Privilege Manager for Unix 7.3 - Administration Guide

Variable scope

All variables are global in scope unless declared from within a function or procedure.

If a variable is first declared in a function or procedure, it has local scope within that particular function or procedure and is deleted once the function or procedure returns.

Example
gvar1="global";

procedure p1() {
   gvar1="changed in f1";        # gvar1 has global scope
   pvar1="local_to_p1";          # pvar1 is local to procedure p1()
   p2();                         # call p2() while pvar1 is still in scope here
}

procedure p2() {
   gvar1="changed in f2";        # gvar1 is still global
   print((defined pvar1 ? pvar1 : "undefined"));
                                 # this line prints "undefined" since
                                 # pvar1 is now out of scope
}

Global input variables

The following predefined global variables are initialized from the submit user's environment. You can use these variables in the decision-making process in the policy file, but you cannot change their values.

Table 29: Global input variables

| Variable | Data type | Description |
|---|---|---|
| alertkeymatch | string | The pattern matched by pmlocald. |
| argc | integer | Number of arguments in the request. |
| argv | list | List of arguments in the request. |
| bkgd | boolean | Reflects the "-b" background argument of a pmrun call. |
| client_parent_pid | integer | Process ID of the client's parent process. |
| client_parent_uid | integer | User ID associated with the client's parent process. |
| client_parent_procname | string | Process name of the client's parent process. |
| clienthost | string | Originating login host. |
| command | string | Pathname of the request. |
| cwd | string | Current working directory. |
| date | string | Current date. |
| day | integer | Current day of the month as an integer. |
| dayname | string | Current day of the week. |
| domainname | string | The Active Directory domain name for the submit user if Authentication Services is configured. |
| env | list | List of the submit user's environment variables. |
| false | integer | Constant value. |
| FEATURE_LDAP | integer | Read-only constant used with the feature_enabled() function. |
| FEATURE_VAS | integer | Read-only constant used with the feature_enabled() function. |
| gid | integer | Group ID of the submitting user's primary group on the sudo host. |
| group | string | Submit user's primary group. |
| groups | list | Submit user's secondary groups. |
| host | string | Host destined to run the request. |
| hour | integer | Current hour. |
| masterhost | string | Host on which the master process is running. |
| masterversion | string | Privilege Manager for Unix version of masterhost. |
| minute | integer | Current minute. |
| month | integer | Current month. |
| nice | integer | nice value of the submit user's login. |
| nodename | string | Hostname of the pmrun agent. |
| optarg | integer | Contains the parameter for the last argument, or an empty string. |
| opterr | integer | Determines whether to display errors from the getopt functions. |
| optind | integer | Contains the current argument list index. Use with the getopt functions. |
| optopt | string | Contains the letter of the last option that had an issue. Use with the getopt functions. |
| optreset | boolean | Restarts the getopt functions from the beginning. |
| optstrictparameters | boolean | Lets getopt_long() recognize non-compliant argument parameter forms. |
| pid | integer | Process ID of the master process. |
| pmclient_type | integer | The type of client that sent the request. |
| pmclient_type_pmrun | integer | Read-only constant for pmrun type clients. |
| pmclient_type_sudo | integer | Read-only constant for sudo type clients. |
| pmshell | integer | Identifies a Privilege Manager for Unix shell program. |
| pmshell_builtin | integer | A constant value that identifies a shell builtin command. |
| pmshell_cmd | integer | Identifies a command run from a Privilege Manager for Unix shell program. |
| pmshell_cmdtype | integer | Identifies the type of a shell subcommand. |
| pmshell_exe | integer | A constant value that identifies a normal executable command. |
| pmshell_interpreter | integer | Identifies the program directive of a shell script. |
| pmshell_prog | string | Name of the Privilege Manager for Unix shell program. |
| pmshell_script | integer | A constant value that identifies a shell script. |
| pmshell_uniqueid | string | uniqueid of the Privilege Manager for Unix shell program. |
| pmversion | string | Privilege Manager for Unix version string of the client. |
| ptyflags | string | Identifies the ptyflags of the request. |
| requestlocal | integer | Indicates whether the request is local. |
| requestuser | string | User that the submit user wants to run the request as. |
| rlimit_as | string | Controls the maximum memory that is available to a process. |
| rlimit_core | string | Controls the maximum size of a core file. |
| rlimit_cpu | string | Controls the maximum CPU time of a process. |
| rlimit_data | string | Controls the maximum size of the data segment of a process. |
| rlimit_fsize | string | Controls the maximum size of a file. |
| rlimit_locks | string | Controls the maximum number of file locks for a process. |
| rlimit_memlock | string | Controls the maximum number of bytes of virtual memory that can be locked. |
| rlimit_nofile | string | Controls the maximum number of files a user may have open at a given time. |
| rlimit_nproc | string | Controls the maximum number of processes a user may run at a given time. |
| rlimit_rss | string | Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process. |
| rlimit_stack | string | Controls the maximum size of the process stack. |
| samaccount | string | The sAMAccountName for the submit user if Authentication Services is configured. |
| selinux | integer | Identifies whether the client is running in an SELinux environment. |
| status | integer | Exit status of the most recent system command. |
| submithost | string | Name of the submit host. |
| submithostip | string | IP address of the submit host. |
| thishost | string | The value of the thishost setting in pm.settings on the client. |
| time | string | Current time of the request. |
| true | integer | Read-only constant with a value of 1. |
| ttyname | string | ttyname of the submit request. |
| tzname | string | Name of the time zone on the server at the time the event was read from the event log by pmlog. |
| uid | integer | User ID of the submitting user on host. |
| umask | integer | umask of the submit user. |
| unameclient | list | Uname output on host. |
| unamemaster | list | Uname output on the policy server host. |
| uniqueid | string | Uniquely identifies a request in the event log. |
| use_rundir | string | Contains the value "!~!" and represents the runuser's home directory on the runhost. |
| use_rungroup | string | Contains the value "!g!" and represents the runuser's primary group on the runhost. |
| use_rungroups | string | Contains the value "!G!" and represents the runuser's secondary group list on the runhost. |
| use_runshell | string | Contains the value "!!!" and represents the runuser's login shell on the runhost. |
| user | string | Submit user. |
| year | integer | Year of the request (YY). |
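As an added example that is not from the guide, the following policy fragment shows how several of these read-only variables feed the accept/reject decision for a request. The host list, the editor list and the dayname spellings are constructed here, and the accept and reject statements and the C-style ! operator are assumed to be part of the policy language.

```pmpolicy
# Added example, not from the guide: a decision based on the read-only
# input variables above. Lists and dayname spellings are constructed;
# accept, reject and the "!" operator are assumed language features.

root_client_hosts = {"bastion1", "bastion2"};   # clients allowed to ask for root
weekend_days      = {"Saturday", "Sunday"};     # assumed spelling of dayname
editor_programs   = {"vi", "vim", "view"};

# 1. Root may only be requested from a known client host, on a weekday,
#    between 08:00 and 17:59 on the policy server's clock (hour, dayname).
if (requestuser == "root") {
    if (!(clienthost in root_client_hosts)) {
        reject "root requests are not accepted from this client host";
    }
    if ((dayname in weekend_days) || (hour < 8) || (hour >= 18)) {
        reject "root requests are only accepted 08:00-17:59 on weekdays";
    }
}

# 2. An editor started in the background (pmrun -b, reflected in bkgd)
#    cannot be interactive, which usually means a scripted request:
#    refuse it and leave a line in the policy log.
if ((basename(command) in editor_programs) && bkgd) {
    print("background editor request refused");
    reject "editors may not be run in the background";
}

# 3. pmclient_type tells sudo-style clients apart from pmrun clients.
#    Requests arriving through the sudo client are honoured only for the
#    submit user's own account; any change of user must come via pmrun,
#    which rule 1 above governs.
if ((pmclient_type == pmclient_type_sudo) && (requestuser != user)) {
    reject "use pmrun to run commands as another user";
}

# 4. Anything not rejected above is allowed.
accept;
```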

alertkeymatch

Description

Type string READONLY

alertkeymatch contains the pattern matched by pmlocald. This variable is not available for use in the policy file; it is only available in the event log. To view the event log, use the pmlog -l command.

Example
#view all alerts recorded in the audit log that match the pattern "passwd" 
pmlog -l -c 'alertkeymatch == "passwd"'
Related Topics

alertdate

alertkeysequence

alertkeyaction

alerttime

argc

Description

Type integer READONLY

argc contains the number of arguments supplied for the original command. This includes the command name itself. For example, if the original command is pmrun ls -al, then argc is set to 2.

Example
# if any arguments are passed to an editor program in vi_program_list (such as vi),
# verify that the path is not in a list of forbidden directories;
# vi_program_list and forbid_dir_list are assumed to be defined earlier in the policy
if ((basename(command) in vi_program_list) && (argc > 1))
{
   count=0;
   while (count < length(forbid_dir_list))
   {
      # only the first argument (argv[1]) is inspected here
      if (glob(forbid_dir_list[count], dirname(argv[1])))
      {
         reject "You are not allowed to edit a file in this directory";
      }
      count=count+1;
   }
}
Related Topics

argv
