The following predefined global variables are initialized from the submit user's environment.
| Variable | Data Type | Description |
|---|---|---|
| alertkeyaction | string | Action to be taken when alertkeysequence is matched. |
| alertkeysequence | list | List of patterns to match in a session. |
| disable_exec | integer | Specifies whether to prevent the runcommand process from executing new processes. |
| eventlog | string | Pathname of the audit log. |
| eventloghost | string | Host name list for remote event logging. |
| execfailedmsg | string | Message to display if runcommand cannot run. |
| iolog | string | Pathname of the keystroke log. |
| iolog_encrypt | integer | Specifies whether to encrypt the keystroke log. |
| iolog_errmax | integer | Max bytes to log for a stderr message. |
| iolog_opmax | integer | Max chars to log for a stdout message. |
| iologhost | string | Host name list for remote keystroke logging. |
| log_passwords | integer | Specifies whether to exclude passwords from the keystroke log. |
| logomit | list | Variables to omit from the audit and keystroke logs. |
| logstderr | integer | Specifies whether to keystroke log stderr messages. |
| logstdin | integer | Specifies whether to keystroke log stdin messages. |
| logstdout | integer | Specifies whether to keystroke log stdout messages. |
| notfoundmsg | string | Message to display if the runcommand is not found on the run host. |
| passprompts | list | Detects presence of password prompts. |
| pmshell_allow | list | Commands to allow in a Privilege Manager for Unix shell without further authorization. |
| pmshell_allowpipe | list | Commands to allow in a Privilege Manager for Unix shell without further authorization if input is from a pipe. |
| pmshell_checkbuiltins | integer | Specifies whether to authorize shell built-in commands in a Privilege Manager for Unix shell. |
| pmshell_forbid | list | Commands to forbid in a Privilege Manager for Unix shell without further authorization. |
| pmshell_readonly | list | Variables to mark as read-only in a Privilege Manager for Unix shell. |
| pmshell_reject | string | Reject message to display when a forbidden command runs in a Privilege Manager for Unix shell. |
| pmshell_restricted | integer | Specifies whether to run a Privilege Manager for Unix shell in restricted mode. |
| preserve_clienthost | integer | Specifies whether to use the originating login host name in preference to the submit host. |
| profile_keepenv | list | A list of values specified by the keepenv() call. |
| profile_setenv | list | A list of values specified by the setenv() call. |
| profile_unsetenv | list | A list of values specified by the unsetenv() call. |
| profile_use_runuser | string | Specifies whether to use the runuser’s environment rather than the submit user’s environment |
| rejectmsg | string | Message to display when a session is rejected. |
| runargv | list | List of arguments for the request. |
|
boolean |
The run version of bkgd. When set to True, lets the user stop the pmrun call and move it to the background. | |
| runchroot | string | Requests the command to run with a specified root directory. |
| runcksum | string | Identifies a checksum to use to verify against the runcommand. |
| runclienthost | string | A modifiable copy of the clienhost input variable. |
| runcommand | string | Full pathname of the request. |
| runconfirmuser | string | Specifies whether the agent should request the runuser to authenticate before executing the runcommand. |
| runcwd | string | Working directory to set for the request. |
|
boolean |
Lets you use runrlimit variables on the run host. | |
| runenv | list | List of environment variables to set for the request. |
| rungroup | string | Primary group to set for the request. |
| rungroups | list | List of secondary groups to set for the request. |
| runhost | string | Host on which to run the request. |
| runnice | integer | Nice value to apply for the request. |
| runpaths | list | A list of permitted paths for commands. |
| runptyflags | string | Pty flags to apply for the request. |
|
string |
Controls the maximum memory that is available to a process. | |
|
string |
Controls the maximum size of a core file. | |
|
string |
Controls the maximum size CPU time of a process. | |
|
string |
Controls the maximum size of data segment of a process. | |
|
string |
Controls the maximum size of a file. | |
|
string |
Control the maximum number of file locks for a process. | |
|
string |
Controls the maximum number of bytes of virtual memory that can be locked. | |
|
string |
Controls the maximum number of files a user may have open at a given time. | |
|
string |
Controls the maximum number of processes a user may run at a given time. | |
|
string |
Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process. | |
|
string |
Controls the maximum size of the process stack. | |
| runtimeout | integer | Specifies the number of seconds of idle time before ending the session. |
| runumask | integer | Umask value to apply for the request. |
| runuser | string | User to run the request. |
| runutmpuser | string | Utmp user to use when logging to utmp. |
| subprocuser | string | User name to run subprocesses of the policy server master daemon. |
|
string |
Directory used for temporary storage of I/O log files if a remote log host is specified in iologhost. |
Type string READ/WRITE
alertkeyaction contains the action to be taken if a command matches a pattern configured in alertkeysequence. The alertkeyaction can be defined as "reject", "log" or any custom string. The default value is "log".
switch (user) {
case "root" : alertkeyaction = "ignore"; break;
default : alertkeyaction = "log"; break;
}Type list READ/WRITE
alertkeysequence contains a list of regular expressions, against which pmlocald checks the standard input commands entered by the user during a session. If a match is found, then an alert is raised in the event log.
Switch (user) {
case "root": alertkeysequence={"passwd"};
alertkeyaction="log";
break;
default : alertkeysequence={"passwd", "shutdown"};
alertkeyaction="reject";
break;
}Type integer READ/WRITE
Use disable_exec to prevent the runcommand process from executing new UNIX processes. For example, you can prevent a vi session from executing shell commands. This variable is only supported if the underlying operating system supports the noexec feature; that is, Linux, Solaris, HP-UX, and AIX. If set to true(1), Privilege Manager for Unix sets the LD_PRELOAD environment variable, which causes the runcommand to be loaded with a Privilege Manager for Unix library that overrides the system exec functions, and thus prevents the runcommand from using exec to create a new process.
if (basename(runcommand) in editor_program_list)
{
disable_exec=true;
}© ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 쿠키 기본 설정 센터