remotesystem

Description

Introduced in Endpoint Privilege Management for Unix and Linux 7.1, remotesystem() is used to run commands on a host other than the policy server host (any Endpoint Privilege Management for Unix and Linux runhost) as part of the policy. It can be called as a procedure (command output is shown on pbrun's terminal) or as a function (command output is captured into a policy variable). It is similar to the system() function/procedure, except that the command is run on a different host. The Endpoint Privilege Management for Unix and Linux variable status is set to the return code of the command upon exit. Input to the command comes from the user's keyboard or from the inputstring argument if it is present. Output goes to the user's screen or to the result string variable, if present.

If the specified host is the same as the submithost, the requesting program (pbrun, pbksh, pbsh) executes the command. If the specified host is not the submithost, pblocald is used to execute the command.

This is primarily intended to be used as a function, without interactive keyboard or screen I/O. Limited I/O is allowed; however, programs such as vi are not supported.

This policy function requires Endpoint Privilege Management for Unix and Linux 7.1 clients (pbrun, pbsh, pbksh, pbssh, pblocald).

Do not use remotesystem() as a procedure (without the result variable) in a policy that is processing pbguid requests.

Not supported in Endpoint Privilege Management for Linux (EPM-L).

Syntax

[result =] remotesystem( hostname, user, environment, timeout, cwd, "command and arguments" [,inputstring]);

Arguments

hostname Required. The host on which to run the command. This can be a short name, FQDN, or IP address.
user Required. The user to execute the command as.
environment Required. A list specifying the environment variables to execute the command with.
timeout Required. The maximum time in seconds that the remote command is allowed to take. A timeout of zero indicates no timeout.
cwd Required. Directory from which to execute the command.
command Required. The command (possibly including path) and arguments to run.
inputstring Optional. Command input, formatted into a single character string.

Return Values

If the result variable is specified, remotesystem() acts as a function returning the output of the command. If the result variable is not specified, the output from the command that is executed by the remotesystem() procedure appears on stderr of the requesting program (pbrun, pbsh, pbksh, pbssh).

The Endpoint Privilege Management for Unix and Linux variable status is set to the return code. In general, a return code of 0 means the command completed successfully. For a description of non-zero return codes, see the documentation for the command that is being run. A status of -15 indicates a timeout.

processlist = remotesystem( submithost, "root", {"PATH=/bin","TMPDIR=/tmp/"}, 20, "/tmp", "ps -ef", "" );

In this example, the processlist variable is assigned the output from the ps command executed on the submithost. Note that the optional input argument is a set of empty quotes, meaning that the command is not given any input.

processlist = remotesystem( submithost, "root", {"PATH=/bin","TMPDIR=/tmp/"}, 20, "/tmp", "bash -c 'ps -ef | grep ^" + user + "'");

In this example, the processlist variable is again assigned the output from the ps command executed on the submithost. The optional input argument is not provided, meaning that the submituser's keyboard is connected through to the command. bash -c is used so that a shell processes the multiple commands (ps and grep).
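
The status handling described under Return Values, shown as an added example that is not part of the original documentation. It reuses the first example's call and assumes the policy language's if statement, printf() procedure and reject statement, none of which appear on this page.

```text
/* Added example: bounded, non-interactive call that fails closed.        */
/* The empty inputstring keeps the submitting user's keyboard             */
/* disconnected from the command; the timeout is 20 seconds, not 0,       */
/* because a timeout of zero means no timeout.                            */
processlist = remotesystem( submithost, "root", {"PATH=/bin","TMPDIR=/tmp/"}, 20, "/tmp", "ps -ef", "" );

/* status holds the command's return code; -15 indicates a timeout.       */
if (status == -15) {
    /* printf() and reject are assumed here; they are not shown on this page. */
    printf("remotesystem: ps -ef timed out on %s\n", submithost);
    reject;
}

/* Any other non-zero code is defined by the command itself (here, ps).   */
if (status != 0) {
    printf("remotesystem: ps -ef exited with status %d on %s\n", status, submithost);
    reject;
}

/* Past this point status is 0, so processlist holds the output of a      */
/* command that completed, and later policy logic can rely on it.         */
```

Checking status before using the result keeps a timed-out or failed remote command from being treated as valid output.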
