1PAM_EXEC(8)                    Linux-PAM Manual                    PAM_EXEC(8)
2
3
4

NAME

6       pam_exec - PAM module which calls an external command
7

SYNOPSIS

9       pam_exec.so [debug] [expose_authtok] [seteuid] [quiet] [stdout]
10                   [log=file] [type=type] command [...]
11

DESCRIPTION

13       pam_exec is a PAM module that can be used to run an external command.
14
15       The child's environment is set to the current PAM environment list, as
16       returned by pam_getenvlist(3) In addition, the following PAM items are
17       exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE,
18       PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types:
19       account, auth, password, open_session and close_session.
20
21       Commands called by pam_exec need to be aware of that the user can have
22       controll over the environment.
23

OPTIONS

25       debug
26           Print debug information.
27
28       expose_authtok
29           During authentication the calling command can read the password
30           from stdin(3). Only first PAM_MAX_RESP_SIZE bytes of a password are
31           provided to the command.
32
33       log=file
34           The output of the command is appended to file
35
36       type=type
37           Only run the command if the module type matches the given type.
38
39       stdout
40           Per default the output of the executed command is written to
41           /dev/null. With this option, the stdout output of the executed
42           command is redirected to the calling application. It's in the
43           responsibility of this application what happens with the output.
44           The log option is ignored.
45
46       quiet
47           Per default pam_exec.so will echo the exit status of the external
48           command if it fails. Specifying this option will suppress the
49           message.
50
51       seteuid
52           Per default pam_exec.so will execute the external command with the
53           real user ID of the calling process. Specifying this option means
54           the command is run with the effective user ID.
55

MODULE TYPES PROVIDED

57       All module types (auth, account, password and session) are provided.
58

RETURN VALUES

60       PAM_SUCCESS
61           The external command was run successfully.
62
63       PAM_SERVICE_ERR
64           No argument or a wrong number of arguments were given.
65
66       PAM_SYSTEM_ERR
67           A system error occurred or the command to execute failed.
68
69       PAM_IGNORE
70           pam_setcred was called, which does not execute the command. Or, the
71           value given for the type= parameter did not match the module type.
72

EXAMPLES

74       Add the following line to /etc/pam.d/passwd to rebuild the NIS database
75       after each local password change:
76
77                   password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
78
79
80       This will execute the command
81
82           make -C /var/yp
83
84       with effective user ID.
85

SEE ALSO

87       pam.conf(5), pam.d(5), pam(8)
88

AUTHOR

90       pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh
91       Triplett <josh@joshtriplett.org>.
92
93
94
95Linux-PAM Manual                  05/18/2017                       PAM_EXEC(8)
Impressum