oreilly.comSafari Books Online.Conferences.


PAM Modules
Pages: 1, 2, 3

This module is intended for use with the su program. It restricts access to the superuser account to the wheel group, or to group ID "0" (if there is no wheel group). It only has an auth component. Wheel is the traditional name for the group authorized to su to root.


Use group [name] instead of wheel.
Return PAM_SUCCESS, which allows su without passwords, instead of PAM_IGNORE. This has obvious security implications.
Reverses the module's logic. Use this with the group argument to prohibit certain groups from using su.
Base the module's logic on the uid of a program, rather than of the user.

Session accessories

These are modules that don't affect security, but which make life easier or better for the user or the system administrator.

This module allows the administrator to set resource limits on users. It relies on libpwdb, and on kernel support for resource limits. It should be used as a required session module. is configured in /etc/security/limits.conf. The first entry which matches the user is the one which will apply to that user. The syntax is:

domain	type	item	value
  • domain -- user | @group | *
  • type -- soft | hard | -
  • item -- core | data | fsize | memlock | nofile | rss | stack | cpu | nproc | as | maxlogins | priority
  • value -- value in KB, minutes or # of items

Term expansion:

  • * -- all
  • - -- both
  • fsize -- filesize
  • memlock -- max locked memory address space
  • nofile -- open files
  • rss -- resident set size
  • nproc -- number of processes
  • as -- address space provides the "you have new mail" service to the user. It has both session and auth components, and should be treated as an optional module. Arguments include dir=[directory] (for the mail directory), and quiet (only report if there is new mail, don't report the absence of mail or old mail).

This module creates home directories on the fly for authenticated users, and is particularly useful for batch addition of users. requires the arguments 'skel=[directory]', for a skeleton home directory, and 'umask=[octal mask]'.

Final words

Linux Network Administrator's Guide, 2nd EditionLinux Network Administrator's Guide, 2nd Edition
By Olaf Kirch & Terry Dawson
2nd Edition June 2000
1-56592-400-2, Order Number: 4002
503 pages, $39.95

PAM modules provide flexibility in authentication and session management. See the further reading section, or the PAM manuals on your system, for more information on the modules.

PAM is built into many Linux distributions, including Caldera 1.3, 2.2 and later; Debian 2.2 and later; Turbo Linux 3.6 and later; Red Hat 5.0 and later; and SuSE 6.2 (partial support). FreeBSD supports PAM from version 3.1.

If your system is one of the ones which has built in PAM, you are probably already using many PAM modules. Examine /etc/pam.d or /etc/pam.conf for details of what your system is already doing with PAM.

Further reading

Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: