How to execute commands using Quest Privilege Manager for Unix without pmrun?
This example policy snippet allows members of the "admin" group (assigned to a user either as a primary or supplementary group) to start a Privilege Manager shell with limited root access to a defined list of commands. Each command executed from within the shell runs as root and is logged in the event log. Optional I/O logging can be added if desired.
1. Add the below policy snippet to the beginning of your policy file "/etc/opt/quest/qpm4u/pm.conf".
# pmshell is only defined for Privilege Manager shell requests
if (defined pmshell)
{
    # Configure Privilege Manager Shell
    if ( pmshell_cmd == 0)
    {
        # List of allowed shells
        allowed_pmshells = { "pmsh", "pmcsh", "pmksh" };
        # Verify the user is a member of the "admin" group and is requesting an allowed shell
        if ( "admin" in groups && pmshell_prog in allowed_pmshells )
        {
            print("Starting Privilege Manager Shell");
            pmshell_restricted=0;       # Restricted Shell: 0=disable|1=enable
            pmshell_checkbuiltins=0;    # Force checking of Shell BuiltIns: 0=disable|1=enable
            # List of commands allowed to run within the shell without further authorization.
            # All other commands will require authorization from the master.
            pmshell_allow={
                "ls",
                "man"
            };
            runuser="root";    # User account to run the shell
            rungroup="root";
            accept;
        }
        else
        {
            reject "You are not authorized to run this shell";
        }
    }
    # Process all commands executed from within a PM shell
    else
    {
        # List of authorized commands allowed to run within the shell
        privileged_cmds = {
            "/sbin/service",
            "/usr/bin/kill",
            "/usr/bin/id"
        };
        if ( command in privileged_cmds )
        {
            accept;
        }
        else
        {
            reject "You are not authorized to run this command";
        }
    }
}
2. Save the updated policy file and, before making any customizations, check for policy errors by running:
# pmcheck
3. The example policy permits any user belonging to the "admin" group to run a Privilege Manager shell. To authorize a different group, substitute "admin" in the following line:
if ( "admin" in groups && pmshell_prog in allowed_pmshells )
4. On starting a new Privilege Manager shell, the master pre-authorizes a set of commands which the shell can run without requesting authorization from the master before each execution. This is useful for commands which are executed frequently and do not need to be audited by the master. If you have I/O logging enabled, these commands will still appear in the I/O log; however, they will not appear in the event log. Since the shell does not need to contact the master for authorization to execute these commands, using this feature improves the responsiveness of the shell. Commands can be pre-authorized by adding them to the following list:
pmshell_allow={
"ls",
"man"
};
5. All other commands which you would like to be audited and executed within the shell should be added to the following list, using the full path:
privileged_cmds = {
"/sbin/service",
"/usr/bin/kill",
"/usr/bin/id"
};
6. Once any necessary changes have been made to the authorized group and commands, save the policy and check for any errors by running:
# pmcheck
7. To verify the policy, log in as a user belonging to the authorized group ("admin" unless changed) and run the following commands to start the shell and check that it is running as the root user:
# pmksh
# id
uid=0(root) gid=0(root)
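pmcheck validates the policy syntax, but it does not tell you whether the two command lists in the snippet above follow the conventions steps 4 and 5 rely on. The following Python linter is an added example (not part of the article or of Quest's own tooling): it extracts every `name = { "...", ... };` list from a pm.conf fragment and reports privileged_cmds entries that are not absolute paths, duplicate entries, and commands that appear by basename in pmshell_allow while also being listed in privileged_cmds. That last check rests on an assumption drawn from step 4: a pre-authorized command is run without consulting the master and therefore never reaches the event log, so listing it in privileged_cmds as well gives no audit trail. The sample policies embedded below are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the two lists from the article's policy snippet.
SAMPLE_POLICY = '''
pmshell_allow={
    "ls",
    "man"
};
privileged_cmds = {
    "/sbin/service",   # audited commands must use the full path
    "/usr/bin/kill",
    "/usr/bin/id"
};
'''

# Constructed sample with the mistakes the linter is meant to catch.
BAD_POLICY = '''
pmshell_allow = { "kill" };
privileged_cmds = { "service", "/usr/bin/kill", "/usr/bin/kill" };
'''

# Matches   name = { "a", "b" };   with free-form whitespace inside the braces.
_LIST_RE = re.compile(r'(\w+)\s*=\s*\{([^}]*)\}\s*;')
_STR_RE = re.compile(r'"([^"]*)"')


def parse_policy_lists(policy_text: str) -> Dict[str, List[str]]:
    """Return every list assignment in the policy text as name -> list of strings."""
    stripped = re.sub(r'#.*', '', policy_text)  # drop '#' comments before matching
    return {name: _STR_RE.findall(body) for name, body in _LIST_RE.findall(stripped)}


def lint_policy(policy_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the lists look consistent."""
    findings: List[str] = []
    lists = parse_policy_lists(policy_text)
    privileged = lists.get("privileged_cmds", [])
    preauth = lists.get("pmshell_allow", [])

    # Step 5 of the article: audited commands are matched against the full path.
    for cmd in privileged:
        if not cmd.startswith("/"):
            findings.append(f"privileged_cmds: '{cmd}' is not an absolute path")

    # Duplicates are harmless to the policy engine but usually mean a copy/paste slip.
    for name, entries in (("privileged_cmds", privileged), ("pmshell_allow", preauth)):
        seen = set()
        for cmd in entries:
            if cmd in seen:
                findings.append(f"{name}: '{cmd}' listed more than once")
            seen.add(cmd)

    # Assumption (from step 4): pre-authorized commands bypass the master and the event log,
    # so a basename present in pmshell_allow makes the matching privileged_cmds entry unaudited.
    preauth_names = set(preauth)
    for cmd in dict.fromkeys(privileged):  # unique entries, original order
        base = cmd.rsplit("/", 1)[-1]
        if base in preauth_names:
            findings.append(
                f"'{cmd}' is in privileged_cmds but '{base}' is pre-authorized "
                f"in pmshell_allow, so it will not be event-logged"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_POLICY), ("bad", BAD_POLICY)):
        print(f"{label}: {lint_policy(text) or 'no findings'}")
```

Run it against the real file with `lint_policy(open("/etc/opt/quest/qpm4u/pm.conf").read())` after editing; it complements pmcheck rather than replacing it, since it knows nothing about the rest of the policy language.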
To optionally configure a Privilege Manager shell as a user's login shell, follow these additional steps:
8. Add the full path of the PM shell to /etc/shells, e.g.:
# echo "/opt/quest/bin/pmsh" >> /etc/shells
9. Change the user's shell to the PM shell, e.g.:
# usermod -s /opt/quest/bin/pmsh <username>
For versions 5.0 or 5.1, see SOL64247:
https://support.quest.com/Search/SolutionDetail.aspx?id=SOL64247
© 2025 One Identity LLC. All rights reserved.