pam_rootok
PAM module that succeeds for UID 0
SYNOPSIS
pam_rootok.so [debug]
DESCRIPTION
pam_rootok is a PAM authentication module that returns success if the calling user has a UID of 0 (root). It is most commonly used in /etc/pam.d/su to allow the root user to switch identity to any other account without being prompted for a password.
It is typically combined with the sufficient control flag, so that root passes immediately and other users continue down the stack to be authenticated normally (e.g. by pam_unix or pam_wheel).
The module provides only the auth management group; it has no session, password, or account semantics.
PARAMETERS
debug
Log a message to syslog (auth facility) describing the action taken.
EXAMPLES
auth sufficient pam_rootok.so
auth required pam_unix.so
CAVEATS
Only useful in auth stacks. The module checks the real UID, so it relies on the calling process actually running as root. A misconfigured PAM stack that places this module in the wrong service file can allow unintended privilege escalation.
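The caveat above, as an added example that is not part of the original page or of Linux-PAM: a small Python audit that parses /etc/pam.d-style rule lines and flags pam_rootok in a service other than su or outside an auth stack. The allowlist EXPECTED_SERVICES, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re

# Assumption: only "su" is expected to use pam_rootok, as on this page.
# Extend this set with the services your distribution ships that way.
EXPECTED_SERVICES = {"su"}

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_line(line):
    """Parse one /etc/pam.d rule into (type, control, module) or None."""
    line = line.split("#", 1)[0].strip()      # drop comments and blanks
    m = RULE.match(line)
    if not m:                                  # blank, comment, or @include
        return None
    mtype, control, module = m.groups()
    return mtype.lstrip("-").lower(), control, os.path.basename(module)

def audit_rootok(service, text, expected=EXPECTED_SERVICES):
    """Return (service, reason, rule) findings for pam_rootok rules."""
    findings = []
    for raw in text.splitlines():
        rule = parse_pam_line(raw)
        if rule is None or rule[2] != "pam_rootok.so":
            continue
        if service not in expected:
            findings.append((service, "unexpected service", raw.strip()))
        if rule[0] != "auth":
            findings.append((service, "outside auth stack", raw.strip()))
    return findings

def audit_dir(path="/etc/pam.d", expected=EXPECTED_SERVICES):
    """Audit every service file in a pam.d directory."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                findings += audit_rootok(name, fh.read(), expected)
    return findings

# Constructed sample files (not taken from a real system).
SAMPLE = {
    "su": "auth sufficient pam_rootok.so\nauth required pam_unix.so\n",
    "example-daemon": "# hypothetical service\nauth sufficient pam_rootok.so debug\n",
}

if __name__ == "__main__":
    for svc, body in SAMPLE.items():
        for finding in audit_rootok(svc, body):
            print(finding)
```

Call audit_dir() as a user who can read /etc/pam.d to run the same checks against the live configuration; an empty list means no pam_rootok rule fell outside the allowlist.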
HISTORY
pam_rootok is part of the Linux-PAM distribution and has been included since the early releases of Linux-PAM in the late 1990s.
