Home > Articles > Programming > Android

  • Print
  • + Share This

PAM and su

Unlike the last pam_listfile example, which restricts the users that may be switched to with su, pam_wheel is used to specifically restrict the successful execution of su to the root user. It does so by utilizing a special group called wheel with the GID of 0. Its default behavior is to allow only members of the wheel group to su to root when this module is in force. This is another authentication-only module. Its arguments are described in Table 5.11. This module has some arguments that you really don't want to use. The use_id argument causes the pam_wheel to use the effective UID of the user. In this way a non-wheel group member could su to a wheel group member and then su to root. This is probably not the behavior you seek.

The trust argument could cause wheel members to be able to su to root without a password, depending on the way in which modules are stacked. Avoid these two arguments, unless you are debugging or are otherwise prepared for their consequences.

On many releases of Linux, there is a GID 0, the root group. You may wish, therefore, to create a wheel group with a different GID—for example GID=10 (Red Hat 5.2/6.0 does this for you)—then use the group argument to pam_wheel. Example 5-20 displays a representative /etc/pam.d/su file. Make sure that you have a group called wheel in /etc/group. Any member of that group will be allowed to su to root. All other users will get a Password incorrect error message, even if they know the correct password.

Example 5-20 The /etc/pam.d/su File with pam_wheel

Auth     required   /lib/security/pam_wheel.so group=wheel
auth     required   /lib/security/pam_pwdb.so
account   required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so minlen=20 retry=3
password   required   /lib/security/pam_pwdb.so md5 use_authtok
session   required   /lib/security/pam_pwdb.so

Table 5.11 Arguments of pam_wheel




Generates additional output to syslog.


Uses the current process UID and not that returned by getlogin. This may result in the use of an effective UID and is not recommended for production use.


Causes this module to succeed if the user is a member of the wheel group. This option may cause members of wheel to become root without a password. Be very careful when using this argument.


Reverse the logic of this module.


Instead of allowing users in the group wheel, allow the users in groupname.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.