The group service module for PAM accepts or rejects users based on their membership in a particular file group.
The following options may be passed to the
pam_group module:
deny
Reverse the meaning of the test, i.e., reject the applicant if and only if he or she is a member of the specified group. This can be useful to exclude certain groups of users from certain services.
fail_safe
If the specified group does not exist, or has no members, act as if it does exist and the applicant is a member.
group=groupname
Specify the name of the group to check. The default is “wheel”.
root_only
Skip this module entirely if the target account is not the superuser account.
authenticate
The user is asked to authenticate using his own password.