Install Multiple Copies

It is possible to install multiple concurrent Endpoint Privilege Management for Unix and Linux copies on the same machine. To install multiple copies, each copy must be a logically distinct installation. This type of installation is performed by using an installation prefix and/or suffix. Installing multiple, concurrent copies of Endpoint Privilege Management for Unix and Linux affects the following:

pbinstall and pbuninstall
Remote installation using pbmakeremotetar
Program names and execution
Service names and port numbers
NIS(+) netgroups
Endpoint Privilege Management for Unix and Linux settings file
root policy file name
Policy file contents
Key file name
Log file names

For information about prefixed and suffixed installations, see Prefix and Suffix Installation Instructions.

Remote Installation Using pbmakeremotetar with Prefixes and Suffixes

To make a remote tar archive using pbmakeremotetar for a prefixed installation, specify the prefix and/or suffix on the pbmakeremotetar command line with the -p and –s switches (as appropriate). The tar file name that is specified on the command line should be unique to avoid overwriting an existing tar archive.

Program Names and Execution

All program names are prefixed in a prefixed installation. pblogd is {prefix}pblogd, pbdbutil is {prefix}pbdbutil, and so forth. For example, if the prefix is test, pbrun is executed as follows:

testpbrun date

Suffixes are implemented in the same way.

Service Names and Port Numbers

All Endpoint Privilege Management for Unix and Linux service names are prefixed or suffixed, or both. For example, using a prefix of test, the service name for pblogd is testpblogd. The entries are added to /etc/services by pbinstall.

Endpoint Privilege Management for Unix and Linux service names and port numbers (whether prefixed, suffixed, or both) must be added manually to the NIS database on the NIS policy server.

When installing prefixed (and/or suffixed) installations of Endpoint Privilege Management for Unix and Linux on a host with other Endpoint Privilege Management for Unix and Linux installations, unique port numbers must be assigned for each installation. The installers do not check for unique port numbers and specifying overlapping ports may cause Endpoint Privilege Management for Unix and Linux to function incorrectly.

NIS(+) Netgroup Names

All Endpoint Privilege Management for Unix and Linux netgroup names (for example, pblogservers) are prefixed (for example, {prefix}pblogservers). Suffixes are added to the end of Endpoint Privilege Management for Unix and Linux netgroup names.

Settings File

The pb.settings file name is prefixed with the prefix (for example, /etc/{prefix}pb.settings). Suffixes are added to the end of the filename. The installer work file name, pb.cfg, is also prefixed or suffixed.

root Policy Filename

The default root policy file name’s basename is prefixed like any other Endpoint Privilege Management for Unix and Linux component: {prefix}pb.conf. This enables the prefixed installation to have a policy file set that is separate from any other Endpoint Privilege Management for Unix and Linux installation on the system. Suffixes are appended to the policy file name.

Policy File Contents

Client names (pbrun, pbguid, and pbsguid) are prefixed and/or suffixed like any other Endpoint Privilege Management for Unix and Linux program. This means that any policy that checks for any of these clients must also take prefixes and/or suffixes into account.

If any Endpoint Privilege Management for Unix and Linux programs are requested from the policy (that is, pbrun or pbcall), then the references to these programs must also be prefixed and/or suffixed. If the prefix or suffix is not specified, the default (unprefixed) installation of Endpoint Privilege Management for Unix and Linux is used for the called pbrun, most likely with unintended results.

Policy subfiles may or may not be prefixed, depending on the needs of the installation.

Key File Name

The default key file name’s basename is prefixed or suffixed like any other Endpoint Privilege Management for Unix and Linux component: {prefix}pb.key{suffix}. This enables the prefixed or suffixed installation to have its own encryption key and be logically separate from any other Endpoint Privilege Management for Unix and Linux installation on the system. If a different key file is specified in the {prefix}pb.settings{suffix} file and the {prefix}pb.settings{suffix} file is encrypted, then the default named {prefix}pb.key{suffix} must exist and is used to decrypt the {prefix}pb.settings{suffix} file.

Log File Names

For event logs, the default event log file name for a prefixed installation is {prefix}pb.eventlog. Event log files are prefixed and suffixed by default in the same way that the executable files are, unless the file names are overridden in the policy or the pb.settings file.

For error logs, the default error log for the Endpoint Privilege Management for Unix and Linux daemons is {prefix}{daemonname}.log. Suffixes are placed before the .log part of the file name for daemon error log files.

I/O logs are not prefixed or suffixed unless specified in the policy. I/O logs have no default name. The name of these files must be explicitly set in the policy.

Man Pages

If man pages are installed in a prefixed and/or suffixed installation, then the man page file names have the prefix or suffix added to the file name, using the format: {prefix}pbrun{suffix}.1, where 1 is the section number of the man page. The text in the man page is not changed to reflect the prefix and/or suffix. In this example format, the displayed man page shows the command as pbrun, regardless of the prefix or suffix in use.

Sample Policy Files

The sample policy files are not renamed with a prefix or suffix, but the directory that they are stored in is changed to reflect the prefix or suffix. For instance, with a prefix of test, the default location for the sample policy files on Linux is /usr/local/lib/testpbbuilder.