{"id":3212,"date":"2022-12-20T16:43:50","date_gmt":"2022-12-20T19:43:50","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/pam_wheel-man8\/"},"modified":"2022-12-20T16:43:50","modified_gmt":"2022-12-20T19:43:50","slug":"pam_wheel-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/pam_wheel-man8\/","title":{"rendered":"PAM_WHEEL (man8)"},"content":{"rendered":"<h1 align=\"center\">PAM_WHEEL<\/h1>\n<p> <a href=\"#NAME\">NAME<\/a><br \/> <a href=\"#SYNOPSIS\">SYNOPSIS<\/a><br \/> <a href=\"#DESCRIPTION\">DESCRIPTION<\/a><br \/> <a href=\"#OPTIONS\">OPTIONS<\/a><br \/> <a href=\"#MODULE TYPES PROVIDED\">MODULE TYPES PROVIDED<\/a><br \/> <a href=\"#RETURN VALUES\">RETURN VALUES<\/a><br \/> <a href=\"#EXAMPLES\">EXAMPLES<\/a><br \/> <a href=\"#SEE ALSO\">SEE ALSO<\/a><br \/> <a href=\"#AUTHOR\">AUTHOR<\/a> <\/p>\n<hr>\n<h2>NAME <a name=\"NAME\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">pam_wheel \u2212 Only permit root access to members of group wheel<\/p>\n<h2>SYNOPSIS <a name=\"SYNOPSIS\"><\/a> <\/h2>\n<table width=\"100%\" border=\"0\" rules=\"none\" frame=\"void\" cellspacing=\"0\" cellpadding=\"0\">\n<tr valign=\"top\" align=\"left\">\n<td width=\"11%\"><\/td>\n<td width=\"89%\">\n<p style=\"margin-top: 1em\"><b>pam_wheel.so<\/b> [debug] [deny] [group=<i>name<\/i>] [root_only] [trust] [use_uid]<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<h2>DESCRIPTION <a name=\"DESCRIPTION\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">The pam_wheel PAM module is used to enforce the so\u2212called <i>wheel<\/i> group. By default it permits root access to the system if the applicant user is a member of the <i>wheel<\/i> group. 
If no group with this name exists, the module uses the group with the group\u2212ID <b>0<\/b>.<\/p>\n<h2>OPTIONS <a name=\"OPTIONS\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>debug<\/b><\/p>\n<p style=\"margin-left:17%;\">Print debug information.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>deny<\/b><\/p>\n<p style=\"margin-left:17%;\">Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the <b>group<\/b> option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless <b>trust<\/b> was also specified, in which case we return PAM_SUCCESS).<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>group=<\/b><i>name<\/i><\/p>\n<p style=\"margin-left:17%;\">Instead of checking the wheel or GID 0 groups, use the <i>name<\/i> group to perform the authentication.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>root_only<\/b><\/p>\n<p style=\"margin-left:17%;\">The check for wheel membership is done only when the target user UID is 0.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>trust<\/b><\/p>\n<p style=\"margin-left:17%;\">The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus, with a little play stacking the modules, the wheel members may be able to su to root without being prompted for a password).<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>use_uid<\/b><\/p>\n<p style=\"margin-left:17%;\">The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another, for example).<\/p>\n<h2>MODULE TYPES PROVIDED <a name=\"MODULE TYPES PROVIDED\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">The <b>auth<\/b> and <b>account<\/b> module types are provided.<\/p>\n<h2>RETURN VALUES <a name=\"RETURN VALUES\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 
1em\">PAM_AUTH_ERR<\/p>\n<p style=\"margin-left:17%;\">Authentication failure.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">PAM_BUF_ERR<\/p>\n<p style=\"margin-left:17%;\">Memory buffer error.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">PAM_IGNORE<\/p>\n<p style=\"margin-left:17%;\">The return value should be ignored by PAM dispatch.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">PAM_PERM_DENIED<\/p>\n<p style=\"margin-left:17%;\">Permission denied.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">PAM_SERVICE_ERR<\/p>\n<p style=\"margin-left:17%;\">Cannot determine the user name.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">PAM_SUCCESS<\/p>\n<p style=\"margin-left:17%;\">Success.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">PAM_USER_UNKNOWN<\/p>\n<p style=\"margin-left:17%;\">User not known.<\/p>\n<h2>EXAMPLES <a name=\"EXAMPLES\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">The root account gains access by default (rootok); only wheel members can become root (wheel), but Unix authenticates non\u2212root applicants.<\/p>\n<p style=\"margin-left:17%; margin-top: 1em\">su auth sufficient pam_rootok.so <br \/> su auth required pam_wheel.so <br \/> su auth required pam_unix.so<\/p>\n<h2>SEE ALSO <a name=\"SEE ALSO\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>pam.conf<\/b>(5), <b>pam.d<\/b>(5), <b>pam<\/b>(8)<\/p>\n<h2>AUTHOR <a name=\"AUTHOR\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">pam_wheel was written by Cristian Gafton &lt;gafton@redhat.com&gt;.<\/p>\n<hr>\n","protected":false},"excerpt":{"rendered":"<p>  pam_wheel \u2212 Only permit root access to members of group wheel 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,353],"class_list":["post-3212","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-pam_wheel"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3212"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3212\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}