blob: a79c073af1eaa5c94b38ba558b2687475f2a727b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_rootok">
<refmeta>
<refentrytitle>pam_rootok</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Linux-PAM</refmiscinfo>
<refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv xml:id="pam_rootok-name">
<refname>pam_rootok</refname>
<refpurpose>Gain only root access</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis xml:id="pam_rootok-cmdsynopsis" sepchar=" ">
<command>pam_rootok.so</command>
<arg choice="opt" rep="norepeat">
debug
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 xml:id="pam_rootok-description">
<title>DESCRIPTION</title>
<para>
pam_rootok is a PAM module that authenticates the user if their
<emphasis>UID</emphasis> is <emphasis>0</emphasis>.
Applications that are created setuid-root generally retain the
<emphasis>UID</emphasis> of the user but run with the authority
of an enhanced effective-UID. It is the real <emphasis>UID</emphasis>
that is checked.
</para>
</refsect1>
<refsect1 xml:id="pam_rootok-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
debug
</term>
<listitem>
<para>
Print debug information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 xml:id="pam_rootok-types">
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option>, <option>account</option> and
<option>password</option> module types are provided.
</para>
</refsect1>
<refsect1 xml:id="pam_rootok-return_values">
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The <emphasis>UID</emphasis> is <emphasis>0</emphasis>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_AUTH_ERR</term>
<listitem>
<para>
The <emphasis>UID</emphasis> is <emphasis remap="B">not</emphasis>
<emphasis>0</emphasis>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 xml:id="pam_rootok-examples">
<title>EXAMPLES</title>
<para>
In the case of the <citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry> application the historical usage is to
permit the superuser to adopt the identity of a lesser user
without the use of a password. To obtain this behavior with PAM
the following pair of lines are needed for the corresponding entry
in the <filename>/etc/pam.d/su</filename> configuration file:
<programlisting>
# su authentication. Root is granted access by default.
auth sufficient pam_rootok.so
auth required pam_unix.so
</programlisting>
</para>
</refsect1>
<refsect1 xml:id="pam_rootok-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 xml:id="pam_rootok-author">
<title>AUTHOR</title>
<para>
pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
</para>
</refsect1>
</refentry>
|
