summaryrefslogtreecommitdiffstats
path: root/modules/pam_exec/pam_exec.8.xml
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_exec/pam_exec.8.xml')
-rw-r--r--modules/pam_exec/pam_exec.8.xml303
1 files changed, 303 insertions, 0 deletions
diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
new file mode 100644
index 0000000..1f21733
--- /dev/null
+++ b/modules/pam_exec/pam_exec.8.xml
@@ -0,0 +1,303 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_exec">
+
+ <refmeta>
+ <refentrytitle>pam_exec</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_exec-name">
+ <refname>pam_exec</refname>
+ <refpurpose>PAM module which calls an external command</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_exec-cmdsynopsis">
+ <command>pam_exec.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ expose_authtok
+ </arg>
+ <arg choice="opt">
+ seteuid
+ </arg>
+ <arg choice="opt">
+ quiet
+ </arg>
+ <arg choice="opt">
+ stdout
+ </arg>
+ <arg choice="opt">
+ log=<replaceable>file</replaceable>
+ </arg>
+ <arg choice="opt">
+ type=<replaceable>type</replaceable>
+ </arg>
+ <arg choice="plain">
+ <replaceable>command</replaceable>
+ </arg>
+ <arg choice="opt">
+ <replaceable>...</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_exec-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ pam_exec is a PAM module that can be used to run
+ an external command.
+ </para>
+
+ <para>
+ The child's environment is set to the current PAM environment list, as
+ returned by
+ <citerefentry>
+ <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ In addition, the following PAM items are
+ exported as environment variables: <emphasis>PAM_RHOST</emphasis>,
+ <emphasis>PAM_RUSER</emphasis>, <emphasis>PAM_SERVICE</emphasis>,
+ <emphasis>PAM_TTY</emphasis>, <emphasis>PAM_USER</emphasis> and
+ <emphasis>PAM_TYPE</emphasis>, which contains one of the module
+ types: <option>account</option>, <option>auth</option>,
+ <option>password</option>, <option>open_session</option> and
+ <option>close_session</option>.
+ </para>
+
+ <para>
+ Commands called by pam_exec need to be aware of that the user
+ can have control over the environment.
+ </para>
+
+ </refsect1>
+
+ <refsect1 id="pam_exec-options">
+
+ <title>OPTIONS</title>
+ <para>
+ <variablelist>
+
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Print debug information.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>expose_authtok</option>
+ </term>
+ <listitem>
+ <para>
+ During authentication the calling command can read
+ the password from <citerefentry>
+ <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
+ bytes of a password are provided to the command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>log=<replaceable>file</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The output of the command is appended to
+ <filename>file</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>type=<replaceable>type</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Only run the command if the module type matches the given type.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>stdout</option>
+ </term>
+ <listitem>
+ <para>
+ Per default the output of the executed command is written to <filename>/dev/null</filename>. With this option, the stdout output of the executed command is redirected to the calling application. It's in the responsibility of this application what happens with the output. The <option>log</option> option is ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>quiet</option>
+ </term>
+ <listitem>
+ <para>
+ Per default pam_exec.so will echo the exit status of the
+ external command if it fails.
+ Specifying this option will suppress the message.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>seteuid</option>
+ </term>
+ <listitem>
+ <para>
+ Per default pam_exec.so will execute the external command
+ with the real user ID of the calling process.
+ Specifying this option means the command is run
+ with the effective user ID.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_exec-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ All module types (<option>auth</option>, <option>account</option>,
+ <option>password</option> and <option>session</option>) are provided.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_exec-return_values'>
+ <title>RETURN VALUES</title>
+ <para>
+ <variablelist>
+
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ The external command was run successfully.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_BUF_ERR</term>
+ <listitem>
+ <para>
+ Memory buffer error.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_CONV_ERR</term>
+ <listitem>
+ <para>
+ The conversation method supplied by the application
+ failed to obtain the username.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_INCOMPLETE</term>
+ <listitem>
+ <para>
+ The conversation method supplied by the application
+ returned PAM_CONV_AGAIN.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_SERVICE_ERR</term>
+ <listitem>
+ <para>
+ No argument or a wrong number of arguments were given.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_SYSTEM_ERR</term>
+ <listitem>
+ <para>
+ A system error occurred or the command to execute failed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ <function>pam_setcred</function> was called, which
+ does not execute the command. Or, the value given for the type=
+ parameter did not match the module type.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_exec-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ Add the following line to <filename>/etc/pam.d/passwd</filename> to
+ rebuild the NIS database after each local password change:
+ <programlisting>
+ password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
+ </programlisting>
+
+ This will execute the command
+ <programlisting>make -C /var/yp</programlisting>
+ with effective user ID.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_exec-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_exec-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_exec was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt; and
+ Josh Triplett &lt;josh@joshtriplett.org&gt;.
+ </para>
+ </refsect1>
+
+</refentry>