Chat now with support
Chat with Support

Privilege Manager for Unix 7.2.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Configuration prerequisites

Before you configure Privilege Manager for Unix, make sure

  • TCP/IP is configured and running on all relevant machines.
  • Applications, files, and accounts you wish to access using Privilege Manager for Unix are available from all servers.
  • pmrun is in a directory in the user's PATH and is executable. pmrun is owned by root, and has the SETUID bit turned on.
  • pmmasterd and pmlocald are set up in /etc/services (this is created by the pmsrvconfig installation script).

    This is a sample services file:

    pmmasterd 12345/tcp 
    pmlocald 12346/tcp
  • The /etc/opt/quest/qpm4u/pm.settings file has been set up (this is done by pmsrvconfig).

    This is a sample pm.settings file, showing you the defaults for each setting:

    kerberos NO
    encryption AES
    reconnectClient NO
    reconnectAgent NO
    clientVerify NONE
    FailOverTimeOut 10
    Certificates NO
    selecthostrandom YES
    shortnames YES
    syslog YES
    pmservicedLog /var/log/pmserviced.log
    masterport 12345
    localport 12346
    tunnelport 12347
    masters qpm4u
    pmmasterdlog /var/log/pmmasterd.log
    pmmasterdEnabled YES
    pmmasterdOpts -ar
    policymode pmpolicy
    pmlogGroup pmlog

Configuration file examples

The topics that follow walk you through some detailed examples for the configuration file policy.

To install the configuration file examples on your machine

  1. Checkout the policy file:
    # pmpolicy checkout -d /tmp/example
  2. Copy example to the checkout directory and rename to pm.conf.
    cp /opt/quest/qpm4u/examples/exampleX.conf /tmp/example/policy_pmpolicy/pm.conf

    where X in exampleX.conf is 1, 2, 3,...10.

  3. Edit the configuration file and change the user name to a user name on your machine.
    # vi /tmp/example/policy_pmpolicy/pm.conf
  4. Commit the changes and enter a commit log message:
    # pmpolicy commit -d /tmp/example
    ** Validate options                                                       [ OK ]
    ** Commit copy in directory:/tmp/example/policy_pmpolicy                 
    
       ** Check directory                                                     [ OK ]
       ** Perform syntax check                                                [ OK ]
       ** Verify files to commit                                              [ OK ]
       Please enter the commit log message: Changed user name
       ** Commit change from working copy                                     [ OK ]
       ** Committed revision 4
  5. Run a command using pmrun using the user name you specified. For example:
    $ pmrun ls -l /tmp

Example 1: Basics

When you use pmrun to run a command, pmmasterd starts up and looks in the Privilege Manager for Unix configuration file for the conditions under which it should accept or reject the request.

The following configuration file fragment allows Dan to run programs as root:

if(user=="dan") 
   { runuser="root"; 
   accept; 
}

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes.

The syntax of the configuration language is similar to the C programming language:

  • Each statement ends with a ; (semicolon)
  • = (single equals) assigns values to variables
  • == (double equals) compares values for equality
  • ( ) (parentheses) enclose the conditional expressions in an if statement
  • { } (braces) group statements together
  • " " (double quotes) enclose strings
  • White space, tab stops, or indentation are ignored

In the example above, the braces { } group the two statements that run if the conditions in the if statement are met. The accept statement causes pmmasterd to accept the request, and asks pmlocald to run whatever command Dan requests as root.

Use the pmcheck program to check the example for errors. pmcheck gives you a line number and brief description for each error found.

Note that pmcheck assumes that the configuration file exists in /etc/opt/quest/qpm4u/policy/pm.conf unless you specify otherwise on the command line with a -f filename argument.

For example, if pmcheck finds a syntax error on line 2 of the configuration file, it prints out a message similar to the following:

% pmcheck Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012 Parse error in "/etc/opt/quest/qpm4u/policy/pm.conf", line 1: syntax error near ';' File /etc/opt/quest/qpm4u/policy/pm.conf contains 1 error.

If pmcheck finds no errors, it displays a message similar to this:

% pmcheck 
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012 

File /etc/opt/quest/qpm4u/policy/pm.conf contains 0 errors.

Try running a few more commands, such as date, hostname, and your favorite shell (such as, csh, sh, or ksh) by preceding the command with pmrun. For example:

# pmrun date

Example 2: Accept or reject requests

By default, pmmasterd rejects all requests. It only accepts requests if it reaches an accept statement after the appropriate conditions are met in the configuration file. When pmmasterd rejects a request, it does not run the requested program and it sends the user an explanatory message.

pmmasterd can also reject commands explicitly. The following fragment rejects Dan’s request to run commands outside of regular office hours:

accept [from ["user"][, ["submithost"][, ["command"]
[, ["runhost"]]]]] [when conditional-expression]
[with optional-statements-before-execution];
reject ["reject-text"] [from ["user"][, ["submithost"]
[, ["command"][, ["runhost"]]]]]
[when conditional-expression];
if(user=="dan") {
   # Explicitly disallow commands run outside of
   #regular office hours
   if(dayname=="Sat" || dayname=="Sun" ||
      !timebetween(800,1700))
      reject;
   runuser="root";
   accept;
}

Once it reaches a reject statement, pmmasterd reads no further statements; the request ends as soon as it is rejected. Note that no braces { } enclose the reject statement, since it is the only statement that occurs inside the inner if statement. Note also the use of the || ("or") and ! ("not") operators in the if statement which translates as "if the current day is Saturday or Sunday, or if the current time is not between 8:00 a.m. and 5:00 p.m., then reject the request."

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. For more information about using pmcheck, see Example 1: Basics.

Try changing the times specified to timebetween, to cause requests to be accepted or rejected.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating