.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc.
.\" Copyright (c) 2017 Dag-Erling Smørgrav
.\" Copyright (c) 2018 Thomas Munro
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd August 14, 2018
.Dt PAM_EXEC 8
.Os
.Sh NAME
.Nm pam_exec
.Nd Exec PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_exec
.Op Ar arguments
.Sh DESCRIPTION
The exec service module for PAM executes the program designated by
its first argument if no options are specified, with its remaining
arguments as command-line arguments.
If options are specified, the program and its arguments follow the last
option or
.Cm --
if the program name conflicts with an option name.
.Pp
The following options may be passed before the program and its
arguments:
.Bl -tag -width indent
.It Cm capture_stderr
Capture text printed by the program to its standard error stream and
pass it to the conversation function as error messages.
No attempt is made at buffering the text, so results may vary.
.It Cm capture_stdout
Capture text printed by the program to its standard output stream and
pass it to the conversation function as informational messages.
No attempt is made at buffering the text, so results may vary.
.It Cm debug
Ignored for compatibility reasons.
.It Cm no_warn
Ignored for compatibility reasons.
.It Cm return_prog_exit_status
Use the program exit status as the return code of the pam_sm_* function.
It must be a valid return value for this function.
.It Cm expose_authtok
Write the authentication token to the program's standard input stream.
.It Cm --
Stop options parsing;
program and its arguments follow.
.El
.Pp
The child's environment is set to the current PAM environment list,
as returned by
.Xr pam_getenvlist 3 .
In addition, the following PAM items are exported as environment
variables:
.Ev PAM_RHOST ,
.Ev PAM_RUSER ,
.Ev PAM_SERVICE ,
.Ev PAM_SM_FUNC ,
.Ev PAM_TTY
and
.Ev PAM_USER .
.Pp
The
.Ev PAM_SM_FUNC
variable contains the name of the PAM service module function being
called.
It may be:
.Bl -dash -offset indent -compact
.It
pam_sm_acct_mgmt
.It
pam_sm_authenticate
.It
pam_sm_chauthtok
.It
pam_sm_close_session
.It
pam_sm_open_session
.It
pam_sm_setcred
.El
.Pp
If
.Cm return_prog_exit_status
is not set (default), the
.Ev PAM_SM_FUNC
function returns
.Er PAM_SUCCESS
if the program exit status is 0,
.Er PAM_PERM_DENIED
otherwise.
.Pp
If
.Cm return_prog_exit_status
is set, the program exit status is used.
It should be
.Er PAM_SUCCESS
or one of the error codes allowed by the calling
.Ev PAM_SM_FUNC
function.
The valid codes are documented in each function man page.
If the exit status is not a valid return code,
.Er PAM_SERVICE_ERR
is returned.
Each valid code's numerical value is available as an environment variable
(e.g.\&
.Ev PAM_SUCCESS ,
.Ev PAM_USER_UNKNOWN ,
etc).
This is useful in shell scripts, for instance.
.Sh SEE ALSO
.Xr pam_get_item 3 ,
.Xr pam.conf 5 ,
.Xr pam 8 ,
.Xr pam_sm_acct_mgmt 8 ,
.Xr pam_sm_authenticate 8 ,
.Xr pam_sm_chauthtok 8 ,
.Xr pam_sm_close_session 8 ,
.Xr pam_sm_open_session 8 ,
.Xr pam_sm_setcred 8
.Sh AUTHORS
The
.Nm
module and this manual page were developed for the
.Fx
Project by
ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
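.Sh EXAMPLES
The following script is an added example; it is not part of the original manual page or of the FreeBSD sources.
It shows a program run by pam_exec with return_prog_exit_status that reads PAM_SM_FUNC and PAM_USER and answers with the exported PAM_SUCCESS and PAM_USER_UNKNOWN values, failing closed on anything it cannot judge.
The script path, the allow-list file and the pam.d line in its comments are assumptions.

```shell
#!/bin/sh
# Added example: program for pam_exec(8) used with return_prog_exit_status.
# Assumed pam.d line (script path and allow-list path are hypothetical):
#   account required pam_exec.so return_prog_exit_status /usr/local/libexec/pam_allow.sh
ALLOW_FILE="${ALLOW_FILE:-/usr/local/etc/pam_allow.list}"  # one login name per line

# Status for anything this script refuses to judge. It is non-zero, so it is
# never PAM_SUCCESS; a status not valid for the caller becomes PAM_SERVICE_ERR.
FAIL_CLOSED=1

pam_check() {
    # The numeric return codes are exported by pam_exec; refuse without them.
    for code in "${PAM_SUCCESS:-}" "${PAM_USER_UNKNOWN:-}"; do
        case "$code" in
            ''|*[!0-9]*) return "$FAIL_CLOSED" ;;
        esac
    done

    # Answer account-management requests only; every other function fails.
    [ "${PAM_SM_FUNC:-}" = "pam_sm_acct_mgmt" ] || return "$FAIL_CLOSED"
    [ -r "$ALLOW_FILE" ] || return "$FAIL_CLOSED"

    # PAM_USER is chosen by whoever is logging in: accept a conservative
    # character set and never pass it through eval or an unquoted expansion.
    case "${PAM_USER:-}" in
        ''|*[!A-Za-z0-9._-]*) return "$PAM_USER_UNKNOWN" ;;
    esac

    # -F -x: fixed-string, whole-line match, so "ali" does not match "alice".
    if grep -Fxq -- "$PAM_USER" "$ALLOW_FILE"; then
        return "$PAM_SUCCESS"
    fi
    return "$PAM_USER_UNKNOWN"
}

# pam_exec always exports PAM_SM_FUNC. Without it the file only defines
# pam_check (for sourcing in tests) and no PAM stack is reading the status.
if [ -n "${PAM_SM_FUNC+set}" ]; then
    pam_check
    exit $?
fi
```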