Task Information Variables
Endpoint Privilege Management for Unix and Linux uses task information variables to store information about a specific task request. Using the Security Policy Scripting Language, a security administrator can query this information and use it to make security decisions about a task request. These values are logged in the event logs and I/O logs.
The following table lists these variables.
Task Information Variable | Run Version of Variable | Description |
--------------------------|-------------------------|-------------|
argc | --- | Number of arguments that are supplied with the current command. |
argv | runargv | Argument values that are associated with the current command. |
bkgd | runbkgd | Controls whether a background command ignores HUP signals. |
browserhost | --- | The host name of the machine that connects to pbguid. |
clienthost | --- | The name of the client (submit) host as resolved on the client host. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
command | runcommand | Name of the current command. |
cwd | runcwd | Full path of the current working directory. |
env | runenv | List of environment variables that are associated with the current task. |
group | rungroup | Name of the user’s primary group. |
groups | rungroups | List of all groups the current user belongs to. |
host | runhost | Name of the machine that the task executes on. |
--- | runhostip | IP address of the run host. |
localmode | runlocalmode | Controls whether the secured task replaces pbrun on the submit host, for local tasks; pblocald is not invoked. With the exception of pbsh and pbksh, localmode is deprecated in favor of optimized run mode. |
logaccept_utc | --- | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging accept events. |
--- | logcksum | Indicates which checksum value is added to the event log. |
logfinish_utc | --- | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging finish events. |
logkeystroke_utc | --- | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging keystroke events. |
logreject_utc | --- | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging reject events. |
logserver_utcoffset | --- | Log server time zone offset from UTC, in hours. |
master_utcoffset | --- | Policy server time zone offset from UTC, in hours. |
mastertimelimit | --- | Specifies a time limit, between pbmasterd and pblocald, for a task request. Version 4.0 and earlier: variable not available. Version 4.0 and later: variable available. |
mastertimeout | --- | Specifies the amount of idle time in seconds, between pbmasterd and pblocald. Version 4.0 and earlier: variable not available. Version 4.0 and later: variable available. |
--- | logservers | A list of log hosts for pblocald to use for event and I/O logging. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
nice | runnice | Nice value for the secured task. |
optimizedrunmode | runoptimizedrunmode | Controls whether optimized run mode is allowed for this task. |
--- | pblocaldnoglob | Stops pblocald from expanding arguments to the target program. |
--- | pbrisklevel | Risk rating that is passed to BeyondInsight. |
--- | pidmessage | Optional message to issue when a job starts. |
requestuser | --- | The user that is specified in the pbrun -u argument. |
rlimit_as | runrlimit_as | Controls the maximum memory that is available to a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_core | runrlimit_core | Controls the maximum size of a core file. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_cpu | runrlimit_cpu | Controls the maximum CPU time of a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_data | runrlimit_data | Controls the maximum size of a process’ data segment. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_fsize | runrlimit_fsize | Controls the maximum size of a file. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_locks | runrlimit_locks | Controls the maximum number of file locks for a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_memlock | runrlimit_memlock | Controls the maximum number of bytes of virtual memory that can be locked. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_nofile | runrlimit_nofile | Controls the maximum number of files a user may have open at a given time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_nproc | runrlimit_nproc | Controls the maximum number of processes a user may run at a given time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_rss | runrlimit_rss | Controls the maximum size of a process’ resident set (number of virtual pages resident at a given time). Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
rlimit_stack | runrlimit_stack | Controls the maximum size of the process stack. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
runfinish_utc | --- | Run host time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when the request has finished. |
runstart_utc | --- | Run host UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when the request is received. |
selinux | --- | Indicates whether pbrun is confined by SELinux. Version 5.2 and earlier: variable not available. Version 6.0 and later: variable available. |
--- | runchroot | Name of the special file system root directory; see the chroot manual page for more information. |
--- | runcksum | Contains a checksum value for the current task. |
--- | runcksumlist | Contains a list of checksum values for the current task. |
--- | runconfirmmessage | Password prompt that is used by pblocald for a final verification of the user. |
--- | runconfirmuser | Controls whether final verification requires a password. |
--- | runeffectivegroup | Controls the effective group ID (egid) of the requested job. |
--- | runeffectiveuser | Controls the effective user ID (euid) of the requested job. |
--- | runenablerlimits | When true, use the runrlimit_* variables to set up ulimits for the secured task. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
--- | runenvironmentfile | Specifies an environment file that contains environment variables to be incorporated into the run environment. Version 5.2 and earlier: variable not available. Version 6.0 and later: variable available. |
--- | runptyflags | Flags that are used internally for pty settings; reserved for internal use. |
--- | runsecurecommand | Checks that the runcommand is writable only by root or the runuser. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
--- | runmd5sum | Contains an MD5 checksum for the current task. |
--- | runmd5sumlist | Contains a list of MD5 checksum values for the current task. |
--- | runtimelimit | The number of seconds that the job may execute. |
--- | runtimeout | Maximum allowed idle time. |
--- | runutmpuser | utmp user name. |
--- | shellallowedcommands | Contains a list of strings that contain commands that may be run without any further authorization. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
--- | shellcheckbuiltins | If true, directs the shell to check shell built-in commands as if they were standard commands. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
shellcheckredirections | --- | If true, directs the shell to authorize I/O redirections; if false, always allows I/O redirection. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
shellforbiddencommands | --- | Contains a list of strings that specify commands for pbksh and pbsh to reject without consulting an Endpoint Privilege Management for Unix and Linux policy server daemon. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
shelllogincludefiles | --- | Controls whether the contents of included (sourced) shell scripts are recorded in the I/O logs. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
shellreadonly | --- | Contains a list of environment variables that pbsh and pbksh set to read-only at startup time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
shellrestricted | --- | Controls whether Endpoint Privilege Management for Unix and Linux shells run in restricted mode. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
solarisproject | runsolarisproject | Specifies a Solaris project that the secured task should be associated with on a Solaris 9 or higher run host. Version 6.0 and earlier: variable not available. Version 6.1 and later: variable available. |
submithost | --- | Name of the machine from which the current request is submitted. |
submithostip | --- | IP address of the machine from which the current request is submitted. |
taskpid | --- | The PID of the secured task launched by pbrun. |
taskttyname | --- | Name of the tty device associated with the secured task. This variable is only available after the secured task is launched and cannot be used in the policy. This is a read-only variable. Version 6.2.0 and earlier: variable available. Version 6.2.6 and later: variable available. |
timezone | --- | Standard representation of the time zone on the submit host. |
ttyname | --- | Name of the tty device from which the current request is submitted. |
umask | runumask | The user’s umask value. |
user | runuser | Specifies the user ID that is associated with the login name of the user that submitted the current task. |
Within Endpoint Privilege Management for Unix and Linux, each secured task has its own set of task information variables. Other secured task requests do not share the information in these variables.
Two copies of the task information variables are created and maintained for each task request that Endpoint Privilege Management for Unix and Linux processes. One set is read-only. These read-only variables contain the original, unmodified information about a task request. The other set, known as run variables, initially holds information identical to the corresponding read-only versions; however, their values can be modified. The information in the modifiable variables is the information that Endpoint Privilege Management for Unix and Linux actually uses to execute a request once it is accepted. The modifiable task information variables have the same names as their read-only counterparts, except that they carry the prefix run.
These run variables do not apply to pbssh. If these run variables are present in the policy, they do not have any effect on pbssh and are ignored.
There are some special pass-through values that are available for the run versions of some task information variables. These special values are needed when the policy server host and run host represent different systems. In this scenario, processing some functions may fail because the values for those variables need to be retrieved from the run host system rather than the policy server host. The following functions are affected: gethome(), getgroup(), getgroups(), and getshell().
Value | Description | Example |
!g! | Returns the run user’s run group on run host. | rungroup = "!g!"; |
!G! | Returns all groups that the run user belongs to on run host. | rungroups = {"!G!"}; |
!~! | Returns the run user’s home directory on run host. | runcwd = "!~!"; |
!!! | Returns the run user’s default shell on run host. | runcommand = "!!!"; |
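The following policy fragment is an added illustration, not an example from the BeyondTrust documentation, of the two points above: decisions are made on the read-only variables, execution is shaped through the run variables, and the pass-through values are used where the policy server and run host differ. The list names dbadmins and dbcommands, the user and command names, the service account and the numeric limits are all made up for this illustration.

```pbpolicy
# Added example policy fragment (not from the BeyondTrust documentation).
# The lists, account names and limits below are assumptions for illustration.
dbadmins   = { "alice", "bob" };
dbcommands = { "/usr/local/bin/pg_ctl", "/usr/local/bin/pg_dump" };

# Decide on the read-only variables: they hold the request exactly as pbrun
# submitted it and cannot have been altered earlier in the policy.
if ( !(user in dbadmins) ) {
    reject "Only database administrators may use this policy";
}
if ( !(command in dbcommands) ) {
    reject "Command is not on the approved list";
}

# Shape execution through the run variables. The read-only copies (user,
# command, cwd, ...) keep their original values for the event log.
runuser          = "postgres";   # execute as the service account, not as root
runeffectiveuser = "postgres";
runsecurecommand = true;         # refuse if runcommand is writable by anyone
                                 # other than root or the run user
runtimeout       = 600;          # maximum idle time, in seconds
runtimelimit     = 3600;         # maximum execution time, in seconds

# runrlimit_* values take effect only when runenablerlimits is true.
runenablerlimits = true;
runrlimit_core   = 0;            # no core dumps of the privileged process
runrlimit_nproc  = 64;

# Pass-through values are resolved on the run host. gethome(runuser) would be
# evaluated on the policy server, where the "postgres" account may not exist.
runcwd    = "!~!";               # run user's home directory on the run host
rungroup  = "!g!";               # run user's primary group on the run host
rungroups = { "!G!" };           # all of the run user's groups on the run host

accept;
```

Because the read-only variables are what the request looked like on submission and the run variables are what was actually executed, both sets appear in the event log, which is what lets an analyst later reconcile "what was asked for" against "what ran".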
For more information, see the following:
- On when and how to use special run variable values, Environment Variable Processing Considerations
- On the gethome(), getgroup(), getgroups(), and getshell() functions, Built-in Functions and Procedures