Set pmshell_restricted=1 to configure the shell to run in restricted mode. Restricted mode applies these restrictions to the shell:
alias ll='/bin/ls -F'
The commands ls and script.sh are allowed if /usr/bin and . are in the PATH; the command ll would not be allowed because the substituted command is an absolute path.
For example, the following command will fail:
echo "hello" > /tmp/file
If the shell is run as a login shell for a user, then during the login process, the relevant system and user profiles are loaded for that particular shell. During this sequence, the shell checks the ownership and permissions of each startup file loaded.
Any restrictions configured for the shell are not applied while loading a secure profile; that is, a file owned by root and only writable by root. Any restrictions configured for the shell are only applied if the profile is not secure. For example, if PATH is configured as a read-only variable in the policy file, and the built-in command cd is forbidden, then the PATH initialization in the secure system profile /etc/profile is allowed without restriction or authorization, but any attempt to change the PATH variable or to run the cd command in the insecure user’s personal profile, or during the interactive login session will be forbidden.
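To see which startup files on a host would count as "secure" by that definition (owned by root, writable only by root) before relying on them to initialize PATH, here is an added shell example; it is not One Identity's code, and it assumes GNU coreutils stat and a typical list of login startup files:

```shell
#!/bin/sh
# Added example (not part of the product): classify a startup file as
# "secure" or "insecure" by the rule above: owner uid 0 and no group or
# other write permission. Assumes GNU coreutils stat (-c format).

# classify_profile UID MODE_OCTAL  -> prints "secure" or "insecure"
classify_profile() {
    uid=$1
    perm=$(( 0$2 & 0777 ))          # keep rwx bits, drop setuid/setgid/sticky
    if [ "$uid" -eq 0 ] && [ $(( perm & 022 )) -eq 0 ]; then
        echo secure                 # root-owned, writable by root only
    else
        echo insecure               # restrictions in the policy will apply
    fi
}

# check_startup_file PATH -> prints "<verdict> <path>"
check_startup_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing $f"
        return 0
    fi
    set -- $(stat -c '%u %a' "$f")  # owner uid, octal mode (GNU stat, assumed)
    echo "$(classify_profile "$1" "$2") $f"
}

# Walk the files a login shell typically reads (list is an assumption,
# not taken from the product documentation).
audit_startup_files() {
    for f in /etc/profile "$HOME/.profile" "$HOME/.bashrc"; do
        check_startup_file "$f"
    done
}
```

A file reported as insecure, such as a user's own .profile, is where PATH changes or forbidden built-ins will be blocked by the policy; a file reported as secure is loaded without those restrictions, so its ownership and mode deserve the same scrutiny as the policy file itself.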
The order in which the restrictions are applied to the shell is:
The shell, and the commands run from within it, run as the selected runuser and rungroup for the shell program. Once the shell is running, you cannot change the runuser or rungroup for authorized commands within the shell. To run an individual shell command as a different user, run pmrun <cmd>.
You can change the arguments to a command running within a shell, the environment variables, and the priority for a command. For example, if you configure the shell to authorize built-in commands, then you can prevent a user from changing to any directory other than the user’s home directory by removing all except the first argument from the cd command. For example:
if (runcommand=="cd") {
    len=length(runargv);
    runargv=replace(runargv,1,len);
}
The exec command is always forbidden if an attempt is made to run it from the top-level interactive shell process, as this would overlay the existing controlled Privilege Manager for Unix shell with an unrestricted shell. For example, an attempt to run this command from an interactive shell is forbidden:
exec /bin/sh
A Privilege Manager for Unix-enabled shell requires two connections to the policy server host. One is used for keystroke logging by the shell program itself, and one is used for authorizing commands to be run during the shell session.
allowed_pmshells = { "pmsh", "pmcsh", "pmksh" };

# pmshell only defined if a shell or cmd within a shell
if (defined pmshell) {
    # Configure Privilege Manager for Unix Shells
    if ( pmshell_cmd == 0) {
        if ( pmshell_prog in allowed_pmshells ) {
            print("Starting Privilege Manager for Unix Shell");
            pmshell_restricted=0;        # Restricted Shell: 0=disable|1=enable
            pmshell_checkbuiltins=0;     # Force checking of Shell BuiltIns: 0=disable|1=enable
            pmshell_allow={"ls", "man"}; # list of commands to accept without further authorization.
            accept;
        } else {
            reject "You are not authorized to run this shell";
        }
    }
    # Authorize all commands executed from within a shell
    else {
        # Define list of commands allowed to run as the root user.
        privileged_cmds = { "/sbin/service", "/usr/bin/kill", "/usr/bin/id" };
        if ( command in privileged_cmds ) {
            runuser = "root";
            rungroup = "root";
        }
        print("Executing command as user: " + runuser);
        accept;
    }
}
If you have successfully completed the Privilege Manager for Unix installation and you are new to Privilege Manager for Unix, One Identity recommends that you work through the semi-interactive lessons in Policy scripting tutorial. This will help familiarize you with the basic functionality of Privilege Manager for Unix.
Before you configure Privilege Manager for Unix, make sure
This is a sample services file:
pmmasterd 12345/tcp
pmlocald 12346/tcp
This is a sample pm.settings file, showing you the defaults for each setting:
kerberos NO
encryption AES
reconnectClient NO
reconnectAgent NO
clientVerify NONE
FailOverTimeOut 10
Certificates NO
selecthostrandom YES
shortnames YES
syslog YES
pmservicedLog /var/log/pmserviced.log
masterport 12345
localport 12346
tunnelport 12347
masters qpm4u
pmmasterdlog /var/log/pmmasterd.log
pmmasterdEnabled YES
pmmasterdOpts -ar
policymode pmpolicy
pmlogGroup pmlog