How to execute commands using Quest Privilege Manager for Unix without pmrun?
This example policy snippet allows members of the "admin" group (assigned to a user either as a primary or supplementary group) to start a Privilege Manager shell with limited root access to a defined list of commands. Each command executed from within the shell is logged in the event log. Optional I/O logging can be added if desired.
1. Add the below policy snippet to the beginning of your policy file "/etc/opt/quest/qpm4u/pm.conf".
# Configure Privilege Manager Shell
if (basename(command) == "pmksh")
{
    # Verify the user is a member of the "admin" group
    if ( "admin" in groups )
    {
        print("Starting Privilege Manager Shell");
        # Start the shell using the user's own account
        runuser=user;
        rungroup=user;
        accept;
    }
    else
    {
        print("You are not authorized to run this shell");
        reject;
    }
}
# Process all commands executed from within a PM shell
# pmksh_command is only defined for Privilege Manager shell requests
else if (defined pmksh_command)
{
    # List of authorized commands allowed to run within the shell
    privileged_cmds = {
        "service",
        "kill",
        "id"
    };
    # Run the authorized privileged commands as root
    if ( command in privileged_cmds )
    {
        runuser="root";
        rungroup="root";
        accept;
    }
    # Run all other commands as the user's own account
    else
    {
        runuser=user;
        rungroup=user;
        accept;
    }
}
2. Save the updated policy file and check for any policy errors, prior to making any customizations, by running:
# pmcheck
3. The policy example permits any user belonging to the "admin" group to run a Privilege Manager shell. The "admin" group can be substituted for another group by updating the following line:
if ( "admin" in groups)
4. Specify the commands you would like the users of the "admin" group to be able to run as the "root" user by adding the commands to the following list. All other commands will be executed using the user's own account and not "root".
    privileged_cmds = {
        "service",
        "kill",
        "id"
    };
6. Once any necessary changes have been made to the authorized group and commands, save the policy and check for any errors by running the following command:
# pmcheck
7. To verify the policy, log in as a user belonging to the specified authorized group ("admin" unless changed) and run the following commands to start the shell and check that the privileged "id" command is executed as the root user:
# pmksh
# id
uid=0(root) gid=0(root)
To optionally configure a Privilege Manager shell as a user's login shell, follow the additional steps below. Note that the policy in step 1 matches the shell by name (basename(command) == "pmksh"), so if you install a different PM shell, such as pmsh in the examples below, as the login shell, update that test to match the shell you use.
8. Add the full path of the PM shell to /etc/shells, e.g.:
# echo "/opt/quest/bin/pmsh" >> /etc/shells
9. Change the user's shell to the PM shell, e.g.:
# usermod -s /opt/quest/bin/pmsh <username>
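To reason about which requests the policy above will elevate before deploying it, the following added example models the snippet's decision logic in plain Python. It is not Quest/One Identity code and not the Privilege Manager policy engine (pmcheck remains the way to validate the real pm.conf); the names evaluate(), Decision and the in_pm_shell flag (standing in for "defined pmksh_command") are assumptions of this model. It mirrors two properties of the snippet worth noticing: the shell-start branch compares basename(command), while the in-shell branch compares the exact command string against the allow-list and does not re-check group membership.

```python
"""Plain-Python model of the pm.conf snippet's authorization decisions.

Added example, not Quest/One Identity code. evaluate(), Decision and
in_pm_shell are names chosen for this model; they do not exist in the
Privilege Manager policy language.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

AUTHORIZED_GROUP = "admin"                              # may start the shell
PRIVILEGED_CMDS = frozenset({"service", "kill", "id"})  # elevated inside the shell
PM_SHELL = "pmksh"                                      # matched via basename(command)


@dataclass(frozen=True)
class Decision:
    accepted: bool
    runuser: Optional[str]
    rungroup: Optional[str]
    message: str = ""


def basename(command: str) -> str:
    """Mirror the policy's basename(): strip any leading directory part."""
    return command.rsplit("/", 1)[-1]


def evaluate(user: str, groups: set[str], command: str,
             in_pm_shell: bool = False) -> Optional[Decision]:
    """Return the decision the snippet makes, or None if it makes none.

    in_pm_shell models 'defined pmksh_command': the request was issued from
    inside an already-running Privilege Manager shell (model assumption).
    None means this snippet is silent and later rules in pm.conf would apply.
    """
    # Branch 1: a request to start the shell itself, matched by basename
    if basename(command) == PM_SHELL:
        if AUTHORIZED_GROUP in groups:
            # The shell itself runs as the user's own account, never as root
            return Decision(True, user, user, "Starting Privilege Manager Shell")
        return Decision(False, None, None, "You are not authorized to run this shell")

    # Branch 2: a command typed inside the shell. As in the snippet, group
    # membership is not re-checked here; only the exact-string allow-list
    # decides whether the command is elevated to root.
    if in_pm_shell:
        if command in PRIVILEGED_CMDS:
            return Decision(True, "root", "root")
        return Decision(True, user, user)

    # Neither branch matched: fall through to the rest of the policy
    return None


def escalation_matrix(user: str, groups: set[str], commands: list[str]) -> dict[str, bool]:
    """Map each command to whether it would run as root inside the shell."""
    return {
        c: evaluate(user, groups, c, in_pm_shell=True).runuser == "root"
        for c in commands
    }


if __name__ == "__main__":
    # Constructed sample requests, not real audit data
    print(evaluate("alice", {"admin", "users"}, "/opt/quest/bin/pmksh"))
    print(evaluate("bob", {"users"}, "pmksh"))
    print(escalation_matrix("alice", {"admin"}, ["id", "kill", "/bin/kill", "vi"]))
```

Running the block shows that "/bin/kill" is not elevated by the allow-list as written, because the in-shell branch compares the literal command string rather than its basename; whether that matches how Privilege Manager populates command for pmksh requests in your version is something to confirm with pmcheck and the step 7 test rather than with this model.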
For a solution for version 5.5 and above, please see SOL53552:
https://support.quest.com/Search/SolutionDetail.aspx?id=SOL53552