Home Explore Help
Sign In
Qubes
/
core-agent-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e52f4f1341
Branches Tags
core-agent-linu...
/
passwordless-root
/
debian
/
pam.d_su.qubes

pam.d_su.qubes 2.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. #
    2. 

  2. # The PAM configuration file for the Shadow `su' service
    3. 

  3. #
    4. 

  4. 

  5. # This allows root to su without passwords (normal operation)
    6. 

  6. auth       sufficient pam_rootok.so
    7. 

  7. 

  8. # Uncomment this to force users to be a member of group root
    9. 

  9. # before they can use `su'. You can also add "group=foo"
    10. 

  10. # to the end of this line if you want to use a group other
    11. 

  11. # than the default "root" (but this may have side effect of
    12. 

  12. # denying "root" user, unless she's a member of "foo" or explicitly
    13. 

  13. # permitted earlier by e.g. "sufficient pam_rootok.so").
    14. 

  14. # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
    15. 

  15. # auth       required   pam_wheel.so
    16. 

  16. 

  17. # Uncomment this if you want wheel members to be able to
    18. 

  18. # su without a password.
    19. 

  19. # auth       sufficient pam_wheel.so trust
    20. 

  20. 

  21. # Uncomment this if you want members of a specific group to not
    22. 

  22. # be allowed to use su at all.
    23. 

  23. # auth       required   pam_wheel.so deny group=nosu
    24. 

  24. 

  25. # Uncomment and edit /etc/security/time.conf if you need to set
    26. 

  26. # time restrainst on su usage.
    27. 

  27. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
    28. 

  28. # as well as /etc/porttime)
    29. 

  29. # account    requisite  pam_time.so
    30. 

  30. 

  31. # This module parses environment configuration file(s)
    32. 

  32. # and also allows you to use an extended config
    33. 

  33. # file /etc/security/pam_env.conf.
    34. 

  34. #
    35. 

  35. # parsing /etc/environment needs "readenv=1"
    36. 

  36. session       required   pam_env.so readenv=1
    37. 

  37. # locale variables are also kept into /etc/default/locale in etch
    38. 

  38. # reading this file *in addition to /etc/environment* does not hurt
    39. 

  39. session       required   pam_env.so readenv=1 envfile=/etc/default/locale
    40. 

  40. 

  41. # Defines the MAIL environment variable
    42. 

  42. # However, userdel also needs MAIL_DIR and MAIL_FILE variables
    43. 

  43. # in /etc/login.defs to make sure that removing a user
    44. 

  44. # also removes the user's mail spool file.
    45. 

  45. # See comments in /etc/login.defs
    46. 

  46. #
    47. 

  47. # "nopen" stands to avoid reporting new mail when su'ing to another user
    48. 

  48. session    optional   pam_mail.so nopen
    49. 

  49. 

  50. # Sets up user limits according to /etc/security/limits.conf
    51. 

  51. # (Replaces the use of /etc/limits in old login)
    52. 

  52. session    required   pam_limits.so
    53. 

  53. 

  54. # {{ Qubes specific modifications being here
    55. 

  55. #    Prevent 'su -' from asking for password in Debian [based] templates.
    56. 

  56. #    https://github.com/QubesOS/qubes-issues/issues/1128
    57. 

  57. #    Feel free to comment out the following line.
    58. 

  58. auth sufficient pam_permit.so
    59. 

  59. # }} Qubes specific modifications end here
    60. 

  60. 

  61. # The standard Unix authentication modules, used with
    62. 

  62. # NIS (man nsswitch) as well as normal /etc/passwd and
    63. 

  63. # /etc/shadow entries.
    64. 

  64. @include common-auth
    65. 

  65. @include common-account
    66. 

  66. @include common-session
    67.