pbmasterd

The policy server daemon, pbmasterd, is the Privilege Management for Unix and Linux decision-maker. pbmasterd receives secured task requests from pbrun, pbguid, pbksh, and pbsh and evaluates them according to the policy that is written in the configuration file that is specified in the settings file or /opt/pbul/policies/pb.conf. If the request is accepted, then pbmasterd directs either the client or pblocald to run the request in a controlled account such as root.

Policy server daemons should reside on a secure machine and are started from a socket-listener process (typically inetd, xinetd, or pbmasterd).

pbmasterd expects to find the configuration file in the policyfile setting in the settings file (default /opt/pbul/policies/pb.conf) on the host where pbmasterd resides. There may be more than one policy server daemon on different hosts for redundancy or to serve multiple networks.

pbmasterd logs all diagnostic messages in a log file that is specified by the pbmasterdlog setting or the -e command line argument.

Changes that are made to the pb.settings file after the daemon is started do not affect the operation of the daemon. If you change the pb.settings file, then you must restart the daemon for the changes to take effect. If you do not restart the daemon, then the daemon continues to operate using a snapshot of the pb.settings file that was cached at the time the daemon was started.

  • Version 3.5 and earlier: long command options not supported.
  • Version 4.0 and later: long command options supported.
pbmasterd [options]
   -a, --syslog_accepts
   -d, --daemon
   --disable_optimized_runmode
   -D, --debug=<level>
   -e, --error_log=log_file_name
   -f, --foreground
   -i, --info <argument placeholder characters>
   -p, --port=port
   -r, --syslog_rejects
   -s, --syslog
   -V, --check_version
pbmasterd –v | --version
pbmasterd --help
-a, --syslog_accepts Optional. Sends job accept messages to syslog (unless Privilege Management for Unix and Linux is configured with a log server).
-d, --daemon Optional. Runs as a stand-alone daemon instead of from inetd or xinetd. This mode listens to the port that is defined in the masterport setting or by the -p command line argument.
--disable_optimized_runmode

Optional. Disable pbrun optimization and use pblocald even when submit host and run host are the same.

Version 4.0 and earlier: option not available.

Version 5.0 and later: option available.

-D, --debug=<level>

Generate debug trace logs in the same directory pointed to by pbmasterdlog.

Version 7.5 and earlier: option not available.

Version 8.0 and later: option available.

-e, --error_log=log_file_name Optional. Records diagnostic messages in the file logfile.
-f, --foreground

pbmasterd normally spawns a child process and dissociates from the job that starts it. Although this method is beneficial when running from inetd, xinetd, or the command line, it stops pbmasterd from running under the init daemon (from /etc/inittab). This switch prevents pbmasterd from dissociating and allows it to run from the inittab.

-i -info <argument placeholder characters>

On Linux, macOS, and AIX, the pbmasterd process replaces the argument placeholder characters with information about the submitting request. Prior to evaluating the policy, this includes the submitting user, submit host, pbrun's pid, the word EVALUATING, requestuser, requested argv. After evaluating the policy, this is changed to include submitting user, submit host, pbrun's pid, runuser, runargv.

This allows an administrator to use the ps command to view more information about the running pbmasterd processes.

This feature is not available on HP-UX and Solaris.

-p, --port=port

Optional. When running as a standalone daemon, listen to the provided port instead of the default.

-r, --syslog_rejects Optional. Sends job reject messages to syslog (unless Privilege Management for Unix and Linux is configured with a log server).
-s, --syslog Optional. Sends diagnostic messages to syslog.
-V, --check_version

Optional. Records diagnostic messages if the connecting client’s version does not match the pbmasterd version.

-v, --version

Optional. Displays the program's version and exits.

--help

Optional. Displays the program’s help message and exits.

/opt/pbul/policies/pb.conf

Privilege Management for Unix and Linux configuration file.