accept Statement

  • Version 4.0 and earlier: accept statement does not support ACL.
  • Version 5.0 and later: accept statement supports ACL.

Description

When an accept statement is encountered, security policy file processing terminates immediately, pblocald starts, and the secured task is executed by pblocald.

Syntax

All versions:

accept;


Version 5.0 and later:

accept [from ["user"][, ["submithost"][, ["command"]
[, ["runhost"]]]]] [when conditional-expression]
[with optional-statements-before-execution];

Definition

  • user is a user name, list of user names, or left blank to imply any user.
  • submithost is a submit host name, list of submit hosts, or left blank to imply any submit host.
  • command is a command, list of commands, or left blank to imply any command.
  • runhost is a run host, list of run hosts, or left blank to imply any run host.
  • conditional-expression is an expression that evaluates true or false.
  • optional-statements-before-execution is one or more Endpoint Privilege Management for Unix and Linux Policy Language statements that execute before the requested command is executed. For multiple statements, separate each statement with a comma.

Examples

All versions:

if (user == "HelpDesk1") accept;

If user is equal to HelpDesk1, the task is accepted and allowed to execute. Security policy file processing terminates immediately. pblocald starts, and the policy server sends it the information needed to start the executable specified in the runcommand variable. pblocald runs that executable with the arguments specified in the runargv variable, as the user specified in the runuser variable. Other run variables can also be set before the accept.
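The following policy fragment is an added example and is not taken from the product documentation. It shows the if/accept form together with the run variables the page names (runcommand, runargv, runuser, iolog) being set before the accept, and it relies on the accept statement ending policy processing: the trailing reject is reached only by requests that no earlier accept matched. The reject statement, the # comment syntax, the && operator and the brace list syntax for runargv are assumptions about the policy language that this page itself does not document.

```text
# Added example (not from the product documentation).
# Run variables must be set BEFORE the accept, because accept ends
# policy processing immediately and hands the request to pblocald.

if (user == "HelpDesk1" && command == "/bin/date") {
    runuser    = "nobody";                  # run as an unprivileged account
    runcommand = "/bin/date";               # executable pblocald will start
    runargv    = {"/bin/date", "-u"};       # argument vector passed to it
    iolog      = "/var/log/pb.iolog.date";  # record the session I/O
    accept;                                 # processing stops here for this request
}

# Any request that did not match an accept above is refused.
reject;
```

Because the first matching accept terminates processing, the order of accept statements in the policy file is the order in which requests are evaluated; place the most specific rules first and a catch-all reject last.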

Version 5.0 and later:

Accept all commands for user1 from any submit host and for any run host:

accept from "user1";

Accept all commands for user1 when the request comes from submit host host1 for any run host:

accept from "user1", "host1";

Accept the date command from user1 from any submit host and for any run host:

accept from "user1",,"date";

Accept all commands from user3, from any submit host and for any run host, when the time is between 9:00 A.M. and 5:00 P.M.:

accept from "user3" when timebetween(900, 1700);

Accept a sh command from user1 or user3, from any submit host and for any run host, and turn on I/O logging:

accept from {"user1", "user3"},,"sh" with iolog = "/var/log/pb.iolog.sh";

Accept all commands from all users, from any submit host and for any run host, when the time is between 9:00 A.M. and 5:00 P.M.:

accept when timebetween(900, 1700);
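The following policy fragment is an added example and is not part of the product documentation. It combines all four positional fields of the Version 5.0 ACL form (user, submithost, command, runhost) with both a when clause and a with clause carrying two comma-separated statements, and orders the rules from most specific to least specific so that the first matching accept, which ends processing, is the narrowest one. The host names, paths and user names are constructed; the reject statement and the # comment syntax are assumptions this page does not document.

```text
# Added example (not from the product documentation).
# Most specific rule first: the first accept that matches ends processing.

# user1 or user3, submitting from host1, running /bin/date on host2,
# during business hours, with I/O logging and an explicit run user.
accept from {"user1", "user3"}, "host1", "/bin/date", "host2"
    when timebetween(900, 1700)
    with iolog = "/var/log/pb.iolog.date", runuser = "nobody";

# user1 may run /bin/date from any submit host on any run host
# (blank fields mean "any"), but only with I/O logging.
accept from "user1",,"/bin/date"
    with iolog = "/var/log/pb.iolog.user1";

# Everything else that reaches this point is refused.
reject;
```

A request from user3 on host1 for /bin/date on host2 at 10:00 matches the first rule and is accepted with the logging and run user set there; the same request at 18:00 fails the when clause, does not match the second rule (it names only user1), and falls through to the reject.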