pam_rootok — Gain only root access

Synopsis [debug]


pam_rootok is a PAM module that authenticates the user if their UID is 0. Applications that are created setuid-root generally retain the UID of the user but run with the authority of an enhanced effective-UID. It is the real UID that is checked.



Print debug information.

Module Types Provided

The auth, acct and password module types are provided.

Return Values


The UID is 0.


The UID is not0.


In the case of the su(1) application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the /etc/pam.d/su configuration file:

# su authentication. Root is granted access by default.
auth  sufficient
auth  required

See Also

su(1), pam.conf(5), pam.d(5), pam(8)


pam_rootok was written by Andrew G. Morgan, <>.


05/18/2017 Linux-PAM Manual