pam_rootok
Permit root login if already root
SYNOPSIS
As a PAM module, pam_rootok is configured in PAM service files, typically located in /etc/pam.d/.
Syntax within pam.d files: auth control-flag pam_rootok.so [module-arguments] (where control-flag is e.g. sufficient or required)
Example usage: auth sufficient pam_rootok.so
This module does not accept any specific module-arguments.
DESCRIPTION
pam_rootok is a Pluggable Authentication Module (PAM) that provides a very simple authentication method: it succeeds if and only if the current effective user ID (EUID) is zero (i.e., the user is root).
This module is typically used in PAM configurations for services like su or login to allow the root user to always authenticate, even if the password file is corrupted, the root password has been forgotten, or other authentication methods fail. It does not perform any password verification or cryptographic checks itself; its sole function is to check the EUID.
While it provides a crucial fallback mechanism for system administration, it should almost never be used as the sole authentication method for root, especially not on critical services. It is usually combined with other stronger authentication modules (e.g., pam_unix.so) as a sufficient or optional rule, allowing root to bypass password prompts in specific scenarios, or as a last resort in a stack.
CAVEATS
Using pam_rootok without other strong authentication modules can be a significant security risk, as anyone gaining root privileges through other means (e.g., a kernel exploit) could then authenticate as root without a password. It should generally be used with care and in conjunction with other robust authentication methods. It authenticates based purely on EUID, not on user identity or credentials.
MODULE TYPE
pam_rootok is exclusively an auth type module. It determines whether a user is authenticated based on their effective user ID.
TYPICAL CONFIGURATION ROLE
It's often found in the auth stack for services like su or sudo. For instance, in /etc/pam.d/su, you might see it configured as sufficient to allow root to execute su without being prompted for a password, assuming root is already authenticated on the console. It can also be used as a required or optional module depending on the desired authentication flow.
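The following added example (not part of Linux-PAM or this page's own material) models how a pam.d auth stack like the su configuration above is evaluated, so the short-circuit behaviour of sufficient for root, and the lock-out when pam_rootok is the only auth module (the CAVEATS point), can be seen concretely. The sample stack, the Rule type and the per-module results are constructed assumptions; only pam_rootok, pam_unix, pam_permit and pam_deny are modelled.

```python
"""Model of how Linux-PAM evaluates an auth stack containing pam_rootok.
Hypothetical simulation of the documented control-flag semantics, not Linux-PAM itself."""
from collections import namedtuple

# Constructed example of an /etc/pam.d/su-style auth stack (not copied from any distro).
SAMPLE_SU_STACK = """\
# root skips the password prompt; everyone else must satisfy pam_unix
auth  sufficient  pam_rootok.so
auth  required    pam_unix.so
"""

Rule = namedtuple("Rule", "control module args")

def parse_auth_stack(text):
    """Parse 'type control module [args]' lines, keeping only auth rules."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append(Rule(fields[1], fields[2], tuple(fields[3:])))
    return rules

def module_result(rule, uid, password_ok):
    """pam_rootok looks only at the caller's uid; pam_unix only at the password."""
    results = {"pam_rootok.so": uid == 0, "pam_unix.so": password_ok,
               "pam_permit.so": True, "pam_deny.so": False}
    return results[rule.module]

def evaluate(rules, uid, password_ok):
    """Return True when the stack authenticates. 'impression' records whether a
    required/requisite module has already succeeded (True) or failed (False)."""
    impression = None
    for rule in rules:
        ok = module_result(rule, uid, password_ok)
        if rule.control == "sufficient":
            if ok and impression is not False:
                return True          # short-circuit: root never reaches pam_unix
        elif rule.control == "requisite" and not ok:
            return False             # requisite failure ends the stack at once
        elif rule.control in ("required", "requisite"):
            impression = ok if impression is None else (impression and ok)
        elif rule.control != "optional":
            raise ValueError(f"unsupported control flag {rule.control}")
    return impression is True        # only ignored modules ran: denied

def rootok_is_sole_auth(rules):
    """The CAVEATS risk: pam_rootok with no other auth module in the stack."""
    return bool(rules) and all(r.module == "pam_rootok.so" for r in rules)
```

With the sample stack, uid 0 authenticates without a password while any other uid still has to pass pam_unix; a stack consisting only of pam_rootok denies every non-root caller.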
HISTORY
The pam_rootok module is a core component of the Linux-PAM (Pluggable Authentication Modules) framework, which was developed to provide a flexible and standardized way to manage authentication services on Unix-like operating systems. Introduced as part of the initial PAM implementations, pam_rootok has served as a fundamental module ensuring that the root user can always authenticate under specific configurations, providing a crucial 'break glass in case of emergency' or convenience mechanism for system administrators.