From 2b395f6d039fb5c92a5ae799b305dd33061c9fbc Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan" <morgan@kernel.org>
Date: Sat, 13 Jul 2002 05:48:19 +0000
Subject: Relevant BUGIDs: 476951, 476953

Purpose of commit: bugfix

Commit summary:
---------------
Be more careful when using the deny option - pay attention to the trust
option before you grant access.
Fix from Nalin.
---
 doc/modules/pam_wheel.sgml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

(limited to 'doc')
diff --git a/doc/modules/pam_wheel.sgml b/doc/modules/pam_wheel.sgml
index 8c07a8b7..85841923 100644
--- a/doc/modules/pam_wheel.sgml
+++ b/doc/modules/pam_wheel.sgml
@@ -22,7 +22,7 @@ Cristian Gafton &lt;gafton@redhat.com&gt;
 Author.
 
 <tag><bf>Management groups provided:</bf></tag>
-authentication
+authentication; account
 
 <tag><bf>Cryptographically sensitive:</bf></tag>
 	
@@ -31,7 +31,6 @@ authentication
 <tag><bf>Clean code base:</bf></tag>
 
 <tag><bf>System dependencies:</bf></tag>
-Requires libpwdb.
 
 <tag><bf>Network aware:</bf></tag>
 
@@ -42,7 +41,7 @@ Requires libpwdb.
 <p>
 Only permit root access to members of the wheel (<tt/gid=0/) group.
 
-<sect2>Authentication component
+<sect2>Authentication and Account components
 
 <p>
 <descrip>
@@ -56,12 +55,16 @@ Only permit root access to members of the wheel (<tt/gid=0/) group.
 
 <tag><bf>Description:</bf></tag>
 
-This module is used to enforce the so-called <em/wheel/ group. By
+This module is used to enforce the so-called <em/wheel/ group.  By
 default, it permits root access to the system if the applicant user is
 a member of the <tt/wheel/ group (first, the module checks for the
 existence of a '<tt/wheel/' group. Otherwise the module defines the
 group with group-id <tt/0/ to be the <em/wheel/ group).
 
+<p>
+The module can be used as either an '<tt/auth/' or an '<tt/account/'
+module.
+
 <p>
 The action of the module may be modified from this default by one or
 more of the following flags in the <tt>/etc/pam.conf</tt> file.
@@ -88,10 +91,13 @@ password. <bf/USE WITH CARE/.
 
 <item>
 <tt/deny/ - 
-This is used to reverse the logic of the module's behavior.
-If the user is trying to get <tt/uid=0/ access and is a member of the wheel
+This is used to reverse the logic of the module's behavior.  If the
+user is trying to get <tt/uid=0/ access and is a member of the wheel
 group, deny access (for the wheel group, this is perhaps nonsense!):
 it is intended for use in conjunction with the <tt/group=/ argument...
+Conversely, if the user is not in the group, return <tt/PAM_IGNORE/
+(unless <tt/trust/ was also specified, in which case we return
+<tt/PAM_SUCCESS/).
 
 <item>
 <tt/group=XXXX/ -
@@ -114,7 +120,7 @@ file:
 #
 su	auth	 sufficient	pam_rootok.so
 su	auth	 required	pam_wheel.so
-su	auth	 required	pam_unix_auth.so
+su	auth	 required	pam_unix.so
 </verb>
 </tscreen>
 
-- 
cgit v1.2.3

