Before you configure Privilege Manager for Unix, make sure
- TCP/IP is configured and running on all relevant machines.
- Applications, files, and accounts you wish to access using Privilege Manager for Unix are available from all servers.
- pmrun is in a directory in the user's PATH and is executable. pmrun is owned by root, and has the SETUID bit turned on.
- pmmasterd and pmlocald are set up in /etc/services (this is created by the pmsrvconfig installation script).
This is a sample services file:
pmmasterd 12345/tcp
pmlocald 12346/tcp
- The /etc/opt/quest/qpm4u/pm.settings file has been set up (this is done by pmsrvconfig).
This is a sample pm.settings file, showing you the defaults for each setting:
kerberos NO
encryption AES
reconnectClient NO
reconnectAgent NO
clientVerify NONE
FailOverTimeOut 10
Certificates NO
selecthostrandom YES
shortnames YES
syslog YES
pmservicedLog /var/log/pmserviced.log
masterport 12345
localport 12346
tunnelport 12347
masters qpm4u
pmmasterdlog /var/log/pmmasterd.log
pmmasterdEnabled YES
pmmasterdOpts -ar
policymode pmpolicy
pmlogGroup pmlog
The topics that follow walk you through some detailed examples for the configuration file policy.
To install the configuration file examples on your machine
- Checkout the policy file:
# pmpolicy checkout -d /tmp/example
- Copy example to the checkout directory and rename to pm.conf.
cp /opt/quest/qpm4u/examples/exampleX.conf /tmp/example/policy_pmpolicy/pm.conf
where X in exampleX.conf is 1, 2, 3,...10.
- Edit the configuration file and change the user name to a user name on your machine.
# vi /tmp/example/policy_pmpolicy/pm.conf
- Commit the changes and enter a commit log message:
# pmpolicy commit -d /tmp/example
** Validate options [ OK ]
** Commit copy in directory:/tmp/example/policy_pmpolicy
** Check directory [ OK ]
** Perform syntax check [ OK ]
** Verify files to commit [ OK ]
Please enter the commit log message: Changed user name
** Commit change from working copy [ OK ]
** Committed revision 4
- Run a command using pmrun using the user name you specified. For example:
$ pmrun ls -l /tmp
When you use pmrun to run a command, pmmasterd starts up and looks in the Privilege Manager for Unix configuration file for the conditions under which it should accept or reject the request.
The following configuration file fragment allows Dan to run programs as root:
if(user=="dan")
{ runuser="root";
accept;
}
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes.
The syntax of the configuration language is similar to the C programming language:
- Each statement ends with a ; (semicolon)
- = (single equals) assigns values to variables
- == (double equals) compares values for equality
- ( ) (parentheses) enclose the conditional expressions in an if statement
- { } (braces) group statements together
- " " (double quotes) enclose strings
- White space, tab stops, or indentation are ignored
In the example above, the braces { } group the two statements that run if the conditions in the if statement are met. The accept statement causes pmmasterd to accept the request, and asks pmlocald to run whatever command Dan requests as root.
Use the pmcheck program to check the example for errors. pmcheck gives you a line number and brief description for each error found.
Note that pmcheck assumes that the configuration file exists in /etc/opt/quest/qpm4u/policy/pm.conf unless you specify otherwise on the command line with a -f filename argument.
For example, if pmcheck finds a syntax error on line 2 of the configuration file, it prints out a message similar to the following:
% pmcheck Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012 Parse error in "/etc/opt/quest/qpm4u/policy/pm.conf", line 1: syntax error near ';' File /etc/opt/quest/qpm4u/policy/pm.conf contains 1 error.
If pmcheck finds no errors, it displays a message similar to this:
% pmcheck
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012
File /etc/opt/quest/qpm4u/policy/pm.conf contains 0 errors.
Try running a few more commands, such as date, hostname, and your favorite shell (such as, csh, sh, or ksh) by preceding the command with pmrun. For example:
# pmrun date
By default, pmmasterd rejects all requests. It only accepts requests if it reaches an accept statement after the appropriate conditions are met in the configuration file. When pmmasterd rejects a request, it does not run the requested program and it sends the user an explanatory message.
pmmasterd can also reject commands explicitly. The following fragment rejects Dan’s request to run commands outside of regular office hours:
accept [from ["user"][, ["submithost"][, ["command"]
[, ["runhost"]]]]] [when conditional-expression]
[with optional-statements-before-execution];
reject ["reject-text"] [from ["user"][, ["submithost"]
[, ["command"][, ["runhost"]]]]]
[when conditional-expression];
if(user=="dan") {
# Explicitly disallow commands run outside of
#regular office hours
if(dayname=="Sat" || dayname=="Sun" ||
!timebetween(800,1700))
reject;
runuser="root";
accept;
}
Once it reaches a reject statement, pmmasterd reads no further statements; the request ends as soon as it is rejected. Note that no braces { } enclose the reject statement, since it is the only statement that occurs inside the inner if statement. Note also the use of the || ("or") and ! ("not") operators in the if statement which translates as "if the current day is Saturday or Sunday, or if the current time is not between 8:00 a.m. and 5:00 p.m., then reject the request."
Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. For more information about using pmcheck, see Example 1: Basics.
Try changing the times specified to timebetween, to cause requests to be accepted or rejected.
