Chat now with support
Chat with Support

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

user

Description

Type string READONLY

user containts the submit user's login name.

Example
If ( (user == "matt") && (command == "passwd") ) 
{ 
   printf("matt is not allowed to alter passwords"); 
   reject; 
}
Related Topics

runuser

year

Description

Type integer READONLY

year contains the year in which the request was submitted in the format YY.

Example
if ( (year == "08") || (year == "12") ) 
{ 
   if ( (month == "01") && (day == "29") ) 
   { 
      printf("This year is a leap year, something has gone wrong"); 
      reject; 
   } 
}
Related Topics

dayname

minute

hour

day

month

date

time

Global output variables

The following predefined global variables are initialized from the submit user's environment. They can be affected by the policy file and are used by pmlocald to set up the runtime environment for the runcommand.

Table 30: Global output variables
Variable Data Type Description

alertkeyaction

string

Action to be taken when alertkeysequence is matched.

alertkeysequence

list

List of patterns to match in a session.

disable_exec

integer

Specifies whether to prevent the runcommand process from executing new processes.

eventlog

string

Pathname of the audit log.

eventloghost

string

Host name list for remote event logging.

execfailedmsg

string

Message to display if runcommand cannot run.

iolog

string

Pathname of the keystroke log.

iolog_encrypt

integer

Specifies whether to encrypt the keystroke log.

iolog_errmax

integer

Max bytes to log for a stderr message.

iolog_opmax

integer

Max chars to log for a stdout message.

iologhost

string

Host name list for remote keystroke logging.

log_passwords

integer

Specifies whether to exclude passwords from the keystroke log.

logomit

list

Variables to omit from the audit and keystroke logs.

logstderr

integer

Specifies whether to keystroke log stderr messages.

logstdin

integer

Specifies whether to keystroke log stdin messages.

logstdout

integer

Specifies whether to keystroke log stdout messages.

notfoundmsg

string

Message to display if the runcommand is not found on the run host.

passprompts

list

Detects presence of password prompts.

pmshell_allow

list

Commands to allow in a Privilege Manager for Unix shell without further authorization.

pmshell_allowpipe

list

Commands to allow in a Privilege Manager for Unix shell without further authorization if input is from a pipe.

pmshell_checkbuiltins

integer

Specifies whether to authorize shell built-in commands in a Privilege Manager for Unix shell.

pmshell_forbid

list

Commands to forbid in a Privilege Manager for Unix shell without further authorization.

pmshell_readonly

list

Variables to mark as read-only in a Privilege Manager for Unix shell.

pmshell_reject

string

Reject message to display when a forbidden command runs in a Privilege Manager for Unix shell.

pmshell_restricted

integer

Specifies whether to run a Privilege Manager for Unix shell in restricted mode.

preserve_clienthost

integer

Specifies whether to use the originating login host name in preference to the submit host.

profile_keepenv

list

A list of values specified by the keepenv() call.

profile_setenv

list

A list of values specified by the setenv() call.

profile_unsetenv

list

A list of values specified by the unsetenv() call.

profile_use_runuser

string

Specifies whether to use the runuser’s environment rather than the submit user’s environment

rejectmsg

string

Message to display when a session is rejected.

runargv

list

List of arguments for the request.

runbkgd

boolean

The run version of bkgd. When set to True, lets the user stop the pmrun call and move it to the background.

runchroot

string

Requests the command to run with a specified root directory.

runcksum

string

Identifies a checksum to use to verify against the runcommand.

runclienthost

string

A modifiable copy of the clienhost input variable.

runcommand

string

Full pathname of the request.

runconfirmuser

string

Specifies whether the agent should request the runuser to authenticate before executing the runcommand.

runcwd

string

Working directory to set for the request.

runenablerlimits

boolean

Lets you use runrlimit variables on the run host.

runenv

list

List of environment variables to set for the request.

rungroup

string

Primary group to set for the request.

rungroups

list

List of secondary groups to set for the request.

runhost

string

Host on which to run the request.

runnice

integer

Nice value to apply for the request.

runpaths

list

A list of permitted paths for commands.

runptyflags

string

Pty flags to apply for the request.

runrlimit_as

string

Controls the maximum memory that is available to a process.

runrlimit_core

string

Controls the maximum size of a core file.

runrlimit_cpu

string

Controls the maximum size CPU time of a process.

runrlimit_data

string

Controls the maximum size of data segment of a process.

runrlimit_fsize

string

Controls the maximum size of a file.

runrlimit_locks

string

Control the maximum number of file locks for a process.

runrlimit_memlock

string

Controls the maximum number of bytes of virtual memory that can be locked.

runrlimit_nofile

string

Controls the maximum number of files a user may have open at a given time.

runrlimit_nproc

string

Controls the maximum number of processes a user may run at a given time.

runrlimit_rss

string

Controls the maximum size of the resident set (number of virtual pages resident at a given time) of a process.

runrlimit_stack

string

Controls the maximum size of the process stack.

runtimeout

integer

Specifies the number of seconds of idle time before ending the session.

runumask

integer

Umask value to apply for the request.

runuser

string

User to run the request.

runutmpuser

string

Utmp user to use when logging to utmp.

subprocuser

string

User name to run subprocesses of the policy server master daemon.

tmplogdir

string

Directory used for temporary storage of I/O log files if a remote log host is specified in iologhost.

alertkeyaction

Description

Type string READ/WRITE

alertkeyaction contains the action to be taken if a command matches a pattern configured in alertkeysequence. The alertkeyaction can be defined as "reject", "log" or any custom string. The default value is "log".

Example
switch (user) { 
   case "root" : alertkeyaction = "ignore"; break; 
   default : alertkeyaction = "log"; break; 
}
Related Topics

alertdate

alertkeysequence

alertkeymatch

alerttime

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating