Miscellaneous
Miscellaneous functions and procedures (refer to the following table) do not fit into any other category.
glob
Description
The glob() function searches a character string for a specific shell-style pattern. glob() is often used to match patterns to file names because the patterns that are used are the same patterns that are used by the Unix/Linux shell file name matching algorithms.
Note
For more information on creating search patterns, see Wildcard Search Characters and quote.
Syntax
result = glob (pattern, string);
Arguments
| Name | Description |
|---|---|
| pattern | Required. The search pattern |
| string | Required. The string to search |
Return values
| Name | Description |
|---|---|
| true | A pattern match was found |
| false | A pattern match was not found |
Example
result = glob (pattern, logfilename);
iologcloseactionrunhost
Description
iologcloseactionrunhost() is used to specify a /path/filename to be executed on the runhost when the iolog is closed. The specified /path/filename can be a shell script or binary. The user to run the program as, environment, arguments, and working directory are specified in the function call. Stdin, stdout, stderr are redirected to /dev/null. The timeout (specified in seconds) is mandatory. A timeout value of zero indicates no timeout. Note that a timeout value greater than zero causes the end user’s invocation of pbrun to pause while the close action takes place or until the timeout expires. Any runtime errors such as invalid user, cwd, or command are logged via syslog, and to the appropriate EPM log (for example,pbrunlog, pblocaldlog) if specified in pb.settings.
Syntax
Iologcloseactionrunhost( user, environment, timeout, cwd "/path/command and arguments");
Arguments
Example
iologcloseactionrunhost( "jsmith", {"PATH=/bin", "TMPDIR=/tmp/", "PBUL=PBULTEST"}, 20, "/tmp", "/usr/local/bin/closeaction –a –b" );
Example
iologcloseactionrunhost( "root", {}, 0, "/tmp", "/usr/local/bin/closeaction –a –b" );
Note
For more information, see iolog .
isset
Description
The isset() function determines whether a variable has been set. A variable with a blank or zero value returns true, because blank and zero are considered values.
Syntax
result = isset (string);
Arguments
| Name | Description |
|---|---|
| string | Required. A string that contains a variable name. |
Return values
| Name | Description |
|---|---|
| true | Integer. The specified variable has a value. |
| false | Integer. The specified variable does not have a value. |
Example
In this example, result contains an integer value of 1 (true) because the runhost variable has a value of beyondtrust1.
runhost = "beyondtrust1";
result = isset ("runhost");
policytimeout
Description
The policytimeout() procedure adds an overall policy timeout mechanism so that pbmasterd can abort the request when the policy processing takes an inordinate amount of time.
For example, when submitconfirmuser() is used, but the submitting user (or process) does not enter a password.
This prevents pbmasterd processes that appear to be unresponsive when the policy is waiting for user input which may never arrive. When the policy timeout is encountered, the request is rejected, with the exitstatus set to:
policy timeout (<seconds> seconds) reached for <submitting user> on host <submithost> for command <command and args>
That message is also logged to pbmasterd.log.
This timeout mechanism terminates pbmasterd any time that the policy processing takes longer than the timeout value specified.
This includes any user input functions, infinite loops, long running external programs run with system() and remotesystem(), DNS and NFS hangs, and lengthy policies.
When the policytimeout() procedure is called at the beginning of the policy it applies to the entire policy. If called later, it applies to the rest of the policy.
If the function is not called, or called with a value of 0, there is no timeout and pbmasterd processes the entire policy (including waiting for user input) before terminating.
The policytimeout() procedure can be called many times, each time overriding the value previously set.
This timeout is canceled when an accept or reject is encountered (for example, the policy is completed). Note that this timeout does not affect the runconfirmuser mechanism, which is processed after an accept. This timeout does not affect the secured task once accepted. For example, this cannot protect against a user not providing username/password input for pbrun telnet . pbmasterd informs EPM clients (pbrun, pbksh, pbsh, pbssh) of the timeout, and those clients also timeout. Note that the exact timing of pbmasterd timing out and the client timing out is not exact.
pbmasterd and the client process the timeout independently, and either may terminate before the other. Older clients cannot process such a timeout, and may appear unresponsive when pbmasterd terminates during expected user input. pbmasterd does not have a mechanism to interrupt an older client that is expecting input.
When remotesystem() is used with the submithost, the policy timeout is independent of the timeout specified in the remotesystem function call. The first of those timeouts to be encountered is the one that is processed.
When remotesystem() is used with a host other than the submithost, only the timeout specified in the remotesystem function call is used. If that is 0 (meaning no timeout), and the policy server encounters the policy timeout, the remote host may have a hungpblocald process.
Syntax
policytimeout( <timeout_value_in_seconds> );
Arguments
| Name | Description |
|---|---|
| timeout_value_in_seconds | Required. Specifies the policy timeout value in seconds. |
Return values
Not applicable
Example
policytimeout(25);
submitconfirmuser(user);
accept;
Example
tmout=2;
policytimeout(tmout);
submitconfirmuser(user);
accept;
Example
policytimeout(25);
...
policytimeout(40);
...
policytimeout(0);
...
quote
Description
The quote() function encloses a string in the specified character. It also inserts a backslash character (\) in front of any special characters that are contained in the string, to indicate that these characters should be taken literally (that is, treated as special characters). The quote() function is useful when parsing arguments into commands that are shell scripts.
Note
For more information on special characters, see Special Characters.
Syntax
result = quote (string1, quotechar);
Arguments
| Name | Description |
|---|---|
| string1 | Required. The string to enclose in the specified quotechar |
| quotechar | Required. The character to use as the enclosing character |
Return values
result contains the quoted string.
Example
In the example:
result = quote ("Hello, Hello, Hello", "*");
result is assigned:
"*Hello, Hello, Hello*"
runtimewarn
Description
After the specified number of minutes, a message is written to the user’s stderr. If the optional message argument is not specified, the default message is: WARNING: You have exceeded the maximum allowed session time.
Internally, this feature makes use of the new read-only policy variables runtimewarn and runtimewarnmsg to communicate the details from the policy server to the run host.
This feature might typically be used to warn a user of an upcoming timeout specified by the runtimelimit variable.
The runtimewarn time limit is specified in minutes (within a procedure), while runtimeout is specified in seconds (as a variable).
This feature may also be used with the new runtimewarnlog() procedure described below.
Syntax
runtimewarn( minutes [, message] );
Arguments
| Name | Description |
|---|---|
| Minutes | Required positive integer specifying the timeout in minutes. |
| Message | Optional string specifying a message to issue to the user on stderr. |
Example
runtimewarn(20);
runtimewarn(20, "Warning, your session will expire soon!");
Note:
For more information, see the following:
runtimewarnlog
Description
This feature requires an I/O log. After the specified number of minutes, a message is written to the log server’s syslog. This message allows variable substitution using the %variable% syntax. Any variable recorded in the Accept event can be incorporated into the message. When the finish event is logged, the new timelimitexceeded variable is set to 1. If the time limit is not exceeded, the timelimitexceeded variable is not recorded in the finish event. If the optional message argument is not specified, the default message is: user:%user% exceeded time limit as %runuser%@%runhost% for %runargv%
Internally, this feature makes use of the new read-only policy variables runtimewarnlog and runtimewarnlogmsg to communicate the details from the policy server to the run host.
This feature might typically be used to create log entries of the longer sessions, possibly after warning a user using runtimewarn() of an upcoming timeout specified by the runtimelimit variable.
Note
The runtimewarnlog time limit is specified in minutes (within a procedure), while runtimeout is specified in seconds (as a variable).
Syntax
runtimewarnlog( minutes [, message] );
Arguments
| Name | Description |
|---|---|
| Minutes | Required positive integer specifying the timeout in minutes. |
| Message | Optional string specifying a message to syslog on the log server. |
Example
runtimewarnlog(20);
runtimewarnlog(20, "user:%user% exceeded session time limit");
Note:
For more information, see the following:
unset
Description
The unset procedure is used to remove temporary variables from the event and I/O log files when the variables are no longer needed. Variables that are required for the functioning of an EPM daemon may not be unset.
Syntax
unset (variable);
Arguments
| Name | Description |
|---|---|
| variable | Required. The temporary variable to remove. |
Return values
Not applicable
Example
In this example, removes the temporary variable xyz from the log files.
unset("xyz");
Updated 17 days ago