Script fails to run on login when using pam_exec.so to run a script as root

The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.

I moved the script to /bin and the errors immediately resolved themselves.

Answered by skyrocket
Updated on September 18, 2022

Question (asked by skyrocket, over 1 year)

How can I run a script as root when a user logs in with pam_exec.so (or otherwise)? The script requires information about the user to function.

Problem and Environment

I would like to run a script—/path/script.sh—as root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.

I am currently editing /etc/pam.d/system-auth and adding the following line:

    session     optional     pam_exec.so /path/script.sh

This works fine when I become the user with sudo su, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,

    $ su - robot7
    Password: 
    /path/script.sh failed: exit code 1
    -bash-4.2$

fails while

    $ sudo su - robot7
    Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
    -bash-4.2$

works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER in the second case is the correct username (robot7, not root).

This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc or others to run it.

If I set the command in /etc/pam.d/system-auth to run on auth and not session (as suggested by similar questions), it never runs.

Edit

Adding seteuid to the pam_exec.so command allows the script to run when the user authenticates (su - robot7), but does not run the script on SSH (which is the primary method with which users log in).
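The thread touches three separate pam_exec.so behaviours: a session module line is invoked for close_session as well as open_session (the "also runs when users disconnect" caveat), the command runs with the calling process's real UID unless seteuid is given (so "su - robot7" ran the script as the invoking user while "sudo su - robot7" ran it as root), and, per the answer, the SELinux file context of the script's location blocked execution. The hook below is an added example written for this page, not the poster's /path/script.sh. It assumes the script is installed as /usr/local/sbin/pam-login-hook.sh (a path the CentOS 7 targeted policy labels bin_t) and wired in with `session optional pam_exec.so seteuid /usr/local/sbin/pam-login-hook.sh`; PAM_TYPE, PAM_USER and PAM_SERVICE are the variables pam_exec exports to the child process.

```shell
#!/bin/sh
# Added example for this page, not the poster's /path/script.sh.
# Assumed install path: /usr/local/sbin/pam-login-hook.sh (labelled bin_t by the
# CentOS 7 targeted policy), wired in with
#   session optional pam_exec.so seteuid /usr/local/sbin/pam-login-hook.sh
# pam_exec exports PAM_TYPE, PAM_USER and PAM_SERVICE to the child process.

# A "session" module line runs twice per login: once for open_session and once
# for close_session. Only act on open_session so the hook does not also fire
# when the user disconnects.
should_run() {
    case "$1" in
        open_session) return 0 ;;
        *)            return 1 ;;
    esac
}

# PAM_USER is supplied by the authenticating service; treat it as untrusted
# before it reaches a log line or a shell command. Accept a plain login name.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, whitespace, slashes, quotes
        -*)                   return 1 ;;   # would be parsed as an option by tools
        *)                    return 0 ;;
    esac
}

# The audit record written for each accepted login, kept as a pure function so
# the format can be checked without PAM.
login_message() {
    # $1 = PAM_TYPE, $2 = PAM_USER, $3 = PAM_SERVICE
    printf 'pam_exec %s: user=%s service=%s' "$1" "$2" "$3"
}

main() {
    # Succeed silently for every phase except open_session. Exiting non-zero on
    # the other phases is what prints "/path/script.sh failed: exit code 1".
    should_run "${PAM_TYPE:-}" || exit 0

    # With seteuid on the module line the hook runs as the caller's effective UID
    # (root for su and sshd). Without it pam_exec uses the real UID, which is the
    # invoking user for "su - robot7" and root only for "sudo su - robot7".
    if [ "$(id -u)" -ne 0 ]; then
        logger -t pam-login-hook "not running as root; add seteuid to the pam_exec line"
        exit 1
    fi

    if ! valid_user "${PAM_USER:-}"; then
        logger -t pam-login-hook "rejected PAM_USER value for service ${PAM_SERVICE:-unknown}"
        exit 1
    fi

    logger -t pam-login-hook "$(login_message "$PAM_TYPE" "$PAM_USER" "${PAM_SERVICE:-unknown}")"

    # Site-specific work for the logged-in user goes here, e.g. preparing a
    # per-user directory owned by "$PAM_USER".
    exit 0
}

# Only run when invoked by pam_exec (PAM_TYPE is set); sourcing the file for a
# test leaves the functions defined without side effects.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Two checks before blaming the script itself: `ls -Z /usr/local/sbin/pam-login-hook.sh` should show a bin_t context (run `restorecon -v` on the file after copying it there, since a file moved with mv keeps the label of its old directory), and `grep include /etc/pam.d/sshd` shows which stack sshd consults; on CentOS 7 that is password-auth rather than system-auth, so a line added only to system-auth is never reached for SSH logins.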