Environment Variable Processing Considerations

As discussed earlier, it is possible to install pbrun, pbmasterd, pblocald, and/or pblogd on different machines (that is, the submit host, policy server host, run host, and log host may represent different physical machines). When this is the case, each of these separate machines can have its own set of users, groups, and environment variables, which can differ from host to host.

If pbrun, pbmasterd, and/or pblocald are installed on different machines, then the environment variables on those machines can contain different values.

For instance, a user might have one home directory on the submit host and another on the run host. In another example, a user group list on the policy server host can be different from the same user group list on the run host. This situation might arise if the policy server host is not an NIS client or has fewer entries in its /etc/passwd file.

As shown in the following figure, security policy file processing always takes place on the policy server host machine, while task execution takes place on the run host machine. When the policy server host and run host represent different machines, by default, it is the user and group information on the policy server host machine that is accessed during security profile file processing. If it is necessary to access users or groups only on the run host machine, then special pass-through values must be used. When these values are encountered during security profile file processing, pbmasterd passes through the value to the run host machine to be resolved when the task is run.

A diagram of security policy file processing on the Policy Server host machine and task execution on the run host machine.
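A consistency check for the host-to-host differences described above, as an added example that is not part of the product or its documentation: it compares /etc/passwd and /etc/group snapshots from a policy server host and a run host and reports users whose presence, home directory, or group list differs. The snapshot contents and all function names are assumptions made for illustration.

```python
# Added example, not product code: constructed /etc/passwd and /etc/group snapshots.
POLICY_PASSWD = "alice:x:1001:100:Alice:/home/alice:/bin/sh\n"
POLICY_GROUP = "users:x:100:\ndba:x:200:alice\n"
RUN_PASSWD = (
    "alice:x:1001:100:Alice:/export/home/alice:/bin/sh\n"
    "bob:x:1002:100:Bob:/home/bob:/bin/sh\n"
)
RUN_GROUP = "users:x:100:\ndba:x:200:\nwheel:x:10:alice,bob\n"


def _rows(text, min_fields):
    """Yield colon-separated fields, skipping blank, comment and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields


def load_accounts(passwd_text, group_text):
    """Return {user: (home, sorted group names)} for one host."""
    gid_names, members = {}, {}
    for name, _pw, gid, users, *_ in _rows(group_text, 4):
        gid_names[gid] = name
        for user in filter(None, (u.strip() for u in users.split(","))):
            members.setdefault(user, set()).add(name)
    accounts = {}
    for f in _rows(passwd_text, 7):
        primary = gid_names.get(f[3], f[3])  # fall back to the numeric GID
        accounts[f[0]] = (f[5], sorted(members.get(f[0], set()) | {primary}))
    return accounts


def diff_hosts(policy, run):
    """Return (user, field, policy_value, run_value) where the hosts disagree."""
    findings = []
    for user in sorted(set(policy) | set(run)):
        p, r = policy.get(user), run.get(user)
        if p is None or r is None:
            findings.append((user, "present", p is not None, r is not None))
            continue
        for field, pv, rv in zip(("home", "groups"), p, r):
            if pv != rv:
                findings.append((user, field, pv, rv))
    return findings


if __name__ == "__main__":
    print(diff_hosts(load_accounts(POLICY_PASSWD, POLICY_GROUP),
                     load_accounts(RUN_PASSWD, RUN_GROUP)))
```

Each finding marks a user for whom a policy decision based on the policy server host's account data would not match what the run host resolves when the task runs.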

The execute_via_su mechanism enables the runhost's environment for the runuser, overriding the run environment that the policy on the policy server has set up. Note that the runenvironmentfile feature can also be used to add runhost-specific environment variables.

For more detailed information on using pass-through values, see Task Information Variables.

Support for Multiple-Byte Character Sets

The Endpoint Privilege Management for Unix and Linux policy language supports the processing of UTF-8 encoded multiple-byte character strings. In addition, several variables (indicated by i18n_ in their names) format UTF-8 encoded date and time values according to the operating system’s locale settings.