pam.d_su.qubes 2.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566
  1. #
  2. # The PAM configuration file for the Shadow `su' service
  3. #
  4. # This allows root to su without passwords (normal operation)
  5. auth sufficient pam_rootok.so
  6. # Uncomment this to force users to be a member of group root
  7. # before they can use `su'. You can also add "group=foo"
  8. # to the end of this line if you want to use a group other
  9. # than the default "root" (but this may have side effect of
  10. # denying "root" user, unless she's a member of "foo" or explicitly
  11. # permitted earlier by e.g. "sufficient pam_rootok.so").
  12. # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
  13. # auth required pam_wheel.so
  14. # Uncomment this if you want wheel members to be able to
  15. # su without a password.
  16. # auth sufficient pam_wheel.so trust
  17. # Uncomment this if you want members of a specific group to not
  18. # be allowed to use su at all.
  19. # auth required pam_wheel.so deny group=nosu
  20. # Uncomment and edit /etc/security/time.conf if you need to set
  21. # time restrainst on su usage.
  22. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
  23. # as well as /etc/porttime)
  24. # account requisite pam_time.so
  25. # This module parses environment configuration file(s)
  26. # and also allows you to use an extended config
  27. # file /etc/security/pam_env.conf.
  28. #
  29. # parsing /etc/environment needs "readenv=1"
  30. session required pam_env.so readenv=1
  31. # locale variables are also kept into /etc/default/locale in etch
  32. # reading this file *in addition to /etc/environment* does not hurt
  33. session required pam_env.so readenv=1 envfile=/etc/default/locale
  34. # Defines the MAIL environment variable
  35. # However, userdel also needs MAIL_DIR and MAIL_FILE variables
  36. # in /etc/login.defs to make sure that removing a user
  37. # also removes the user's mail spool file.
  38. # See comments in /etc/login.defs
  39. #
  40. # "nopen" stands to avoid reporting new mail when su'ing to another user
  41. session optional pam_mail.so nopen
  42. # Sets up user limits according to /etc/security/limits.conf
  43. # (Replaces the use of /etc/limits in old login)
  44. session required pam_limits.so
  45. # {{ Qubes specific modifications being here
  46. # Prevent 'su -' from asking for password in Debian [based] templates.
  47. # https://github.com/QubesOS/qubes-issues/issues/1128
  48. # Feel free to comment out the following line.
  49. auth sufficient pam_permit.so
  50. # }} Qubes specific modifications end here
  51. # The standard Unix authentication modules, used with
  52. # NIS (man nsswitch) as well as normal /etc/passwd and
  53. # /etc/shadow entries.
  54. @include common-auth
  55. @include common-account
  56. @include common-session