.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc.
.\" Copyright (c) 2017-2019 Dag-Erling Smørgrav
.\" Copyright (c) 2018 Thomas Munro
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 24, 2019
.Dt PAM_EXEC 8
.Os
.Sh NAME
.Nm pam_exec
.Nd Exec PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_exec
.Op Ar arguments
.Sh DESCRIPTION
The exec service module for PAM executes the program designated by
its first argument if no options are specified, with its remaining
arguments as command-line arguments.
If options are specified, the program and its arguments follow the last
option or
.Cm --
if the program name conflicts with an option name.
.Pp
The following options may be passed before the program and its
arguments:
.Bl -tag -width indent
.It Cm capture_stderr
Capture text printed by the program to its standard error stream and
pass it to the conversation function as error messages.
No attempt is made at buffering the text, so results may vary.
.It Cm capture_stdout
Capture text printed by the program to its standard output stream and
pass it to the conversation function as informational messages.
No attempt is made at buffering the text, so results may vary.
.It Cm debug
Ignored for compatibility reasons.
.It Cm no_warn
Ignored for compatibility reasons.
.It Cm return_prog_exit_status
Use the program exit status as the return code of the pam_sm_* function.
It must be a valid return value for this function.
.It Cm expose_authtok
Write the authentication token to the program's standard input stream,
followed by a NUL character.
Ignored for
.Fn pam_sm_setcred .
.It Cm use_first_pass
If
.Cm expose_authtok
was specified, do not prompt for an authentication token if one is not
already available.
.It Cm --
Stop options parsing;
program and its arguments follow.
.El
.Pp
The child's environment is set to the current PAM environment list,
as returned by
.Xr pam_getenvlist 3 .
In addition, the following PAM items are exported as environment
variables:
.Ev PAM_RHOST ,
.Ev PAM_RUSER ,
.Ev PAM_SERVICE ,
.Ev PAM_SM_FUNC ,
.Ev PAM_TTY
and
.Ev PAM_USER .
.Pp
The
.Ev PAM_SM_FUNC
variable contains the name of the PAM service module function being
called.
It may be:
.Bl -dash -offset indent -compact
.It
pam_sm_acct_mgmt
.It
pam_sm_authenticate
.It
pam_sm_chauthtok
.It
pam_sm_close_session
.It
pam_sm_open_session
.It
pam_sm_setcred
.El
.Pp
If
.Cm return_prog_exit_status
is not set (default), the
.Ev PAM_SM_FUNC
function returns
.Er PAM_SUCCESS
if the program exit status is 0,
.Er PAM_PERM_DENIED
otherwise.
.Pp
If
.Cm return_prog_exit_status
is set, the program exit status is used.
It should be
.Er PAM_SUCCESS
or one of the error codes allowed by the calling
.Ev PAM_SM_FUNC
function.
The valid codes are documented in each function man page.
If the exit status is not a valid return code,
.Er PAM_SERVICE_ERR
is returned.
Each valid code's numerical value is available as an environment variable
(e.g.\&
.Ev PAM_SUCCESS ,
.Ev PAM_USER_UNKNOWN ,
etc).
This is useful in shell scripts, for instance.
.Sh SEE ALSO
.Xr pam_get_item 3 ,
.Xr pam.conf 5 ,
.Xr pam 3 ,
.Xr pam_sm_acct_mgmt 3 ,
.Xr pam_sm_authenticate 3 ,
.Xr pam_sm_chauthtok 3 ,
.Xr pam_sm_close_session 3 ,
.Xr pam_sm_open_session 3 ,
.Xr pam_sm_setcred 3
.Sh AUTHORS
The
.Nm
module and this manual page were developed for the
.Fx
Project by
ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
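.Sh EXAMPLES
The following account-phase hook is an added example, not part of the
original manual page or of the
.Nm
sources.
It dispatches on
.Ev PAM_SM_FUNC
and exits with the numeric codes exported when
.Cm return_prog_exit_status
is set.
The script path, the
.Ev DENY_FILE
deny list and the choice of return codes are assumptions.

```sh
#!/bin/sh
# Added example: account-phase hook run by pam_exec. Assumed pam.d entry
# (the script path is hypothetical):
#   account required pam_exec.so return_prog_exit_status /usr/local/libexec/pam_deny_hook
# DENY_FILE is a hypothetical deny list, one login name per line.
DENY_FILE="${DENY_FILE:-/usr/local/etc/pam_deny.list}"

# Return, as the function status, the numeric value pam_exec exported for
# the PAM code named in $1. If the variable is missing or not a number
# (code not valid for this function, or script run by hand), return 1 so
# that a lookup failure can never be mistaken for success.
pam_code() {
    eval "_v=\${$1:-}"
    case "$_v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return "$_v"
}

acct_hook() {
    # Handle only the account phase; any other caller is a misconfiguration.
    [ "${PAM_SM_FUNC:-}" = pam_sm_acct_mgmt ] || { pam_code PAM_SERVICE_ERR; return; }
    # PAM_USER comes from the login attempt: accept a conservative name shape only.
    case "${PAM_USER:-}" in
        ''|-*|*[!A-Za-z0-9._-]*) pam_code PAM_USER_UNKNOWN; return ;;
    esac
    # An unreadable list must not silently allow everyone: fail closed.
    [ -r "$DENY_FILE" ] || { pam_code PAM_SERVICE_ERR; return; }
    # Fixed-string, whole-line match: the name is never treated as a pattern.
    if grep -qxF -e "$PAM_USER" "$DENY_FILE"; then
        pam_code PAM_PERM_DENIED; return
    fi
    pam_code PAM_SUCCESS
}

# Run only when started by pam_exec, which sets PAM_SM_FUNC; otherwise the
# file just defines the functions (for sourcing in a test).
if [ -n "${PAM_SM_FUNC:-}" ]; then
    acct_hook
    exit $?
fi
```

Without
.Cm return_prog_exit_status ,
the same script still fails closed, since every non-zero exit status becomes
.Er PAM_PERM_DENIED .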