Diffstat
-rw-r--r-- | modules/pam_exec/pam_exec.8 | 188 |
-rw-r--r-- | modules/pam_exec/pam_exec.8.xml | 319 |
2 files changed, 507 insertions, 0 deletions
diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8 new file mode 100644 index 0000000..7108791 --- /dev/null +++ b/modules/pam_exec/pam_exec.8 
@@ -0,0 +1,188 @@ +'\" t +.\" Title: pam_exec +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_EXEC" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_exec \- PAM module which calls an external command +.SH "SYNOPSIS" +.HP \w'\fBpam_exec\&.so\fR\ 'u +\fBpam_exec\&.so\fR [debug] [expose_authtok] [seteuid] [quiet] [quiet_log] [stdout] [log=\fIfile\fR] [type=\fItype\fR] \fIcommand\fR [\fI\&.\&.\&.\fR] +.SH "DESCRIPTION" +.PP +pam_exec is a PAM module that can be used to run an external command\&. 
+.PP +The child\*(Aqs environment is set to the current PAM environment list, as returned by +\fBpam_getenvlist\fR(3) +In addition, the following PAM items are exported as environment variables: +\fIPAM_RHOST\fR, +\fIPAM_RUSER\fR, +\fIPAM_SERVICE\fR, +\fIPAM_TTY\fR, +\fIPAM_USER\fR +and +\fIPAM_TYPE\fR, which contains one of the module types: +\fBaccount\fR, +\fBauth\fR, +\fBpassword\fR, +\fBopen_session\fR +and +\fBclose_session\fR\&. +.PP +Commands called by pam_exec need to be aware of that the user can have control over the environment\&. +.SH "OPTIONS" +.PP +.PP +\fBdebug\fR +.RS 4 +Print debug information\&. +.RE +.PP +\fBexpose_authtok\fR +.RS 4 +During authentication the calling command can read the password from +\fBstdin\fR(3)\&. Only first +\fIPAM_MAX_RESP_SIZE\fR +bytes of a password are provided to the command\&. +.RE +.PP +\fBlog=\fR\fB\fIfile\fR\fR +.RS 4 +The output of the command is appended to +file +.RE +.PP +\fBtype=\fR\fB\fItype\fR\fR +.RS 4 +Only run the command if the module type matches the given type\&. +.RE +.PP +\fBstdout\fR +.RS 4 +Per default the output of the executed command is written to +/dev/null\&. With this option, the stdout output of the executed command is redirected to the calling application\&. It\*(Aqs in the responsibility of this application what happens with the output\&. The +\fBlog\fR +option is ignored\&. +.RE +.PP +\fBquiet\fR +.RS 4 +Per default pam_exec\&.so will echo the exit status of the external command if it fails\&. Specifying this option will suppress the message\&. +.RE +.PP +\fBquiet_log\fR +.RS 4 +Per default pam_exec\&.so will log the exit status of the external command if it fails\&. Specifying this option will suppress the log message\&. +.RE +.PP +\fBseteuid\fR +.RS 4 +Per default pam_exec\&.so will execute the external command with the real user ID of the calling process\&. Specifying this option means the command is run with the effective user ID\&. 
+.RE +.SH "MODULE TYPES PROVIDED" +.PP +All module types (\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR) are provided\&. +.SH "RETURN VALUES" +.PP +.PP +PAM_SUCCESS +.RS 4 +The external command was run successfully\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +No argument or a wrong number of arguments were given\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +A system error occurred or the command to execute failed\&. +.RE +.PP +PAM_IGNORE +.RS 4 +\fBpam_setcred\fR +was called, which does not execute the command\&. Or, the value given for the type= parameter did not match the module type\&. +.RE +.SH "EXAMPLES" +.PP +Add the following line to +/etc/pam\&.d/passwd +to rebuild the NIS database after each local password change: +.sp +.if n \{\ +.RS 4 +.\} +.nf + password optional pam_exec\&.so seteuid /usr/bin/make \-C /var/yp + +.fi +.if n \{\ +.RE +.\} +.sp +This will execute the command +.sp +.if n \{\ +.RS 4 +.\} +.nf +make \-C /var/yp +.fi +.if n \{\ +.RE +.\} +.sp +with effective user ID\&. +.SH "SEE ALSO" +.PP +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&. diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml new file mode 100644 index 0000000..7e89943 --- /dev/null +++ b/modules/pam_exec/pam_exec.8.xml 
@@ -0,0 +1,319 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_exec"> + + <refmeta> + <refentrytitle>pam_exec</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_exec-name"> + <refname>pam_exec</refname> + <refpurpose>PAM module which calls an external command</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_exec-cmdsynopsis"> + <command>pam_exec.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + expose_authtok + </arg> + <arg choice="opt"> + seteuid + </arg> + <arg choice="opt"> + quiet + </arg> + <arg choice="opt"> + quiet_log + </arg> + <arg choice="opt"> + stdout + </arg> + <arg choice="opt"> + log=<replaceable>file</replaceable> + </arg> + <arg choice="opt"> + type=<replaceable>type</replaceable> + </arg> + <arg choice="plain"> + <replaceable>command</replaceable> + </arg> + <arg choice="opt"> + <replaceable>...</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_exec-description"> + + <title>DESCRIPTION</title> + + <para> + pam_exec is a PAM module that can be used to run + an external command. 
+ </para> + + <para> + The child's environment is set to the current PAM environment list, as + returned by + <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + In addition, the following PAM items are + exported as environment variables: <emphasis>PAM_RHOST</emphasis>, + <emphasis>PAM_RUSER</emphasis>, <emphasis>PAM_SERVICE</emphasis>, + <emphasis>PAM_TTY</emphasis>, <emphasis>PAM_USER</emphasis> and + <emphasis>PAM_TYPE</emphasis>, which contains one of the module + types: <option>account</option>, <option>auth</option>, + <option>password</option>, <option>open_session</option> and + <option>close_session</option>. + </para> + + <para> + Commands called by pam_exec need to be aware of that the user + can have control over the environment. + </para> + + </refsect1> + + <refsect1 id="pam_exec-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>expose_authtok</option> + </term> + <listitem> + <para> + During authentication the calling command can read + the password from <citerefentry> + <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis> + bytes of a password are provided to the command. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>log=<replaceable>file</replaceable></option> + </term> + <listitem> + <para> + The output of the command is appended to + <filename>file</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>type=<replaceable>type</replaceable></option> + </term> + <listitem> + <para> + Only run the command if the module type matches the given type. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>stdout</option> + </term> + <listitem> + <para> + Per default the output of the executed command is written to <filename>/dev/null</filename>. With this option, the stdout output of the executed command is redirected to the calling application. It's in the responsibility of this application what happens with the output. The <option>log</option> option is ignored. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>quiet</option> + </term> + <listitem> + <para> + Per default pam_exec.so will echo the exit status of the + external command if it fails. + Specifying this option will suppress the message. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>quiet_log</option> + </term> + <listitem> + <para> + Per default pam_exec.so will log the exit status of the + external command if it fails. + Specifying this option will suppress the log message. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>seteuid</option> + </term> + <listitem> + <para> + Per default pam_exec.so will execute the external command + with the real user ID of the calling process. + Specifying this option means the command is run + with the effective user ID. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </para> + </refsect1> + + <refsect1 id="pam_exec-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + All module types (<option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option>) are provided. + </para> + </refsect1> + + <refsect1 id='pam_exec-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The external command was run successfully. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + No argument or a wrong number of arguments were given. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A system error occurred or the command to execute failed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + <function>pam_setcred</function> was called, which + does not execute the command. Or, the value given for the type= + parameter did not match the module type. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_exec-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/passwd</filename> to + rebuild the NIS database after each local password change: + <programlisting> + password optional pam_exec.so seteuid /usr/bin/make -C /var/yp + </programlisting> + + This will execute the command + <programlisting>make -C /var/yp</programlisting> + with effective user ID. 
+ </para> + </refsect1> + + <refsect1 id='pam_exec-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_exec-author'> + <title>AUTHOR</title> + <para> + pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and + Josh Triplett <josh@joshtriplett.org>. + </para> + </refsect1> + +</refentry> |
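Review bot: pam_exec.8 is generated output (its header carries "Generator: DocBook XSL Stylesheets v1.79.1" and "Date: 09/03/2021"), so the wording problems visible in it need to be fixed in pam_exec.8.xml and the page regenerated, not edited in the roff file. In DESCRIPTION the sentence that ends at pam_getenvlist(3) has no full stop and runs straight into "In addition, the following PAM items are exported as environment variables", and the log=file entry ("The output of the command is appended to file") also ends without one. If the tree normally builds its man pages from the XML, consider leaving the generated file out of the commit so the two copies cannot drift apart.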
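Review bot: In pam_exec.8.xml the EXAMPLES section pairs seteuid with /usr/bin/make in /etc/pam.d/passwd, while the only caution about the child's environment is the short DESCRIPTION paragraph "Commands called by pam_exec need to be aware of that the user can have control over the environment." Because seteuid runs the command with the effective user ID, and make takes variables from its environment, the seteuid entry should say that this caution applies with most weight there and that the configured command has to treat the inherited PAM environment as untrusted. Wording in the same file: "need to be aware of that" should read "need to be aware that"; in expose_authtok, "the calling command" should be "the called command" and "Only first" should be "Only the first"; and the stdout entry's closing "The log option is ignored." would be clearer as "When stdout is given, the log option is ignored."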