LFCS Question #417: Real Exam Question with Answer & Explanation

Question

On a new Linux system, the root user is being asked to provide the root user password before being able to use the su command. What line in the /etc/pam.d/su file will allow root to use su without supplying passwords?

Options

• Aauth required pam_norootpw.so
• Bauth sufficient pam_norootpw.so
• Cauth required pam_rootok.so
• Dauth sufficient pam_rootok.so

Explanation

To allow the root user to use su without a password, the /etc/pam.d/su file needs to include the pam_rootok.so module with a sufficient control flag.

Common mistakes.

• A. pam_norootpw.so is not a standard or commonly used PAM module for this purpose, and required would still necessitate other authentication methods.
• B. Similar to A, pam_norootpw.so is not the correct PAM module for this functionality.
• C. While pam_rootok.so is the correct module, using required would mean that even if root is successfully authenticated by this module, other required or requisite modules in the stack would still need to succeed, potentially leading to a password prompt.

Concept tested. PAM su configuration for root

Reference. https://manpages.debian.org/unstable/libpam-doc/pam_rootok.8.en.html

No community discussion yet for this question.