Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam_wheel(8) [linux man page]

PAM_WHEEL(8)							 Linux-PAM Manual						      PAM_WHEEL(8)

NAME
pam_wheel - Only permit root access to members of group wheel SYNOPSIS
pam_wheel.so [debug] [deny] [group=name] [root_only] [trust] DESCRIPTION
The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0. OPTIONS
debug Print debug information. deny Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS). group=name Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication. root_only The check for wheel membership is done only. trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). MODULE TYPES PROVIDED
The auth and account module types are provided. RETURN VALUES
PAM_AUTH_ERR Authentication failure. PAM_BUF_ERR Memory buffer error. PAM_IGNORE The return value should be ignored by PAM dispatch. PAM_PERM_DENY Permission denied. PAM_SERVICE_ERR Cannot determine the user name. PAM_SUCCESS Success. PAM_USER_UNKNOWN User not known. EXAMPLES
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants. su auth sufficient pam_rootok.so su auth required pam_wheel.so su auth required pam_unix.so SEE ALSO
pam.conf(5), pam.d(5), pam(7) AUTHOR
pam_wheel was written by Cristian Gafton <gafton@redhat.com>. Linux-PAM Manual 05/31/2011 PAM_WHEEL(8)

Check Out this Related Man Page

PAM_GROUP(8)							 Linux-PAM Manual						      PAM_GROUP(8)

NAME
pam_group - PAM module for group access SYNOPSIS
pam_group.so DESCRIPTION
The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. By default rules for group memberships are taken from config file /etc/security/group.conf. This module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file-systems that the user has access to are so significant, is the fact that when a system is mounted nosuid the user is unable to create or execute such a binary file. For this module to provide any level of security, all file-systems that the user has write access to should be mounted nosuid. The pam_group module functions in parallel with the /etc/group file. If the user is granted any groups based on the behavior of this module, they are granted in addition to those entries /etc/group (or equivalent). OPTIONS
This module does not recognise any options. MODULE TYPES PROVIDED
Only the auth module type is provided. RETURN VALUES
PAM_SUCCESS group membership was granted. PAM_ABORT Not all relevant data could be gotten. PAM_BUF_ERR Memory buffer error. PAM_CRED_ERR Group membership was not granted. PAM_IGNORE pam_sm_authenticate was called which does nothing. PAM_USER_UNKNOWN The user is not known to the system. FILES
/etc/security/group.conf Default configuration file SEE ALSO
group.conf(5), pam.d(5), pam(7). AUTHORS
pam_group was written by Andrew G. Morgan <morgan@kernel.org>. Linux-PAM Manual 06/04/2011 PAM_GROUP(8)
Man Page