pam_wheel(8) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | MODULE TYPES PROVIDED | RETURN VALUES | EXAMPLES | SEE ALSO | AUTHOR | COLOPHON

PAM_WHEEL(8)                Linux-PAM Manual                PAM_WHEEL(8)

NAME         top

       pam_wheel - Only permit root access to members of group wheel

SYNOPSIS         top


       pam_wheel.so [debug] [deny] [group=name] [root_only] [trust]
                    [use_uid]

DESCRIPTION         top

       The pam_wheel PAM module is used to enforce the so-called wheel
       group. By default it permits access to the target user if the
       applicant user is a member of the wheel group. If no group with
       this name exist, the module is using the group with the group-ID
       0.

OPTIONS         top

       debug
           Print debug information.

       deny
           Reverse the sense of the auth operation: if the user is
           trying to get UID 0 access and is a member of the wheel group
           (or the group of the group option), deny access. Conversely,
           if the user is not in the group, return PAM_IGNORE (unless
           trust was also specified, in which case we return
           PAM_SUCCESS).

       group=name
           Instead of checking the wheel or GID 0 groups, use the name
           group to perform the authentication.

       root_only
           The check for wheel membership is done only when the target
           user UID is 0.

       trust
           The pam_wheel module will return PAM_SUCCESS instead of
           PAM_IGNORE if the user is a member of the wheel group (thus
           with a little play stacking the modules the wheel members may
           be able to su to root without being prompted for a passwd).

       use_uid
           The check will be done against the real uid of the calling
           process, instead of trying to obtain the user from the login
           session associated with the terminal in use.

MODULE TYPES PROVIDED         top

       The auth and account module types are provided.

RETURN VALUES         top

       PAM_AUTH_ERR
           Authentication failure.

       PAM_BUF_ERR
           Memory buffer error.

       PAM_IGNORE
           The return value should be ignored by PAM dispatch.

       PAM_PERM_DENY
           Permission denied.

       PAM_SERVICE_ERR
           Cannot determine the user name.

       PAM_SUCCESS
           Success.

       PAM_USER_UNKNOWN
           User not known.

EXAMPLES         top

       The root account gains access by default (rootok), only wheel
       members can become root (wheel) but Unix authenticate non-root
       applicants.

           su      auth     sufficient     pam_rootok.so
           su      auth     required       pam_wheel.so
           su      auth     required       pam_unix.so

SEE ALSO         top

       pam.conf(5), pam.d(5), pam(8)

AUTHOR         top

       pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

COLOPHON         top

       This page is part of the linux-pam (Pluggable Authentication
       Modules for Linux) project.  Information about the project can be
       found at ⟨http://www.linux-pam.org/⟩.  If you have a bug report
       for this manual page, see ⟨//www.linux-pam.org/⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨https://github.com/linux-pam/linux-pam.git⟩ on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-12-18.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

Linux-PAM Manual               12/22/2023                   PAM_WHEEL(8)