1.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc. 2.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav 3.\" Copyright (c) 2018 Thomas Munro 4.\" All rights reserved. 5.\" 6.\" Portions of this software were developed for the FreeBSD Project by 7.\" ThinkSec AS and NAI Labs, the Security Research Division of Network 8.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 9.\" ("CBOSS"), as part of the DARPA CHATS research program. 10.\" 11.\" Redistribution and use in source and binary forms, with or without 12.\" modification, are permitted provided that the following conditions 13.\" are met: 14.\" 1. Redistributions of source code must retain the above copyright 15.\" notice, this list of conditions and the following disclaimer. 16.\" 2. Redistributions in binary form must reproduce the above copyright 17.\" notice, this list of conditions and the following disclaimer in the 18.\" documentation and/or other materials provided with the distribution. 19.\" 3. The name of the author may not be used to endorse or promote 20.\" products derived from this software without specific prior written 21.\" permission. 22.\" 23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33.\" SUCH DAMAGE. 34.\" 35.Dd May 24, 2019 36.Dt PAM_EXEC 8 37.Os 38.Sh NAME 39.Nm pam_exec 40.Nd Exec PAM module 41.Sh SYNOPSIS 42.Op Ar service-name 43.Ar module-type 44.Ar control-flag 45.Pa pam_exec 46.Op Ar arguments 47.Sh DESCRIPTION 48The exec service module for PAM executes the program designated by 49its first argument if no options are specified, with its remaining 50arguments as command-line arguments. 51If options are specified, the program and its arguments follow the last 52option or 53.Cm -- 54if the program name conflicts with an option name. 55.Pp 56The following options may be passed before the program and its 57arguments: 58.Bl -tag -width indent 59.It Cm capture_stderr 60Capture text printed by the program to its standard error stream and 61pass it to the conversation function as error messages. 62No attempt is made at buffering the text, so results may vary. 63.It Cm capture_stdout 64Capture text printed by the program to its standard output stream and 65pass it to the conversation function as informational messages. 66No attempt is made at buffering the text, so results may vary. 67.It Cm debug 68Ignored for compatibility reasons. 69.It Cm no_warn 70Ignored for compatibility reasons. 71.It Cm return_prog_exit_status 72Use the program exit status as the return code of the pam_sm_* function. 73It must be a valid return value for this function. 74.It Cm expose_authtok 75Write the authentication token to the program's standard input stream, 76followed by a NUL character. 77Ignored for 78.Fn pam_sm_setcred . 79.It Cm use_first_pass 80If 81.Cm expose_authtok 82was specified, do not prompt for an authentication token if one is not 83already available. 84.It Cm -- 85Stop options parsing; 86program and its arguments follow. 87.El 88.Pp 89The child's environment is set to the current PAM environment list, 90as returned by 91.Xr pam_getenvlist 3 . 92In addition, the following PAM items are exported as environment 93variables: 94.Ev PAM_RHOST , 95.Ev PAM_RUSER , 96.Ev PAM_SERVICE , 97.Ev PAM_SM_FUNC , 98.Ev PAM_TTY 99and 100.Ev PAM_USER . 101.Pp 102The 103.Ev PAM_SM_FUNC 104variable contains the name of the PAM service module function being 105called. 106It may be: 107.Bl -dash -offset indent -compact 108.It 109pam_sm_acct_mgmt 110.It 111pam_sm_authenticate 112.It 113pam_sm_chauthtok 114.It 115pam_sm_close_session 116.It 117pam_sm_open_session 118.It 119pam_sm_setcred 120.El 121.Pp 122If 123.Cm return_prog_exit_status 124is not set (default), the 125.Ev PAM_SM_FUNC 126function returns 127.Er PAM_SUCCESS 128if the program exit status is 0, 129.Er PAM_PERM_DENIED 130otherwise. 131.Pp 132If 133.Cm return_prog_exit_status 134is set, the program exit status is used. 135It should be 136.Er PAM_SUCCESS 137or one of the error codes allowed by the calling 138.Ev PAM_SM_FUNC 139function. 140The valid codes are documented in each function man page. 141If the exit status is not a valid return code, 142.Er PAM_SERVICE_ERR 143is returned. 144Each valid codes numerical value is available as an environment variable 145(eg.\& 146.Ev PAM_SUCESS , 147.Ev PAM_USER_UNKNOWN , 148etc). 149This is useful in shell scripts for instance. 150.Sh SEE ALSO 151.Xr pam_get_item 3 , 152.Xr pam.conf 5 , 153.Xr pam 3 , 154.Xr pam_sm_acct_mgmt 3 , 155.Xr pam_sm_authenticate 3 , 156.Xr pam_sm_chauthtok 3 , 157.Xr pam_sm_close_session 3 , 158.Xr pam_sm_open_session 3 , 159.Xr pam_sm_setcred 3 160.Sh AUTHORS 161The 162.Nm 163module and this manual page were developed for the 164.Fx 165Project by 166ThinkSec AS and NAI Labs, the Security Research Division of Network 167Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 168.Pq Dq CBOSS , 169as part of the DARPA CHATS research program. 170