#=================================================================
# Privilege Manager for Unix example configuration file
# One Identity 2013
#
# Example File : example10
#
# This file should have permissions of 600
# (rw-------).
# It must be owned by root.
#=================================================================
#=================================================================
# This example shows how to implement a menu system with 4 choices.
# Also, if the "adduser" program is to be run, a password must be
# entered correctly.
# For experimental purposes, replace "dan", "cory", and "robyn" with
# user names from your own site.
if(command=="adminmenu") {
print("========= Admin Menu =========");
print("1) Add users");
print("2) Start a backup");
print("3) Change ownership of a file");
print("4) Fix line printer queues");
choice = input("Please choose one: ");
switch(choice) {
case "1":
# Reject the request if the password "123456" is not entered
# correctly. The user gets only 2 chances to type in the
# password. The encrypted version of the password seen here
# was generated using pmpasswd. If you store encrypted
# passwords in your config file, make sure you turn off read
# permission on the file so that people cannot use password
# cracking programs to guess them.
if(!getstringpasswd("m9xxg7B4.v8Ck", "Type in the adduser password: ",2))
reject;
runcommand = "/usr/local/bin/adduser";
runuser = "root";
break;
case "2":
runcommand = "/usr/local/bin/dobackup";
runuser = "backup";
break;
case "3":
runcommand = "/usr/bin/chown";
runuser = "root";
break;
case "4":
runcommand = "/usr/lib/lpadmin";
runuser = "root";
break;
default:
printf("\"%s\" was not a valid choice. Sorry.\n", choice);
reject;
}
if (choice == "3") {
file_name=input("Please enter the new owner's name then file name: ");
arguments = split(file_name);
runargv = insert(arguments, 0, "Spacer");
}
print("** Command to be run :", runcommand);
print("** User to run command as :", runuser);
accept;
}
#=================================================================
For details on using this sample policy file, see Lesson 10: Basic menus.
Advanced Privilege Manager for Unix Configuration
Privilege Manager for Unix shells provide a means of auditing and controlling a user’s login session in a way that is transparent to the user, without the user having to preface commands with pmrun.
Privilege Manager for Unix provides enabled versions of these standard shells: pmksh, pmsh, pmcsh, and pmbash. Each shell uses the same policy file variables to control the behavior of the shell.
By default, all built-in shell commands are allowed to run without any further authorization by the shell; however, you must authorize all non-built-in shell commands. Once authorized, all commands are run locally by the shell with the authority of the user running the shell.
You can configure the level of control required for commands running from a shell in the policy file by configuring the policy file to either forbid commands or allow them to be run by the shell program without any further authorization to the policy server. You can also configure the policy file to authorize them as they are presented to the policy server for audit logging. Furthermore, you can configure keystroke logging for the shell session to be logged to a single I/O log file.
Use a Privilege Manager for Unix shell to control or log Privilege Manager for Unix sessions, regardless of how you are logged in (for example, telnet, ssh, rsh, rexec).
You can use one of these Privilege Manager for Unix-enabled shells to create a fully featured shell environment for a user:
-
pmksh: a Privilege Manager for Unix-enabled version of Korn Shell
-
pmsh: a Privilege Manager for Unix-enabled version of Bourne Shell
-
pmcsh: a Privilege Manager for Unix version of C Shell
-
pmbash: a Privilege Manager for Unix version of Bourne Again Shell
Each shell provides command control for every command entered by a user during a login session. You can configure each command the user enters to be authorized with the policy server before it runs. This includes the shell built-in commands.
You can configure keystroke logging for the entire login session and login to a single file.
Alternatively, you can use pmshellwrapper to act as a Privilege Manager for Unix wrapper for any valid shell program on a host, or create a custom Privilege Manager for Unix shell by means of a shell script. In these cases, however, the individual commands run during the login session are not controlled by Privilege Manager for Unix.
To use pmshellwrapper, create a link using the name of the system shell you want to run. For example, to create a wrapper for bash, enter:
ln -s /opt/quest/libexe/pmshellwrapper/opt/quest/libexe/pmshellwrapper_bash
When you run the pmshellwrapper_bash program, it transparently runs pmrun bash instead.
For example, to create a custom Privilege Manager for Unix shell (a shell script that runs the actual shell using pmrun), run:
#!/bin/ksh
tty 2>/dev/null 1>/dev/null
x=$?
if [ $x -ne 0 ]
then
exec /opt/quest/bin/pmrun ksh "$@"
else
exec /opt/quest/bin/pmrun -c -ksh "$@"
fi
Add the full pathname of the shell program to the /etc/shells file if you are using pmksh, pmsh, pmcsh, pmbash, or pmshellwrapper on your system.