policytimeout

The new Privilege Management for Unix and Linux 8.0.2 policytimeout() procedure adds an overall policy timeout mechanism so that pbmasterd can abort the request when the policy processing takes an inordinate amount of time.

For example, when submitconfirmuser() is used, but the submitting user (or process) does not enter a password.

This prevents pbmasterd processes that appear to be unresponsive when the policy is waiting for user input which may never arrive. When the policy timeout is encountered, the request is rejected, with the exitstatus set to:

policy timeout (<seconds> seconds) reached for <submitting user> on host <submithost> for command <command and args>

That message is also logged to pbmasterd.log.

This timeout mechanism terminates pbmasterd any time that the policy processing takes longer than the timeout value specified.

This includes any user input functions, infinite loops, long running external programs run with system() and remotesystem(), DNS and NFS hangs, and lengthy policies.

When the policytimeout() procedure is called at the beginning of the policy it applies to the entire policy. If called later, it applies to the rest of the policy.

If the function is not called, or called with a value of 0, there is no timeout and pbmasterd processes the entire policy (including waiting for user input) before terminating.

The policytimeout() procedure can be called many times, each time overriding the value previously set.

This timeout is canceled when an accept or reject is encountered (for example, the policy is completed). Note that this timeout does not affect the runconfirmuser mechanism, which is processed after an accept. This timeout does not affect the secured task once accepted. For example, this cannot protect against a user not providing username/password input for pbrun telnet <host>. pbmasterd informs Privilege Management for Unix and Linux 8.0.2 clients (pbrun, pbksh, pbsh, pbssh) of the timeout, and those clients also timeout. Note that the exact timing of pbmasterd timing out and the client timing out is not exact.

pbmasterd and the client process the timeout independently, and either may terminate before the other. Older clients cannot process such a timeout, and may appear unresponsive when pbmasterd terminates during expected user input. pbmasterd does not have a mechanism to interrupt an older client that is expecting input.

When remotesystem() is used with the submithost, the policy timeout is independent of the timeout specified in the remotesystem function call. The first of those timeouts to be encountered is the one that is processed.

When remotesystem() is used with a host other than the submithost, only the timeout specified in the remotesystem function call is used. If that is 0 (meaning no timeout), and the policy server encounters the policy timeout, the remote host may have a hung pblocald process.

policytimeout( <timeout_value_in_seconds> );

timeout_value_in_seconds Required. Specifies the policy timeout value in seconds.

Not applicable

policytimeout(25);
submitconfirmuser(user);
accept;
tmout=2;
policytimeout(tmout);
submitconfirmuser(user);
accept;
policytimeout(25);
...
policytimeout(40);
...
policytimeout(0);
...

For more information, please see remotesystem.