Type list READ/WRITE
pmshell_allow contains a list of regular expressions identifying Privilege Manager shell subcommands that are pre-authorized. The list may contain regular expressions.
This variable is applicable to pmsh, pmcsh, pmksh, and pmbash.
On startup, the Privilege Manager shell programs load this list. Any shell subcommand entered by the user that matches one of these expressions is pre-authorized, that is, it will be allowed to run locally without any further authorization by pmmasterd, and will not be logged as an event. By default, the list is empty.
pmshell_allow = {"ls","grep"};
Type list READ/WRITE
pmshell_allowpipe identifies the list of Privilege Manager shell subcommands that are pre-authorized if the input to the command is from a pipe. The list may contain regular expressions.
This variable is applicable to pmsh, pmcsh, pmksh, and pmbash.
On startup, the Privilege Manager shells load this list. For any shell subcommand entered by the user that takes its input from a pipe, if the command matches one of these expressions, it will be allowed to run locally without any further authorization by the pmmasterd, and will not be logged as an event. By default, the list is empty.
For example, if this list contains the string "more", the "more" command will be pre-authorized in the context of the command ls | more but will require authorization in the context of the command more /tmp/file.
pmshell_allow = {"grep","cat", "more"};
Type integer READ/WRITE
If pmshell_checkbuiltins is set to true, the Privilege Manager shell program will check all shell builtin commands as if they were not built-ins. That is, it will match each one against the forbidden list, then the allowed list, and if no match is found, then the command will be authorized with pmmasterd. To see a full list of the builtin commands for a particular shell program, run the shell program with the -? option. The default value for this variable is false.
This variable is applicable to the pmsh, pmksh, and pmcsh programs.
if (defined pmshell_cmd){ if (user !in safe_shell_list) { #check builtins pmshell_checkbuiltins=true; } }
Type list READ/WRITE
pmshell_forbid contains a list of regular expressions loaded on startup by the Privilege Manager shell programs: pmsh, pmcsh, pmksh, and pmbash. The list may contain regular expressions.
Any command entered by the user during the shell session, that matches one of these expressions, will be forbidden without any further authorization by the pmmasterd, and will not be logged as an event. All shell subcommands are matched with this list before checking the allowed list. By default, the variable contains an empty list.
pmshell_forbid = {"kill","passwd"};
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité