKNOWN

.RS 4

User not known\&.

.RE

.SH "EXAMPLES"

.PP

The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&.

.sp

.if n \{\

.RS 4

.\}

.nf

su      auth     sufficient     pam_rootok\&.so

su      auth     required       pam_wheel\&.so

su      auth     required       pam_unix\&.so

.fi

.if n \{\

.RE

.\}

.sp

.SH "SEE ALSO"

.PP

\fBpam.conf\fR(5),

\fBpam.d\fR(5),

\fBpam\fR(8)

.SH "AUTHOR"

.PP

pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.