pbrun

pbrun requests that a secure task be run in a controlled environment. The user prefixes the command line with pbrun.

pbrun backup /usr/dev/dat

pbrun checks the settings file for a submitmasters entry or the netgroup @pbsubmitmasters to determine the policy server daemon to which it should send the request. If the policy server daemon accepts the request, then it directs a local daemon to start the task request on the run host.

  • Version 3.5 and earlier: long command options not supported.
  • Version 4.0 and later: long command options supported.
pbrun [options] command [command_arguments]
   -b, --background
   -d, --debug=connect
   -d, --debug=log=<level>
   -d, --debug=mlog=<level>
   -d, --debug=glog=<level>
   -d, --debug=llog=<level>
   -d, --debug=time
   -d, --debug=ttime
   --disable_optimized_mode
   -h, --host=run_host
   -l, --local_mode
   -n, --null_input
   -p, --pipe_mode
   --solarisproject projectname
   -u, --user=request_user
   --testmaster=master_host
   -X
pbrun -v | --version
pbrun --help
-b, --background

Optional. The target job is directed to ignore hang up signals. This option is particularly useful for running the target program in the background.

-d connect, --debug=connect

Optional. Displays policy server connection information for debugging.

-d log=level, --debug=log=level

Optional. Generate debug trace logs for pbrun and all active Privilege Management for Unix and Linux components that process the command. Specify a level number from 1 (least detail) to 9 (most detail). The resulting logs reside in the same location as the corresponding diagnostics log.

Version 7.5 and earlier: setting not available.

Version 8.0 and later: setting available.

-d glog=level, --debug=glog=level

Optional and only available when running as root. Generate debug trace log for pblogd that processes the command. This setting is made permanent for that log host. Specify a level number from 1 (least detail) to 9 (most detail). The resulting logs reside in the same location as the pblogd diagnostic log file.

Version 7.5 and earlier: setting not available.

Version 8.0 and later: setting available.

-d mlog=level, --debug=mlog=level

Optional and only available when running as root. Generate debug trace log for pbmasterd that processes the command. This setting is made permanent for that policy server host. Specify a level number from 1 (least detail) to 9 (most detail). The resulting logs reside in the same location as the pbmasterd diagnostic log file.

Version 7.5 and earlier: setting not available.

Version 8.0 and later: setting available.

-d time, --debug=time

Optional. Displays pbrun timing information for debugging. This option is intended primarily for BeyondTrust Technical Support.

-d ttime, --debug=ttime

Optional. Display pbrun total run time for debugging.

--disable_optimized_runmode

Disable pbrun optimization and use pblocald even when submit host and run host are the same. This affects only the local submit host.

Version 4.0 and earlier: option not available.

Version 5.0 and later: option available.

-h, --host=run_host

Optional. Requests run_host as the run host for the secured task. Ignored if -l is also specified, or if the runlocalmode policy variable is set to true.

-l, --local_mode

Optional. Requests that the secured task run locally. Once the policy server host's policy accepts the request and logs its start, the target program replaces pbrun on the local machine. This option provides increased efficiency and reduced network traffic, at the cost of job termination status and timeout processing. This mode can be disabled in the configuration file by setting allowlocalmode to false. This mode can also be overridden in the policy by setting runlocalmode to 0.

-n, --null_input

Optional. Redirects the standard input of pbrun to /dev/null. You sometimes need this option to avoid interactions between pbrun and the shell that invokes it. For example, if you start pbrun in the background without redirecting its input away from the terminal, it blocks even if no reads are posted by the remote command. This option prevents that situation.

-p, --pipe_mode

Optional. Puts pbrun into pipe mode. Forces the secured task to behave as if it is run in a pipeline rather than a terminal session.

--solarisproject projectname

Optional. Associates the Solaris project projectname with the secured task. Requires Solaris version 9 or later on the runhost.

Version 6.0 and earlier: option not available.

Version 6.1 and later: option available.

--testmaster=master_host

Optional and only available when running as root. Requests master_host as the policy server host to test whether a command will be accepted or rejected. The command itself is not executed. Specify either the hostname or the IP address for the master_host.

Version 7.5 and earlier: option not available.

Version 8.0 and later: option available.

-u, --user=request_user

Optional. Sets the variable requestuser to request_user. The policy can then decide to honor the request and set runuser and/or runeffectiveuser equal to request_user.

-v, --version

Optional. Displays the program version and exits.

--help

Optional. Displays the program help message and exits.

-X

Optional. Activates X11 forwarding.

When running pbrun with the -X option, the DISPLAY environment variable must be set, and a valid XAuthority token must exist in the user's .Xauthority file. This can be checked using:

xauth list $DISPLAY
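
A preflight for the -X prerequisites described above, as an added example that is not part of the original documentation. The function name pbrun_x11_preflight and its return codes are hypothetical; the final check, that the authority file (XAUTHORITY, defaulting to ~/.Xauthority) is not accessible to group or other, goes beyond the xauth check the page gives.

```shell
# Added example: verify the prerequisites for `pbrun -X` before invoking it.
# Return codes (hypothetical): 0 ok, 1 DISPLAY unset, 2 xauth missing,
# 3 no authority entry for the display, 4 authority file not private.
pbrun_x11_preflight() {
    # 1. DISPLAY must be set and non-empty.
    if [ -z "${DISPLAY:-}" ]; then
        echo "preflight: DISPLAY is not set" >&2
        return 1
    fi

    # 2. xauth is needed to query the authority file.
    if ! command -v xauth >/dev/null 2>&1; then
        echo "preflight: xauth not found in PATH" >&2
        return 2
    fi

    # 3. An entry must exist for this display (the page's own check).
    pf_entries=$(xauth list "$DISPLAY" 2>/dev/null) || pf_entries=""
    if [ -z "$pf_entries" ]; then
        echo "preflight: no Xauthority entry for $DISPLAY" >&2
        return 3
    fi

    # 4. The authority file holds the display cookie, so it should be
    #    readable and writable by its owner only (-L follows symlinks).
    pf_file=${XAUTHORITY:-$HOME/.Xauthority}
    if [ -f "$pf_file" ]; then
        pf_mode=$(ls -lLd "$pf_file" | cut -c5-10)
        if [ "$pf_mode" != "------" ]; then
            echo "preflight: $pf_file is accessible to group/other" >&2
            return 4
        fi
    fi

    # Report only the number of entries, never the cookie value itself.
    pf_count=$(printf '%s\n' "$pf_entries" | wc -l | tr -d ' ')
    echo "preflight: $pf_count Xauthority entry(ies) for $DISPLAY"
    return 0
}

# Typical use:  pbrun_x11_preflight && pbrun -X command
```
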
/etc/pb.settings

Local Privilege Management for Unix and Linux submithost settings.

pbrun -h runhost uname -a