- Version 5.2 and earlier: environmentfile setting not available.
- Version 6.0 and later: environmentfile setting available.
The environmentfile setting enables you to specify the absolute path and file name of an environment file. Privilege Management for Unix and Linux can incorporate the environment variables that are specified in the environment file into the run environment. These environment variables are applied on the run host after the Accept event has been logged.
The environmentfile setting can be overridden in the policy by setting the runenvironmentfile variable.
The environment file must consist of the following:
- Comment lines, which have a # character in the first non-whitespace position
- Blank lines
- Bourne shell compatible environment variable setting lines with the form NAME=VALUE
Each line in the file must contain fewer than 1024 characters. Line continuation is not supported. This file must not contain any shell commands or constructs other than the setting of environment variables. Comments must not appear on the same line as an environment variable.
This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.
environmentfile "/etc/environment"
environmentfile "/etc/environment2"
No default value
For more information, please see "runenvironmentfile" in the Privilege Management for Unix and Linux Policy Language Guide.
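The file-format rules above can be checked before a file is named in environmentfile. The following linter is an added example, not part of Privilege Management for Unix and Linux or its documentation; the function name, the sample input, and the choice of which tokens count as shell constructs are assumptions of this example.

```python
import re

MAX_LINE = 1024  # the page: each line must contain fewer than 1024 characters
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=(.*)$")
# Assumption of this linter: these tokens count as "shell commands or constructs".
SUBSTITUTION = re.compile(r"\$\(|`")   # still expanded inside double quotes
OPERATOR = re.compile(r"[;|&<>]")      # only meaningful outside quotes


def lint_environment_file(text):
    """Return (line_number, problem) pairs for lines that break the documented rules."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if len(raw) >= MAX_LINE:
            problems.append((number, "line has 1024 or more characters"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, or comment starting at first non-whitespace position
        if line.endswith("\\"):
            problems.append((number, "line continuation is not supported"))
            continue
        match = ASSIGNMENT.match(line)
        if match is None:
            problems.append((number, "not a NAME=VALUE setting"))
            continue
        value = match.group(1)
        no_single = re.sub(r"'[^']*'", "", value)        # single quotes are literal
        no_quotes = re.sub(r'"[^"]*"', "", no_single)    # text outside any quotes
        if re.search(r"(^|\s)#", no_quotes):
            problems.append((number, "comment on the same line as a variable"))
        elif SUBSTITUTION.search(no_single) or OPERATOR.search(no_quotes):
            problems.append((number, "shell construct in value"))
    return problems


# Constructed sample input, not taken from the product or its documentation.
SAMPLE = "\n".join([
    "# login environment",
    "",
    "LANG=en_US.UTF-8",
    "PATH=/usr/bin:/bin  # trailing comment",
    "TMPDIR=$(mktemp -d)",
    "export EDITOR=vi",
    "LONG=" + "x" * 1024,
    "OPTS=-a \\",
    "MSG='a; b # c'",
])

if __name__ == "__main__":
    for number, problem in lint_environment_file(SAMPLE):
        print(f"line {number}: {problem}")
```

The linter is deliberately stricter than a shell: it rejects anything that is not clearly a comment, a blank line, or a plain NAME=VALUE setting, so a file that passes contains nothing the documented format forbids.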
- Version 6.0 and earlier: pbrunpath setting not available.
- Version 6.2.5 and later: pbrunpath setting available.
The pbrunpath setting specifies the absolute path to the directory that contains the pbrun and pbssh executable files on the pbguid host. This setting enables the Task Manager feature to work properly.
No default value
- pbguid host
- Run hosts
policydir and policyfile
- Version 4.0.0 and later: policydir and policyfile settings available.
Privilege Management for Unix and Linux uses the settings file /etc/pb.settings (or a prefixed and/or suffixed settings file). By default, the main policy file is /opt/pbul/policies/pb.conf (/etc/pb.conf prior to v9.4.3). You can choose a different configuration policy file by using the policydir and policyfile settings.
The policyfile setting contains the name of a policy file. If the name is an absolute path (starting with a /), then that file name is used. If the policyfile setting does not start with a /, then the value of policydir is prepended to it.
# Use /etc/my.pb.conf as the configuration policy file
policyfile /etc/my.pb.conf
# Use /usr/local/powerbroker/powerbroker.conf as the configuration
# policy file
policydir /usr/local/powerbroker
policyfile powerbroker.conf
policydir also controls include files in the configuration policy. If a file name in an include statement starts with a /, then that file is used. However, if the file name does not start with a /, the policydir setting is prepended to it.
include "admin.conf"; # Includes /etc/pb.includes/admin.conf
include "/etc/admin.conf"; # Includes /etc/admin.conf
policydir /opt/<prefix>pbul<suffix>/policies (/etc prior to v9.4.3)
policyfile /opt/<prefix>pbul<suffix>/policies/<prefix>pb.conf<suffix>
Policy server hosts
- Version 9.4.4 and earlier: policypersistentvariabledb setting not available.
- Version 9.4.5 and later: policypersistentvariabledb setting available.
The policypersistentvariabledb option specifies the path to the Persistent Variable database used in script policy.
- Version 10.2.0 and earlier: tempfilepath setting not available.
- Version 10.3.0 and later: tempfilepath setting available.
The tempfilepath option defines a temporary path to use as the temporary filesystem for PMUL binaries. The value can be any valid directory.
- Version 10.2.0 and earlier: lockfilepath setting not available.
- Version 10.3.0 and later: lockfilepath setting available.
The lockfilepath option defines a lock file path for PMUL binaries, when needed. The value can be any valid secure directory.
Privilege Management for Unix and Linux uses a lockfile when it writes into flat files (for example, the policy file or settings file) on the filesystem. This prevents multiple processes from overwriting each other's work. The lockfiletimeout setting specifies the maximum number of seconds for a process to wait for a lock to be free.