Man page - pam_wheel(8)

Packages contains this manual

Package:  libpam-runtime
apt-get install libpam-runtime

Manuals in package:
• pam_wheel(8)
• sepermit.conf(5)
• pwhistory_helper(8)
• pam_selinux(8)
• pam_mkhomedir(8)
• pam_xauth(8)
• time.conf(5)
• pam_permit(8)
• pam_filter(8)
• pam_canonicalize_user(8)
• pam_usertype(8)
• pam_rhosts(8)
• pam_faildelay(8)
• unix_chkpwd(8)
• pwhistory.conf(5)
• pam_localuser(8)
• pam_mail(8)
• pam_deny(8)
• pam_keyinit(8)
• pam_userdb(8)
• pam_limits(8)
• pam_group(8)
• pam_rootok(8)
• pam_time(8)
• pam_sepermit(8)
• pam_access(8)
• pam_listfile(8)
• pam_warn(8)
• access.conf(5)
• pam_nologin(8)
• pam_tty_audit(8)
• pam_stress(8)
• pam_echo(8)
• pam_pwhistory(8)
• pam_ftp(8)
• pam_debug(8)
• environment(5)
• faillock(8)
• pam.d(5)
• pam_exec(8)
• pam_securetty(8)
• pam_faillock(8)
• pam_env(8)
• pam_timestamp_check(8)
• group.conf(5)
• pam_env.conf(5)
• pam_motd(8)
• mkhomedir_helper(8)
• pam_setquota(8)
• unix_update(8)
• pam.conf(5)
• pam_issue(8)
• pam_namespace(8)
• pam_shells(8)
• pam_umask(8)
• pam_unix(8)
• pam(7)
• namespace.conf(5)
• pam_timestamp(8)
• faillock.conf(5)
• pam_getenv(8)
• pam-auth-update(8)
• pam_succeed_if(8)
• pam_namespace_helper(8)
• limits.conf(5)
• pam_loginuid(8)
Documentations in package:
• libpam-runtime

Manual

PAM_WHEEL

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
MODULE TYPES PROVIDED
RETURN VALUES
EXAMPLES
SEE ALSO
AUTHOR

---

NAME

pam_wheel - Only permit root access to members of group wheel

SYNOPSIS

pam_wheel.so [debug] [deny] [group= name ] [root_only] [trust]

DESCRIPTION

The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits access to the target user if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0 .

OPTIONS

debug

Print debug information.

deny

Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS).

group=name

Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.

root_only

The check for wheel membership is done only when the target user UID is 0.

trust

The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).

MODULE TYPES PROVIDED

The auth and account module types are provided.

RETURN VALUES

PAM_AUTH_ERR

Authentication failure.

PAM_BUF_ERR

Memory buffer error.

PAM_IGNORE

The return value should be ignored by PAM dispatch.

PAM_PERM_DENY

Permission denied.

PAM_SERVICE_ERR

Cannot determine the user name.

PAM_SUCCESS

Success.

PAM_USER_UNKNOWN

User not known.

EXAMPLES

The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.

su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so

SEE ALSO

pam.conf (5), pam.d (5), pam (7)

AUTHOR

pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

---