The run environment for a secured task is normally dictated by the Privilege Management for Unix and Linux policy server policy. It may be desirable to have the run host dictate the run environment instead. Privilege Management for Unix and Linux version 7.1 and above can use the su - command to create a login shell for the secured task, so that the host's login mechanism sets up the run environment.

The policy server host keyword execute_via_su in /etc/pb.settings globally enables using su - to execute the secured task. This keyword can be overridden by the policy variable of the same name, execute_via_su; the variable's initial value is taken from the keyword setting.

When execute_via_su is in effect, any run environment set up in the policy affects the execution of su - rather than the execution of the secured task itself. This includes the use of runcwd, setenv(), keepenv(), etc., as well as !g!, !G!, etc.

Entitlement reports do not indicate that su - is used; however, the Accept events in the event log show whether su - was used to invoke the secured task. This feature does not work for runusers whose login is disabled (for example, with /sbin/nologin or /bin/false as the login shell), because su - cannot start a login shell for such an account.
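Because execute_via_su silently depends on every runuser having a working login shell, it is worth auditing candidate runusers before enabling the keyword globally. The following POSIX shell script is an added example, not BeyondTrust code: it reads a passwd-format file (path passed as a parameter, so it can run against a copy or a test fixture), reports which accounts have a disabled login shell, and so tells you which runusers need the execute_via_su policy variable left off. The /usr/sbin/nologin and /usr/bin/false paths are assumed additions to the two shells named above.

```shell
#!/bin/sh
# Added example, not BeyondTrust code: audit which accounts cannot be used as
# runusers with execute_via_su, because `su -` needs a working login shell.
# The passwd file path is a parameter so the functions can run against a copy
# or a test fixture.

# Login shells that refuse to start a session. /sbin/nologin and /bin/false
# are the cases named in the text; the /usr/... variants are assumptions.
DISABLED_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# login_shell PASSWD_FILE USER
# Prints USER's login shell field; exits 1 if the account does not exist.
# An empty field is printed as /bin/sh, which is what su(1) falls back to.
login_shell() {
    awk -F: -v u="$2" '
        $1 == u { found = 1; print ($7 == "" ? "/bin/sh" : $7) }
        END     { if (!found) exit 1 }
    ' "$1"
}

# su_login_ok PASSWD_FILE USER
# Returns 0 if `su - USER` can start a login shell for the account, 1 if the
# account is missing or its shell is one of DISABLED_SHELLS.
su_login_ok() {
    shell=$(login_shell "$1" "$2") || return 1
    for d in $DISABLED_SHELLS; do
        [ "$shell" = "$d" ] && return 1
    done
    return 0
}

# disabled_runusers PASSWD_FILE
# Prints, one per line, every account whose login shell is disabled; these
# are the runusers for which execute_via_su cannot work.
disabled_runusers() {
    awk -F: '{ print $1 }' "$1" | while read -r u; do
        su_login_ok "$1" "$u" || echo "$u"
    done
}

# Stand-alone usage on the run host: audit the live passwd file.
# disabled_runusers /etc/passwd
```

Run disabled_runusers against /etc/passwd on each run host (accounts served by NIS/LDAP need the resolved entries, e.g. via getent passwd, rather than the local file); any listed account that appears as a runuser in policy should have execute_via_su overridden to false for that rule, or the keyword should stay off.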
| Settings Keyword | Policy Variable | Result uses su -? |
|---|---|---|