$Id: pam_wheel.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $
This file was written by Andrew G. Morgan <morgan@parc.power.net>
from notes provided by Cristian Gafton.
<sect1>The wheel module
<tag><bf>Module Name:</bf></tag>
<tag><bf>Author:</bf></tag>
Cristian Gafton <gafton@redhat.com>
<tag><bf>Maintainer:</bf></tag>
<tag><bf>Management groups provided:</bf></tag>
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
<tag><bf>Network aware:</bf></tag>
<sect2>Overview of module
Only permit root access to members of the wheel (<tt/gid=0/) group.
<sect2>Authentication component
<tag><bf>Recognized arguments:</bf></tag>
<tag><bf>Description:</bf></tag>
This module is used to enforce the so-called wheel group. By default,
it permits root access to the system if the applicant user is a member
of the <tt/wheel/ group (better described as the group with group-id
The action of the module may be modified from this default by one or
more of the following flags in the <tt>/etc/pam.conf</tt> file.
Supply more debugging information to <tt/syslog(3)/.
This option modifies the behavior of the module by using the current
<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user.
This option is useful for being able to jump from one account to
another, for example with 'su'.
This option instructs the module to return <tt/PAM_SUCCESS/ should it
find the user applying for root privilege is a member of the wheel
group. The default action is to return <tt/PAM_IGNORE/ in this
situation. By using the <tt/trust/ option it is possible to arrange
for <tt/wheel/-group members to become root without typing a
password. <bf/USE WITH CARE/.
This is used to reverse the logic of the module's behavior.
If the user is trying to get <tt/uid=0/ access and is a member of the wheel
group, deny access (for the wheel group, this is perhaps nonsense!):
it is intended for use in conjunction with the <tt/group=/ argument...
Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/
group membership for the authentication. Here, <tt/XXXX/ is the name
of the group and <bf/not/ its numeric identifier.
<tag><bf>Examples/suggested usage:</bf></tag>
To restrict access to superuser status to the members of the
<tt/wheel/ group, use the following entries in your configuration
# root gains access by default (rootok), only wheel members can
# become root (wheel) but Unix authenticate non-root applicants.
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix_auth.so
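The following audit script is an added example, not part of the module or its original documentation. It scans <tt>/etc/pam.conf</tt>-style lines for the two pam_wheel settings the description warns about: <tt/trust/, and the logic-reversing option used without <tt/group=/. It assumes that option is spelled <tt/deny/; the sample configuration and the group name <tt/nosu/ are constructed.

```python
import re

# Constructed sample in /etc/pam.conf layout (not from a real system).
SAMPLE_CONF = """\
# service type control module-path arguments
su auth sufficient pam_rootok.so
su auth required   pam_wheel.so
su auth sufficient pam_wheel.so trust
su auth required   pam_wheel.so deny
su auth required   pam_wheel.so deny group=nosu
su auth required   pam_unix_auth.so
"""


def audit_pam_wheel(conf_text):
    """Return (line_number, service, finding) for risky pam_wheel entries."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]                 # drop comments
        line = re.sub(r"\[[^\]]*\]", "[x]", line)   # bracketed tokens may hold spaces
        fields = line.split()
        if len(fields) < 4:                         # blank or incomplete entry
            continue
        service, module, args = fields[0], fields[3], fields[4:]
        if module.rsplit("/", 1)[-1] != "pam_wheel.so":
            continue
        if "trust" in args:
            findings.append((lineno, service,
                             "trust: group members can become root without a password"))
        # Assumption: the logic-reversing flag is spelled "deny".
        if "deny" in args and not any(a.startswith("group=") for a in args):
            findings.append((lineno, service,
                             "deny without group=: denies root to the wheel group itself"))
    return findings


if __name__ == "__main__":
    for lineno, service, finding in audit_pam_wheel(SAMPLE_CONF):
        print(f"line {lineno} ({service}): {finding}")
```

Run against the sample, it reports line 4 (<tt/trust/) and line 5 (<tt/deny/ with no <tt/group=/); the plain entry and the <tt/deny group=nosu/ entry pass.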
End of sgml insert for this module.