The following predefined global variables are initialized from the submit user's environment.
Variable | Data Type | Description |
---|---|---|
alertkeyaction | string | Action to be taken when alertkeysequence is matched. |
alertkeysequence | list | List of patterns to match in a session. |
disable_exec | integer | Specifies whether to prevent the runcommand process from executing new processes. |
eventlog | string | Pathname of the audit log. |
eventloghost | string | Host name list for remote event logging. |
execfailedmsg | string | Message to display if runcommand cannot run. |
iolog | string | Pathname of the keystroke log. |
iolog_encrypt | integer | Specifies whether to encrypt the keystroke log. |
iolog_errmax | integer | Max bytes to log for a stderr message. |
iolog_opmax | integer | Max chars to log for a stdout message. |
iologhost | string | Host name list for remote keystroke logging. |
log_passwords | integer | Specifies whether to exclude passwords from the keystroke log. |
logomit | list | Variables to omit from the audit and keystroke logs. |
logstderr | integer | Specifies whether to keystroke log stderr messages. |
logstdin | integer | Specifies whether to keystroke log stdin messages. |
logstdout | integer | Specifies whether to keystroke log stdout messages. |
notfoundmsg | string | Message to display if the runcommand is not found on the run host. |
passprompts | list | Detects presence of password prompts. |
pmshell_allow | list | Commands to allow in a Privilege Manager for Unix shell without further authorization. |
pmshell_allowpipe | list | Commands to allow in a Privilege Manager for Unix shell without further authorization if input is from a pipe. |
pmshell_checkbuiltins | integer | Specifies whether to authorize shell built-in commands in a Privilege Manager for Unix shell. |
pmshell_forbid | list | Commands to forbid in a Privilege Manager for Unix shell without further authorization. |
pmshell_readonly | list | Variables to mark as read-only in a Privilege Manager for Unix shell. |
pmshell_reject | string | Reject message to display when a forbidden command runs in a Privilege Manager for Unix shell. |
pmshell_restricted | integer | Specifies whether to run a Privilege Manager for Unix shell in restricted mode. |
preserve_clienthost | integer | Specifies whether to use the originating login host name in preference to the submit host. |
profile_keepenv | list | A list of values specified by the keepenv() call. |
profile_setenv | list | A list of values specified by the setenv() call. |
profile_unsetenv | list | A list of values specified by the unsetenv() call. |
profile_use_runuser | string | Specifies whether to use the runuser’s environment rather than the submit user’s environment |
rejectmsg | string | Message to display when a session is rejected. |
runargv | list | List of arguments for the request. |
boolean |
The run version of bkgd. When set to True, lets the user stop the pmrun call and move it to the background. | |
runchroot | string | Requests the command to run with a specified root directory. |
runcksum | string | Identifies a checksum to use to verify against the runcommand. |
runclienthost | string | A modifiable copy of the clienhost input variable. |
runcommand | string | Full pathname of the request. |
runconfirmuser | string | Specifies whether the agent should request the runuser to authenticate before executing the runcommand. |
runcwd | string | Working directory to set for the request. |
boolean |
Lets you use runrlimit variables on the run host. | |
runenv | list | List of environment variables to set for the request. |
rungroup | string | Primary group to set for the request. |
rungroups | list | List of secondary groups to set for the request. |
runhost | string | Host on which to run the request. |
runnice | integer | Nice value to apply for the request. |
runpaths | list | A list of permitted paths for commands. |
runptyflags | string | Pty flags to apply for the request. |
string |
Controls the maximum memory that is available to a process. | |
string |
Controls the maximum size of a core file. | |
string |
Controls the maximum size CPU time of a process. | |
string |
Controls the maximum size of data segment of a process. | |
string |
Controls the maximum size of a file. | |
string |
Control the maximum number of file locks for a process. | |
string |
Controls the maximum number of bytes of virtual memory that can be locked. | |
string |
Controls the maximum number of files a user may have open at a given time. | |
string |
Controls the maximum number of processes a user may run at a given time. | |
string |
Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process. | |
string |
Controls the maximum size of the process stack. | |
runtimeout | integer | Specifies the number of seconds of idle time before ending the session. |
runumask | integer | Umask value to apply for the request. |
runuser | string | User to run the request. |
runutmpuser | string | Utmp user to use when logging to utmp. |
subprocuser | string | User name to run subprocesses of the policy server master daemon. |
string |
Directory used for temporary storage of I/O log files if a remote log host is specified in iologhost. |
Type string READ/WRITE
alertkeyaction contains the action to be taken if a command matches a pattern configured in alertkeysequence. The alertkeyaction can be defined as "reject", "log" or any custom string. The default value is "log".
switch (user) { case "root" : alertkeyaction = "ignore"; break; default : alertkeyaction = "log"; break; }
Type list READ/WRITE
alertkeysequence contains a list of regular expressions, against which pmlocald checks the standard input commands entered by the user during a session. If a match is found, then an alert is raised in the event log.
Switch (user) { case "root": alertkeysequence={"passwd"}; alertkeyaction="log"; break; default : alertkeysequence={"passwd", "shutdown"}; alertkeyaction="reject"; break; }
Type integer READ/WRITE
Use disable_exec to prevent the runcommand process from executing new UNIX processes. For example, you can prevent a vi session from executing shell commands. This variable is only supported if the underlying operating system supports the noexec feature; that is, Linux, Solaris, HP-UX, and AIX. If set to true(1), Privilege Manager for Unix sets the LD_PRELOAD environment variable, which causes the runcommand to be loaded with a Privilege Manager for Unix library that overrides the system exec functions, and thus prevents the runcommand from using exec to create a new process.
if (basename(runcommand) in editor_program_list) { disable_exec=true; }
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center