
Privilege Manager for Unix 7.1 - Administration Guide


vas_user_in_ADgrouplist

Syntax
int vas_user_in_ADgrouplist ( string username, string domain, list ADgrouplist [, boolean verbose] )
Description

The vas_user_in_ADgrouplist function checks whether the specified user (username in domain) is a member of any of the Active Directory groups in ADgrouplist.

Returns the index of the matched list item if found, or -1 if not found. Test the result against -1 rather than treating it as a boolean: a match on an early list entry can yield an index of 0, while the error/not-found value -1 is nonzero.

vas_user_is_member

Syntax
int vas_user_is_member (string username, string groupname [, string domain [, boolean verbose]] )
Description

The vas_user_is_member function checks whether the specified user (username in domain) is a member of groupname. If domain is omitted or empty, it defaults to the joined domain. You can specify the group name as <domain>/<group> or <group>@<domain>.

Returns:

  • 0: user not in group
  • 1: user in group
  • -1: error

Treat the return value as a three-way result rather than as a boolean: compare it against 1 explicitly so that an error (-1, which is nonzero) cannot be mistaken for membership.
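The following policy fragment is an added illustration, not text or code from this guide, showing how both functions are used together to gate a privileged command on Active Directory group membership while handling their non-boolean return values safely. The domain example.com, the group names unixadmins and dbadmins, the policy variables user and runuser, the accept/reject statements, printf, and zero-based list indexing are assumptions about the policy language made for the example and are not taken from this section.

```pmpolicy
# Added example (not from the Privilege Manager for Unix guide).
# Assumed: AD domain example.com, groups unixadmins and dbadmins,
# standard policy variables user and runuser, C-style truthiness.

adminlist = { "unixadmins@example.com", "dbadmins@example.com" };

# vas_user_is_member returns 1 (member), 0 (not a member) or -1 (error).
# -1 is nonzero, so "if (vas_user_is_member(...))" would treat a failed
# lookup (for example an unreachable domain controller) as membership.
# Compare against 1 so that errors fall through to reject.
ismember = vas_user_is_member(user, "unixadmins@example.com");
if (ismember == 1) {
    runuser = "root";
    accept;
}
if (ismember == -1) {
    printf("AD lookup failed for %s; rejecting request\n", user);
    reject;
}

# vas_user_in_ADgrouplist returns the index of the matching list entry
# (0 for the first entry, assumed zero-based) or -1 when none matches.
# Index 0 is a valid match, so test for a result other than -1 rather
# than for a nonzero result.
idx = vas_user_in_ADgrouplist(user, "example.com", adminlist);
if (idx >= 0) {
    printf("%s authorized via group list entry %d\n", user, idx);
    runuser = "root";
    accept;
}

# Default deny: not a member, or membership could not be determined.
reject;
```

The two explicit comparisons are the whole point: a bare `if (vas_user_is_member(...))` grants access on error, and a bare `if (vas_user_in_ADgrouplist(...))` denies a legitimate match on the first list entry while granting access on -1.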

Privilege Manager for Unix programs

This section describes each of the Privilege Manager for Unix programs and their options. The following table indicates which Privilege Manager for Unix component installs each program.

Table 48: Privilege Manager programs

Name | Description | Server | Agent | Sudo
pmbash | Wrapper for the GNU Bourne Again SHell (bash) that provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmcheck | Verifies the syntax of a policy file. | X | - | X
pmclientd | The Privilege Manager for Unix Client daemon; listens on the configured policy server port and responds to remote requests. | X | X | -
pmclientinfo | Displays configuration information about a client host. | X | X | -
pmcp | Privilege Manager for Unix remote file copy command. | X | X | -
pmcsh | Privilege Manager for Unix C Shell; provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmincludecheck | Used by the pmsrvconfig script on the primary server only. When configuring a primary server in pmpolicy type, if you do not have a policy file to import into the repository, pmincludecheck initializes the policy from the default policy files provided in the installation. | X | - | -
pminfo | Registers the local host with a Privilege Manager for Unix 5.5 policy server. pminfo is obsolete as of version 5.6 and is included for backwards compatibility only. | X | X | -
pmjoin | Configures a Privilege Manager for Unix agent to communicate with the policy servers in its group. | X | X | -
pmkey | Generates and installs configurable certificates. | X | X | X
pmksh | Privilege Manager for Unix K Shell; provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmless | A terminal pager that lets you view (but not modify) the contents of a text file one screen at a time. | X | X | -
pmlicense | Displays current license information and lets you update a license (an expired one, or a temporary one before it expires) or create a new one. | X | - | -
pmlist | Lists the commands that the user is permitted to run. | X | X | -
pmloadcheck | Controls load balancing and failover for connections from the host to the configured policy servers. | X | X | -
pmlocald | The Privilege Manager for Unix Local daemon; runs programs when instructed to do so by the appropriate policy server daemon. | X | X | -
pmlog | Displays entries in a Privilege Manager for Unix event log. | X | - | -
pmlogadm | Manages encryption options on the event log. | X | - | -
pmlogsearch | Searches all logs in a policy group based on specified criteria. | X | - | -
pmlogsrvd | The Privilege Manager for Unix log access daemon; the service responsible for committing events to the event log and managing the database storage the event log uses. | X |  | 
pmmasterd | The Privilege Manager for Unix Master daemon; examines each user request and accepts or rejects it based on the policy file. You can run multiple pmmasterd daemons on the network to avoid a single point of failure. | X | - | X
pmmg | A special version of the emacs text editor for use with Privilege Manager for Unix (GNU-style key bindings). | X | X | -
pmpasswd | Generates an encrypted password for use in the configuration file. | X | - | -
pmpolicy | Command-line utility for managing the Privilege Manager for Unix security policy: checks out the current version, checks in an updated version, and reports on the repository. | X | - | -
pmpolicyconvert | Verifies, and if necessary converts, any number of policy files for use with Privilege Manager for Unix 5.5 or later. | X | - | -
pmpolsrvconfig | Configures (or unconfigures) a primary or secondary policy server; also lets you grant a user access to a repository. | X | - | -
pmremlog | Wrapper for the pmlog and pmreplay utilities that accesses the event (audit) and keystroke (I/O) logs on any server in the policy group. | X | - | -
pmreplay | Replays an I/O log file so you can review what happened during a previous privileged session. | X | - | -
pmresolvehost | Verifies host name or IP resolution for the local host or a selected host. | X | X | X
pmrun | Lets a user submit a command from the local machine to run with elevated privileges (typically as root). The policy server daemon, pmmasterd, examines each pmrun request and accepts or rejects it based on the policies in the policy file. | X | X | -
pmscp | Allows Privilege Manager for Unix to launch the remote scp daemons. | X | - | -
pmserviced | The Privilege Manager for Unix Service daemon; listens on the configured ports for incoming connections for the Privilege Manager for Unix daemons. It uses options in pm.settings to determine which daemons to run, which ports to use, and the command-line options for each daemon. | X | X | X
pmsh | Privilege Manager for Unix Bourne Shell; provides transparent authorization and auditing for all commands submitted during the shell session. | X | X | -
pmshellwrapper | Wrapper for any valid login shell on a host. | X | X | -
pmsrvcheck | Checks the Privilege Manager for Unix policy server configuration to ensure it is set up properly. | X | - | -
pmsrvconfig | Configures a primary or secondary policy server. | X | - | -
pmsrvinfo | Verifies the policy server configuration. | X | - | -
pmstatus | Verifies connectivity between Privilege Manager for Unix and the pmlocald and pmmasterd daemons on the specified hosts. | X | X | -
pmsum | Generates a simple checksum of a binary. | X | - | -
pmsysid | Displays the Privilege Manager for Unix system ID. | X | X | X
pmtunneld | The Privilege Manager for Unix Tunnel daemon; acts as a proxy for pmrun when pmlocald communicates with pmrun through a firewall. | X | X | -
pmumacs | A special version of the microemacs text editor for use with Privilege Manager for Unix (Gosling-style key bindings). | X | X | -
pmverifyprofilepolicy | Verifies the syntax and structure of the policy file and checks whether a particular command will be accepted or rejected. | X | - | -
pmvi | Lets a user edit a specific file as root without gaining any other root privileges. |  |  | 

pmbash

Syntax
pmbash -c <command>|-i|-l|-r|-s|-B|[-+]O <option>
Description

The Privilege Manager for Unix Bourne Again SHell (pmbash) command is a wrapper program for the GNU Bourne Again SHell (bash) that provides transparent authorization and auditing for all commands submitted during the shell session. pmbash supports the standard bash options.

Using the appropriate policy file variables, you can configure each command entered during a shell session to be:

  • forbidden by the shell without further authorization from the policy server
  • allowed by the shell without further authorization from the policy server
  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Unlike the other Privilege Manager for Unix shells, pmbash is not a standalone shell. It is a wrapper that runs the system version of bash while logging keystrokes and authorizing shell commands through Privilege Manager for Unix. Command authorization is limited to external commands: pmbash cannot authorize shell built-in commands, so actions performed entirely by built-ins are not subject to policy checks.

Options

pmbash has the following options.

Table 49: Options: pmbash

Option | Description
-B | Allows the shell to run in the background.
-c <command> | Runs the command given in the next argument.
-i | Runs the shell in interactive mode even when input is not from a terminal.
-l | Acts as a login shell: the shell reads /etc/profile and $HOME/.profile if they exist.
[+-]O <shopt_option> | Sets (-O) or clears (+O) one of the shell options accepted by the shopt built-in command.
-r | Runs the shell in restricted mode.
-s | Reads commands from standard input even when there are additional non-option arguments.

Additional long options may also be specified; see the bash manual for details.
