• Version 3.5 and earlier: runsecurecommand variable not available.
  • Version 4.0 and later: runsecurecommand variable available.


The runsecurecommand variable enables you to perform an extra check on the security of the requested command. This check helps ensure that someone other than root or the runuser (for example, sys or oracle), could not have compromised the command.

When set to true, the run command and all directories above it are checked to see if anyone other than root or the run user has write permission. If the command file or any of the directories above it are writable by anyone other than root or the runuser, then the run host refuses to run the command. The runsecurecommand setting can be set to yes on the run host for the same effect.

This run variable does not apply to pbssh. If it is present in the policy, it does not have any effect on pbssh and is ignored.

runsecurecommand = boolean;
true Non-zero. Check that the runcommand is writable only by root or the runuser.
false Zero. No check is performed. The default is false.
runsecurecommand = true;