1PAM_EXEC(8)                    Linux-PAM Manual                    PAM_EXEC(8)
2
3
4

NAME

6       pam_exec - PAM module which calls an external command
7

SYNOPSIS

9       pam_exec.so [debug] [expose_authtok] [seteuid] [quiet] [quiet_log]
10                   [stdout] [log=file] [type=type] command [...]
11

DESCRIPTION

13       pam_exec is a PAM module that can be used to run an external command.
14
15       The child's environment is set to the current PAM environment list, as
16       returned by pam_getenvlist(3) In addition, the following PAM items are
17       exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE,
18       PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types:
19       account, auth, password, open_session and close_session.
20
21       Commands called by pam_exec need to be aware of that the user can have
22       control over the environment.
23

OPTIONS

25       debug
26           Print debug information.
27
28       expose_authtok
29           During authentication the calling command can read the password
30           from stdin(3). Only first PAM_MAX_RESP_SIZE bytes of a password are
31           provided to the command.
32
33       log=file
34           The output of the command is appended to file
35
36       type=type
37           Only run the command if the module type matches the given type.
38
39       stdout
40           Per default the output of the executed command is written to
41           /dev/null. With this option, the stdout output of the executed
42           command is redirected to the calling application. It's in the
43           responsibility of this application what happens with the output.
44           The log option is ignored.
45
46       quiet
47           Per default pam_exec.so will echo the exit status of the external
48           command if it fails. Specifying this option will suppress the
49           message.
50
51       quiet_log
52           Per default pam_exec.so will log the exit status of the external
53           command if it fails. Specifying this option will suppress the log
54           message.
55
56       seteuid
57           Per default pam_exec.so will execute the external command with the
58           real user ID of the calling process. Specifying this option means
59           the command is run with the effective user ID.
60

MODULE TYPES PROVIDED

62       All module types (auth, account, password and session) are provided.
63

RETURN VALUES

65       PAM_SUCCESS
66           The external command was run successfully.
67
68       PAM_BUF_ERR
69           Memory buffer error.
70
71       PAM_CONV_ERR
72           The conversation method supplied by the application failed to
73           obtain the username.
74
75       PAM_INCOMPLETE
76           The conversation method supplied by the application returned
77           PAM_CONV_AGAIN.
78
79       PAM_SERVICE_ERR
80           No argument or a wrong number of arguments were given.
81
82       PAM_SYSTEM_ERR
83           A system error occurred or the command to execute failed.
84
85       PAM_IGNORE
86           pam_setcred was called, which does not execute the command. Or, the
87           value given for the type= parameter did not match the module type.
88

EXAMPLES

90       Add the following line to /etc/pam.d/passwd to rebuild the NIS database
91       after each local password change:
92
93                   password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
94
95
96       This will execute the command
97
98           make -C /var/yp
99
100       with effective user ID.
101

SEE ALSO

103       pam.conf(5), pam.d(5), pam(8)
104

AUTHOR

106       pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh
107       Triplett <josh@joshtriplett.org>.
108
109
110
111Linux-PAM                         05/07/2023                       PAM_EXEC(8)
Impressum