1#
2# The PAM configuration file for the Shadow `su' service
3#
4
5# This allows root to su without passwords (normal operation)
6auth       sufficient pam_rootok.so
7
8# Uncomment this to force users to be a member of group root
9# before they can use `su'. You can also add "group=foo"
10# to the end of this line if you want to use a group other
11# than the default "root" (but this may have side effect of
12# denying "root" user, unless she's a member of "foo" or explicitly
13# permitted earlier by e.g. "sufficient pam_rootok.so").
14# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
15# auth       required   pam_wheel.so
16
17# Uncomment this if you want wheel members to be able to
18# su without a password.
19# auth       sufficient pam_wheel.so trust
20
21# Uncomment this if you want members of a specific group to not
22# be allowed to use su at all.
23# auth       required   pam_wheel.so deny group=nosu
24
25# Uncomment and edit /etc/security/time.conf if you need to set
26# time restrainst on su usage.
27# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
28# as well as /etc/porttime)
29# account    requisite  pam_time.so
30
31# This module parses environment configuration file(s)
32# and also allows you to use an extended config
33# file /etc/security/pam_env.conf.
34#
35# parsing /etc/environment needs "readenv=1"
36session       required   pam_env.so readenv=1
37
38# Defines the MAIL environment variable
39# However, userdel also needs MAIL_DIR and MAIL_FILE variables
40# in /etc/login.defs to make sure that removing a user
41# also removes the user's mail spool file.
42# See comments in /etc/login.defs
43#
44# "nopen" stands to avoid reporting new mail when su'ing to another user
45session    optional   pam_mail.so nopen
46
47# Sets up user limits, please uncomment and read /etc/security/limits.conf
48# to enable this functionality.
49# (Replaces the use of /etc/limits in old login)
50# session    required   pam_limits.so
51
52# The standard Unix authentication modules, used with
53# NIS (man nsswitch) as well as normal /etc/passwd and
54# /etc/shadow entries.
55auth       include      common-auth
56account    include      common-account
57session    include      common-session
58