pam_wheel

' pam_wheel.so 'u pam_wheel.so [debug] [deny] [group= name ][root_only] [trust] [use_uid]

The pam_wheel PAM module is used to enforce the so -called wheel group . By default it permits root access to the system if the applicant user is a member of the wheel group . If no group with this name exist, the module is using the group with the group -ID 0 .

debug Print debug information .

deny Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access . Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS) .

group= name Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication .

root_only The check for wheel membership is done only when the target user UID is 0 .

trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd) .

use_uid The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example) .

The auth and account module types are provided .

PAM_AUTH_ERR Authentication failure .

PAM_BUF_ERR Memory buffer error .

PAM_IGNORE The return value should be ignored by PAM dispatch .

PAM_PERM_DENY Permission denied .

PAM_SERVICE_ERR Cannot determine the user name .

PAM_SUCCESS Success .

PAM_USER_UNKNOWN User not known .

The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non -root applicants .

---

.RS 4
su auth sufficient pam_rootok .so su auth required pam_wheel .so su auth required pam_unix .so
.RE

---

pam.conf(5), pam.d(5), pam(8)

pam_wheel was written by Cristian Gafton <gafton@redhat .com> .