Safeguard for Sudo 2.0 - Administrators Guide

Privilege Manager Variables

This appendix provides detailed information about the variables that you use to construct the security policy file.

NOTE: The examples in this section contain details and instructions for the Privilege Manager for Unix product, and may not be relevant for Privilege Manager for Sudo.

See also Profile Variables for additional information about policy profile variables.

Variable Names

Privilege Manager uses a number of predefined global variables and user-defined variables within the policy scripting language.

Here is some general information about user-defined variables:

  • A user-defined variable is declared the first time it is assigned a value. If a variable is referenced before it has been assigned a value, it has the special type of "undefined".
  • A variable name can be any length.
  • You can use any number of user-defined variables.
  • The first character of a variable name must be a letter or an underscore (‘_’).
  • Variable names are case-sensitive; thus, the names "checkhost" and "CHECKHOST" refer to different variables.
  • Keywords are case-sensitive; you must enter them in lower case.
  • Loose typing is applied when variables of different types are combined. If you use mixed types with an operator, for example an integer and a string with the "+" operator, the parser attempts to convert the result to a string.

Variable Scope

All variables are global in scope unless declared from within a function or procedure.

If a variable is first declared in a function or procedure, it has local scope within that particular function or procedure and is deleted once the function or procedure returns.

Example
gvar1="global";

procedure p1() {
   gvar1="changed in p1";        # gvar1 has global scope
   pvar1="local_to_p1";          # pvar1 is local to procedure p1()
   p2();                         # call p2() while pvar1 is still in scope
}

procedure p2() {
   gvar1="changed in p2";        # gvar1 is still global
   print((defined pvar1? pvar1 : "undefined"));
                                 # this line prints "undefined" since
                                 # pvar1 is local to p1() and not visible here
}

Global Input Variables

Privilege Manager initializes the following predefined global variables from the submit user's environment when it receives a request. You can read them in the policy file to make the accept or reject decision, but you cannot assign to them.

Table 31: Global input variables
Variable Data Type Description
alertkeymatch string The pattern matched by pmlocald.
argc integer Number of arguments in the request.
argv list List of arguments in the request.
client_parent_pid integer Process ID of the client's parent process.
client_parent_uid integer User ID associated with the client's parent process.
client_parent_procname string Process name of a client's parent process.
clienthost string Originating login host.
command string Pathname of the request.
cwd string Current working directory.
date string Current date.
day integer Current day of month as integer.
dayname string Current day of the week.
domainname string The Active Directory domain name for the submit user if Authentication Services is configured.
env list List of submit user’s environment variables.
false integer Constant value.
FEATURE_LDAP integer Read-only constant used with feature_enabled() function.
FEATURE_VAS integer Read-only constant used with feature_enabled() function.
gid integer Group ID of the submitting user’s primary group on pmrun host.
group string Submit user’s primary group.
groups list Submit user’s secondary groups.
host string Host destined to run the request.
hour integer Current hour.
masterhost string Host on which the master process is running.
masterversion string Privilege Manager for Unix version of masterhost.
minute integer Current minute.
month integer Current month.
nice integer nice value of the submit user’s login.
nodename string Hostname of pmrun agent.
pid integer Process ID of the master process.
pmclient_type integer The type of client that sent the request.
pmclient_type_pmrun integer Read-only constant for pmrun type clients.
pmclient_type_sudo integer Read-only constant for sudo type clients.
pmshell integer Identifies a Privilege Manager shell program.
pmshell_builtin integer A constant value that identifies a shell builtin command.
pmshell_cmd integer Identifies a command run from a Privilege Manager shell program.
pmshell_cmdtype integer Identifies type of a shell subcommand.
pmshell_exe integer A constant value that identifies a normal executable command.
pmshell_interpreter integer Identifies the program directive of a shell script.
pmshell_prog string Name of the Privilege Manager shell program.
pmshell_script integer A constant value that identifies a shell script.
pmshell_uniqueid string uniqueid of the Privilege Manager shell program.
pmversion string Privilege Manager version string of pmrun.
ptyflags string Identifies ptyflags of the request.
requestlocal integer Indicates if the request is local.
requestuser string User that the submit user wants to run the request.
samaccount string The sAMAccountName for the submit user if Authentication Services is configured.
status integer Exit status of the most recent system command.
submithost string Name of the submit host.
submithostip string IP address of the submit host.
thishost string The value of the thishost setting in pm.settings on the client.
time string Current time of request.
true integer Read-only constant with a value of 1.
ttyname string ttyname of the submit request.
tzname string Name of the time zone on the server at the time the event was read from the event log by pmlog.
uid integer User ID of the submitting user on pmrun host.
umask integer umask of the submit user.
unameclient list Uname output on pmrun host.
uniqueid string Uniquely identifies a request in the event log.
use_rundir string Contains the value "!~!" and represents the runuser’s home directory on the runhost.
use_rungroup string Contains the value "!g!" and represents the runuser’s primary group on the runhost.
use_rungroups string Contains the value "!G!" and represents the runuser’s secondary group list on the runhost.
use_runshell string Contains the value "!!!" and represents the runuser’s login shell on the runhost.
user string Submit user.
year integer Year of the request (YY).
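The following policy fragment is an added example written for this page; it is not code from the One Identity guide. It shows the read-only input variables above being used to decide a request: the client type, the requested run-as user, the time of day, the submit host and the full pathname of the command. It assumes the policy language's C-like "if", "&&", "||" and "!" operators, the "in" list-membership test, "+" string concatenation as described under Variable Names, and the "accept" and "reject" statements; the host names, command paths and the working-hours window are made-up values.

```pmpolicy
# Added example policy fragment, not code from the One Identity guide.
# It decides a request using only the read-only global input variables
# listed above; the host and command lists below are constructed values.

ops_hosts = ["build01.example.com", "build02.example.com"];   # assumed names
ops_cmds  = ["/usr/sbin/service", "/bin/systemctl"];          # assumed paths

# Handle only pmrun clients here; sudo plugin requests are decided elsewhere.
if (pmclient_type == pmclient_type_sudo) {
    reject "this policy does not accept sudo plugin requests";
}

# Restrict escalation to root to an assumed working-hours window (08:00-18:00).
if (requestuser == "root" && (hour < 8 || hour > 18)) {
    print("off-hours root request from " + user + "@" + submithost);
    reject "root requests are only accepted between 08:00 and 18:00";
}

# Accept requests only from the known submit hosts ...
if (!(submithost in ops_hosts)) {
    print("request from unknown host " + submithost + " (" + submithostip + ")");
    reject "unknown submit host";
}

# ... and only for commands named by full pathname. "command" holds the
# pathname of the request, so comparing against full paths does not match a
# same-named program in some other directory.
if (!(command in ops_cmds)) {
    print("command not permitted: " + command);
    reject "command not permitted";
}

# Keep the argument list short (assumed limit); a real policy would also
# inspect argv for the specific arguments it allows.
if (argc > 4) {
    reject "too many arguments";
}

# Record the decision together with the identifier used in the event log.
print("accept " + uniqueid + ": " + user + "@" + submithost + " runs " + command + " as " + requestuser);
accept;
```

Each reject carries a message so the submit user sees why the request failed, while the print calls leave the details (host, IP, command, uniqueid) in the server-side log where they can be matched against the event log later.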
