Type integer READONLY
pmshell_cmdtype is only defined if the command is a shell subcommand running from a Privilege Manager shell.
This variable is only applicable to the pmsh, pmcsh, pmksh, and pmbash programs.
It is set to one of these constant values: pmshell_builtin, pmshell_script, or pmshell_exe.
if (defined pmshell_cmd) {
    if (user !in safe_shell_list) {
        # check builtins
        pmshell_checkbuiltins=true;
    }
}
Type integer READONLY
pmshell_exe contains a constant value that identifies a normal executable command. Use it to compare with the value of the pmshell_cmdtype variable.
if (defined pmshell_cmd) {
    if (pmshell_cmdtype == pmshell_exe) {
        if (basename(runcommand) in shell_sub_list) {
            accept;
        }
    }
}
Type integer READONLY
pmshell_interpreter is only defined if the command is running from within a Privilege Manager shell program. If the shell subcommand is an interpreted script (that is, the first line of the file contains a directive in the format #!<path>), then this variable contains the pathname of the interpreter identified by this directive. Use this variable to detect and reject a user's attempt to run an unrestricted shell script from within a restricted shell program.
if (defined pmshell)
{
    printf("Starting %s shell\n", pmshell_prog);
    accept;
}
if ((defined pmshell_cmd) && (pmshell_cmd == true))
{
    # if running a restricted shell, then don't allow the user to run a shell
    # script unless it's a Privilege Manager shell
    if (pmshell_restricted && (pmshell_cmdtype == pmshell_script))
    {
        if (dirname(pmshell_interpreter) != "/opt/quest/bin")
        {
            reject "Restricted shell only permits you to run a shell in the /opt/quest/bin directory";
        }
    }
}
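The restricted-shell rule above depends on the directory of the interpreter named in a script's #!<path> directive. As an added example (not One Identity code), this Python script audits a directory of scripts against the same dirname check so you can see which ones the rule would reject before deploying the policy. Taking the first token after #! as the interpreter is an assumption about how the directive is read, and the sample files are constructed.

```python
import os
import tempfile

ALLOWED_DIR = "/opt/quest/bin"  # directory the page's policy permits

def shebang_interpreter(path):
    """Return the interpreter path from a '#!<path>' first line, or None."""
    with open(path, "rb") as fh:
        first = fh.readline(256)
    if not first.startswith(b"#!"):
        return None  # no directive on the first line (e.g. a binary)
    tokens = first[2:].decode("utf-8", "replace").split()
    # Assumption: the interpreter is the first token; its arguments are ignored.
    return tokens[0] if tokens else None

def classify(path):
    """Apply the page's dirname check: 'no-directive', 'allowed' or 'rejected'."""
    interp = shebang_interpreter(path)
    if interp is None:
        return "no-directive"
    return "allowed" if os.path.dirname(interp) == ALLOWED_DIR else "rejected"

def audit(directory):
    """Map each regular file in `directory` to its classification."""
    result = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            result[name] = classify(full)
    return result

def build_samples(directory):
    """Write constructed sample files (not taken from any real system)."""
    samples = {
        "pm.sh": b"#!/opt/quest/bin/pmsh\necho ok\n",
        "plain.sh": b"#!/bin/sh\necho ok\n",
        "env.sh": b"#! /usr/bin/env bash\necho ok\n",
        "binary": b"\x7fELF\x02\x01\x01",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for name, verdict in audit(tmp).items():
            print(f"{name:10} {verdict}")
```

Scripts that start through /usr/bin/env are reported as rejected because the directive names /usr/bin/env, not the shell it eventually launches.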
Type string READONLY
pmshell_prog is only defined if a Privilege Manager shell program is running. If a shell is running, it is set to the name of the shell program (pmsh, pmcsh, pmksh, pmloginshell, or pmbash).
if (defined pmshell) {
    printf("Starting %s shell\n", pmshell_prog);
    accept;
}
© 2021 One Identity LLC. ALL RIGHTS RESERVED.