| 1 | # |
| 2 | # The PAM configuration file for the Shadow `su' service |
| 3 | # |
| 4 | |
| 5 | # This allows root to su without passwords (normal operation) |
| 6 | auth sufficient pam_rootok.so |
| 7 | |
| 8 | # Uncomment this to force users to be a member of group root |
| 9 | # before they can use `su'. You can also add "group=foo" |
| 10 | # to the end of this line if you want to use a group other |
| 11 | # than the default "root" (but this may have the side effect of |
| 12 | # denying the "root" user, unless root is a member of "foo" or is explicitly |
| 13 | # permitted earlier by e.g. "sufficient pam_rootok.so"). While this line stays commented out, group membership does not restrict who may use `su'. |
| 14 | # (Replaces the `SU_WHEEL_ONLY' option from login.defs) |
| 15 | # auth required pam_wheel.so |
| 16 | |
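| 17 | # Uncomment this if you want wheel members to be able to |
| 18 | # su without a password. With "trust", wheel group membership alone authenticates the caller, so wheel accounts must be protected as carefully as the accounts they can switch to. |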
| 19 | # auth sufficient pam_wheel.so trust |
| 20 | |
| 21 | # Uncomment this if you want members of a specific group to not |
| 22 | # be allowed to use su at all. |
| 23 | # auth required pam_wheel.so deny group=nosu |
| 24 | |
| 25 | # Uncomment this and edit /etc/security/time.conf if you need to set |
| 26 | # time restrictions on su usage. |
| 27 | # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs |
| 28 | # as well as /etc/porttime) |
| 29 | # account requisite pam_time.so |
| 30 | |
| 31 | # This module parses environment configuration file(s) |
| 32 | # and also allows you to use an extended config |
| 33 | # file /etc/security/pam_env.conf. |
| 34 | # |
| 35 | # parsing /etc/environment needs "readenv=1" |
| 36 | session required pam_env.so readenv=1 |
| 37 | |
| 38 | # Defines the MAIL environment variable |
| 39 | # However, userdel also needs MAIL_DIR and MAIL_FILE variables |
| 40 | # in /etc/login.defs to make sure that removing a user |
| 41 | # also removes the user's mail spool file. |
| 42 | # See comments in /etc/login.defs |
| 43 | # |
| 44 | # "nopen" suppresses the new-mail report when su'ing to another user |
| 45 | session optional pam_mail.so nopen |
| 46 | |
| 47 | # Sets up user limits. To enable this functionality, uncomment the line below |
| 48 | # and read /etc/security/limits.conf. |
| 49 | # (Replaces the use of /etc/limits in old login) |
| 50 | # session required pam_limits.so |
| 51 | |
| 52 | # The standard Unix authentication modules, used with |
| 53 | # NIS (man nsswitch) as well as normal /etc/passwd and |
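| 54 | # /etc/shadow entries. Callers not already accepted by a "sufficient" line above are authenticated by the common-auth stack. |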
| 55 | auth include common-auth |
| 56 | account include common-account |
| 57 | session include common-session |