- <?xml version="1.0" encoding='UTF-8'?>
- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
- <refentry id="pam_exec">
- <refmeta>
- <refentrytitle>pam_exec</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
- <refnamediv id="pam_exec-name">
- <refname>pam_exec</refname>
- <refpurpose>PAM module which calls an external command</refpurpose>
- </refnamediv>
- <refsynopsisdiv>
- <cmdsynopsis id="pam_exec-cmdsynopsis">
- <command>pam_exec.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- expose_authtok
- </arg>
- <arg choice="opt">
- seteuid
- </arg>
- <arg choice="opt">
- quiet
- </arg>
- <arg choice="opt">
- quiet_log
- </arg>
- <arg choice="opt">
- stdout
- </arg>
- <arg choice="opt">
- log=<replaceable>file</replaceable>
- </arg>
- <arg choice="opt">
- type=<replaceable>type</replaceable>
- </arg>
- <arg choice="plain">
- <replaceable>command</replaceable>
- </arg>
- <arg choice="opt">
- <replaceable>...</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
- <refsect1 id="pam_exec-description">
- <title>DESCRIPTION</title>
- <para>
- pam_exec is a PAM module that can be used to run
- an external command.
- </para>
- <para>
- The child's environment is set to the current PAM environment list, as
- returned by
- <citerefentry>
- <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- In addition, the following PAM items are
- exported as environment variables: <emphasis>PAM_RHOST</emphasis>,
- <emphasis>PAM_RUSER</emphasis>, <emphasis>PAM_SERVICE</emphasis>,
- <emphasis>PAM_TTY</emphasis>, <emphasis>PAM_USER</emphasis> and
- <emphasis>PAM_TYPE</emphasis>, which contains one of the module
- types: <option>account</option>, <option>auth</option>,
- <option>password</option>, <option>open_session</option> and
- <option>close_session</option>.
- </para>
- <para>
- Commands called by pam_exec need to be aware that the user
- can have control over the environment.
- </para>
- </refsect1>
- <refsect1 id="pam_exec-options">
- <title>OPTIONS</title>
- <para>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>expose_authtok</option>
- </term>
- <listitem>
- <para>
- During authentication the called command can read
- the password from <citerefentry>
- <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>. Only the first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
- bytes of a password are provided to the command.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>log=<replaceable>file</replaceable></option>
- </term>
- <listitem>
- <para>
- The output of the command is appended to
- <filename>file</filename>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>type=<replaceable>type</replaceable></option>
- </term>
- <listitem>
- <para>
- Only run the command if the module type matches the given type.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>stdout</option>
- </term>
- <listitem>
- <para>
- By default the output of the executed command is written to <filename>/dev/null</filename>. With this option, the stdout output of the executed command is redirected to the calling application. It is the responsibility of that application to decide what happens with the output. The <option>log</option> option is ignored.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>quiet</option>
- </term>
- <listitem>
- <para>
- By default pam_exec.so will echo the exit status of the
- external command if it fails.
- Specifying this option will suppress the message.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>quiet_log</option>
- </term>
- <listitem>
- <para>
- By default pam_exec.so will log the exit status of the
- external command if it fails.
- Specifying this option will suppress the log message.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>seteuid</option>
- </term>
- <listitem>
- <para>
- By default pam_exec.so will execute the external command
- with the real user ID of the calling process.
- Specifying this option means the command is run
- with the effective user ID.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
- </refsect1>
- <refsect1 id="pam_exec-types">
- <title>MODULE TYPES PROVIDED</title>
- <para>
- All module types (<option>auth</option>, <option>account</option>,
- <option>password</option> and <option>session</option>) are provided.
- </para>
- </refsect1>
- <refsect1 id='pam_exec-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The external command was run successfully.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_CONV_ERR</term>
- <listitem>
- <para>
- The conversation method supplied by the application
- failed to obtain the username.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_INCOMPLETE</term>
- <listitem>
- <para>
- The conversation method supplied by the application
- returned PAM_CONV_AGAIN.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- No argument or a wrong number of arguments were given.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SYSTEM_ERR</term>
- <listitem>
- <para>
- A system error occurred or the command to execute failed.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- <function>pam_setcred</function> was called, which
- does not execute the command, or the value given for the type=
- parameter did not match the module type.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
- </refsect1>
- <refsect1 id='pam_exec-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/passwd</filename> to
- rebuild the NIS database after each local password change:
- <programlisting>
- password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
- </programlisting>
- This will execute the command
- <programlisting>make -C /var/yp</programlisting>
- with the effective user ID.
- </para>
- </refsect1>
- <refsect1 id='pam_exec-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
- <refsect1 id='pam_exec-author'>
- <title>AUTHOR</title>
- <para>
- pam_exec was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt; and
- Josh Triplett &lt;josh@joshtriplett.org&gt;.
- </para>
- </refsect1>
- </refentry>
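
The DESCRIPTION warns that the user can control the environment a pam_exec command inherits. As an added example (not part of the Linux-PAM sources), here is a hypothetical session helper that resets that environment and validates the exported PAM items before logging them. The script path, the account-name policy and the `pam-audit` log tag are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, referenced from a PAM service file as:
#   session optional pam_exec.so /usr/local/sbin/pam-audit.sh
# Constructed example; path, name policy and log tag are assumptions.

# Replace inherited, possibly user-influenced settings with fixed values.
harden_env() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    LC_ALL=C
    export PATH LC_ALL
    # Keep these from reaching any child process the helper starts.
    unset IFS ENV BASH_ENV CDPATH LD_PRELOAD LD_LIBRARY_PATH
    umask 077
}

# Accept only the PAM_TYPE values listed in the man page.
valid_pam_type() {
    case "$1" in
        account|auth|password|open_session|close_session) return 0 ;;
        *) return 1 ;;
    esac
}

# Conservative account-name policy (assumption): non-empty, no leading "-",
# only letters, digits, dot, underscore and hyphen.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Drop every byte outside a small safe set, so a crafted value cannot
# inject newlines or extra key=value pairs into the log record.
clean() { printf '%s' "$1" | tr -cd 'A-Za-z0-9.:_-'; }

# Build one log record from the exported PAM items, or fail.
format_event() {
    valid_pam_type "${PAM_TYPE:-}" || return 1
    valid_name "${PAM_USER:-}" || return 1
    rhost=$(clean "${PAM_RHOST:-}")
    printf 'type=%s service=%s user=%s rhost=%s\n' \
        "$PAM_TYPE" "$(clean "${PAM_SERVICE:-}")" "$PAM_USER" "${rhost:-local}"
}

main() {
    harden_env
    event=$(format_event) || { logger -t pam-audit "rejected PAM items"; exit 1; }
    logger -t pam-audit "$event"
}

# Run only when started by pam_exec, which always exports PAM_TYPE.
if [ -n "${PAM_TYPE:-}" ]; then main; fi
```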