1PAM_EXEC(8)                    Linux-PAM Manual                    PAM_EXEC(8)
2
3
4

NAME

6       pam_exec - PAM module which calls an external command
7

SYNOPSIS

9       pam_exec.so [debug] [expose_authtok] [seteuid] [quiet] [stdout]
10                   [log=file] [type=type] command [...]
11

DESCRIPTION

13       pam_exec is a PAM module that can be used to run an external command.
14
15       The child's environment is set to the current PAM environment list, as
16       returned by pam_getenvlist(3) In addition, the following PAM items are
17       exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE,
18       PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types:
19       account, auth, password, open_session and close_session.
20
21       Commands called by pam_exec need to be aware of that the user can have
22       control over the environment.
23

OPTIONS

25       debug
26           Print debug information.
27
28       expose_authtok
29           During authentication the calling command can read the password
30           from stdin(3). Only first PAM_MAX_RESP_SIZE bytes of a password are
31           provided to the command.
32
33       log=file
34           The output of the command is appended to file
35
36       type=type
37           Only run the command if the module type matches the given type.
38
39       stdout
40           Per default the output of the executed command is written to
41           /dev/null. With this option, the stdout output of the executed
42           command is redirected to the calling application. It's in the
43           responsibility of this application what happens with the output.
44           The log option is ignored.
45
46       quiet
47           Per default pam_exec.so will echo the exit status of the external
48           command if it fails. Specifying this option will suppress the
49           message.
50
51       seteuid
52           Per default pam_exec.so will execute the external command with the
53           real user ID of the calling process. Specifying this option means
54           the command is run with the effective user ID.
55

MODULE TYPES PROVIDED

57       All module types (auth, account, password and session) are provided.
58

RETURN VALUES

60       PAM_SUCCESS
61           The external command was run successfully.
62
63       PAM_BUF_ERR
64           Memory buffer error.
65
66       PAM_CONV_ERR
67           The conversation method supplied by the application failed to
68           obtain the username.
69
70       PAM_INCOMPLETE
71           The conversation method supplied by the application returned
72           PAM_CONV_AGAIN.
73
74       PAM_SERVICE_ERR
75           No argument or a wrong number of arguments were given.
76
77       PAM_SYSTEM_ERR
78           A system error occurred or the command to execute failed.
79
80       PAM_IGNORE
81           pam_setcred was called, which does not execute the command. Or, the
82           value given for the type= parameter did not match the module type.
83

EXAMPLES

85       Add the following line to /etc/pam.d/passwd to rebuild the NIS database
86       after each local password change:
87
88                   password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
89
90
91       This will execute the command
92
93           make -C /var/yp
94
95       with effective user ID.
96

SEE ALSO

98       pam.conf(5), pam.d(5), pam(8)
99

AUTHOR

101       pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh
102       Triplett <josh@joshtriplett.org>.
103
104
105
106Linux-PAM Manual                  06/08/2020                       PAM_EXEC(8)
Impressum