xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-extended/shadow/files/pam.d/su (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593Smuzhiyun#
2*4882a593Smuzhiyun# The PAM configuration file for the Shadow `su' service
3*4882a593Smuzhiyun#
4*4882a593Smuzhiyun
5*4882a593Smuzhiyun# This allows root to su without passwords (normal operation)
6*4882a593Smuzhiyunauth       sufficient pam_rootok.so
7*4882a593Smuzhiyun
8*4882a593Smuzhiyun# Uncomment this to force users to be a member of group root
9*4882a593Smuzhiyun# before they can use `su'. You can also add "group=foo"
10*4882a593Smuzhiyun# to the end of this line if you want to use a group other
11*4882a593Smuzhiyun# than the default "root" (but this may have the side effect of
12*4882a593Smuzhiyun# denying "root" user, unless she's a member of "foo" or explicitly
13*4882a593Smuzhiyun# permitted earlier by e.g. "sufficient pam_rootok.so").
14*4882a593Smuzhiyun# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
15*4882a593Smuzhiyun# auth       required   pam_wheel.so
16*4882a593Smuzhiyun
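17*4882a593Smuzhiyun# Uncomment this if you want wheel members to be able to
18*4882a593Smuzhiyun# su without a password. With "trust", wheel membership alone authenticates the su, to any account including root (there is no root_only here), so treat that group's membership as root-equivalent.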
19*4882a593Smuzhiyun# auth       sufficient pam_wheel.so trust
20*4882a593Smuzhiyun
21*4882a593Smuzhiyun# Uncomment this if you want members of a specific group to not
22*4882a593Smuzhiyun# be allowed to use su at all.
23*4882a593Smuzhiyun# auth       required   pam_wheel.so deny group=nosu
24*4882a593Smuzhiyun
25*4882a593Smuzhiyun# Uncomment and edit /etc/security/time.conf if you need to set
26*4882a593Smuzhiyun# time restrictions on su usage.
27*4882a593Smuzhiyun# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
28*4882a593Smuzhiyun# as well as /etc/porttime)
29*4882a593Smuzhiyun# account    requisite  pam_time.so
30*4882a593Smuzhiyun
31*4882a593Smuzhiyun# This module parses environment configuration file(s)
32*4882a593Smuzhiyun# and also allows you to use an extended config
33*4882a593Smuzhiyun# file /etc/security/pam_env.conf.
34*4882a593Smuzhiyun#
35*4882a593Smuzhiyun# parsing /etc/environment needs "readenv=1"
36*4882a593Smuzhiyunsession       required   pam_env.so readenv=1
37*4882a593Smuzhiyun
38*4882a593Smuzhiyun# Defines the MAIL environment variable
39*4882a593Smuzhiyun# However, userdel also needs MAIL_DIR and MAIL_FILE variables
40*4882a593Smuzhiyun# in /etc/login.defs to make sure that removing a user
41*4882a593Smuzhiyun# also removes the user's mail spool file.
42*4882a593Smuzhiyun# See comments in /etc/login.defs
43*4882a593Smuzhiyun#
44*4882a593Smuzhiyun# "nopen" suppresses the new-mail report when su'ing to another user
45*4882a593Smuzhiyunsession    optional   pam_mail.so nopen
46*4882a593Smuzhiyun
47*4882a593Smuzhiyun# Sets up user limits. To enable this functionality, uncomment the
48*4882a593Smuzhiyun# line below and read /etc/security/limits.conf.
49*4882a593Smuzhiyun# (Replaces the use of /etc/limits in old login)
50*4882a593Smuzhiyun# session    required   pam_limits.so
51*4882a593Smuzhiyun
52*4882a593Smuzhiyun# The standard Unix authentication modules, used with
53*4882a593Smuzhiyun# NIS (man nsswitch) as well as normal /etc/passwd and
54*4882a593Smuzhiyun# /etc/shadow entries.
55*4882a593Smuzhiyunauth       include      common-auth
56*4882a593Smuzhiyunaccount    include      common-account
57*4882a593Smuzhiyunsession    include      common-session