runchroot

String, modifiable

The runchroot variable contains the name of the user’s root directory. A secured task can access only those files that reside within that root directory. To change the root directory for the current task, set runchroot.

There is no read-only version of this variable.

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

To use Privilege Management for Unix and Linux with the directory that is specified in the runchroot variable, the following files must be copied into that directory:

Files Target Directory
/etc/pb.settings runchroot/etc
Key files in /etc (if using Privilege Management for Unix and Linux encryption) runchroot/etc
/usr/lib/symark/pb/* (if using Kerberos, SSL, or LDAP) runchroot/usr/lib/symark/pb

In addition, if the pbrunlog setting has a value, you must create a corresponding directory under the directory that is specified in runchroot. For example, if pbrunlog is set to /var/log/pbrun.log, then create a runchroot/var/log directory.

runchroot = string;

A string that contains a valid absolute path specification. The default value is empty, which implies that the entire run host’s file system is accessible.

runchroot = "/usr/local/newroot";

For more information, please see the following: