2 # The PAM configuration file for the Shadow `su' service
5 # This allows root to su without passwords (normal operation)
6 auth sufficient pam_rootok.so
8 # Uncomment this to force users to be a member of group root
9 # before they can use `su'. You can also add "group=foo"
10 # to the end of this line if you want to use a group other
11 # than the default "root" (but this may have side effect of
12 # denying "root" user, unless she's a member of "foo" or explicitly
13 # permitted earlier by e.g. "sufficient pam_rootok.so").
14 # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
15 # auth required pam_wheel.so
17 # Uncomment this if you want wheel members to be able to
18 # su without a password.
19 # auth sufficient pam_wheel.so trust
21 # Uncomment this if you want members of a specific group to not
22 # be allowed to use su at all.
23 # auth required pam_wheel.so deny group=nosu
25 # Uncomment and edit /etc/security/time.conf if you need to set
26 # time restrainst on su usage.
27 # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
28 # as well as /etc/porttime)
29 # account requisite pam_time.so
31 # This module parses environment configuration file(s)
32 # and also allows you to use an extended config
33 # file /etc/security/pam_env.conf.
35 # parsing /etc/environment needs "readenv=1"
36 session required pam_env.so readenv=1
37 # locale variables are also kept into /etc/default/locale in etch
38 # reading this file *in addition to /etc/environment* does not hurt
39 session required pam_env.so readenv=1 envfile=/etc/default/locale
41 # Defines the MAIL environment variable
42 # However, userdel also needs MAIL_DIR and MAIL_FILE variables
43 # in /etc/login.defs to make sure that removing a user
44 # also removes the user's mail spool file.
45 # See comments in /etc/login.defs
47 # "nopen" stands to avoid reporting new mail when su'ing to another user
48 session optional pam_mail.so nopen
50 # Sets up user limits, please uncomment and read /etc/security/limits.conf
51 # to enable this functionality.
52 # (Replaces the use of /etc/limits in old login)
53 # session required pam_limits.so
55 # The standard Unix authentication modules, used with
56 # NIS (man nsswitch) as well as normal /etc/passwd and
57 # /etc/shadow entries.
59 @include common-account
60 @include common-session