LinuxCommandLibrary

pam_rootok

Permit root login if already root

SYNOPSIS

pam_rootok.so

DESCRIPTION

The pam_rootok.so PAM module authenticates root (UID 0) without asking for a password or any other credential: if the user is root, access is simply granted. It is typically stacked with other PAM modules so that root access is still governed by the rest of the system's PAM configuration.

When the module runs, it checks whether the user invoking the PAM-aware application has UID 0 (it is the real UID that is checked, so a setuid-root program still sees the caller's own UID). If so, authentication succeeds immediately. Otherwise the module returns failure and PAM proceeds to the next module in the configuration file. Because it can bypass stronger authentication methods for the root user, it should be used with caution.

CAVEATS

Misconfiguration of this module can severely compromise system security by allowing unrestricted root access. Exercise caution when using this module and always test configuration changes in a non-production environment.

USAGE

The pam_rootok.so module takes no module-specific options. It is configured simply by listing it in the relevant PAM configuration file (e.g., /etc/pam.d/system-auth, /etc/pam.d/login).

A typical use case is placing it alongside pam_wheel.so: root passes straight through, while other users must satisfy the wheel group check.
Example line:

    auth sufficient pam_rootok.so

SECURITY CONSIDERATIONS

Ensure that the placement of pam_rootok.so within the PAM stack is carefully considered. Putting it too early in the stack may effectively disable other authentication mechanisms intended for root, which can be extremely dangerous. Ensure that robust authentication measures are in place for non-root users before employing this module to avoid privilege escalation vulnerabilities.
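The placement concern raised in the USAGE and SECURITY CONSIDERATIONS sections can be audited mechanically. The following is an added example, not code from the page or from Linux-PAM: it parses a PAM stack file, locates pam_rootok.so, and reports which later auth modules a UID-0 caller never reaches when the module uses a short-circuiting control (sufficient, or a bracketed control with success=done). The sample stack is constructed for the example.

```python
import re

# Constructed sample stack, laid out like a typical PAM service file (not copied from any host).
SAMPLE_PAM_STACK = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       substack     system-auth
account    include      system-auth
session    include      system-auth
"""

# type, control (single word or [bracketed]), module path, optional arguments
LINE_RE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\w+)\s+(?P<module>\S+)(?P<args>.*)$")


def parse_pam(text):
    """Parse the lines of one PAM service file into dicts, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "type": m.group("type").lstrip("-"),  # a leading '-' marks an optional module
                "control": m.group("control").lower(),
                "module": m.group("module"),
                "args": m.group("args").split(),
            })
    return entries


def short_circuits(control):
    """True if a PASS from this module ends the stack at once (sufficient, or success=done)."""
    return control == "sufficient" or (control.startswith("[") and "success=done" in control)


def rootok_bypass(text):
    """List the auth-stack modules a UID-0 caller never reaches because pam_rootok.so
    succeeds before them with a short-circuiting control; [] means root still runs every module."""
    auth = [e for e in parse_pam(text) if e["type"] == "auth"]
    for i, e in enumerate(auth):
        if e["module"].endswith("pam_rootok.so") and short_circuits(e["control"]):
            return [later["module"] for later in auth[i + 1:]]
    return []


if __name__ == "__main__":
    for skipped in rootok_bypass(SAMPLE_PAM_STACK):
        print(f"root bypasses: {skipped}")
```

A non-empty result is not automatically a misconfiguration (letting root skip pam_wheel.so is the intended effect in some stacks); it is the list to review against what the stack is meant to enforce for root.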

HISTORY

pam_rootok has been a part of PAM modules in Linux systems for a long time. Its presence stems from the need to sometimes simplify root authentication, particularly in environments where direct password-based root login is discouraged but specific applications require elevated privileges.

SEE ALSO

pam(8), passwd(1), login(1)
