pam_allowroot Module

Purpose

Returns PAM_SUCCESS if the authenticating user has a real user ID (UID) of 0.

Description

The pam_allowroot module checks the real user ID (UID) under which the PAM application was run. If the UID of the authenticating user is 0 (zero), then it is the root user and PAM_SUCCESS is returned.

The pam_allowroot module checks only the real user ID. Many applications that require root access set the effective user ID to 0, so the effective ID does not identify who ran the application. For this reason, the effective ID is not used to determine whether the user executing the authenticating application is a root user.

It is recommended that pam_allowroot be used with the sufficient control flag, in conjunction with other modules. This lets the root user bypass the rest of the modules in the stack, and a failure of pam_allowroot does not affect the result for other authenticating users. The example authentication stack configuration below mimics the historic behavior of the su command.

#
# The PAM configuration for standard su behavior.
#
su auth sufficient /usr/lib/security/pam_allowroot
su auth required   /usr/lib/security/pam_aix
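
The following is an added example, not part of the original documentation and not AIX code. It parses the su stack shown above and evaluates it with a simplified model of the PAM control flags, to show how the real-UID check and the sufficient flag interact. The pam_aix stand-in, the ctx dictionary and the function names are assumptions made for illustration.

```python
# Added example: a simplified model of PAM stack evaluation, not AIX code.
SU_STACK = """\
#
# The PAM configuration for standard su behavior.
#
su auth sufficient /usr/lib/security/pam_allowroot
su auth required   /usr/lib/security/pam_aix
"""

def parse_stack(conf, service, module_type):
    """Return [(control_flag, module_name)] for one service and module type."""
    stack = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if fields[0] == service and fields[1] == module_type:
            stack.append((fields[2], fields[3].rsplit("/", 1)[-1]))
    return stack

def pam_allowroot(ctx):
    # Only the real UID is consulted; ctx["euid"] is deliberately ignored.
    return ctx["ruid"] == 0

def pam_aix(ctx):
    # Stand-in (assumption): reduces the real module to a password result.
    return ctx["password_ok"]

MODULES = {"pam_allowroot": pam_allowroot, "pam_aix": pam_aix}

def authenticate(stack, ctx):
    """Evaluate a stack; True means the application would see PAM_SUCCESS."""
    required_failed = succeeded = False
    for control, name in stack:
        if MODULES[name](ctx):
            succeeded = True
            if control == "sufficient" and not required_failed:
                return True   # rest of the stack is skipped
        elif control == "requisite":
            return False      # fail immediately
        elif control == "required":
            required_failed = True  # fail, but keep running the stack
        # a failed sufficient or optional module is ignored
    return succeeded and not required_failed

if __name__ == "__main__":
    stack = parse_stack(SU_STACK, "su", "auth")
    for ruid, pw in [(0, False), (1000, False), (1000, True)]:
        ctx = {"ruid": ruid, "euid": 0, "password_ok": pw}
        print(ruid, pw, authenticate(stack, ctx))
```

In this model, a caller with real UID 1000 and effective UID 0 still has to pass pam_aix, and changing pam_allowroot from sufficient to required makes every non-root caller fail regardless of password.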

Supported PAM module types

Authentication
    Returns PAM_SUCCESS if UID of authenticating user is 0.
Account Management
    Returns PAM_SUCCESS if UID of authenticating user is 0.

Options

The pam_allowroot module accepts the following parameters specified as options in the PAM configuration file:

Item      Description
debug     Log debugging information to syslog.
nowarn    Do not display warning messages.

Return Values

Upon successful completion, PAM_SUCCESS is returned. If a failure occurs, a PAM error code will be returned, depending on the actual error.

Location

/usr/lib/security/pam_allowroot