Local Mode Processing

Deprecated in favor of Optimized Run Mode.

In local mode, after pbmasterd has accepted a request, the specified task runs directly on the submit host, without invoking pblocald and without using Optimized Run Mode. This feature enables the administrator to use pbmasterd to authorize a command and to log the accepted task in the event log. However, unlike optimized run mode, this mode does not perform timeout processing, log the exit status of the accepted task, or support Advanced Control and Audit (ACA). In local mode, the pbrun process is replaced by the secured task, unless I/O logging is on.

With the introduction of optimized run mode, local mode no longer offers a benefit: optimized run mode also allows the task to run without invoking pblocald (if on the same host), and it supports timeout processing, I/O logging, logging of the task's exit status, and ACA.

Local mode processing can be controlled in the /etc/pb.settings file (allowlocalmode setting) or in the policy (localmode and runlocalmode variables).

The following figure illustrates the processing when Endpoint Privilege Management for Unix and Linux is running in local mode.

A diagram of how Endpoint Privilege Management for Unix and Linux works

For more information on Optimized Run Mode, see Optimized Run Mode Processing.

Local Mode Availability

Local mode is enabled when the allowlocalmode setting on the submit host, policy server host, and run host is set to yes.

pbrun must be invoked with the -l command line option, or the policy must set the runlocalmode variable to true.
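Because local mode skips exit-status logging, timeout processing, and ACA, an administrator may want to confirm which hosts still permit it. The following is an added example, not part of the product or its documentation: a shell audit that reports the allowlocalmode value in one or more pb.settings files. It assumes settings lines take the form "keyword value" separated by whitespace, that "#" starts a comment, and that the last occurrence of a keyword wins; the function names and sample host name are hypothetical.

```shell
#!/bin/sh
# Added example: audit pb.settings files for the allowlocalmode setting.
# Assumptions: "keyword value" lines, "#" comments, last occurrence wins.
# The keyword is matched case-insensitively only to tolerate hand edits.

# Print "yes", "no", another literal value, or "unset" for one settings file.
allowlocalmode_value() {
    awk '
        { sub(/#.*/, "") }                                  # strip comments
        tolower($1) == "allowlocalmode" { v = tolower($2) } # remember last value
        END { if (v == "") print "unset"; else print v }
    ' "$1"
}

# Audit settings files (for example, copies collected from the submit host,
# policy server host, and run host). Returns 1 if any file permits local mode,
# holds an unexpected value, or cannot be read; returns 0 otherwise.
audit_localmode() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: unreadable"
            rc=1
            continue
        fi
        v=$(allowlocalmode_value "$f")
        case "$v" in
            yes)   echo "$f: allowlocalmode yes (local mode permitted)"; rc=1 ;;
            no)    echo "$f: allowlocalmode no" ;;
            unset) echo "$f: allowlocalmode not set (product default applies)" ;;
            *)     echo "$f: unexpected value '$v'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
submitmasters pbmaster.example.com
allowlocalmode yes   # constructed value
EOF
audit_localmode "$sample" || echo "review: local mode is permitted"
rm -f "$sample"
```

On a live host, call audit_localmode /etc/pb.settings; a policy that sets runlocalmode or a user running pbrun -l is still needed before a task actually runs in local mode.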

Local Mode Effects

Local mode does the same processing on the submit host and the policy server host, including the logging of the accepted request. However, instead of the policy server daemon requesting the pblocald to run the task, the pbrun session is replaced with the task. pblocald is not run when using local mode. pblogd may be run to record the Accept event.

In local mode, the accepted task runs on the submithost. Local mode fails with an error if a different runhost is specified.

Local Mode Limitations

Because the Endpoint Privilege Management for Unix and Linux programs are not active when a program runs with local mode, the following limitations exist:

  • Exit status of the job is not logged.
  • runtimeout and submittimeout cannot be processed.
  • Keystroke actions cannot be processed.
  • The setkeystrokeaction function is not supported in local mode.
  • The program specified by the iologcloseaction() policy procedure is not executed.
  • ACA is not compatible with local mode.