Task Information Variables

Endpoint Privilege Management for Unix and Linux uses task information variables to store information about a specific task request. Using the Security Policy Scripting Language, a security administrator can query this information and use it to make security decisions about a task request. These values are logged in the event logs and I/O logs.

The run variables do not apply to pbssh. If these run variables are present in the policy, they do not have any effect on pbssh and are ignored.

The following table lists these variables.

| Task Information Variable | Run Version of Variable | Description |
| --- | --- | --- |
| argc | --- | Number of arguments that are supplied with the current command. |
| argv | runargv | Argument values that are associated with the current command. |
| bkgd | runbkgd | Controls whether background command ignores HUP signals. |
| browserhost | --- | The host name of the machine that connects to pbguid. |
| clienthost | --- | The name of the client (submit) host as resolved on the client host. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| command | runcommand | Name of the current command. |
| cwd | runcwd | Full path of the current working directory. |
| env | runenv | List of environment variables that are associated with the current task. |
| group | rungroup | Name of user’s primary group. |
| groups | rungroups | List of all groups the current user belongs to. |
| host | runhost | Name of the machine that the task executes on. |
| --- | runhostip | IP address of the run host. |
| localmode | runlocalmode | Controls whether the secured task replaces pbrun on the submit host, for local tasks. pblocald is not invoked. With the exception of pbsh and pbksh, localmode is deprecated in favor of optimized run mode. |
| logaccept_utc | | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging accept. |
| --- | logcksum | Indicates which checksum value is added to the event log. |
| logfinish_utc | | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging finish. |
| logkeystroke_utc | | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging keystroke events. |
| logreject_utc | | Log server UTC time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when logging reject events. |
| logserver_utcoffset | | Log server timezone offset from UTC, in hours. |
| master_utcoffset | | Policy server timezone offset from UTC, in hours. |
| mastertimelimit | | Specifies a time limit, between pbmasterd and pblocald, for a task request. Version 4.0 and earlier: variable not available. Version 4.0 and later: variable available. |
| mastertimeout | | Specifies the amount of idle time in seconds, between pbmasterd and pblocald. Version 4.0 and earlier: variable not available. Version 4.0 and later: variable available. |
| --- | logservers | A list of log hosts for pblocald to use for event and I/O logging. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| nice | runnice | Nice values for the secured task. |
| optimizedrunmode | runoptimizedrunmode | Controls whether optimized run mode is allowed for this task. |
| --- | pblocaldnoglob | Stops pblocald from expanding arguments to the target program. |
| --- | pbrisklevel | Risk rating that is passed to BeyondInsight. |
| --- | pidmessage | Optional message to issue when a job starts. |
| requestuser | --- | The user that is specified in the pbrun -u argument. |
| rlimit_as | runrlimit_as | Controls the maximum memory that is available to a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_core | runrlimit_core | Controls the maximum size of a core file. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_cpu | runrlimit_cpu | Controls the maximum CPU time of a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_data | runrlimit_data | Controls the maximum size of a process’ data segment. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_fsize | runrlimit_fsize | Controls the maximum size of a file. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_locks | runrlimit_locks | Controls the maximum number of file locks for a process. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_memlock | runrlimit_memlock | Controls the maximum number of bytes of virtual memory that can be locked. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_nofile | runrlimit_nofile | Controls the maximum number of files a user may have open at a given time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_nproc | runrlimit_nproc | Controls the maximum number of processes a user may run at a given time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_rss | runrlimit_rss | Controls the maximum size of a process’ resident set (number of virtual pages resident at a given time). Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| rlimit_stack | runrlimit_stack | Controls the maximum size of the process stack. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| runfinish_utc | | runhost time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when request has finished. |
| runstart_utc | | runhost utc time, in 'YYYY-MM-DDTHH:MM:SS.000Z' format, when request is received. |
| selinux | | Indicates whether pbrun is confined by SELinux. Version 5.2 and earlier: variable not available. Version 6.0 and later: variable available. |
| --- | runchroot | Name of the special file system root directory; see the chroot manual page for more information. |
| --- | runcksum | Contains a checksum value for the current task. |
| --- | runcksumlist | Contains a list of checksum values for the current task. |
| --- | runconfirmmessage | Password prompt that is used by pblocald for a final verification of the user. |
| --- | runconfirmuser | Controls whether final verification requires a password. |
| --- | runeffectivegroup | Controls the effective group ID (egid) of the requested job. |
| --- | runeffectiveuser | Controls the effective user ID (euid) of the requested job. |
| --- | runenablerlimits | When true, use the runrlimit_* variables to set up ulimits for the secured task. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| --- | runenvironmentfile | Specifies an environment file that contains environment variables to be incorporated into the run environment. Version 5.2 and earlier: variable not available. Version 6.0 and later: variable available. |
| --- | runptyflags | Flags that are used internally for pty settings; reserved for internal use. |
| --- | runsecurecommand | Checks that the runcommand is writable only by root or the runuser. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| --- | runmd5sum | Contains an MD5 checksum for the current task. |
| --- | runmd5sumlist | Contains a list of MD5 checksum values for the current task. |
| --- | runtimelimit | The number of seconds that the job may execute. |
| --- | runtimeout | Maximum allowed idle time. |
| --- | runutmpuser | utmp user name. |
| --- | shellallowedcommands | Contains a list of strings that contain commands that may be run without any further authorization. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| --- | shellcheckbuiltins | If true, directs the shell to check shell built-in commands as if they were standard commands. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| | shellcheckredirections | If true, directs the shell to authorize I/O redirections; if false, always allows I/O redirection. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| | shellforbiddencommands | Contains a list of strings that specify commands for pbksh and pbsh to reject without consulting an Endpoint Privilege Management for Unix and Linux policy server daemon. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| | shelllogincludefiles | Controls if the contents of included (sourced) shell scripts should be recorded in the I/O logs. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| | shellreadonly | Contains a list of environment variables that pbsh and pbksh set to read-only at startup time. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| | shellrestricted | Controls whether Endpoint Privilege Management for Unix and Linux shells run in restricted mode. Version 3.5 and earlier: variable not available. Version 4.0 and later: variable available. |
| solarisproject | runsolarisproject | Specifies a Solaris project that the secured task should be associated with on a Solaris 9 or higher runhost. Version 6.0 and earlier: variable not available. Version 6.1 and later: variable available. |
| submithost | --- | Name of the machine from which the current request is submitted. |
| submithostip | --- | IP address of the machine from which the current request is submitted. |
| taskpid | --- | The PID of the secured task launched by pbrun. |
| taskttyname | --- | Name of the tty device associated with the secured task. This variable is only available after the secured task is launched and cannot be used in the policy. This is a read-only variable. Version 6.2.0 and earlier: variable available. Version 6.2.6 and later: variable available. |
| timezone | --- | Standard representation of timezone on submithost. |
| ttyname | --- | Name of the tty device from which the current request is submitted. |
| umask | runumask | The user’s umask values. |
| user | runuser | Specifies the user ID that is associated with the login name of the user that submitted the current task. |

Within Endpoint Privilege Management for Unix and Linux, each secured task has its own set of task information variables. Other secured task requests do not share the information in these variables.

Two copies of task information variables are created and maintained for each task request that Endpoint Privilege Management for Unix and Linux processes. One set is read-only. These read-only variables contain the original, unmodified information about a task request. The other set, known as run variables, initially holds information identical to the corresponding read-only versions; however, the values of the run variables can be modified. The information in the modifiable variables is the information that Endpoint Privilege Management for Unix and Linux actually uses to execute a request once it is accepted. The modifiable task information variables have the same names as their read-only counterparts, except that they have the prefix run.

These run variables do not apply to pbssh. If these run variables are present in the policy, they do not have any effect on pbssh and are ignored.

There are some special pass-through values that are available for the run versions of some task information variables. These special values are needed when the policy server host and run host represent different systems. In this scenario, processing some functions may fail because the values for those variables need to be retrieved from the run host system rather than the policy server host. The following functions are affected: gethome(), getgroup(), getgroups(), and getshell().

| Value | Description | Example |
| --- | --- | --- |
| !g! | Returns the run user’s run group on run host. | rungroup = "!g!"; |
| !G! | Returns all groups that the run user belongs to on run host. | rungroups = {"!G!"}; |
| !~! | Returns the run user’s home directory on run host. | runcwd = "!~!"; |
| !!! | Returns the run user’s default shell on run host. | runcommand = "!!!"; |
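
The policy fragment below is an added example, not taken from the product documentation. It decides on the read-only variables (what was actually requested) and then shapes execution through the run variables, using pass-through values so that group and home directory are resolved on the run host. The user, host, command and account names are constructed, and the `in` operator and the `accept` and `reject` statements are policy language elements that this page does not itself list.

```conf
/* Added example. All names in these lists are constructed placeholders. */
dbadmins    = {"alice", "bob"};
jumphosts   = {"jump01.example.com"};
dbcommands  = {"/usr/bin/pg_ctl", "/usr/bin/psql"};

/* Decide on the read-only variables: they hold the original,
   unmodified request and cannot be altered by earlier policy lines. */
if (user in dbadmins && submithost in jumphosts && command in dbcommands) {

    /* Shape execution through the run variables. */
    runuser   = "postgres";     /* constructed service account */

    /* Policy server and run host are different systems here, so the
       account's group data and home directory are taken from the run
       host with the pass-through values. */
    rungroup  = "!g!";
    rungroups = {"!G!"};
    runcwd    = "!~!";

    /* Refuse to run a binary that someone other than root or the
       runuser could have rewritten. */
    runsecurecommand = true;

    /* End the session after 300 seconds of idle time. */
    runtimeout = 300;

    accept;
}

/* Anything that did not match is denied. */
reject;
```

Because the read-only and run copies are both written to the event log, a reviewer can compare `user` with `runuser` and `command` with `runcommand` for each accepted request.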
