Type list READ/WRITE
runargv specifies the complete argument list for the session. This variable is initialized from the value of the incoming argv variable.
# Setting the runargv in the policy file can be used to add additional
# command line arguments to programs
if (command == "runTest")
{
runargv=replace(runargv,1,length(runargv));
runargv=append(runargv, "-u", user };
}Type boolean WRITABLE
runbkgd determines whether a command is run in the background. If set to True, the command will ignore the SIGHUP (hangup) signal. This variable is initialized from the value of the incoming variable bkgd.
This variable does not affect commands run via sudo.
Type string READ/WRITE
runchroot emulates the behavior of the system chroot command; that is, it runs a command with a specified root directory. Ordinarily, file names are looked up starting at the root of the directory structure, ('/'). Setting runchroot to a different value changes the root directory, a directory that must exist.
if (basename(runcommand) == "customapplication")
{
runchroot="/home/customapplicationv";
}Type string READ/WRITE
If runcksum is defined, pmlocald verifies the value of this variable against the checksum of the runcommand and rejects the request if it does not match. Set this variable to the value produced by running the pmsum command on the agent with the full pathname of the runcommand.
You can use this method to detect a program that has been changed without authorization, and a program that a user is attempting to run from an unauthorized path.
# Generate a checksum value for the program "/usr/bin/passwd" on the agent:host1
# for use in the policy file on the policy server.
pmsum /usr/bin/passwd
# The pmsum command displays the output:
fbc9cf01 /usr/bin/passwd
# Update the security policy using this checksum:
if (( basename(runcommand) == "passwd" ) && (host == "host1"))
{
runcksum="fbc9cf01";
}© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center