pam_wheel (8) - Linux Man Pages
pam_wheel: Only permit root access to members of group wheel
pam_wheel - Only permit root access to members of group wheel
- pam_wheel.so [debug] [deny] [group=name] [root_only] [trust]
- Print debug information.
- Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS).
- Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.
- The check for wheel membership is done only when the target user UID is 0.
- The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
MODULE TYPES PROVIDED
- Authentication failure.
- Memory buffer error.
- The return value should be ignored by PAM dispatch.
- Permission denied.
- Cannot determine the user name.
- User not known.
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.
su auth sufficient pam_rootok.so su auth required pam_wheel.so su auth required pam_unix.so
pam_wheel was written by Cristian Gafton <gafton [at] redhat.com>.