Use the pmshell_forbid list variable in the policy file to define a list of commands you want the shell to forbid without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager for Unix checks each command a user enters against this list. If a match is found, it rejects the command without further authorization. These commands do not result in a reject entry in the event log as they are forbidden by the shell. You can also configure the message that is displayed when it issues one of these commands.
Use the pmshell_allow list variable in the policy file to define a list of commands you want the shell to allow without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager for Unix checks each command the user enters against this list. If a match is found, it allows the command without further authorization. These commands do not result in an accept entry in the event log as they are allowed by the shell.
Use the pmshell_allowpipe variable in the policy file to configure a list of commands you want the shell to allow without further authorization by the policy server if the input to the command is a pipe. The shell program interprets this list as a list of regular expressions. Privilege Manager for Unix checks each command a user enters against this list if the input to the command is a pipe. If a match is found, it allows the command without further authorization.
These commands do not result in an accept entry in the event log as they are allowed by the shell. This allows the shell to authorize commands only within a particular context.
For example, if the allowed pipe command list contains grep, as in:
grep "root" /etc/shadow
the shell authorizes the grep command as its input does not come from a pipe.
On the other hand, if you enter:
cat /etc/shadow | grep "root"
the shell only authorizes the cat command. The grep command is allowed without authorization.
Built-in shell commands are functions defined internally to the shell. You can apply a policy to shell built-in commands by setting pmshell_checkbuiltins=1. The shell does not create a new UNIX process to run a built-in command and does not access or run any program outside the shell to run a built-in command. The shell built-in commands usually include functions like echo and cd. The full list of shell built-in commands depends on the shell you are using; to see the command list for a particular shell, run the shell with the -? argument.
By default, shell built-in commands are not authorized to the policy server or checked against the allow and forbid lists.
You can set a flag to force the shell to treat all shell built-in commands as if they are normal, executable commands. If this flag is set, all built-in commands are compared with the forbid and allow lists, and if no match is found, they are presented to the policy server for authorization.
