WORKAROUND 1 - Wrapper scripts using PermitUserEnvironment
You could create a wrapper script to achieve this. For example:
1. Create an executable script in /home/funcacct called passwd, adding the customisation - in this case -r files. E.g.:
#Unlock user account
/usr/bin/passwd –r files $*
NOTE: Ensure the script contains the hashtags and all commands within are fully pathed. Ensure the script is executable.
2. Set the functional account (funcacct) enviroment PATH variable to first look in the directory containing the passwd script.
Display the contents of the functional account .ssh/environment via 'cat' or similar:
It should return the contents, containing a relevant PATH for your configuration and requirements such as:
NOTE: As the commands are run non-interactively, changing the PATH variable in the shell files/login scripts will not have any effect.
3. Set PermitUserEnvironment (or AcceptEnv) in sshd_config to yes for the functional account, and ensure SSH is restarted.
WORKAROUND 2 - Wrapper scripts using Delegation prefix
As above, but instead of changing the PermitUserEnvironment, set the Delegation Prefix in TPAM | Details tab to a directory. E.g. /path/to/utils/.
Then place your passwd script in this directory. Ensure all commands run are available from this directory, such as echo and grep.