man-pages/man8/pam_wheel.8.html
2021-03-31 01:06:50 +01:00

217 lines
4.1 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PAM_WHEEL</TITLE>
</HEAD><BODY>
<H1>PAM_WHEEL</H1>
Section: Linux-PAM Manual (8)<BR>Updated: 05/18/2017<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
pam_wheel - Only permit root access to members of group wheel
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<DL COMPACT>
<DT id="1">
<B>pam_wheel.so</B> [debug] [deny] [group=<I>name</I>] [root_only] [trust]
</DL>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
<DD>The pam_wheel PAM module is used to enforce the so-called
<I>wheel</I>
group. By default it permits root access to the system if the applicant user is a member of the
<I>wheel</I>
group. If no group with this name exist, the module is using the group with the group-ID
<B>0</B>.
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>
<P>
<B>debug</B>
<DL COMPACT><DT id="2"><DD>
Print debug information.
</DL>
<P>
<B>deny</B>
<DL COMPACT><DT id="3"><DD>
Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
<B>group</B>
option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless
<B>trust</B>
was also specified, in which case we return PAM_SUCCESS).
</DL>
<P>
<B>group=</B><B></B><I>name</I>
<DL COMPACT><DT id="4"><DD>
Instead of checking the wheel or GID 0 groups, use the
<B></B><I>name</I>
group to perform the authentication.
</DL>
<P>
<B>root_only</B>
<DL COMPACT><DT id="5"><DD>
The check for wheel membership is done only when the target user UID is 0.
</DL>
<P>
<B>trust</B>
<DL COMPACT><DT id="6"><DD>
The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>MODULE TYPES PROVIDED</H2>
<P>
The
<B>auth</B>
and
<B>account</B>
module types are provided.
<A NAME="lbAG">&nbsp;</A>
<H2>RETURN VALUES</H2>
<P>
PAM_AUTH_ERR
<DL COMPACT><DT id="7"><DD>
Authentication failure.
</DL>
<P>
PAM_BUF_ERR
<DL COMPACT><DT id="8"><DD>
Memory buffer error.
</DL>
<P>
PAM_IGNORE
<DL COMPACT><DT id="9"><DD>
The return value should be ignored by PAM dispatch.
</DL>
<P>
PAM_PERM_DENY
<DL COMPACT><DT id="10"><DD>
Permission denied.
</DL>
<P>
PAM_SERVICE_ERR
<DL COMPACT><DT id="11"><DD>
Cannot determine the user name.
</DL>
<P>
PAM_SUCCESS
<DL COMPACT><DT id="12"><DD>
Success.
</DL>
<P>
PAM_USER_UNKNOWN
<DL COMPACT><DT id="13"><DD>
User not known.
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>EXAMPLES</H2>
<P>
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.
<P>
<DL COMPACT><DT id="14"><DD>
<PRE>
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so
</PRE>
</DL>
<P>
<A NAME="lbAI">&nbsp;</A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?5+pam.conf">pam.conf</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?5+pam.d">pam.d</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?7+pam">pam</A></B>(7)
<A NAME="lbAJ">&nbsp;</A>
<H2>AUTHOR</H2>
<P>
pam_wheel was written by Cristian Gafton &lt;<A HREF="mailto:gafton@redhat.com">gafton@redhat.com</A>&gt;.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="15"><A HREF="#lbAB">NAME</A><DD>
<DT id="16"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="17"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="18"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="19"><A HREF="#lbAF">MODULE TYPES PROVIDED</A><DD>
<DT id="20"><A HREF="#lbAG">RETURN VALUES</A><DD>
<DT id="21"><A HREF="#lbAH">EXAMPLES</A><DD>
<DT id="22"><A HREF="#lbAI">SEE ALSO</A><DD>
<DT id="23"><A HREF="#lbAJ">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:15 GMT, March 31, 2021
</BODY>
</HTML>