From e00b284b2062d80db8eca6bc650cd04768f79158 Mon Sep 17 00:00:00 2001
From: des <des@FreeBSD.org>
Date: Fri, 13 Nov 2009 11:19:26 +0000
Subject: Note that nullok should not be used by processes that can't access
 the password database.

PR:		bin/126650, misc/140514
MFC after:	1 week
---
 lib/libpam/modules/pam_unix/pam_unix.8 | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'lib')

diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8
index eec0e0e..82354d5 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.8
+++ b/lib/libpam/modules/pam_unix/pam_unix.8
@@ -105,6 +105,17 @@ sufficient.
 If the password database has no password for the entity being
 authenticated, then this option will forgo password prompting, and
 silently allow authentication to succeed.
+.Pp
+.Sy NOTE:
+If
+.Nm
+is invoked by a process that does not have the privileges required to
+access the password database (in most cases, this means root
+privileges), the
+.Cm nullok
+option may cause
+.Nm
+to allow any user to log in with any password.
 .It Cm local_pass
 Use only the local password database, even if NIS is in use.
 This will cause an authentication failure if the system is configured
-- 
cgit v1.1