PAM_EXEC(8)             FreeBSD System Manager's Manual            PAM_EXEC(8)

NAME
     pam_exec - Exec PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_exec [arguments]

DESCRIPTION
     The exec service module for PAM executes the program designated by its
     first argument if no options are specified, with its remaining arguments
     as command-line arguments.  If options are specified, the program and its
     arguments follow the last option or -- if the program name conflicts with
     an option name.

     The following options may be passed before the program and its arguments:

     capture_stderr
             Capture text printed by the program to its standard error stream
             and pass it to the conversation function as error messages.  No
             attempt is made at buffering the text, so results may vary.

     capture_stdout
             Capture text printed by the program to its standard output stream
             and pass it to the conversation function as informational
             messages.  No attempt is made at buffering the text, so results
             may vary.

     debug   Ignored for compatibility reasons.

     no_warn
             Ignored for compatibility reasons.

     return_prog_exit_status
             Use the program exit status as the return code of the pam_sm_*
             function.  It must be a valid return value for this function.

     expose_authtok
             Write the authentication token to the program's standard input
             stream, followed by a NUL character.  Ignored for
             pam_sm_setcred().

     use_first_pass
             If expose_authtok was specified, do not prompt for an
             authentication token if one is not already available.

     --      Stop options parsing; program and its arguments follow.

     The child's environment is set to the current PAM environment list, as
     returned by pam_getenvlist(3).  In addition, the following PAM items are
     exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE,
     PAM_SM_FUNC, PAM_TTY and PAM_USER.

     The PAM_SM_FUNC variable contains the name of the PAM service module
     function being called.  It may be:
           -   pam_sm_acct_mgmt
           -   pam_sm_authenticate
           -   pam_sm_chauthtok
           -   pam_sm_close_session
           -   pam_sm_open_session
           -   pam_sm_setcred

     If return_prog_exit_status is not set (default), the PAM_SM_FUNC function
     returns PAM_SUCCESS if the program exit status is 0, PAM_PERM_DENIED
     otherwise.

     If return_prog_exit_status is set, the program exit status is used.  It
     should be PAM_SUCCESS or one of the error codes allowed by the calling
     PAM_SM_FUNC function.  The valid codes are documented in each function
     man page.  If the exit status is not a valid return code, PAM_SERVICE_ERR
     is returned.  Each valid codes numerical value is available as an
     environment variable (eg. PAM_SUCESS, PAM_USER_UNKNOWN, etc).  This is
     useful in shell scripts for instance.

SEE ALSO
     pam_get_item(3), pam.conf(5), pam(8), pam_sm_acct_mgmt(8),
     pam_sm_authenticate(8), pam_sm_chauthtok(8), pam_sm_close_session(8),
     pam_sm_open_session(8), pam_sm_setcred(8)

AUTHORS
     The pam_exec module and this manual page were developed for the FreeBSD
     Project by ThinkSec AS and NAI Labs, the Security Research Division of
     Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
     ("CBOSS"), as part of the DARPA CHATS research program.

FreeBSD 13.1-RELEASE-p6          May 24, 2019          FreeBSD 13.1-RELEASE-p6