Use the pmshell_allow list variable in the policy file to define a list of commands you want the shell to allow without any further authorization by the policy server. The shell program interprets this list as a list of regular expressions. Privilege Manager for Unix checks each command the user enters against this list. If a match is found, it allows the command without further authorization. These commands do not result in an accept entry in the event log as they are allowed by the shell.
Use the pmshell_allowpipe variable in the policy file to configure a list of commands you want the shell to allow without further authorization by the policy server if the input to the command is a pipe. The shell program interprets this list as a list of regular expressions. Privilege Manager for Unix checks each command a user enters against this list if the input to the command is a pipe. If a match is found, it allows the command without further authorization. These commands do not result in an accept entry in the event log as they are allowed by the shell. This allows the shell to authorize commands only within a particular context.
For example, if the allowed pipe command list contains grep, as in:
grep "root" /etc/shadow
the shell sends the grep command to the policy server for authorization, because its input does not come from a pipe.
On the other hand, if you enter:
cat /etc/shadow | grep "root"
the shell sends only the cat command to the policy server for authorization. The grep command is allowed without authorization because its input comes from a pipe.
Built-in shell commands are functions defined internally to the shell. You can apply a policy to shell built-in commands by setting pmshell_checkbuiltins=1. The shell does not create a new UNIX process to run a built-in command and does not access or run any program outside the shell to run a built-in command. The shell built-in commands usually include functions like echo and cd. The full list of shell built-in commands depends on the shell you are using; to see the command list for a particular shell, run the shell with the -? argument.
By default, shell built-in commands are not authorized to the policy server or checked against the allow and forbid lists.
You can set a flag to force the shell to treat all shell built-in commands as if they are normal, executable commands. If this flag is set, all built-in commands are compared with the forbid and allow lists, and if no match is found, they are presented to the policy server for authorization.
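The decision flow described above (pmshell_allow, pmshell_allowpipe and the pmshell_checkbuiltins flag) is easy to get wrong when writing a policy, so the following added Python example models it on sample command lines. This is not Privilege Manager for Unix's own code: the policy values, the built-in command set, the decision labels and the simple split on "|" are constructed for illustration, and the forbid list is left out of the model.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ShellPolicy:
    """Constructed stand-in for the pmshell variables set in a policy file."""
    allow: List[str] = field(default_factory=list)      # pmshell_allow (regexes)
    allowpipe: List[str] = field(default_factory=list)  # pmshell_allowpipe (regexes)
    checkbuiltins: int = 0                              # pmshell_checkbuiltins


# Constructed sample values, not taken from a real policy file.
DEFAULT_POLICY = ShellPolicy(
    allow=[r"^ls\b", r"^pwd$"],
    allowpipe=[r"^grep\b", r"^sort\b"],
    checkbuiltins=0,
)

# Assumed built-in set; the real list depends on the shell in use.
SHELL_BUILTINS = {"cd", "echo", "export"}


def matches_any(command: str, patterns: List[str]) -> bool:
    """The shell treats each list entry as a regular expression."""
    return any(re.search(p, command) for p in patterns)


def classify(command: str, input_is_pipe: bool, policy: ShellPolicy) -> str:
    """Decide how one simple command would be handled by the shell.

    Returns one of:
      builtin-run-locally    - built-in, and pmshell_checkbuiltins is 0
      allowed-by-shell       - matched pmshell_allow, or pmshell_allowpipe
                               when the command's input is a pipe
                               (no accept entry is written to the event log)
      sent-to-policy-server  - everything else
    """
    tokens = shlex.split(command)
    if not tokens:
        return "empty"
    name = tokens[0]

    # Step 1: built-ins bypass all checks unless the flag forces them
    # to be treated like ordinary executables.
    if name in SHELL_BUILTINS and not policy.checkbuiltins:
        return "builtin-run-locally"

    # Step 2: pmshell_allow applies regardless of where input comes from.
    if matches_any(command, policy.allow):
        return "allowed-by-shell"

    # Step 3: pmshell_allowpipe applies only when the input is a pipe.
    if input_is_pipe and matches_any(command, policy.allowpipe):
        return "allowed-by-shell"

    # Step 4: no local match, so the policy server decides.
    return "sent-to-policy-server"


def classify_pipeline(line: str, policy: ShellPolicy) -> List[Tuple[str, str]]:
    """Split a command line on '|' and classify each stage.

    Only the first stage reads from something other than a pipe. The split
    is deliberately naive (it ignores quoted '|' characters).
    """
    stages = [s.strip() for s in line.split("|")]
    return [(stage, classify(stage, i > 0, policy)) for i, stage in enumerate(stages)]


if __name__ == "__main__":
    for line in ['grep "root" /etc/shadow', 'cat /etc/shadow | grep "root"', "cd /tmp"]:
        print(line, "->", classify_pipeline(line, DEFAULT_POLICY))
```

Running the block reproduces the two cases from the text: a standalone grep goes to the policy server, while the grep after a pipe is allowed locally and produces no accept entry. Constructing a policy with checkbuiltins=1 makes "cd /tmp" follow the normal path instead of running unchecked.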
Use the pmshell_readonly list variable in the policy file to define a list of environment variables that are read-only in the shell. You cannot change read-only variables during a shell session.
© 2025 One Identity LLC. ALL RIGHTS RESERVED.