runchroot

Data Type

String, modifiable

Description

The runchroot variable contains the name of the user’s root directory. A secured task can access only those files that reside within that root directory. To change the root directory for the current task, set runchroot.

There is no read-only version of this variable.

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

To use Endpoint Privilege Management for Unix and Linux with the directory that is specified in the runchroot variable, the following files must be copied into that directory:

| Files | Target Directory |
|---|---|
| /etc/pb.settings | runchroot/etc |
| Key files in /etc (if using Endpoint Privilege Management for Unix and Linux encryption) | runchroot/etc |
| /usr/lib/symark/pb/* (if using Kerberos, SSL, or LDAP) | runchroot/usr/lib/symark/pb |

In addition, if the pbrunlog setting has a value, you must create a corresponding directory under the directory that is specified in runchroot. For example, if pbrunlog is set to /var/log/pbrun.log, then create a runchroot/var/log directory.
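The staging steps above can be scripted. The following is an added example, not vendor-supplied code: the function names and the SRC_ROOT parameter are hypothetical, and it assumes pb.settings uses whitespace-separated "keyword value" lines. Key files are not copied because their names depend on the site's encryption settings.

```shell
#!/bin/sh
# Added example: stage the files listed above into a runchroot directory.
# Assumptions (not from the page): pb.settings uses "keyword value" lines;
# SRC_ROOT exists only so the script can be tried against a scratch tree.

# Print the value of the pbrunlog setting, or nothing if it is unset.
pbrunlog_path() {
    awk '$1 == "pbrunlog" { print $2; exit }' "$1"
}

# prepare_runchroot NEWROOT [SRC_ROOT]
prepare_runchroot() {
    newroot=$1
    src=${2:-}
    case $newroot in
        /*) ;;
        *) echo "runchroot must be an absolute path: $newroot" >&2; return 1 ;;
    esac
    [ -f "$src/etc/pb.settings" ] || { echo "missing $src/etc/pb.settings" >&2; return 1; }

    mkdir -p "$newroot/etc" || return 1
    cp -p "$src/etc/pb.settings" "$newroot/etc/" || return 1

    # Shared libraries are needed only when Kerberos, SSL, or LDAP is used.
    if [ -d "$src/usr/lib/symark/pb" ]; then
        mkdir -p "$newroot/usr/lib/symark/pb" || return 1
        cp -Rp "$src/usr/lib/symark/pb/." "$newroot/usr/lib/symark/pb/" || return 1
    fi

    # pbrunlog needs its parent directory to exist inside the new root.
    log=$(pbrunlog_path "$src/etc/pb.settings")
    if [ -n "$log" ]; then
        mkdir -p "$newroot$(dirname "$log")" || return 1
    fi
}

# check_runchroot NEWROOT: print each missing item; non-zero status if any is missing.
check_runchroot() {
    newroot=$1; missing=0
    [ -f "$newroot/etc/pb.settings" ] || { echo "missing: etc/pb.settings"; return 1; }
    log=$(pbrunlog_path "$newroot/etc/pb.settings")
    if [ -n "$log" ] && [ ! -d "$newroot$(dirname "$log")" ]; then
        echo "missing: $(dirname "$log")"; missing=1
    fi
    return $missing
}
```

Run check_runchroot against the directory before referencing it in policy, so that a missing settings file or log directory is found ahead of the first secured task.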

Syntax

runchroot = string;

Valid Values

A string that contains a valid absolute path specification. The default value is empty, which implies that the entire run host’s file system is accessible.

runchroot = "/usr/local/newroot";
