Other Security Issues

runsecurecommand

  • Version 4.0.0 and later: runsecurecommand setting available.

The runsecurecommand setting enables the administrator to perform an extra check on the security of the requested command. This check helps to ensure that someone other than root or the runuser (for example, sys or oracle) could not have compromised the command.

When set to yes, the runcommand and all directories above it are checked to determine if anyone other than root or the runuser has write permission. If the command file or any of the directories above it are writable by anyone other than root or the runuser, then the run host refuses to run the command. The policy language variable runsecurecommand can be set to true by the configuration policy on the policy server host for the same effect.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

runsecurecommand yes
runsecurecommand no
  • Run hosts
  • Submit hosts, when using local mode

rejectnullpasswords

  • Version 4.0.0 and later: rejectnullpasswords setting available.

Some systems allow the use of null passwords in their password databases. When null passwords are allowed, a carriage-return at a password prompt matches that null password. If you want to always reject attempts to enter a password for an account with a null password, you can set rejectnullpasswords to yes.

rejectnullpasswords yes
rejectnullpasswords no
  • Policy server hosts
  • Submit hosts
  • Run hosts

enforceRunCwd

  • Version 5.0.2 and earlier: enforceRunCwd setting not available.
  • Version 5.0.3 and later: enforceRunCwd setting available.

The enforceRunCwd setting enforces the runcwd when set to yes or when it is not set. When set to yes and the user does not have permission for the runcwd, the task is rejected. When the secured task cannot change to the runcwd directory (because of bad permissions, or because the directory does not exist), then the enforceRunCwd setting determines whether the secured task should be run from /tmp, or whether it should be denied.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

enforceRunCwd <yes|no>
  • yes: Enforce the runcwd and do not run the command in /tmp.
  • no: Revert to the old behavior and run the command in /tmp.
enforceRunCwd yes
enforceRunCwd yes

Run hosts

warnuseronerror

  • Version 4.0.0 and later: warnuseronerror setting available.

Privilege Management programs, such as pbrun, pblogd, and pbmasterd, can produce diagnostic message about security problems. These messages include file systems that are writable, the pb.conf file being writable, and so forth.

Because a user might be able to use that information to damage a system, the full diagnostic messages are recorded only in the log files. The user sees the generic message, Security error, please see your administrator.

To enable the user see the full diagnostic messages, set warnuseronerror to yes.

There is a limitation to this setting. When an error about the security of the settings file occurs, the user is never notified.

warnuseronerror yes
warnuseronerror no
  • Policy server hosts
  • Run hosts
  • Submit hosts

showunsecurewarnings

  • Version 5.1.1 and earlier: showunsecurewarnings setting not available.
  • Version 5.1.2 and later: showunsecurewarnings setting available.

Privilege Management programs, such as pbrun and pbmasterd, can produce diagnostic message about security problems. These messages include information about licensing files and expiration.

This setting supersedes the value of warnuseronerror only if the messages do not pose a security risk. When showunsecurewarnings is enabled, all messages that can safely be displayed on the client system are displayed. Display of secure messages still depends on the value of warnuseronerror.

To allow the user to see the unsecure diagnostic messages, set showunsecurewarnings to yes.

showunsecurewarnings yes

No default value

  • Policy server hosts
  • Run hosts
  • Submit hosts

clientdisableoptimizedrunmode

  • Version 5.2 and earlier: clientdisableoptimizedrunmode setting not available.
  • Version 6.0 and later: clientdisableoptimizedrunmode setting available.

Privilege Management for Unix and Linux optimized run mode feature enables a task to be run on the submit host after being validated by the Policy Server host, without invoking pblocald.

When set to yes, the clientdisableoptimizedrunmode setting disables optimized run mode for all pbrun invocations on the affected host. This setting is equivalent to invoking pbrun with the --disable_ optimized_runmode command line option.

clientdisableoptimizedrunmode yes
clientdisableoptimizedrunmode no

Submit hosts

For more information, please see the following:

masterdisableoptimizedrunmode

  • Version 5.2 and earlier: masterdisableoptimizedrunmode setting not available.
  • Version 6.0 and later: masterdisableoptimizedrunmode setting available.

Privilege Management for Unix and Linux optimized run mode feature enables a task to be run on the submit host after being validated by the policy server host, without invoking pblocald.

When set to yes, the clientdisableoptimizedrunmode setting disables optimized run mode for all pbrun invocations that are accepted by the affected policy server host. This setting is equivalent to invoking pbmasterd with the --disable_optimized_runmode command line option.

masterdisableoptimizedrunmode yes
masterdisableoptimizedrunmode no

Policy server hosts

For more information, please see the following:

execute_via_su

  • Version 7.0 and earlier: execute_via_su setting not available.
  • Version 7.1.0 and later: execute_via_su setting available.

The run environment for the secured task is normally dictated by the policy server policy. It may be desirable to have the runhost dictate the run environment for the secured task. Privilege Management for Unix and Linux v7.1 and above can use the su - command to create a login shell for the secured task, thus allowing the login mechanism to setup the run environment. The policy server host keyword execute_via_su in /etc/pb.settings globally enables using su - to execute the secured task.

This keyword can be overridden by the policy variable with the same name execute_via_su. The execute_ via_su variable's initial value is based on the keyword setting's value. When execute_via_su is used, any run environment setup in the policy affects the execution of su - rather than the execution of the secured task. This includes the use of runcwd, setenv(), keepenv(), etc as well as !g!, !G!, etc. Entitlement reports do not indicate that su - is used, however the Accept events in the event log show that su - is used to invoke the secured task.

This feature does not work for runusers whose login is disabled (for example, via /sbin/nologin or /bin/false).

On some operating systems, the su program does not pass the tty through to the command executed. The execute_ via_su feature should not be used with secured tasks that require a tty on those operating systems.

Settings Keyword Policy Variable Result uses su -?

unset

unset

unset

unset

TRUE

FALSE

no

YES

no

No

No

No

unset

TRUE

FALSE

no

YES

no

Yes

Yes

Yes

unset

TRUE

FALSE

YES

YES

no

execute_via_su yes
execute_via_su no

Policy server hosts

credentialtimeout

Use the command pbadmin --auth --login to cache credentials to facilitate working with remote services. The credentialtimeout setting is the maximum length of time (in seconds) that the authentication credential is cached.

credentialtimeout 900
credentialtimeout 1800

For more information, please see Authentication Credential Cache Options .

logfilepermissions

The logfilepermissions setting specifies the permissions that Privilege Management for Unix and Linux uses when creating certain files such as generated pbreport files, I/O logs, and flat file event logs. The default permission is 600 and you can not specify permission less secure than 644.

logfilepermissions 600

All servers