blob: bf19a9bab80865d3fcd31730d769272ef5d0a4bf (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
<!--
$Id: pam_wheel.sgml,v 1.1.1.1 2000/06/20 22:11:05 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@parc.power.net>
from notes provided by Cristian Gafton.
-->
<sect1>The wheel module
<sect2>Synopsis
<p>
<descrip>
<tag><bf>Module Name:</bf></tag>
<tt/pam_wheel/
<tag><bf>Author:</bf></tag>
Cristian Gafton <gafton@redhat.com>
<tag><bf>Maintainer:</bf></tag>
Author.
<tag><bf>Management groups provided:</bf></tag>
authentication
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
Requires libpwdb.
<tag><bf>Network aware:</bf></tag>
</descrip>
<sect2>Overview of module
<p>
Only permit root access to members of the wheel (<tt/gid=0/) group.
<sect2>Authentication component
<p>
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
<tt/debug/;
<tt/use_uid/;
<tt/trust/;
<tt/deny/;
<tt/group=XXXX/
<tag><bf>Description:</bf></tag>
This module is used to enforce the so-called <em/wheel/ group. By
default, it permits root access to the system if the applicant user is
a member of the <tt/wheel/ group (first, the module checks for the
existence of a '<tt/wheel/' group. Otherwise the module defines the
group with group-id <tt/0/ to be the <em/wheel/ group).
<p>
The action of the module may be modified from this default by one or
more of the following flags in the <tt>/etc/pam.conf</tt> file.
<itemize>
<item>
<tt/debug/ -
Supply more debugging information to <tt/syslog(3)/.
<item>
<tt/use_uid/ -
This option modifies the behavior of the module by using the current
<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user.
This option is useful for being able to jump from one account to
another, for example with 'su'.
<item>
<tt/trust/ -
This option instructs the module to return <tt/PAM_SUCCESS/ should it
find the user applying for root privilege is a member of the wheel
group. The default action is to return <tt/PAM_IGNORE/ in this
situation. By using the <tt/trust/ option it is possible to arrange
for <tt/wheel/-group members to become root without typing a
password. <bf/USE WITH CARE/.
<item>
<tt/deny/ -
This is used to reverse the logic of the module's behavior.
If the user is trying to get <tt/uid=0/ access and is a member of the wheel
group, deny access (for the wheel group, this is perhaps nonsense!):
it is intended for use in conjunction with the <tt/group=/ argument...
<item>
<tt/group=XXXX/ -
Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/
group membership for the authentication. Here, <tt/XXXX/ is the name
of the group and <bf/not/ its numeric identifier.
</itemize>
<tag><bf>Examples/suggested usage:</bf></tag>
To restrict access to superuser status to the members of the
<tt/wheel/ group, use the following entries in your configuration
file:
<tscreen>
<verb>
#
# root gains access by default (rootok), only wheel members can
# become root (wheel) but Unix authenticate non-root applicants.
#
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix_auth.so
</verb>
</tscreen>
</descrip>
<!--
End of sgml insert for this module.
-->
|