freebsd-dev/contrib/libpam/doc/modules/pam_rootok.sgml

<!--
   $Id: pam_rootok.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
   
   This file was written by Andrew G. Morgan <morgan@parc.power.net>
-->

<sect1>The root access module

<sect2>Synopsis

<p>
<descrip>

<tag><bf>Module Name:</bf></tag>
pam_rootok

<tag><bf>Author:</bf></tag>
Andrew G. Morgan &lt;morgan@parc.power.net&gt;

<tag><bf>Maintainer:</bf></tag>
<bf>Linux-PAM</bf> maintainer

<tag><bf>Management groups provided:</bf></tag>
authentication

<tag><bf>Cryptographically sensitive:</bf></tag>
	
<tag><bf>Security rating:</bf></tag>

<tag><bf>Clean code base:</bf></tag>
Clean.

<tag><bf>System dependencies:</bf></tag>

<tag><bf>Network aware:</bf></tag>

</descrip>

<sect2>Overview of module

<p>
This module is for use in situations where the superuser wishes
to gain access to a service without having to enter a password.

<sect2>Authentication component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>
<tt/debug/

<tag><bf>Description:</bf></tag>

This module authenticates the user if their <tt/uid/ is <tt/0/.
Applications that are created <em/setuid/-root generally retain the
<tt/uid/ of the user but run with the authority of an enhanced
<em/effective-/<tt/uid/. It is the real <tt/uid/ that is checked.

<tag><bf>Examples/suggested usage:</bf></tag>

In the case of the <tt/su/ application the historical usage is to
permit the superuser to adopt the identity of a lesser user without
the use of a password. To obtain this behavior under <tt/Linux-PAM/
the following pair of lines are needed for the corresponding entry in
the configuration file:
<tscreen>
<verb>
#
# su authentication. Root is granted access by default.
#
su	auth	 sufficient	pam_rootok.so
su	auth	 required	pam_unix_auth.so
</verb>
</tscreen>

<p>
Note. For programs that are run by the superuser (or started when the
system boots) this module should not be used to authenticate users.

</descrip>

<!--
End of sgml insert for this module.
-->