Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

use_rungroups

Description

Type sting READONLY

use_rungroups is a read-only variable containing the value "!G!". Use it as a placeholder in the context of any runtime variable to represent the runuser's group list on the runhost. pmlocald replaces any instances of this value found in any runtime variable with the runuser's group list on the runhost.

Example
allowedrequestusers={"root", "admin", "oradmin"}; 
//if requestuser is in allowed list, set runuser to requestuser 
  and set groups to match those on the runhost, adding any 
//other run groups required, and change directory to runuser's home dir 
if (requestuser in allowedrequestusers) 
{ 
   runuser=requestuser; 
   rungroup=use_rungroup; 
   rungroups= {use_rungroups, "oraclegroup"}; 
   runcwd = use_rundir; 
   accept; 
}

use_runshell

Description

Type string READONLY

use_runshell is a read-only variable containing the value "!!!". Use it as a placeholder in the context of any runtime variable to represent the runuser's login shell on the runhost. pmlocald replaces any instances of this value found in any runtime variable with the runuser's login shell on the runhost.

Example
allowedrequestusers={"root", "admin", "oradmin"};
allowedscripts={"appscript1"}; 
//Run a script as the runuser's login shell. 
//If requestuser is in allowed list, set runuser to requestuser, set 
//environment to match runuser's environement, add some necessary  
//environment vars for this script, and run the script as the runuser's shell. 

if ((runcommand in allowedscripts) && (requestuser in allowedrequestusers)) 
{ 
   runuser=requestuser; 
   rungroup=use_rungroup; 
   rungroups= {use_rungroups, "appgroup"}; 
   runcwd = use_rundir; 
   
   //use the runuser's environment 
   profile_use_runuser=true; 
   
   //add an application environment var to runuser's env, based on runuser's 
   //home dir 
   str=sprintf("%s/appdir", use_rundir); 
   setenv("APP_LOCAL_DIR", str); 
   
   //Set the runcommand to use the runuser's shell to run the script 
   runcommand = use_runshell; 
   runargv=replace(runargv, 1, length(runargv)); 
   runargv[0]=use_runshell; 
   runargv=append(runargv, "-c"); 
   runargv=append(runargv, "/appdir/appscript"); 
   accept; 
}

user

Description

Type string READONLY

user containts the submit user's login name.

Example
If ( (user == "matt") && (command == "passwd") ) 
{ 
   printf("matt is not allowed to alter passwords"); 
   reject; 
}
Related Topics

runuser

year

Description

Type integer READONLY

year contains the year in which the request was submitted in the format YY.

Example
if ( (year == "08") || (year == "12") ) 
{ 
   if ( (month == "01") && (day == "29") ) 
   { 
      printf("This year is a leap year, something has gone wrong"); 
      reject; 
   } 
}
Related Topics

dayname

minute

hour

day

month

date

time

Related Documents