xref: /freebsd/lib/libpam/modules/pam_exec/pam_exec.8 (revision 035dd78d30ba28a3dc15c05ec85ad10127165677)
.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc.
.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav
.\" Copyright (c) 2018 Thomas Munro
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 24, 2019
.Dt PAM_EXEC 8
.Os
.Sh NAME
.Nm pam_exec
.Nd Exec PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_exec
.Op Ar arguments
.Sh DESCRIPTION
The exec service module for PAM executes the program designated by
its first argument if no options are specified, with its remaining
arguments as command-line arguments.
If options are specified, the program and its arguments follow the last
option or
.Cm --
if the program name conflicts with an option name.
.Pp
The following options may be passed before the program and its
arguments:
.Bl -tag -width indent
.It Cm capture_stderr
Capture text printed by the program to its standard error stream and
pass it to the conversation function as error messages.
No attempt is made at buffering the text, so results may vary.
.It Cm capture_stdout
Capture text printed by the program to its standard output stream and
pass it to the conversation function as informational messages.
No attempt is made at buffering the text, so results may vary.
.It Cm debug
Ignored for compatibility reasons.
.It Cm no_warn
Ignored for compatibility reasons.
.It Cm return_prog_exit_status
Use the program exit status as the return code of the pam_sm_* function.
It must be a valid return value for this function.
.It Cm expose_authtok
Write the authentication token to the program's standard input stream,
followed by a NUL character.
Ignored for
.Fn pam_sm_setcred .
.It Cm use_first_pass
If
.Cm expose_authtok
was specified, do not prompt for an authentication token if one is not
already available.
.It Cm --
Stop options parsing;
program and its arguments follow.
.El
.Pp
The child's environment is set to the current PAM environment list,
as returned by
.Xr pam_getenvlist 3 .
In addition, the following PAM items are exported as environment
variables:
.Ev PAM_RHOST ,
.Ev PAM_RUSER ,
.Ev PAM_SERVICE ,
.Ev PAM_SM_FUNC ,
.Ev PAM_TTY
and
.Ev PAM_USER .
.Pp
The
.Ev PAM_SM_FUNC
variable contains the name of the PAM service module function being
called.
It may be:
.Bl -dash -offset indent -compact
.It
pam_sm_acct_mgmt
.It
pam_sm_authenticate
.It
pam_sm_chauthtok
.It
pam_sm_close_session
.It
pam_sm_open_session
.It
pam_sm_setcred
.El
.Pp
If
.Cm return_prog_exit_status
is not set (default), the
.Ev PAM_SM_FUNC
function returns
.Er PAM_SUCCESS
if the program exit status is 0,
.Er PAM_PERM_DENIED
otherwise.
.Pp
If
.Cm return_prog_exit_status
is set, the program exit status is used.
It should be
.Er PAM_SUCCESS
or one of the error codes allowed by the calling
.Ev PAM_SM_FUNC
function.
The valid codes are documented in each function man page.
If the exit status is not a valid return code,
.Er PAM_SERVICE_ERR
is returned.
Each valid code's numerical value is available as an environment variable
(e.g.,\&
.Ev PAM_SUCCESS ,
.Ev PAM_USER_UNKNOWN ,
etc.).
This is useful in shell scripts, for instance.
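.Pp
The helper script below is an added example and is not part of the FreeBSD sources.
It shows an account check meant to run with return_prog_exit_status: it dispatches on PAM_SM_FUNC, treats PAM_USER as untrusted input, and returns PAM codes through the exported variables.
The allowlist path, the install path in the comment and the fallback status 255 are assumptions.

```shell
#!/bin/sh
# Added example: account check run by pam_exec with return_prog_exit_status.
# Hypothetical policy line (the install path is an assumption):
#   account required pam_exec return_prog_exit_status /usr/local/libexec/pam_acct_check
LC_ALL=C; export LC_ALL   # keep the character ranges below ASCII-only
# Hypothetical allowlist file, one login name per line.
ALLOWLIST=${ALLOWLIST:-/usr/local/etc/pam_acct_allow}

# pam_code NAME: print the number pam_exec exported as PAM_NAME.
# If it is missing or not numeric, print 255 (assumed fallback) so the
# exit status can never be read as PAM_SUCCESS (0).
pam_code() {
    v=$(printenv "PAM_$1" 2>/dev/null) || v=
    case $v in
        ''|*[!0-9]*) echo 255 ;;
        *) echo "$v" ;;
    esac
}

# valid_login NAME: PAM_USER originates from the client, so accept only a
# conservative character set and no leading dash before using it.
valid_login() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# decide: print the PAM return code for this invocation.
decide() {
    case ${PAM_SM_FUNC:-} in
        pam_sm_acct_mgmt) ;;
        *) pam_code SERVICE_ERR; return ;;   # wired to the wrong facility
    esac
    if ! valid_login "${PAM_USER:-}"; then
        pam_code USER_UNKNOWN; return
    fi
    # -F: no regex, -x: whole line only, --: name is never parsed as an option
    if grep -Fqx -- "$PAM_USER" "$ALLOWLIST" 2>/dev/null; then
        pam_code SUCCESS
    else
        pam_code PERM_DENIED             # also covers a missing allowlist
    fi
}

# pam_exec always sets PAM_SM_FUNC; do nothing when run by hand.
if [ -n "${PAM_SM_FUNC:-}" ]; then
    exit "$(decide)"
fi
```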
.Sh SEE ALSO
.Xr pam_get_item 3 ,
.Xr pam.conf 5 ,
.Xr pam 3 ,
.Xr pam_sm_acct_mgmt 3 ,
.Xr pam_sm_authenticate 3 ,
.Xr pam_sm_chauthtok 3 ,
.Xr pam_sm_close_session 3 ,
.Xr pam_sm_open_session 3 ,
.Xr pam_sm_setcred 3
.Sh AUTHORS
The
.Nm
module and this manual page were developed for the
.Fx
Project by
ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.