
Safeguard for Sudo 2.0 - Administrators Guide


client_parent_uid

Description

Type integer READONLY

User ID associated with the client's parent process.

Example
# only allow requests submitted from a login shell
# (parent process name starts with a dash)
if (client_parent_procname[0] != "-") {
   # log the parent process details before rejecting the request
   printf("process info -- name:[%s], pid[%d], uid[%d]\n",
      client_parent_procname, client_parent_pid, client_parent_uid);
   reject "only requests from login shells are allowed";
}

client_parent_procname

Description

Type string READONLY

Process name of a client's parent process.

Example
# only allow requests submitted from a login shell
# (parent process name starts with a dash)
if (client_parent_procname[0] != "-") {
   # log the parent process details before rejecting the request
   printf("process info -- name:[%s], pid[%d], uid[%d]\n",
      client_parent_procname, client_parent_pid, client_parent_uid);
   reject "only requests from login shells are allowed";
}

clienthost

Description

Type string READONLY

clienthost contains the host name or IP address of the requesting host. For a typical pmrun command, this is identical to the submithost variable. For a Privilege Manager shell running as a login shell (for example, pmksh, pmcsh, pmsh, pmloginshell), it contains the name of the host from which the user is logging in, which may not be a Privilege Manager host. For example, if the user logs in by means of a telnet session from a Windows® PC, the clienthost variable contains the host name of the Windows® PC.

Always use short names when checking the clienthost variable, as some login programs may truncate the full host name.

Example
# reject commands being issued from unknown workstations 
workstations = {"sun34","sun35","sun36"}; 
if (!(clienthost in workstations)) 
   reject;
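
The short-name advice above, modelled outside the policy language as an added Python example (not code from this guide or from Privilege Manager). The function names, the corp.example.com domain and the 16-character truncation length are assumptions made for illustration; the allowlist is the one from the policy example.

```python
import ipaddress

# Allowlist from the policy example above: short names only.
WORKSTATIONS = {"sun34", "sun35", "sun36"}
# Assumed field width at which a login program cuts the host name (illustrative).
TRUNCATE_AT = 16


def short_name(clienthost):
    """Reduce a clienthost value to a lower-case short host name.

    IP addresses are returned whole, so "10.1.2.3" never collapses to "10".
    """
    value = clienthost.strip().lower()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP address, treat it as a host name
    # Keep only the first label; this also absorbs a truncated domain suffix.
    return value.split(".", 1)[0]


def is_known_workstation(clienthost, allowed=WORKSTATIONS):
    """Exact match on the short name; never a prefix or substring match."""
    name = short_name(clienthost)
    return bool(name) and name in allowed


def check_samples():
    """Evaluate constructed clienthost values as a login program might report them."""
    fqdn = "sun34.corp.example.com"
    samples = [
        "sun34",                       # short name
        fqdn,                          # full name
        fqdn[:TRUNCATE_AT],            # truncated full name: "sun34.corp.examp"
        "SUN35.corp.example.com",      # different case
        "sun34evil.corp.example.com",  # shares a prefix with an allowed name
        "10.1.2.3",                    # IP address instead of a name
        "",                            # empty value
    ]
    return [(s, is_known_workstation(s)) for s in samples]


if __name__ == "__main__":
    for value, allowed in check_samples():
        print(f"{value!r:32} -> {'accept' if allowed else 'reject'}")
```

Comparing the raw value against the allowlist would reject both the full and the truncated form of sun34, which is why the check is made on the short name only.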

command

Description

Type string READONLY

The name of the command being executed.

NOTE: The command variable generally contains the full path name of the command being executed. Use the basename() function to get the command name without the full path.

Example
admincommands = {"hostname","kill","shutdown"}; 
if (basename(command) in admincommands) 
{ 
   runuser = "root"; 
   accept; 
}

Related Topics

runcommand
