(root)/
Linux-PAM-1.5.3/
modules/
pam_rootok/
pam_rootok.8.xml
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_rootok">

  <refmeta>
    <refentrytitle>pam_rootok</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv xml:id="pam_rootok-name">
    <refname>pam_rootok</refname>
    <refpurpose>Gain only root access</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis xml:id="pam_rootok-cmdsynopsis" sepchar=" ">
      <command>pam_rootok.so</command>
      <arg choice="opt" rep="norepeat">
        debug
      </arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1 xml:id="pam_rootok-description">

    <title>DESCRIPTION</title>

    <para>
      pam_rootok is a PAM module that authenticates the user if their
      <emphasis>UID</emphasis> is <emphasis>0</emphasis>.
      Applications that are created setuid-root generally retain the
      <emphasis>UID</emphasis> of the user but run with the authority
      of an enhanced effective-UID. It is the real <emphasis>UID</emphasis>
      that is checked.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_rootok-options">
    <title>OPTIONS</title>
        <variablelist>
      <varlistentry>
        <term>
          debug
        </term>
        <listitem>
          <para>
            Print debug information.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 xml:id="pam_rootok-types">
    <title>MODULE TYPES PROVIDED</title>
    <para>
      The <option>auth</option>, <option>account</option> and
      <option>password</option> module types are provided.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_rootok-return_values">
    <title>RETURN VALUES</title>
    <variablelist>
      <varlistentry>
        <term>PAM_SUCCESS</term>
        <listitem>
          <para>
            The <emphasis>UID</emphasis> is <emphasis>0</emphasis>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_AUTH_ERR</term>
        <listitem>
          <para>
            The <emphasis>UID</emphasis> is <emphasis remap="B">not</emphasis>
            <emphasis>0</emphasis>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 xml:id="pam_rootok-examples">
    <title>EXAMPLES</title>
    <para>
      In the case of the <citerefentry>
        <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry> application the historical usage is to
      permit the superuser to adopt the identity of a lesser user
      without the use of a password. To obtain this behavior with PAM
      the following pair of lines are needed for the corresponding entry
      in the <filename>/etc/pam.d/su</filename> configuration file:
      <programlisting>
# su authentication. Root is granted access by default.
auth  sufficient   pam_rootok.so
auth  required     pam_unix.so
      </programlisting>
    </para>
  </refsect1>

  <refsect1 xml:id="pam_rootok-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1 xml:id="pam_rootok-author">
    <title>AUTHOR</title>
      <para>
        pam_rootok was written by Andrew G. Morgan, &lt;morgan@kernel.org&gt;.
      </para>
  </refsect1>

</refentry>