pam_wheel - Only permit root access to members of group wheel
pam_wheel.so [debug] [deny] [group=name]
[root_only] [trust] [use_uid]
The pam_wheel PAM module is used to enforce the so-called
wheel group. By default it permits access to the target user if the
applicant user is a member of the wheel group. If no group with this
name exist, the module is using the group with the group-ID 0.
Print debug information.
Reverse the sense of the auth operation: if the user is
trying to get UID 0 access and is a member of the wheel group (or the group of
the group option), deny access. Conversely, if the user is not in the
group, return PAM_IGNORE (unless trust was also specified, in which
case we return PAM_SUCCESS).
Instead of checking the wheel or GID 0 groups, use the
name group to perform the authentication.
The check for wheel membership is done only when the
target user UID is 0.
The pam_wheel module will return PAM_SUCCESS instead of
PAM_IGNORE if the user is a member of the wheel group (thus with a little play
stacking the modules the wheel members may be able to su to root without being
prompted for a passwd).
The check will be done against the real uid of the
calling process, instead of trying to obtain the user from the login session
associated with the terminal in use.
The auth and account module types are provided.
Memory buffer error.
The return value should be ignored by PAM dispatch.
Cannot determine the user name.
User not known.
The root account gains access by default (rootok), only wheel
members can become root (wheel) but Unix authenticate non-root
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so
pam_wheel was written by Cristian Gafton