The topics that follow walk you through some detailed examples for the configuration file policy.
To install the configuration file examples on your machine:
# pmpolicy checkout -d /tmp/example
# cp /opt/quest/qpm4u/examples/exampleX.conf /tmp/example/policy_pmpolicy/pm.conf
where X in exampleX.conf is 1, 2, 3, ... 10.
# vi /tmp/example/policy_pmpolicy/pm.conf
# pmpolicy commit -d /tmp/example
** Validate options [ OK ]
** Commit copy in directory:/tmp/example/policy_pmpolicy
** Check directory [ OK ]
** Perform syntax check [ OK ]
** Verify files to commit [ OK ]
Please enter the commit log message: Changed user name
** Commit change from working copy [ OK ]
** Committed revision 4
$ pmrun ls -l /tmp
When you use pmrun to run a command, pmmasterd starts up and looks in the Privilege Manager for Unix configuration file for the conditions under which it should accept or reject the request.
The following configuration file fragment allows Dan to run programs as root:
if (user=="dan") {
   runuser="root";
   accept;
}
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes.
The syntax of the configuration language is similar to the C programming language.
In the example above, the braces { } group the two statements that run if the conditions in the if statement are met. The accept statement causes pmmasterd to accept the request, and asks pmlocald to run whatever command Dan requests as root.
Use the pmcheck program to check the example for errors. pmcheck gives you a line number and brief description for each error found.
Note that pmcheck assumes that the configuration file exists in /etc/opt/quest/qpm4u/policy/pm.conf unless you specify otherwise on the command line with a -f filename argument.
For example, if pmcheck finds a syntax error on line 2 of the configuration file, it prints out a message similar to the following:
% pmcheck
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012
Parse error in "/etc/opt/quest/qpm4u/policy/pm.conf", line 1: syntax error near ';'
File /etc/opt/quest/qpm4u/policy/pm.conf contains 1 error.
If pmcheck finds no errors, it displays a message similar to this:
% pmcheck
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012
File /etc/opt/quest/qpm4u/policy/pm.conf contains 0 errors.
Try running a few more commands, such as date, hostname, and your favorite shell (such as, csh, sh, or ksh) by preceding the command with pmrun. For example:
# pmrun date
By default, pmmasterd rejects all requests. It only accepts requests if it reaches an accept statement after the appropriate conditions are met in the configuration file. When pmmasterd rejects a request, it does not run the requested program and it sends the user an explanatory message.
pmmasterd can also reject commands explicitly. The general forms of the accept and reject statements are:
accept [from ["user"][, ["submithost"][, ["command"]
[, ["runhost"]]]]] [when conditional-expression]
[with optional-statements-before-execution];
reject ["reject-text"] [from ["user"][, ["submithost"]
[, ["command"][, ["runhost"]]]]]
[when conditional-expression];
The following fragment rejects Dan's request to run commands outside of regular office hours:
if(user=="dan") {
   # Explicitly disallow commands run outside of
   # regular office hours
   if(dayname=="Sat" || dayname=="Sun" ||
      !timebetween(800,1700))
      reject;
   runuser="root";
   accept;
}
Once it reaches a reject statement, pmmasterd reads no further statements; the request ends as soon as it is rejected. Note that no braces { } enclose the reject statement, since it is the only statement that occurs inside the inner if statement. Note also the use of the || ("or") and ! ("not") operators in the if statement which translates as "if the current day is Saturday or Sunday, or if the current time is not between 8:00 a.m. and 5:00 p.m., then reject the request."
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. For more information about using pmcheck, see Example 1: Basics.
Try changing the times specified to timebetween, to cause requests to be accepted or rejected.
This configuration file fragment restricts Dan to running only certain programs (ls, hostname, or kill) as root.
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes.
if (user=="dan")
   if (command=="ls" || command=="hostname" ||
       command=="kill") {
      runuser="root";
      accept;
   }
Check the configuration file for errors with pmcheck. For more information about using pmcheck, see Example 1: Basics. Try to run one of the programs permitted, then try something that will be rejected, such as:
pmrun mail
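The following fragment is an added example, not one of the files in the examples directory; it combines the office-hours check of Example 2 with the command restriction of Example 3 and uses the optional reject-text shown in the reject statement syntax above, so that the user is told why a request was refused. Only the identifiers already introduced on this page (user, command, runuser, dayname, timebetween, accept, reject) are used; the reject messages are made up for illustration.

```conf
if (user=="dan") {
   # The office-hours check comes first: a reject ends evaluation,
   # so nothing below it runs for an out-of-hours request.
   if (dayname=="Sat" || dayname=="Sun" ||
       !timebetween(800,1700))
      reject "Requests from dan are only accepted Mon-Fri, 08:00-17:00";

   # Within office hours, only a fixed set of commands may run as root.
   if (command=="ls" || command=="hostname" ||
       command=="kill") {
      runuser="root";
      accept;
   }

   # Any other command would fall through to the default (reject);
   # state the reason explicitly instead of relying on the default.
   reject "Command not permitted for dan: only ls, hostname and kill may run as root";
}
```

Run pmcheck -f against the file before committing it with pmpolicy commit, then confirm with pmrun that the rejected cases print the intended message.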