Task information variables

Task information variables store information about a specific task request. Using the Security Policy Scripting Language, a security administrator can query this information and use it to make security decisions about a task request. These values are logged in the event logs and I/O logs.

ℹ️

Note

The run variables do not apply to pbssh. If these run variables are present in the policy, they do not have any effect on pbssh and are ignored.

In EPM, each secured task has its own set of task information variables. Other secured task requests do not share the information in these variables.

Two copies of task information variables are created and maintained for each task request that EPM processes. One set is read-only. These read-only variables contain the original, unmodified information about a task request. The other set, known as run variables, have information identical to their corresponding read-only versions; however, their values can be modified. The information in the modifiable variables is the information that EPM actually uses to execute a request once it is accepted. The modifiable task information variables have the same names as their read-only counterparts except they have the prefix run.

ℹ️

Note

These run variables do not apply to pbssh. If the run variables are present in the policy, they do not have any effect on pbssh and are ignored.

There are some special pass-through values that are available for the run versions of some task information variables. These special values are needed when the policy server host and run host represent different systems. In this scenario, processing some functions may fail because the values for those variables need to be retrieved from the run host system rather than the policy server host. The following functions are affected: gethome(), getgroup(), getgroups(), and getshell().

Value   Description                                                          Example
!g!     Returns the run user’s run group on the run host.                    rungroup = "!g!";
!G!     Returns all groups that the run user belongs to on the run host.     rungroups = {"!G!"};
!~!     Returns the run user’s home directory on the run host.               runcwd = "!~!";
!!!     Returns the run user’s default shell on the run host.                runcommand = "!!!";

ℹ️

Note

For more information, see the following:

On the gethome(), getgroup(), getgroups(), and getshell() functions, Built-in Functions and Procedures
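The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It shows the situation the paragraph above describes: the policy server does not necessarily know the target account, so the group, supplementary groups, home directory and shell are resolved on the run host through the pass-through values instead of calling gethome(), getgroup(), getgroups() or getshell() on the policy server. The basename() function, the "in" list-membership operator, the user names and the host name are assumptions not taken from the page.

```policy
# Added example (not from the page): a DBA group runs a maintenance tool as a
# service account on a dedicated run host. The service account may not exist
# on the policy server at all, so every account attribute is resolved on the
# run host via the pass-through values.
# Assumed (not on the page): basename(), the "in" operator, and the names below.
if (user in {"dba01", "dba02"} && basename(command) == "pg_ctl") {
    runuser = "postgres";                    # constructed service account
    runhost = "db-run-01.example.com";       # constructed run host

    # Do NOT call getgroup(runuser) / gethome(runuser) here: they would be
    # evaluated on the policy server host, where "postgres" may be unknown.
    rungroup  = "!g!";      # primary group of runuser, as known to the run host
    rungroups = {"!G!"};    # all groups of runuser, as known to the run host
    runcwd    = "!~!";      # runuser's home directory on the run host

    # A request for a plain "sh" session becomes the run user's own login
    # shell, again as defined on the run host rather than the policy server.
    if (basename(command) == "sh") {
        runcommand = "!!!";
    }
    accept;
}
```

Everything resolved this way is still written to the event log with its expanded value, so the record shows the actual group, directory and shell the task ran with, not the literal "!g!" string.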

argc

Data type

Integer, read-only

Description

The argc variable contains the number of arguments that are supplied with the current command. The command name is treated as an argument. Thus, the actual number of user supplied arguments, not including the command name itself, is argc - 1.

There is not a run version of this variable.

Valid values

A positive integer.

argv

Run version

runargv

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

List. argv is read-only. runargv is modifiable.

Description

The argv and runargv variables contain the list of argument values that are associated with the current command. The first argument value, with index 0, is the name of the command. Use the run version of this variable to change an argument value.

Syntax

runargv = list;

Valid values

A list in which the first element contains the name of the current command, as entered by the submitting user. The remaining list elements contain the command arguments, as entered by the submitting user. argv is a read-only variable whose value comes from the pbrun command line. The default value of runargv is the value of argv.

Example

runargv = {"uname", "-a"};

bkgd

Run version

runbkgd

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Boolean. bkgd is read-only. runbkgd is modifiable.

Description

The bkgd and runbkgd variables indicate whether to run a task in the background with HUP signals ignored. Endpoint Privilege Management for Unix and Linux sets both variables when the user executes pbrun with a -b switch. To change whether a task actually runs in the background with HUP signals ignored, set the runbkgd variable.

ℹ️

Note

In this context, the function name inside the function behaves like a function parameter.

HUP refers to the hangup signal that the operating system sends to a child process when its parent process terminates. If the child process was set to ignore HUP signals, the child process continues to run even though its parent process was terminated.

ℹ️

Note

This feature can be useful for applications running in the background.

Syntax

runbkgd = boolean;

Valid values

Name    Description
true    Ignore HUP signals.
false   Do not ignore HUP signals.

bkgd is read-only and defaults to true when pbrun -b is used. Otherwise, it defaults to false. runbkgd defaults to the value of bkgd.

Example

runbkgd = true;

clienthost

Data type

String, read-only

Description

The name of the client (submit) host as resolved on the client host.

Valid values

A string as described above.

ℹ️

Note

For more information, see the following:

host

submithost

command

Run version

runcommand

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

String. command is read-only. runcommand is modifiable.

Description

The command and runcommand variables contain the name of the current command request. If specified, command arguments are stored in runargv and are not stored in command or runcommand. To change the current command, set the runcommand variable.

ℹ️

Note

Setting the run version of this variable also sets runargv[0]; however, setting runargv does not set runcommand.

Syntax

runcommand = string;

Valid values

A string containing the name of the current task request command as entered by the submitting user. command is a read-only variable. runcommand defaults to the value of command.

Example

runcommand = "/bin/ls";

ℹ️

Note

For more information, see the following:

argc

argv

runargv
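The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It ties together the argc, argv/runargv and command/runcommand sections above: the command name is pinned to an absolute path through runcommand (which also rewrites runargv[0]), the user-supplied argument count is checked as argc - 1, and the arguments are validated against the read-only argv before the run copy is assigned. The basename() function, the "in" operator and the service names are assumptions not taken from the page.

```policy
# Added example (not from the page): constrain a systemctl request.
# Assumed (not on the page): basename(), the "in" operator, service names.
if (basename(command) == "systemctl") {
    # command is whatever the submitter typed, possibly a relative name found
    # through their own PATH. Pin the run copy to a known absolute path.
    # Assigning runcommand also sets runargv[0]; argv[0] keeps the original.
    runcommand = "/bin/systemctl";

    # argc includes the command name itself, so argc - 1 is the number of
    # arguments the submitter actually supplied.
    if (argc - 1 != 2) {
        reject;
    }

    # Validate against argv, the read-only record of the request.
    if (!(argv[1] in {"restart", "status"})) {
        reject;
    }
    if (!(argv[2] in {"nginx", "postgresql"})) {
        reject;
    }

    # Build the run copy from the validated values. Note the asymmetry from
    # the page: assigning runargv here does not change runcommand, so
    # runcommand remains the single source of truth for the program path.
    runargv = {runcommand, argv[1], argv[2]};
    accept;
}
```

Both argv and runargv are logged, so a reviewer can compare what was requested with what was executed when the two differ.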

cwd

Run version

runcwd

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

String. cwd is read-only. runcwd is modifiable.

Description

The cwd and runcwd variables contain the full path of the working directory on the submit host from which the current task request is being initiated. To cause the requested program to execute in a different directory on a run host, set the runcwd variable. Depending on how Endpoint Privilege Management for Unix and Linux is deployed, submit host and run host might be different machines with different directory structures.

ℹ️

Note

If Endpoint Privilege Management for Unix and Linux cannot set this variable and enforceRunCwd is set to No, the task request runs in the /tmp directory on the run host.

Syntax

runcwd = string;

Valid values

A string specifying the run host working directory for the current task request. cwd is a read-only variable. Also, cwd is the directory from which the command originated. runcwd defaults to cwd.

Example

runcwd = "/home/username";

ℹ️

Note

For more information, see runchroot.

env

Run version

runenv

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

List. env is read-only. runenv is modifiable.

Description

The env and runenv variables contain the name and value pairs of each Unix or Linux environment variable that is present when the current task request is submitted. Each environment variable is stored as an element within env. Each of these elements has the format NAME=Value, where NAME is the name of the environment variable and Value is the value that is stored in that variable.

The value of an environment variable is modified by setting runenv.

The getenv(), setenv, keepenv, and unsetenv functions and procedures can access the values within env.

Syntax

runenv = list of strings;

Valid values

A list in which each element has the format NAME=value where NAME is the name of the Unix or Linux environment variable and value is the value stored in that variable. This list defaults to the run time environment of the pbrun command.

ℹ️

Note

For more information, see the following:

getenv

keepenv

logomit

setenv

unsetenv
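The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It shows the env/runenv distinction in practice: the submitted environment is inspected through getenv() (read-only), while the environment the task will actually receive is rebuilt with keepenv(), setenv() and unsetenv(). The page names these functions but not their signatures, so the argument forms used here (keepenv taking the names to keep and dropping all others, getenv taking a name and a default) are assumptions, as is the print() procedure.

```policy
# Added example (not from the page): give the secured task a minimal, known
# environment instead of the submitter's.
# Assumed (not on the page): keepenv(name, ...) keeps only the named variables;
# setenv(name, value); unsetenv(name); getenv(name, default); print().

# Inspect the original request first. env is read-only and always reflects
# what pbrun was started with, regardless of what runenv becomes below.
if (getenv("LD_PRELOAD", "") != "" || getenv("LD_LIBRARY_PATH", "") != "") {
    print("note: loader variables were present in the submitted environment");
}

# Keep only the variables interactive tools need; everything else is dropped
# from runenv.
keepenv("TERM", "LANG", "DISPLAY");

# Set, rather than inherit, the variables that influence program lookup and
# word splitting. Each becomes a NAME=value element of runenv.
setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin");
setenv("IFS", " \t\n");

# Belt and braces: these should already be gone after keepenv(), but make the
# intent explicit for anyone reading the policy.
unsetenv("LD_PRELOAD");
unsetenv("LD_LIBRARY_PATH");

accept;
```

Because env and runenv are both logged, the event log records the submitted environment alongside the one the task ran with, which is what an investigator needs when a request looks unusual.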

execute_via_su

Data type

Boolean

Description

The run environment for the secured task is normally dictated by the EPM-UL policy server policy. It may be desirable to have the runhost dictate the run environment for the secured task.

EPM-UL version 7.1 and above can use the su - command to create a login shell for the secured task, thus allowing the login mechanism to setup the run environment. The policy server host keyword execute_via_su in /etc/pb.settings globally enables using su - to execute the secured task. This keyword can be overridden by the policy variable with the same name execute_via_su. The execute_via_su variable's initial value is based on the keyword setting's value.

When execute_via_su is used, any run environment set up in the policy affects the execution of su - rather than the execution of the secured task. This includes the use of runcwd, setenv(), keepenv(), etc., and !g!, !G!, etc.

Entitlement reports do not indicate that su - is used; however, the Accept events in the event log show whether su - was used to invoke the secured task. This feature does not work for runusers whose login is disabled (for example, using /sbin/nologin or /bin/false).

Settings keyword   Policy variable   Result uses su -?
unset              unset             no
unset              TRUE              YES
unset              FALSE             no
No                 unset             no
No                 TRUE              YES
No                 FALSE             no
Yes                unset             YES
Yes                TRUE              YES
Yes                FALSE             no

Valid values

  • 0
  • 1
  • true
  • false

Default

unset

ℹ️

Note

For more information, see the following:

runcommand

runuser

runargv

runenvironmentfile

setenv

keepenv
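The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It applies the two caveats above: su - cannot log in an account whose shell is disabled, and when execute_via_su is in effect the policy's runcwd and setenv() apply to the su - invocation rather than to the secured task. The getshell(user) argument form, the "in" operator and the account name are assumptions not taken from the page.

```policy
# Added example (not from the page): choose per request whether the run host
# builds the task environment through "su -".
# Assumed (not on the page): getshell(user) returns that account's login
# shell, the "in" operator, and the service account name.
runuser = "appsvc";   # constructed service account

if (getshell(runuser) in {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}) {
    # Login is disabled for this account, so su - would fail. Override the
    # /etc/pb.settings keyword for this request and build the environment
    # in the policy instead.
    execute_via_su = false;
    setenv("PATH", "/usr/bin:/bin");
    runcwd = "!~!";
} else {
    # Let the login mechanism on the run host set up the environment.
    # From here on, runcwd and setenv() would shape the "su -" process, not
    # the secured task, so nothing further is set in this branch.
    execute_via_su = true;
}
accept;
```

The Accept event records whether su - was used, so the two branches can be told apart in the event log even though entitlement reports do not show it.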

false

Data type

Boolean, read-only

Description

The false variable is a read-only variable with a predefined value of 0.

Many program statements rely upon conditional tests to determine what program statement should be executed next. The if statement is an example of this. Conditional tests evaluate to either a true value or a false value. In the Security Policy Scripting Language, a true value is represented by any positive, non-zero integer, but is usually represented by the integer value 1. A 0 represents false.

Because true and false values are used so frequently within security policy files, the variable true may be used in place of a numeric value 1 and the variable false may be used in place of a 0 value when evaluating a conditional expression or initializing a variable.

Valid values

0. Constant, cannot be changed.

ℹ️

Note

For more information, see true.

group

Run version

rungroup

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

String. group is read-only. rungroup is modifiable.

Description

The group and rungroup variables contain the name of the submitting user’s primary group. To temporarily change the submitting user’s primary group, set the rungroup variable.

ℹ️

Note

If the rungroup does not exist on the run host, the run host refuses to execute the command.

Syntax

rungroup = string;

Valid values

A string that contains the name of the submitting user’s primary group. group is a read-only variable. rungroup defaults to the value of group.

Example

rungroup = "bin";

groups

Run version

rungroups

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

List. groups is read-only. rungroups is modifiable.

Description

The groups and rungroups variables contain the list of groups the submitting user belongs to. To temporarily modify the list of groups, set the rungroups variable.

If one of the rungroups does not exist on the run host, the run host issues a warning before executing the command.

Syntax

rungroups = list;

Valid values

The groups variable contains the name of each group the submitting user belongs to on the submit host.

The value of the rungroups variable defaults to the value of the groups variable.

Example

rungroups = {"bin", "wheel"};

host

Run version

runhost

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

String. host is read-only. runhost is modifiable.

Description

submithost is the name of the machine that executed pbrun. host is the value that is passed to pbrun with the –h switch. If a –h switch is not used, then the value of host is taken from submithost. If the value of runhost is not explicitly set in the policy, then its value comes from host.

Setting runhost in the policy has no effect when the task is run in local mode (that is, when pbrun is executed with the -l option, or if the runlocalmode policy variable is set to true).

Syntax

runhost = string;

Valid values

A string that contains the fully-qualified name of the run host machine. host is a read-only variable whose default value is the name of the submit host. The default value of runhost is the value of host.

Example

runhost = "tad";

ℹ️

Note

For more information, see the following:

localmode

masterhost

pid

requestuser

runconfirmuser

subprocuser

submithost

submithostip

uniqueid

hour

Data type

Integer, read-only

Description

The hour variable contains the current hour, taken from the policy server host, in HH format.

Valid values

An integer ranging from 0 - 23 (inclusive) from the policy server host.

i18n_date

Data type

UTF-8 encoded string, read-only

Description

The i18n_date variable contains the current date, taken from the policy server host. It is formatted according to the operating system’s locale settings.

Valid values

A UTF-8 encoded string that contains a date.

i18n_day

Data type

UTF-8 encoded string, read-only

Description

The i18n_day variable contains the current date, taken from the policy server host. It is formatted according to the operating system’s locale settings.

Valid values

A UTF-8 encoded string that contains a day value.

i18n_dayname

Data type

UTF-8 encoded string, read-only

Description

The i18n_dayname variable contains the current day of the week, taken from the policy server host. It is formatted according to the operating system’s locale settings.

Valid values

A UTF-8 encoded string that contains a value for the day of the week.

i18n_hour

Data type

UTF-8 encoded string, read-only

Description

The i18n_hour variable contains the current hour, taken from the policy server host. It is formatted according to the operating system’s locale settings.

Valid values

A UTF-8 encoded string that contains an hour value.

i18n_minute

Data type

UTF-8 encoded string, read-only

Description

The i18n_minute variable contains the minute portion of the current time, taken from the policy server host. It is formatted according to the operating system’s locale settings. The month, day, date, and year variables can be used together to determine the current date, per the policy server host. The hour and minute variables can be used together to determine the current time, per the policy server host.

Valid values

A UTF-8 encoded string that contains a minute value.

i18n_month

Data type

UTF-8 encoded string, read-only

Description

The i18n_month variable contains the current month, taken from the policy server host. It is formatted according to the operating system’s locale settings. The month, day, date, and year variables can be used together to determine the current date per the policy server host. The hour and minute variables can be used together to determine the current time per the policy server host.

Valid values

A UTF-8 encoded string that contains the month value.

localmode

Run version

runlocalmode

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Boolean. localmode is read-only. runlocalmode is modifiable.

Description

The localmode and runlocalmode variables indicate if the submitting user specified that the current task request run in local mode. When a task runs in local mode, pbmasterd returns control to pbrun rather than pblocald. After the task is accepted, pbrun replaces itself with the current task request. The result is that localmode cannot be used with Advanced Control and Audit (ACA), and the current task request is processed without the benefit of any further event logging (the exit status is not logged) or keystroke actions.

Regarding pbrun, the localmode mechanism is deprecated in favor of Optimized Run Mode, in which all features are available.

The Endpoint Privilege Management shells pbsh and pbksh normally operate in localmode. This can be disabled by setting runlocalmode=false.

Endpoint Privilege Management for Unix and Linux sets the localmode variables when the user executes pbrun with a -l switch, or when the runlocalmode variable is set to true in the policy.

Syntax

runlocalmode = boolean;

Valid values

Name    Description
true    Run in local mode. The default value is true if pbrun -l is used, false otherwise.
false   Disable local mode.

localmode is a read-only variable with a value of true if pbrun -l is used, false otherwise.

runlocalmode defaults to localmode. If the allowlocalmode setting is false, then runlocalmode is set to read-only and has a value of false.

Example

runlocalmode = false;

ℹ️

Note

For more information, see the following:

bkgd

runbkgd

noreconnect

pblocald

allowlocalmode
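The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It covers the host/runhost and localmode/runlocalmode sections together, because the page ties them: host is whatever the submitter passed with pbrun -h and therefore needs validating, and runhost has no effect while the task runs in local mode. The user-defined list variable, the "in" operator, the print() procedure and the host names are assumptions not taken from the page.

```policy
# Added example (not from the page): decide where a task runs, and refuse the
# local-mode shortcut that would skip ACA, keystroke logging and exit-status
# logging.
# Assumed (not on the page): a user-defined list variable, the "in" operator,
# print(), and the host names.
allowed_runhosts = {"app-run-01.example.com", "app-run-02.example.com"};

# localmode is read-only and reflects pbrun -l. Reject rather than silently
# override, so the attempt is visible in the event log.
if (localmode) {
    print("local mode is not permitted for this command");
    reject;
}
# Make sure the task goes through pblocald; runhost is ignored otherwise.
runlocalmode = false;

if (host == submithost) {
    # No -h was given, so host fell back to submithost. Run on a fixed host
    # rather than on the submitter's own machine.
    runhost = "app-run-01.example.com";
} else if (host in allowed_runhosts) {
    # -h named one of the approved run hosts: honor it.
    runhost = host;
} else {
    # -h named something else: do not run there.
    reject;
}
accept;
```

host, submithost and runhost are all logged, so the event log shows both the host the submitter asked for and the host the policy chose.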

logaccept_utc

Data type

String, read-only

Description

The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging accept events.

Valid values

Any valid date and time.

logcksum

Data type

String, modifiable

Description

When runcksum, runcksumlist, runmd5sum, or runmd5sumlist are present in the policy, the run host verifies that the checksum of the runcommand matches the values specified in those variables. The logcksum variable allows the checksum of the runcommand to be recorded in the event log for analysis.

There is no read-only version of this variable.

Syntax

logcksum = string_value

Valid values

Name    Description
cksum   Save the runtime-generated application checksum in the chksum variable and record it in the event log. This is the value that is compared to the runcksum or runcksumlist user-defined policy variable (if available).
md5     Save the runtime-generated application MD5 checksum in the md5sum variable and record it in the event log. This is the value that is compared to the runmd5sum or runmd5sumlist user-defined policy variable (if available).
all     Record both runtime-generated checksum values (chksum and md5sum variables) in the event log.

Example

logcksum = "cksum";

Example

logcksum = "md5";

Example

logcksum = "all";
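The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It pairs logcksum with one of the run-host verification variables the description mentions: the run host compares the checksum of runcommand against runcksumlist before executing it, and logcksum = "all" records both runtime-generated values in the event log so a mismatch can be analysed afterwards. The page names runcksumlist but not its shape; treating it as a list of acceptable cksum values is an assumption, and the checksum strings are constructed placeholders.

```policy
# Added example (not from the page): verify a privileged binary before it
# runs, and keep the computed checksum in the event log.
# Assumed (not on the page): runcksumlist is a list of acceptable cksum
# values. The values below are placeholders, not real checksums.
if (runcommand == "/usr/local/bin/backup") {
    # Checksums recorded at build time for the two approved releases.
    runcksumlist = {"CKSUM_PLACEHOLDER_BUILD_A", "CKSUM_PLACEHOLDER_BUILD_B"};

    # Record both the cksum and MD5 values computed on the run host. If the
    # run host refuses the binary, the logged value shows what it saw.
    logcksum = "all";
    accept;
}
```

logcksum only controls what is logged; the check itself happens because runcksumlist is present. Without logcksum the event log would record the refusal but not the value that caused it.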

logfinish_utc

Data type

String, read-only

Description

The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging finish events.

Valid values

Any valid date and time.

logkeystroke_utc

Data type

String, read-only

Description

The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging keystroke events.

Valid values

Any valid date and time.

logpid

Data type

Number, read-only

Description

The logpid variable contains the PID of the log server daemon logging the accept.

This read-only variable is not available during the processing of the policy, because it is created after the policy performs an accept. This variable is available in the event log.

There is no run version of this variable.

Valid values

A number that contains a PID.

This is a read-only variable.

ℹ️

Note

For more information, see the following:

pid

runpid

submitpid

taskpid

logreject_utc

Data type

String, read-only

Description

The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when logging reject events.

Valid values

Any valid date and time.

logserver_utcoffset

Data type

String representing an integer, read-only

Description

The logserver timezone offset from UTC, in hours.

Valid values

-12 to 14

logservers

Data type

List

Description

A list of log hosts for pblocald to use for event and I/O logging. The policy variable overrides the settings keyword when the logservers keyword in the settings file is enabled. In other words,

/etc/pb.settings:
...
logservers name0
...

/opt/pbul/policies/pb.conf:
...
logservers={"name1", "name2"};
...

The log servers that are used are name1 and name2.

Syntax

logservers = {list};

Example

logservers = {"name1", "name2"};

master_utcoffset

Data type

String representing an integer, read-only

Description

The policy server timezone offset from UTC, in hours.

Valid values

-12 to 14

mastertimelimit

Data type

Integer, modifiable

Description

The mastertimelimit variable specifies a time limit, in seconds, between pbmasterd and pblocald, for a task request. If the job does not finish within the specified number of seconds, it is terminated.

mastertimelimit is similar to mastertimeout, but it is based on total time rather than idle time.

mastertimelimit is similar to runtimelimit, from the pbmasterd point of view, and is useful only when there is no log server.

ℹ️

Note

The mastertimelimit variable is not honored in local mode.

Syntax

mastertimelimit = number;

Valid values

  • number: Enable time limit checking.
  • 0: Disable time limit checking. This value is the default.

Example

mastertimelimit = 3600;

ℹ️

Note

For more information, see the following:

mastertimeout

runtimelimit

runtimeout

submittimeout

mastertimeout

Data type

Integer, modifiable

Description

The mastertimeout variable specifies the amount of idle time, in seconds, between pbmasterd and pblocald. If the job is idle for the specified number of seconds, then it is terminated. mastertimeout is similar to runtimeout, from the pbmasterd point of view, and is useful only when there is no log server.

ℹ️

Note

The mastertimeout variable is not honored in local mode.

Syntax

mastertimeout = number;

Valid values

  • number: Enable idle checking.
  • 0: Disable idle checking. This value is the default.

Example

mastertimeout = 3600;

ℹ️

Note

For more information, see the following:

mastertimelimit

runtimelimit

runtimeout

submittimeout (https://docs.beyondtrust.com/epm-l/docs/system#submittimeout)
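The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It covers the mastertimelimit and mastertimeout sections together, since the page presents them as a pair: total time versus idle time, both measured between pbmasterd and pblocald, both disabled by 0 and both ignored in local mode. The run-host counterparts runtimelimit and runtimeout are named on the page; giving them the same number-of-seconds form is an assumption, as are basename() and the "in" operator.

```policy
# Added example (not from the page): bound a request's total and idle time.
# Assumed (not on the page): basename(), the "in" operator, and that
# runtimelimit/runtimeout take seconds like their master* counterparts.
if (basename(runcommand) in {"bash", "sh", "ksh"}) {
    # Interactive shells: cut off after 15 minutes idle or 8 hours total.
    mastertimeout   = 900;      # idle seconds between pbmasterd and pblocald
    mastertimelimit = 28800;    # total seconds, idle or not
    runtimeout      = 900;      # the same limits, enforced from the run host
    runtimelimit    = 28800;
} else {
    # Batch jobs legitimately sit idle while working, so idle checking is
    # disabled (0), but a hard 1-hour ceiling still applies.
    mastertimeout   = 0;
    mastertimelimit = 3600;
    runtimelimit    = 3600;
}

# Neither master* limit is honored in local mode, so make sure it is off.
runlocalmode = false;
accept;
```

Setting both the master* and run* limits means a session is bounded even when a log server is in use, where the page says the master* variables alone are not enough.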

nice

Run version

runnice

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Integer. nice is read-only. runnice is modifiable.

Description

The nice and runnice variables contain the nice value for the current task request. The nice value controls task execution priority. To modify task execution priority, set runnice.

Syntax

runnice = number;

Valid values

An integer value that represents a task execution priority. This variable has no default value.

Example

runnice = 20;

ℹ️

Note

For more information, see the Unix or Linux manual page for the nice command.

noexec

Data type

Integer. noexec is modifiable.

Description

This variable does not apply to pbssh. If it is present in the policy, and set to 1, pbrun, pblocald, pbsh, and pbksh will attempt to prevent the secured task from performing an exec to launch a new program (for example, prevent vi's shell escape :!/bin/bash).

This mechanism uses the LD_PRELOAD or equivalent mechanism to load an Endpoint Privilege Management for Unix and Linux shared library that intercepts the exec family of library calls.

The noexec feature requires Endpoint Privilege Management for Unix and Linux 8.5.0 runhosts. Any previous version of runhost silently ignores the noexec feature.

ℹ️

Note

Care should be used when enabling noexec for shell scripts (these normally exec other programs).

Restrictions

  • The noexec feature works only for binaries that are dynamically linked, on operating systems that support the LD_PRELOAD or equivalent mechanism.
  • The noexec feature supports setuid programs only on Linux and Solaris run hosts.
  • The noexec feature cannot execute shell scripts that lack the #!/path/shell specification.
  • The noexec feature currently does not support the Endpoint Privilege Management for Unix and Linux execute_via_su feature.
  • HP-UX 11.11 requires linker patch PHSS_22535 or newer.

Syntax

noexec=1;

Valid values

Valid values are 0 and 1. This variable has a default value of 0.

Example

noexec=1;

ℹ️

Note

For more information, see the Unix/Linux manual pages for the ld.so (Linux), ld.so.1 (Solaris), ld (HP-UX), and dld.sl (HP-UX) commands.
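The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It enables noexec where the page says it helps (stopping an editor's shell escape) and leaves it off where the page's note and restrictions say it would break things: shell scripts, which must exec other programs, and requests that rely on execute_via_su. The basename() function and the "in" operator are assumptions not taken from the page.

```policy
# Added example (not from the page): block shell escapes from editors and
# pagers without breaking scripts and shells.
# Assumed (not on the page): basename() and the "in" operator.
if (basename(runcommand) in {"vi", "vim", "less", "more"}) {
    # The run host preloads the EPM-UL library that intercepts the exec
    # family, so ":!/bin/bash" inside vi cannot start a new program.
    noexec = 1;
    # The page lists execute_via_su as unsupported together with noexec,
    # so do not combine them for this request.
    execute_via_su = false;
} else if (basename(runcommand) in {"sh", "bash", "ksh"}) {
    # A shell exists to launch programs; with noexec it would be unusable,
    # and scripts run through it would fail at their first external command.
    noexec = 0;
}
accept;
```

noexec only takes effect on 8.5.0 or later run hosts with dynamically linked binaries; an older run host ignores it silently, so a policy that needs the restriction to hold should not rely on noexec alone.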

pblocaldnoglob

Data type

Boolean, modifiable

Description

pblocaldnoglob stops pblocald from expanding arguments to the target program. By setting this variable to a non-zero value, you can duplicate the way EPM-UL version 2.6 and earlier pass arguments.

There is no read-only version of this variable.

Syntax

pblocaldnoglob = boolean;

Valid values

Name    Description
true    Non-zero. Stop pblocald from expanding arguments to the target program.
false   Zero. Allow pblocald to expand arguments to the target program. This setting is the default.

Example

pblocaldnoglob = true;

pbrisklevel

Data type

Number, modifiable

Description

The pbrisklevel variable specifies a risk rating that is passed to BeyondInsight. The data is displayed in the BeyondInsight for Unix & Linux grid and Agent Details grid.

There is no read-only version of this variable.

Syntax

pbrisklevel = number;

Valid values

A whole number in the range of 0 - 9

  • 9 means highest risk
  • 0 means no risk

Default value

If pbrisklevel is not explicitly set in the policy, the risk level setting defaults to zero (0).

Example

pbrisklevel = 3;

pidmessage

Data type

String, modifiable

Description

The pidmessage variable contains an optional string that causes the process ID of the task on the run host to print out at the start of the task.

There is no read-only version of this variable.

ℹ️

Note

EPM-UL ignores pidmessage when running as local mode.

Syntax

pidmessage = string;

Valid values

Any string. The default value is empty.

Example

The following example produces output similar to This is job: sparky 9876 before the target command runs.

pidmessage = "This is job: ";

requestuser

Data type

String, read-only

Description

The requestuser variable contains the value that is specified by the pbrun –u argument. When a user runs pbrun with the –u username option, the value is placed in requestuser. The policy then determines whether or not to honor the request. If the –u command option is not used, then requestuser contains the same value as user.

There is no run version of this variable.

Valid values

A string as described above.

ℹ️

Note

For more information, see the following:

user

runuser
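The following policy fragment is an added example, not code from the page or from BeyondTrust's documentation. It shows the point of the requestuser variable: pbrun -u only expresses what the submitter asked for, and the policy decides what runuser becomes. The page lists runuser as a related variable; treating it as a modifiable string, together with the "in" operator, the print() procedure and the account names, is an assumption.

```policy
# Added example (not from the page): honor pbrun -u only for approved
# combinations of submitter and target account.
# Assumed (not on the page): runuser is a modifiable string, the "in"
# operator, print(), and the account names.
if (requestuser == user) {
    # No -u, or -u naming the submitter: nothing elevated is requested.
    runuser = user;
} else if (group == "appadmins" && requestuser in {"appsvc", "dbsvc"}) {
    # Application administrators may run as the two service accounts.
    runuser = requestuser;
} else if (requestuser == "root" && user in {"oncall1", "oncall2"}) {
    # Only named on-call users may become root, and such runs are flagged
    # at the highest risk level for BeyondInsight.
    runuser = "root";
    pbrisklevel = 9;
} else {
    # Any other -u value is refused; requestuser is still logged with the
    # reject, so the attempted target account is visible afterwards.
    print("not permitted to run as " + requestuser);
    reject;
}
accept;
```

Because requestuser is read-only and logged separately from runuser, the event log always shows both the account that was asked for and the account the task actually ran as.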

rlimit_as

Run version

runrlimit_as

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_as is read-only, runrlimit_as is modifiable.

Description

These variables control the maximum memory available to a process in bytes as a 32-bit number. These variables are equivalent to vmem on some systems. rlimit_as is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_as is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_as functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_as = number;

Valid values

Vary according to platform.

Example

runrlimit_as = 1000;

rlimit_core

Run version

runrlimit_core

ℹ️

Note

This run variable does not apply to pbssh. If present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_core is read-only. runrlimit_core is modifiable.

Description

These variables control the maximum size of a core file in bytes as a 32-bit number. rlimit_core is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_core is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_core functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_core = number;

Valid values

Vary according to platform.

Example

runrlimit_core = 1000;

rlimit_cpu

Run version

runrlimit_cpu

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_cpu is read-only. runrlimit_cpu is modifiable.

Description

These variables control the maximum CPU time of a process in seconds as a 32-bit number.

rlimit_cpu is the read-only value for the user who invokes EPM-UL.

runrlimit_cpu is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_cpu functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_cpu = number;

Valid values

Vary according to platform.

Example

runrlimit_cpu = 1000;

rlimit_data

Run version

runrlimit_data

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_data is read-only. runrlimit_data is modifiable.

Description

These variables control the maximum size of a process’ data segment as a 32-bit number. rlimit_data is the read-only value for the user who invoked Endpoint Privilege Management for Unix and Linux. runrlimit_data is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_data functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_data = number;

Valid values

Vary according to platform.

Example

runrlimit_data = 100;

rlimit_fsize

Run version

runrlimit_fsize

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_fsize is read-only. runrlimit_fsize is modifiable.

Description

These variables control the maximum size of a file in bytes as a 32-bit number. rlimit_fsize is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_fsize is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_fsize functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_fsize = number;

Valid values

Vary according to platform.

Example

runrlimit_fsize = 1000;

rlimit_locks

Run version

runrlimit_locks

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_locks is read-only. runrlimit_locks is modifiable.

Description

These variables control the maximum number of file locks for a process as a 32-bit number.

rlimit_locks is the read-only value for the user who invokes EPM-UL.

runrlimit_locks is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_locks functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_locks = number;

Valid values

Vary according to platform.

Example

runrlimit_locks = 1000;

rlimit_memlock

Run version

runrlimit_memlock

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_memlock is read-only. runrlimit_memlock is modifiable.

Description

These variables control the maximum number of bytes of virtual memory that may be locked at a given time as a 32-bit number. rlimit_memlock is the read-only value for the user who invokes Endpoint Privilege Management for Unix and Linux. runrlimit_memlock is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_memlock functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_memlock = number;

Valid values

Vary according to platform.

Example

runrlimit_memlock = 1000;

rlimit_nproc

Run version

runrlimit_nproc

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_nproc is read-only. runrlimit_nproc is modifiable.

Description

These variables control the maximum number of processes a user may run at a given time as a 32-bit number.

rlimit_nproc is the read-only value for the user who invokes EPM-UL.

runrlimit_nproc is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_nproc functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_nproc = number;

Valid values

Vary according to platform.

Example

runrlimit_nproc = 1000;

rlimit_nofile

Run version

runrlimit_nofile

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_nofile is read-only. runrlimit_nofile is modifiable.

Description

These variables control the maximum number of files a user may have open at a given time as a 32-bit number.

rlimit_nofile is the read-only value for the user who invokes EPM-UL.

runrlimit_nofile is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_nofile functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_nofile = number;

Valid values

Vary according to platform.

Example

runrlimit_nofile = 1000;

rlimit_rss

Run version

runrlimit_rss

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_rss is read-only. runrlimit_rss is modifiable.

Description

These variables control the maximum size of a process’ resident set (number of virtual pages that are resident at a given time) as a 32-bit number.

rlimit_rss is the read-only value for the user who invokes EPM-UL.

runrlimit_rss is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_rss functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_rss = number;

Valid values

Vary according to platform.

Example

runrlimit_rss = 1000;

rlimit_stack

Run version

runrlimit_stack

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. rlimit_stack is read-only. runrlimit_stack is modifiable.

Description

These variables control the maximum size of the process stack in bytes as a 32-bit number.

rlimit_stack is the read-only value for the user who invokes EPM-UL.

runrlimit_stack is the modifiable value for the target secured task.

ℹ️

Note

To enable runrlimit_stack functionality, set runenablerlimits to a value of 1.

Syntax

runrlimit_stack = number;

Valid values

Vary according to platform.

Example

runrlimit_stack = 1000;

runconfirmmessage

Data type

String, modifiable

Description

The runconfirmmessage variable contains the prompt that is displayed when the submitting user is required to enter a password. If a prompt is not set in runconfirmmessage, then the following default prompt is used: type in the user's password.

The Endpoint Privilege Management for Unix and Linux variable runconfirmuser determines if a password is required.

There is no read-only version of this variable.

Syntax

runconfirmmessage = string;

Valid values

A string containing a user-password prompt. The default value is empty, which defaults to type in the user's password.

Example

runconfirmmessage = "Please enter the password for pat";

runconfirmuser

Data type

String, modifiable

Description

The runconfirmuser variable controls whether or not a user must correctly enter a password before the current task request is executed. When this variable is set, the submitting user is prompted for the password that is associated with the run host user name that is set in this variable.

The variable runconfirmmessage determines the password prompt that is displayed to the user after the policy is finished, but before the run host starts the command request. When setting runconfirmuser, it is a good idea to set runconfirmmessage.

If the user fails in three attempts to submit the correct password, the secured task request is not executed. Because the secured task has already been accepted, the Endpoint Privilege Management for Unix and Linux event log records an exit status of ConfirmUser failed.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runconfirmuser = user;

Valid values

A string that contains a user name that is present on the run host (as specified in the runhost variable), for which a password must be supplied before the current task request can be run. The default value is empty, which indicates this password check will not be performed.

Example

runconfirmuser = "sandy";

runconfirmpasswdservice

Data type

String, modifiable

Description

The runconfirmpasswdservice variable stores the name of the PAM password service which will be used to perform password authentication and account management for the user named by the runconfirmuser variable. It overrides pampasswordservice in pb.settings of the run host.

There is no read-only version of this variable.

Syntax

runconfirmpasswdservice = pam_password_service;

Valid values

A string that contains a name of a valid PAM password service that is present on the run host. There is no default value. If this variable is not defined, the server setting pampasswordservice (if set) is used.

Example

runconfirmpasswdservice = "pbul_pam_stack";

runcksum

Data type

String, modifiable

Description

The runcksum variable stores a checksum value. By default, runcksum is an empty string. Run the EPM-UL utility program pbsum to populate the string, which generates application and file checksum values.

Use checksum values to determine if a file or application has changed by establishing a baseline checksum and then comparing that baseline checksum against a checksum that is generated during security policy file processing. If the checksum values are different, then the file or application has changed since generation of the baseline checksum, and EPM-UL will refuse to run it.

Application checksum values can be used to determine if a virus has infected an application or if the file has been changed.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runcksum = string;

Valid values

A string that contains a checksum value that is generated by pbsum. The default value is empty, which specifies no checksum checking.

Example

runcksum = "2f9777ff";

runcksumlist

Data type

List

Description

The runcksumlist variable contains a list of checksum values. By default, runcksumlist is an empty list. Populate it by running the Endpoint Privilege Management for Unix and Linux utility program pbsum, which generates application and file checksum values.

Use checksum values to determine if the target files or applications have changed by establishing baseline checksum values and then comparing those baseline checksum values against a checksum that is generated during security policy file processing. If the checksum value that was generated during security policy file processing does not match any of the values in runcksumlist, then the file or application has changed since generation of the baseline checksum, and Endpoint Privilege Management for Unix and Linux refuses to run it.

Application checksum values can be used to determine if a virus has infected an application or if the file has been changed.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runcksumlist = list of checksum values;

Valid values

A list of strings that represents checksum values generated by pbsum. The default value is empty, which specifies no checksum checking.

Example

runcksumlist={"b3b156bc", "59bf4a99"};

runchroot

Data type

String, modifiable

Description

The runchroot variable contains the name of the user’s root directory. A secured task can access only those files that reside within that root directory. To change the root directory for the current task, set runchroot.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

To use Endpoint Privilege Management for Unix and Linux with the directory that is specified in the runchroot variable, the following files must be copied into that directory:

  • /etc/pb.settings to runchroot/etc
  • Key files in /etc (if using Endpoint Privilege Management for Unix and Linux encryption) to runchroot/etc
  • /usr/lib/symark/pb/* (if using Kerberos, SSL, or LDAP) to runchroot/usr/lib/symark/pb

In addition, if the pbrunlog setting has a value, you must create a corresponding directory under the directory that is specified in runchroot. For example, if pbrunlog is set to /var/log/pbrun.log, then create a runchroot/var/log directory.

Syntax

runchroot = string;

Valid values

A string that contains a valid absolute path specification. The default value is empty, which implies that the entire run host’s file system is accessible.

Example

runchroot = "/usr/local/newroot";

runeffectivegroup

Data type

String, modifiable

Description

runeffectivegroup provides control over the effective group ID (egid) of the secured task. Setting this to a group name makes that group the effective group for the task. If runeffectivegroup is not set, then the value of rungroup specifies the effective group.

Any change to the rungroup variable resets runeffectivegroup to the same value. If you want runeffectivegroup to be different from rungroup, then set runeffectivegroup after rungroup.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runeffectivegroup = group;

Valid values

A string that contains a valid group name. The default value is the value of rungroup.

Example

runeffectivegroup = "bin";

ℹ️

Note

For more information, see the following:

pblogdreconnection

pbrunreconnection

rungroup

runuser

runeffectiveuser

Data type

String, modifiable

Description

runeffectiveuser provides control over the effective user ID (euid) of the requested job. Setting this variable to a user name makes that user the effective user for the job. If it is not set, the value of runuser specifies the effective user.

Any change to the runuser variable resets runeffectiveuser to the same value. If you want runeffectiveuser to be different from runuser, then set runeffectiveuser after runuser.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runeffectiveuser = string;

Valid values

A string containing a valid user name. The default value is the value of runuser.

Example

runeffectiveuser = "bin";

ℹ️

Note

For more information, see the following:

pblogdreconnection

pbrunreconnection

runeffectivegroup

runenablerlimits

Data type

Boolean

Description

This variable determines if the runrlimit variables are used on the run host. This variable must be set to a value of 1 to enable the functionality of the following variables: rlimit_as, rlimit_core, rlimit_cpu, rlimit_data, rlimit_fsize, rlimit_locks, rlimit_memlock, rlimit_nofile, rlimit_nproc, rlimit_rss, rlimit_stack.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runenablerlimits = boolean;

Valid values

  • true: Use the runrlimit_* values on the run host.
  • false: Ignore the runrlimit_* values and use the run host native ulimits. The default is false.

Example

runenablerlimits = true;

runenvironmentfile

Data type

String

Description

The runenvironmentfile variable enables you to specify the absolute path and file name of an environment file. EPM-UL can incorporate the environment variables that are specified in the environment file into the run environment. These environment variables are applied on the run host after the Accept event has been logged.

The runenvironmentfile variable overrides the environmentfile setting in the pb.settings file on the run host.

There is no read-only version of this variable.

The environment file must consist of the following:

  • Comment lines, which have a # character in the first non-whitespace position.
  • Blank lines.
  • Bourne shell compatible environment variable setting lines with the form NAME=VALUE.

Each line in the file must contain less than 1024 characters. Line continuation is not supported. This file must not contain any shell commands or constructs other than the setting of environment variables. Comments must not appear on the same line as an environment variable.
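As an added example (not EPM-UL code), the following validator applies the rules above to a file before it is referenced from runenvironmentfile; the line shapes it accepts come from this page, while the set of characters it treats as shell constructs inside a value is an assumption made for the example.

```python
"""Validate an environment file against the rules runenvironmentfile expects.

Added example, not EPM-UL code. The accepted line shapes (comment lines whose
first non-blank character is '#', blank lines, NAME=VALUE lines of fewer than
1024 characters, no continuation lines, no shell commands, no comment on an
assignment line) come from the documentation; which characters are treated as
shell constructs inside VALUE is an assumption made here.
"""
import re
from typing import Dict, List, Tuple

MAX_LINE_LEN = 1024  # each line must contain fewer than this many characters
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Assumed markers of a shell command or construct that is not a plain assignment.
SHELL_CONSTRUCTS = ("$(", "`", ";", "|", "&")


def parse_env_file(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (variables, errors). Any error means the whole file should be rejected."""
    variables: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) >= MAX_LINE_LEN:
            errors.append(f"line {lineno}: {len(line)} characters, limit is {MAX_LINE_LEN - 1}")
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment line: allowed, nothing to record
        if stripped.endswith("\\"):
            errors.append(f"line {lineno}: line continuation is not supported")
            continue
        name, sep, value = stripped.partition("=")
        if not sep or not NAME_RE.match(name):
            # Covers "export NAME=VALUE", "NAME =VALUE" and lines with no '=' at all.
            errors.append(f"line {lineno}: not a NAME=VALUE assignment")
            continue
        if "#" in value:
            errors.append(f"line {lineno}: comment on the same line as an assignment")
            continue
        construct = next((c for c in SHELL_CONSTRUCTS if c in value), None)
        if construct is not None:
            errors.append(f"line {lineno}: shell construct {construct!r} in value")
            continue
        variables[name] = value  # later assignments override earlier ones, as in a shell
    return variables, errors


def is_valid_env_file(text: str) -> bool:
    return not parse_env_file(text)[1]


# Constructed sample files for demonstration.
GOOD_ENV_FILE = """# constructed sample, accepted
PATH=/usr/bin:/bin
ORACLE_HOME=/opt/oracle

LANG=en_US.UTF-8
"""

BAD_LINES = [
    "export EDITOR=vi",                 # shell command, not a bare assignment
    "TMPDIR=/tmp # trailing comment",   # comment on an assignment line
    "HOSTNAME=$(hostname)",             # command substitution
    "PAD=" + "x" * 1020,                # 1024 characters: one too many
    "MSG=hello \\",                     # line continuation
    "OK=fine",                          # the only acceptable line
]
BAD_ENV_FILE = "\n".join(BAD_LINES) + "\n"

if __name__ == "__main__":
    for label, content in (("good", GOOD_ENV_FILE), ("bad", BAD_ENV_FILE)):
        variables, errors = parse_env_file(content)
        print(f"{label}: {len(variables)} variables, {len(errors)} errors")
        for err in errors:
            print("  ", err)
```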

Syntax

runenvironmentfile = string;

Valid values

A string that contains the absolute path and file name of an environment file. The default value is empty.

Example

runenvironmentfile = "/etc/environment";

runfinish_utc

Data type

String, read-only

Description

The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when the request has finished.

Valid values

Any valid date and time.

runmd5sum

Data type

String, modifiable

Description

The runmd5sum variable stores an MD5 checksum value. By default, runmd5sum is an empty string. Run the EPM-UL utility program pbsum -m to populate the string, which generates the application and file MD5 checksum values.

Use checksum values to determine if a file or application has changed by establishing a baseline checksum and then comparing that baseline checksum against a checksum that is generated during security policy file processing. If the checksum values are different, then the file or application has changed since the generation of the baseline checksum, and EPM-UL refuses to run it.

Application checksum values can be used to determine if a virus has infected an application or if the file has been changed.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runmd5sum = string;

Valid values

A string containing a checksum value generated by pbsum. The default value is empty, which specifies no checksum checking.

Example

runmd5sum = "dda5b3a11ac4e203190fbf0643722a05";

ℹ️

Note

For more information, see pbsum.

runmd5sumlist

Data type

List

Description

The runmd5sumlist variable contains a list of MD5 checksum values. By default, runmd5sumlist is an empty list. Populate it by running the Endpoint Privilege Management for Unix and Linux utility program pbsum -m, which generates application and file MD5 checksum values.

Use MD5 checksum values to determine if the target files or applications have changed by establishing baseline checksum values and then comparing those baseline checksum values against a checksum that is generated during security policy file processing. If the checksum value that was generated during security policy file processing does not match any of the values in runmd5sumlist, then the file or application has changed since generation of the baseline checksum, and Endpoint Privilege Management for Unix and Linux refuses to run it.

Application MD5 checksum values can be used to determine if a virus has infected an application or if the file has been changed.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runmd5sumlist = list of checksum values;

Valid values

A list of strings that represent MD5 checksum values generated by pbsum -m. The default value is empty, which specifies no checksum checking.

Example

runmd5sumlist={"478cd2ea4b868c459d3fcd3132b00853",
"38a0b33c1f5fa6a2ababf0ce386a2494"};

ℹ️

Note

For more information, see the following:

pbsum

runmd5sum

runpamsessionservice

Data type

String, modifiable

Description

The runpamsessionservice variable stores the name of the PAM service which is used to perform account management and session setup and teardown to manage task requests on a run host. It overrides pamsessionservice in pb.settings of the run host.

There is no read-only version of this variable.

Syntax

runpamsessionservice = pam_session_service;

Valid values

A string that contains a name of a valid PAM session service that is present on the run host. There is no default value. If this variable is not defined, the run host’s pb.setting pamsessionservice (if set) is used.

Example

runpamsessionservice = "pbul_pam_stack";

ℹ️

Note

For more information, see the following:

runhost

pamsessionservice

runpamsetcred

Data type

Integer, modifiable

Description

The runpamsetcred variable enables the pam_setcred() function, which is used to establish possible additional credentials of a user. It overrides pamsetcred in pb.settings of the run host.

There is no read-only version of this variable.

Syntax

runpamsetcred = number;

Valid values

  • 1 or true: Enable pam_setcred().
  • 0 or false: Do not enable pam_setcred().

Example

runpamsetcred = 1;

ℹ️

Note

For more information, see the following:

runhost

pamsetcred

runpid

Data type

Number, read-only

Description

The runpid variable contains the PID of the module processing the secured task. In the case of optimized run mode, this PID (for pbrun) is the same as the submitpid. Otherwise, this contains the PID of pblocald.

This read-only variable is not available during the processing of the policy, because it is created after the policy performs an accept. This variable is available in the event log.

There is no run version of this variable.

Valid values

A number that contains a pid.

This is a read-only variable.

ℹ️

Note

For more information, see the following:

logpid

pid

submitpid

taskpid

runptyflags

Data type

Internal

Description

Flags that are used internally for pty settings; reserved for internal use.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

runsecurecommand

Data type

Boolean

Description

The runsecurecommand variable enables you to perform an extra check on the security of the requested command. This check helps ensure that someone other than root or the runuser (for example, sys or oracle), could not have compromised the command.

When set to true, the run command and all directories above it are checked to see if anyone other than root or the run user has write permission. If the command file or any of the directories above it are writable by anyone other than root or the runuser, then the run host refuses to run the command. The runsecurecommand setting can be set to yes on the run host for the same effect.
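The check described above, as an added example that is not EPM-UL code: the page does not spell out how "writable by anyone other than root or the run user" is evaluated, so this example takes the reading that every path component must be owned by uid 0 or the run user and carry neither the group-write nor the other-write bit, and it runs against a constructed filesystem table (pass os.stat for a real host).

```python
"""Model of the runsecurecommand check: the command file and every directory
above it must be writable only by root or the run user.

Added example, not EPM-UL code. Assumption: each path component must be owned by
uid 0 or the run user's uid and must have neither S_IWGRP nor S_IWOTH set.
stat_fn is injectable so the check can be shown on a constructed table; on a
real run host use os.stat and pwd.getpwnam(runuser).pw_uid.
"""
import os
import stat
from pathlib import PurePosixPath
from typing import Callable, List, NamedTuple


class FakeStat(NamedTuple):
    """Just the two fields the check reads from a stat result."""
    st_uid: int
    st_mode: int


def path_components(path: str) -> List[str]:
    """'/opt/app/bin/tool' -> ['/', '/opt', '/opt/app', '/opt/app/bin', '/opt/app/bin/tool']."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("the run command must be an absolute path")
    return [str(parent) for parent in reversed(p.parents)] + [str(p)]


def insecure_components(path: str, run_uid: int, stat_fn: Callable = os.stat) -> List[str]:
    """Return one finding per component that would make the run host refuse the command."""
    findings: List[str] = []
    for component in path_components(path):
        st = stat_fn(component)
        if st.st_uid not in (0, run_uid):
            findings.append(f"{component}: owned by uid {st.st_uid}, not root or the run user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{component}: group- or world-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


def command_is_secure(path: str, run_uid: int, stat_fn: Callable = os.stat) -> bool:
    return not insecure_components(path, run_uid, stat_fn)


# Constructed filesystem table: uid 1001 plays the run user.
FAKE_FS = {
    "/": FakeStat(0, 0o40755),
    "/usr": FakeStat(0, 0o40755),
    "/usr/bin": FakeStat(0, 0o40755),
    "/usr/bin/df": FakeStat(0, 0o100755),
    "/opt": FakeStat(0, 0o40755),
    "/opt/oracle": FakeStat(1001, 0o40755),
    "/opt/oracle/bin": FakeStat(1001, 0o40775),       # group-writable: refused
    "/opt/oracle/bin/dbstart": FakeStat(1001, 0o100755),
}


def fake_stat(path: str) -> FakeStat:
    return FAKE_FS[path]


if __name__ == "__main__":
    for cmd in ("/usr/bin/df", "/opt/oracle/bin/dbstart"):
        print(cmd, "secure" if command_is_secure(cmd, 1001, fake_stat) else "REFUSED")
        for finding in insecure_components(cmd, 1001, fake_stat):
            print("   ", finding)
```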

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runsecurecommand = boolean;

Valid values

  • true: Non-zero. Check that the runcommand is writable only by root or the runuser.
  • false: Zero. No check is performed. The default is false.

Example

runsecurecommand = true;

runtimelimit

Data type

Integer, modifiable

Description

The runtimelimit variable specifies a time limit for a task request. If the job does not finish within the specified number of seconds, then it is terminated. This is similar to runtimeout, but is based on total time rather than idle time.

ℹ️

Note

The runtimelimit variable is not honored in local mode.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runtimelimit = number;

Valid values

  • positive number: Enable time limit checking.
  • 0 or negative number: Disable time limit checking. This setting is the default.

Example

runtimelimit = 3600;

ℹ️

Note

For more information, see the following:

runtimeout

submittimeout

runtimewarn

runtimewarnlog

runtimeout

Data type

Integer, modifiable

Description

The runtimeout variable specifies the amount of idle time, in seconds, that the submitting user is allowed before the run host terminates the current request. To change the idle time specification, set runtimeout.

There is no read-only version of this variable.

ℹ️

Note

The runtimeout variable is not honored in local mode.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runtimeout = number;

Valid values

  • positive number: Enable idle checking.
  • 0 or negative number: Disable idle checking. This setting is the default.

Example

runtimeout = 600;

ℹ️

Note

For more information, see the following:

runtimelimit

submittimeout

On runtimeout and runtimeoutoverride, Endpoint Privilege Management for Unix and Linux Administration Guide

runstart_utc

Data type

String, read-only

Description

The UTC time, in YYYY-MM-DDTHH:MM:SS.000Z format, when the request is received.

Valid values

Any valid date and time.

runutmpuser

Data type

String, modifiable

Description

The runutmpuser variable contains the User Id that appears in the utmp logs on the run host. By default, runutmpuser is set to the value of the user variable.

To change the name of the user that appears in utmp, set runutmpuser. If user does not exist on the run host, then runutmpuser is set to the value of the runuser variable.

There is no read-only version of this variable.

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Syntax

runutmpuser = string;

Valid values

A string that contains the utmp User Id. The default value is the value of the user variable.

Example

runutmpuser = "root";

Example

runutmpuser = "runuser";

ℹ️

Note

For more information, see the following:

requestuser

runuser

user

selinux

Data type

Integer, read-only

Description

The selinux variable indicates whether the pbrun client that is requesting the secured task is running confined in the SELinux environment. This variable is not present when the submit host is not integrated with SELinux. You can use the isset() function to determine if pbrun is running confined.

Valid values

An integer, as described above. If pbrun is running unconfined, the variable is not present.

Example

if (isset("selinux"))
{
print ("SELINUX: ", selinux);
}

shellallowedcommands

Data type

List

Description

This variable contains a list of strings that contain commands that may be run without any further authorization. Each element of the list can contain either a command basename or absolute path. Shell template characters can be used at any point. This variable is used by pbsh and pbksh at startup time.

Syntax

shellallowedcommands = list;

Valid values

A list of strings containing commands.

Example

if (pbclientmode == "shell start")
shellallowedcommands = {"date", "/bin/df", "/usr/local/bin/*"};

ℹ️

Note

For more information, see the following:

pbclientmode

shellcheckbuiltins

shellcheckredirections

shellforbiddencommands

shelllogincludefiles

shellreadonly

shellcheckbuiltins

Data type

Boolean

Description

When set to true, this variable directs the shell to check shell built-in commands as if they were standard commands. This variable is used by pbsh and pbksh at startup time.

Syntax

shellcheckbuiltins = boolean;

Valid values

  • true: EPM-UL shells authorize and log shell built-in commands.
  • false: EPM-UL shells do not authorize or log shell built-in commands.

Example

shellcheckbuiltins = true;

shellcheckredirections

Data type

Boolean

Description

When set to true, this variable directs the shell to authorize I/O redirections (for example, <, >, >>). When this variable is set to false, I/O redirection is always allowed. pbsh and pbksh use this variable at startup time.

Syntax

shellcheckredirections = boolean;

Valid values

  • true: EPM-UL shells authorize and log shell I/O redirection requests.
  • false: Always allows I/O redirection.

Example

shellcheckredirections = true;

shellforbiddencommands

Data type

List

Description

This variable contains a list of strings that specify commands that will be rejected by pbksh and pbsh without consulting an Endpoint Privilege Management for Unix and Linux policy server daemon. Each element of the list can contain either a command basename or absolute path. Shell template characters can be used at any point. This variable is used by pbsh and pbksh at startup time.

Syntax

shellforbiddencommands = list;

Valid values

A list of strings as described above.

Example

if (pbclientmode == "shell start")
shellforbiddencommands = {"/etc/*", "/usr/sbin/*",
"format", "/sbin/umount"};
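An added example (not EPM-UL code) that applies the shellallowedcommands list shown earlier and this shellforbiddencommands list to a few commands. From the page: entries are a basename or an absolute path and may use shell template characters. Assumptions made here: a basename entry is compared with the basename of whatever was typed, an absolute entry with the command's resolved absolute path, forbidden entries are checked before allowed ones, and a constructed table stands in for the PATH search.

```python
"""Classify a command against pbsh/pbksh-style allowed and forbidden lists.

Added example, not EPM-UL code. Assumptions: basename entries match the typed
command's basename wherever it lives, absolute entries match the resolved path,
forbidden entries win over allowed ones, and PATH_TABLE replaces a PATH search.
"""
import fnmatch
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for a PATH search on the host running the shell.
PATH_TABLE: Dict[str, str] = {
    "date": "/bin/date",
    "df": "/bin/df",
    "umount": "/sbin/umount",
    "vi": "/usr/bin/vi",
}


def resolve(command: str, path_table: Dict[str, str] = PATH_TABLE) -> Optional[str]:
    """Absolute commands resolve to themselves; bare names go through the table."""
    if command.startswith("/"):
        return os.path.normpath(command)
    return path_table.get(command)


def entry_matches(entry: str, command: str, resolved: Optional[str]) -> bool:
    """Match one list element; fnmatch makes '*' and '?' behave as shell templates."""
    if "/" in entry:
        return resolved is not None and fnmatch.fnmatchcase(resolved, entry)
    # A basename entry matches the name alone, whatever directory it came from.
    return fnmatch.fnmatchcase(os.path.basename(command), entry)


def classify(command: str, allowed: Iterable[str], forbidden: Iterable[str],
             path_table: Dict[str, str] = PATH_TABLE) -> str:
    """'forbidden' (rejected locally), 'allowed' (run without authorization),
    or 'authorize' (everything else is sent to the policy server)."""
    resolved = resolve(command, path_table)
    if any(entry_matches(e, command, resolved) for e in forbidden):
        return "forbidden"
    if any(entry_matches(e, command, resolved) for e in allowed):
        return "allowed"
    return "authorize"


# The two lists from the examples on the page.
ALLOWED = ["date", "/bin/df", "/usr/local/bin/*"]
FORBIDDEN = ["/etc/*", "/usr/sbin/*", "format", "/sbin/umount"]

if __name__ == "__main__":
    for cmd in ("date", "df", "/usr/local/bin/backup", "umount", "format",
                "/usr/sbin/useradd", "vi", "/tmp/date"):
        print(f"{cmd:24} -> {classify(cmd, ALLOWED, FORBIDDEN)}")
```

Note that /tmp/date is classified as allowed because the basename entry date matches regardless of directory; absolute-path entries do not have that weakness, which is worth weighing when building the list.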

shelllogincludefiles

Data type

Boolean

Description

This variable controls whether the contents of included (sourced) shell scripts should be recorded in the I/O logs.

This is effective only if I/O logging for the shell is enabled. This variable is used by pbsh and pbksh at startup time.

Syntax

shelllogincludefiles = boolean;

Valid values

  • true: EPM-UL shells authorize and log files that shell scripts and profiles include (source).
  • false: Contents of included shell scripts are not recorded in I/O logs.

Example

if (pbclientmode == "shell start") shelllogincludefiles = true;

shellreadonly

Data type

List

Description

The variable shellreadonly contains a list of environment variables that pbsh and pbksh set to read-only at startup time. If a listed variable does not exist at startup time, then its entry is ignored. pbsh and pbksh use this variable at startup time.

Syntax

shellreadonly = list;

Valid values

A list of environment variables.

Example

if (pbclientmode == "shell start")
shellreadonly = {"PATH", "IFS", "SHELL", "ENV"};

ℹ️

Note

For more information, see the following:

pbclientmode

shellrestricted

Data type

Boolean

Description

Controls whether Endpoint Privilege Management for Unix and Linux shells run in restricted mode. Restricted mode has the following limitations:

  • The cd command is disabled.
  • The environment variables SHELL, ENV, and PATH are read-only.
  • Command names cannot use absolute or relative paths.
  • The -p option of the built-in command is disabled.
  • I/O redirections (>, >|, >>, and <>) that create files are disabled.

Syntax

shellrestricted = boolean;

Valid values

  • true: Runs Endpoint Privilege Management for Unix and Linux shells in restricted mode.
  • false: Disables restricted mode. The default is false.

Example

shellrestricted = true;

solarisproject

Run version

runsolarisproject

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

String. solarisproject is read-only. runsolarisproject is modifiable.

Description

The solarisproject and runsolarisproject variables specify a Solaris project that the secured task should be associated with on a Solaris 9 or higher runhost. These variables initially contain the project specified on the pbrun command line, or the empty string "" if no project was specified there. If no project has been specified (runsolarisproject equals ""), the default project (as defined by Solaris) is associated with the secured task. If set to an invalid project name for the runuser, or specified for a non-Solaris runhost, the secured task is not executed.

Valid values

A string containing a valid Solaris project on a Solaris runhost.

Example

runsolarisproject = "group.acctng";

Example

runsolarisproject = "user.database";

Backwards Compatibility

Earlier versions of pbmasterd do not set the solarisproject and runsolarisproject variables; however, the policy can set the runsolarisproject variable.

submithost

Data type

String, read-only

Description

The submithost variable contains the name of the machine from which the current task request was submitted (that is, the submit host). submithost is what the policy server considers the client name to be (based on the current submithost network interface).

The submithost and host and runhost variables are closely related. By default, the host and runhost variables are set to submithost, unless the user requests a specific run host by using the -h argument of the pbrun command.

There is no run version of this variable.

Valid values

A string that contains the fully qualified name of the submit host machine. This is a read-only variable.

ℹ️

Note

For more information, see the following:

host

runhost

masterhost

pid

subprocuser

timezone

submithostip

Data type

String, read-only

Description

The submithostip variable contains the IP address of the machine from which the current task request was submitted (that is, the submit host).

There is no run version of this variable.

Valid values

A string that contains a valid IP address. This is a read-only variable.

ℹ️

Note

For more information, see the following:

host

masterhost

pid

runhost

submithost

subprocuser

timezone

submitpid

Data type

Number, read-only

Description

The submitpid variable contains the PID of the client (pbrun, pbsh, pbksh) submitting the task request.

This read-only variable is available during the processing of the policy, and in the event log.

There is no run version of this variable.

Valid values

A number that contains a PID.

This is a read-only variable.

ℹ️

Note

For more information, see the following:

logpid

pid

runpid

taskpid

taskpid

Data type

Number, read-only

Description

The taskpid variable contains the PID of the secured task launched by pbrun, or the session associated with pbksh/pbsh if iologging is on.

This variable is populated when the secured task is executed, and has no value until a session starts; therefore it cannot be used in the policy. This variable is shown in the Finish event of the eventlog only when a logserver is used. It can also be used in the new 7.0 syslog formatting settings, syslogsession_start_format and syslogsession_finish_format.

For pbksh and pbsh, this variable is only populated if iologging is turned on.

Valid values

A number that contains a PID. This is a read-only variable.

Example

syslogsession_finished_format "Endpoint Privilege Management for Unix and Linux finished %command% pid:%taskpid% on %date% at %hour%:%minute%."

taskttyname

Data type

String, read-only

Description

The taskttyname variable contains the name of the TTY device (that is, the terminal) associated to the secured task launched by pbrun, or the session associated with pbksh/pbsh if iologging is on.

This variable is populated when the secured task is executed, and has no value until a session starts; therefore it cannot be used in the policy. This variable is shown in the Finish event of the eventlog only when a logserver is used. It can also be used in the new 7.0 syslog formatting settings, syslogsession_start_format and syslogsession_finish_format.

For pbksh and pbsh, this variable is only populated if iologging is turned on.

Valid values

A string that contains a TTY name. This is a read-only variable.

timezone

Data type

String, read-only

Description

The timezone variable contains a standard representation of the time zone on the machine from which the current task request was submitted (that is, the submit host). The timezone variable is relevant for users working in a cross-platform environment in which the submit host is a Sun machine that has its time zone set to a geographic region rather than the usual time zone file. Note that this variable applies to Solaris installations. The format of the timezone variable depends on the operating system configuration parameters.

There is no run version of this variable.

Valid values

A string that contains the standard representation of the time zone. The format of the timezone variable is dependent upon operating system configuration parameters. This is a read-only variable.

ℹ️

Note

For more information, see the following:

submithost

runstart_utc

runfinish_utc

logaccept_utc

logreject_utc

logkeystroke_utc

logfinish_utc

logserver_utcoffset

master_utcoffset

ttyname

Data type

String, read-only

Description

The ttyname variable contains the name of the TTY device (that is, the terminal) from which the current task request was submitted on the submit host. If the client is running in pipe mode, then the value is null.

There is no run version of this variable.

Valid values

A string that contains a TTY name. This is a read-only variable.

user

Run version

runuser

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it could produce undesirable results.

Data type

String. user is read-only. runuser is modifiable.

Description

The user and runuser variables contain the login name of the user who submitted the current task request (that is, the submitting user). By default, the current task runs under this user ID.

To change the user ID the current task runs under, set the runuser variable.

Syntax

runuser = string;

Valid values

A string that contains a valid user name on the run host. user is a read-only variable and therefore has no default value. The default value of runuser is empty.

Example

runuser = "root";

ℹ️

Note

For more information, see the following:

requestuser

runeffectivegroup

runutmpuser

umask

Run version

runumask

ℹ️

Note

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

Data type

Number. umask is read-only. runumask is modifiable.

Description

The umask and runumask variables contain the umask value of the submitting user. The umask specifies the permission bits (read, write, execute for owner, group and others) that are removed from the mode of newly created files. To change the umask that the secured task runs with, set runumask.

ℹ️

Note

For more information on umask, refer to the Unix/Linux manual page for umask.

Syntax

runumask = number;

Valid values

A number containing a valid umask value for the submitting user. These variables have no default values; the pbrun command environment initializes them.

Example

runumask = 022;
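The following policy fragment is an added example written for this page; it is not part of the original documentation or of BeyondTrust's shipped policies. It ties together the variables described above: the read-only submit-side values user, ttyname, umask and submitpid drive the decision, and the run variables runuser and runumask control how the accepted task runs. The user list and command list are constructed for the example, the runcommand variable and the print(), in and && constructs are policy-language features not described on this page, and the test that a pipe-mode ttyname compares equal to "" is an assumption.

```text
# Added example, not BeyondTrust's own policy. Lists below are constructed.
dba_users = {"alice", "bob"};
dba_cmds  = {"/usr/bin/systemctl", "/usr/sbin/service"};

if (user in dba_users && runcommand in dba_cmds) {
    # Decide the run identity in the policy rather than leaving it at the
    # submitting user's identity: the task will run as root on the run host.
    runuser = "root";

    # The submitting user's umask (read-only umask) is whatever their shell
    # set, often 022. A root task creating files with that mask leaves them
    # world-readable, so override it for the secured task only.
    runumask = 077;

    # ttyname is empty when the client runs in pipe mode (assumption: it
    # compares equal to ""). Require an interactive terminal for the
    # privileged task so the session is tied to a TTY that can be logged.
    if (ttyname == "") {
        print("Interactive terminal required for", runcommand);
        reject;
    }
    accept;
}

# Everything else is refused; submitpid identifies the client process in the
# event log alongside the rejection.
print("Rejected", runcommand, "from", user, "client pid", submitpid);
reject;
```

Note that umask and submitpid are read-only, so the policy can test them but only runuser and runumask are written; taskpid and taskttyname are not referenced because, as described above, they have no value while the policy runs.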

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.