pam_wheel.so [
debug
] [
deny
] [
group=name
] [
root_only
] [
trust
] [
use_uid
]
The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0.
-
debug Print debug information.
-
deny Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
groupoption), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unlesstrustwas also specified, in which case we return PAM_SUCCESS).-
group=name Instead of checking the wheel or GID 0 groups, use the
name-
root_only The check for wheel membership is done only.
-
trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
-
use_uid The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example).
- PAM_AUTH_ERR
Authentication failure.
- PAM_BUF_ERR
Memory buffer error.
- PAM_IGNORE
The return value should be ignored by PAM dispatch.
- PAM_PERM_DENY
Permission denied.
- PAM_SERVICE_ERR
Cannot determine the user name.
- PAM_SUCCESS
Success.
- PAM_USER_UNKNOWN
User not known.
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so