-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
59 lines (47 loc) · 2.42 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
pam-exec2
Version 0.5
Copyright (C) 2013 Robin McCorkell
This file is part of pam-exec2.
pam-exec2 is free software: you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
pam-exec2 is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with pam-exec2. If not, see <http://www.gnu.org/licenses/>.
A PAM module, based on pam_exec, to execute external binaries or scripts in a
safe environment. This module provides the ability to pipe stdout and stderr
to a logfile; set the UID and GID of the process to the target user; set the
UID of the process to the EUID it is running as.
The external process will have the following environment variables, along with
the standard ones provided by the PAM stack:
* PAM_USER - target user
* PAM_SERVICE - service running the PAM stack
* PAM_TTY - TTY in use
* PAM_RHOST - remote host calling the PAM stack
* PAM_RUSER - remote user
* PAM_TYPE - 'auth', 'account', 'password', 'open_session' or
'close_session' depending on the PAM invocation
Usage:
pam_exec2.so [options] /path/to/executable [args]
Options:
* debug - send debug information to syslog
* quiet - no output to application
* drop_priv - set UID and GID to target user (PAM_USER)
* seteuid - set UID to EUID of calling process
* syslog - redirect stdout and stderr to syslog (LOG_AUTHPRIV):
stdout as LOG_NOTICE, stderr as LOG_ERR
* once - use pam-once to limit execution to first open_session and last
close_session of a user - only applicable for session type
* type=... - only execute if PAM_TYPE matches ...
* log=... - redirect stdout and stderr to ...
drop_priv and seteuid are mutually exclusive, as are syslog and log=...
Contact:
Robin McCorkell <rmccorkell@karoshi.org.uk>
See INSTALL for instructions on how to install this program. For preparing a
release, run ./autogen.sh to generate the required files.
All source files are contained in the src directory. Additional macros used in
configure.ac are stored in the m4 directory.