How to execute a Privilege Manager shell with unrestricted root access?
Please follow the procedure below to allow members of the admin group to execute a Privilege Manager shell with unrestricted root access. Each command executed from within the shell will run as root, will be logged in the eventlog, and can be viewed in the Reporting Console.
1. As root, cut and paste the policy example below to the top of your policy file ( /etc/opt/quest/qpm4u/pm.conf ) so that it executes before any other policy logic.
2. Run the pmcheck command as root to check your policy for possible errors.
3. The policy example only allows users who are members of a group called admin to obtain a root shell. To test the policy, create a group called admin if one does not already exist and add a non-root user to this group, e.g.
# groupadd admin
# usermod -a -G admin [user]
4. Log in as a user who is a member of the admin group and execute one of the Privilege Manager shells, e.g.
# su [user]
# pmksh
Starting Privilege Manager Shell
#
5. Using the id command, verify that it reports your user is now root.
6. You can verify that the id command has been logged in the eventlog by running the pmlog command as root.
7. The command will also show in the Reporting Console the next time the Reporting Console checks the masters for new events. This can be configured by changing the cycletime setting in /etc/opt/quest/pmrc/pmrc.conf; the default is to update hourly. You can force an update at any time by restarting the pmrclogfind process, e.g.:
# service pmrclogfindctl restart
To optionally configure a Privilege Manager shell as a user's login shell, follow the two additional steps below:
7.1. Add the full path of the PM shell to /etc/shells
e.g: # echo /opt/quest/bin/pmksh >> /etc/shells
7.2. Change the user's shell to the PM shell.
e.g: # usermod -s /opt/quest/bin/pmksh [user]
#
# Root Privilege Manager shell example. Insert the lines below at the top of your policy (/etc/opt/quest/qpm4u/pm.conf)
#
# pmshell is only defined for Privilege Manager shell requests
if (defined pmshell) {
    # Configure Privilege Manager Shell
    if ( pmshell_cmd == 0 ) {
        # List of allowed shells
        allowed_pmshells = { "pmsh", "pmcsh", "pmksh" };
        # Verify the user is a member of the admin group and is requesting an allowed shell
        if ( "admin" in groups && pmshell_prog in allowed_pmshells ) {
            print("Starting Privilege Manager Shell");
            pmshell_restricted = false;     # Do not create a restricted shell
            pmshell_checkbuiltins = false;  # Do not require authorization for shell builtin commands
            # List of commands allowed to run within the shell without further authorization.
            pmshell_allow = {
                "ls",
                "man"
            };
            runuser = "root";   # User account to run the shell
            rungroup = "root";  # Group to run the shell as
            accept;
        } else {
            reject "You are not authorized to run this shell";
        }
    # Process all commands executed from within a PM shell
    } else {
        # Allow the user to run any command as root from within the shell
        accept;
    }
}
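The check script below is an added example, not part of this article or of Privilege Manager itself; it verifies the preconditions the steps above depend on (the policy block is the first logic in pm.conf, the PM shell is registered in /etc/shells, and the test user is a member of the admin group with the expected login shell). File paths are parameters so it can also be run against copies of the real files, and the function names are my own.

```shell
#!/bin/sh
# Added helper (not from the article or the product): checks the preconditions
# the procedure above relies on. All paths are parameters so the checks can be
# run against copies of the real files.

# Step 1: the root-shell policy must be the first policy logic in pm.conf.
# Returns 0 if the first non-blank, non-comment line opens the pmshell block.
policy_block_is_first() {
    conf="$1"
    first=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        *"if (defined pmshell)"*|*"if(defined pmshell)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 7.1: a PM shell used as a login shell must be listed in /etc/shells.
# Returns 0 only if every given shell path appears as a full line.
shells_registered() {
    shells_file="$1"; shift
    for s in "$@"; do
        grep -qx "$s" "$shells_file" || return 1
    done
    return 0
}

# Steps 3 and 7.2: the user must be a supplementary member of the admin group
# (what usermod -a -G adds) and, optionally, have the PM shell as login shell.
# Prints the user's login shell and returns 0 if the user is in the group;
# returns 1 otherwise. Reads passwd/group-format files (constructed copies work).
admin_user_shell() {
    passwd_file="$1"; group_file="$2"; grp="$3"; usr="$4"
    members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$group_file")
    case ",$members," in
        *",$usr,"*) ;;
        *) return 1 ;;
    esac
    awk -F: -v u="$usr" '$1 == u { print $7 }' "$passwd_file"
}

# Example run against the live system (assumes the paths from the article):
# policy_block_is_first /etc/opt/quest/qpm4u/pm.conf && echo "policy block first"
# shells_registered /etc/shells /opt/quest/bin/pmksh && echo "pmksh registered"
```

A user whose primary group is admin is not listed in the group file's member field, so admin_user_shell only recognises supplementary membership, which is what step 3 creates.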
© 2025 One Identity LLC. ALL RIGHTS RESERVED.