<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_exec">
<refmeta>
<refentrytitle>pam_exec</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Linux-PAM</refmiscinfo>
<refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv xml:id="pam_exec-name">
<refname>pam_exec</refname>
<refpurpose>PAM module which calls an external command</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis xml:id="pam_exec-cmdsynopsis" sepchar=" ">
<command>pam_exec.so</command>
<arg choice="opt" rep="norepeat">
debug
</arg>
<arg choice="opt" rep="norepeat">
expose_authtok
</arg>
<arg choice="opt" rep="norepeat">
seteuid
</arg>
<arg choice="opt" rep="norepeat">
quiet
</arg>
<arg choice="opt" rep="norepeat">
quiet_log
</arg>
<arg choice="opt" rep="norepeat">
stdout
</arg>
<arg choice="opt" rep="norepeat">
log=<replaceable>file</replaceable>
</arg>
<arg choice="opt" rep="norepeat">
type=<replaceable>type</replaceable>
</arg>
<arg choice="plain" rep="norepeat">
<replaceable>command</replaceable>
</arg>
<arg choice="opt" rep="norepeat">
<replaceable>...</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 xml:id="pam_exec-description">
<title>DESCRIPTION</title>
<para>
pam_exec is a PAM module that can be used to run
an external command.
</para>
<para>
The child's environment is set to the current PAM environment list, as
returned by
<citerefentry>
<refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>
In addition, the following PAM items are
exported as environment variables: <emphasis>PAM_RHOST</emphasis>,
<emphasis>PAM_RUSER</emphasis>, <emphasis>PAM_SERVICE</emphasis>,
<emphasis>PAM_TTY</emphasis>, <emphasis>PAM_USER</emphasis> and
<emphasis>PAM_TYPE</emphasis>, which contains one of the module
types: <option>account</option>, <option>auth</option>,
<option>password</option>, <option>open_session</option> and
<option>close_session</option>.
</para>
<para>
Commands called by pam_exec need to be aware of that the user
can have control over the environment.
</para>
</refsect1>
<refsect1 xml:id="pam_exec-options">
<title>OPTIONS</title>
<para>
<variablelist>
<varlistentry>
<term>
debug
</term>
<listitem>
<para>
Print debug information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
expose_authtok
</term>
<listitem>
<para>
During authentication the calling command can read
the password from <citerefentry>
<refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
bytes of a password are provided to the command.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
log=file
</term>
<listitem>
<para>
The output of the command is appended to
<filename>file</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
type=type
</term>
<listitem>
<para>
Only run the command if the module type matches the given type.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
stdout
</term>
<listitem>
<para>
Per default the output of the executed command is written to <filename>/dev/null</filename>. With this option, the stdout output of the executed command is redirected to the calling application. It's in the responsibility of this application what happens with the output. The <option>log</option> option is ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
quiet
</term>
<listitem>
<para>
Per default pam_exec.so will echo the exit status of the
external command if it fails.
Specifying this option will suppress the message.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
quiet_log
</term>
<listitem>
<para>
Per default pam_exec.so will log the exit status of the
external command if it fails.
Specifying this option will suppress the log message.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
seteuid
</term>
<listitem>
<para>
Per default pam_exec.so will execute the external command
with the real user ID of the calling process.
Specifying this option means the command is run
with the effective user ID.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 xml:id="pam_exec-types">
<title>MODULE TYPES PROVIDED</title>
<para>
All module types (<option>auth</option>, <option>account</option>,
<option>password</option> and <option>session</option>) are provided.
</para>
</refsect1>
<refsect1 xml:id="pam_exec-return_values">
<title>RETURN VALUES</title>
<para>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The external command was run successfully.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_BUF_ERR</term>
<listitem>
<para>
Memory buffer error.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_CONV_ERR</term>
<listitem>
<para>
The conversation method supplied by the application
failed to obtain the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_INCOMPLETE</term>
<listitem>
<para>
The conversation method supplied by the application
returned PAM_CONV_AGAIN.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SERVICE_ERR</term>
<listitem>
<para>
No argument or a wrong number of arguments were given.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SYSTEM_ERR</term>
<listitem>
<para>
A system error occurred or the command to execute failed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_IGNORE</term>
<listitem>
<para>
<function>pam_setcred</function> was called, which
does not execute the command. Or, the value given for the type=
parameter did not match the module type.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 xml:id="pam_exec-examples">
<title>EXAMPLES</title>
<para>
Add the following line to <filename>/etc/pam.d/passwd</filename> to
rebuild the NIS database after each local password change:
<programlisting>
password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
</programlisting>
This will execute the command
<programlisting>make -C /var/yp</programlisting>
with effective user ID.
</para>
</refsect1>
<refsect1 xml:id="pam_exec-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 xml:id="pam_exec-author">
<title>AUTHOR</title>
<para>
pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and
Josh Triplett <josh@joshtriplett.org>.
</para>
</refsect1>
</refentry>