diff options
| author | Andrew G. Morgan <morgan@kernel.org> | 2002-07-13 05:48:19 +0000 |
|---|---|---|
| committer | Andrew G. Morgan <morgan@kernel.org> | 2002-07-13 05:48:19 +0000 |
| commit | 2b395f6d039fb5c92a5ae799b305dd33061c9fbc (patch) | |
| tree | 6386214fcccb9987050ca9b5534bffc5d473c688 /doc | |
| parent | c95e6e34c26fc95f622b4d0535bccede3c655146 (diff) | |
| download | pam-2b395f6d039fb5c92a5ae799b305dd33061c9fbc.tar.gz pam-2b395f6d039fb5c92a5ae799b305dd33061c9fbc.tar.bz2 pam-2b395f6d039fb5c92a5ae799b305dd33061c9fbc.zip | |
Relevant BUGIDs: 476951, 476953
Purpose of commit: bugfix
Commit summary:
---------------
Be more careful when using the deny option - pay attention to the trust
option before you grant access.
Fix from Nalin.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/modules/pam_wheel.sgml | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/doc/modules/pam_wheel.sgml b/doc/modules/pam_wheel.sgml index 8c07a8b7..85841923 100644 --- a/doc/modules/pam_wheel.sgml +++ b/doc/modules/pam_wheel.sgml @@ -22,7 +22,7 @@ Cristian Gafton <gafton@redhat.com> Author. <tag><bf>Management groups provided:</bf></tag> -authentication +authentication; account <tag><bf>Cryptographically sensitive:</bf></tag> @@ -31,7 +31,6 @@ authentication <tag><bf>Clean code base:</bf></tag> <tag><bf>System dependencies:</bf></tag> -Requires libpwdb. <tag><bf>Network aware:</bf></tag> @@ -42,7 +41,7 @@ Requires libpwdb. <p> Only permit root access to members of the wheel (<tt/gid=0/) group. -<sect2>Authentication component +<sect2>Authentication and Account components <p> <descrip> @@ -56,13 +55,17 @@ Only permit root access to members of the wheel (<tt/gid=0/) group. <tag><bf>Description:</bf></tag> -This module is used to enforce the so-called <em/wheel/ group. By +This module is used to enforce the so-called <em/wheel/ group. By default, it permits root access to the system if the applicant user is a member of the <tt/wheel/ group (first, the module checks for the existence of a '<tt/wheel/' group. Otherwise the module defines the group with group-id <tt/0/ to be the <em/wheel/ group). <p> +The module can be used as either an '<tt/auth/' or an '<tt/account/' +module. + +<p> The action of the module may be modified from this default by one or more of the following flags in the <tt>/etc/pam.conf</tt> file. <itemize> @@ -88,10 +91,13 @@ password. <bf/USE WITH CARE/. <item> <tt/deny/ - -This is used to reverse the logic of the module's behavior. -If the user is trying to get <tt/uid=0/ access and is a member of the wheel +This is used to reverse the logic of the module's behavior. If the +user is trying to get <tt/uid=0/ access and is a member of the wheel group, deny access (for the wheel group, this is perhaps nonsense!): it is intended for use in conjunction with the <tt/group=/ argument... +Conversely, if the user is not in the group, return <tt/PAM_IGNORE/ +(unless <tt/trust/ was also specified, in which case we return +<tt/PAM_SUCCESS/). <item> <tt/group=XXXX/ - @@ -114,7 +120,7 @@ file: # su auth sufficient pam_rootok.so su auth required pam_wheel.so -su auth required pam_unix_auth.so +su auth required pam_unix.so </verb> </tscreen> |