pmpolicy -v command [args] [-c] [<command>.] -h
pmpolicy is a command line utility for managing the Privilege Manager for Sudo security policy. Use the pmpolicy command to view and edit the policy in use by the group. Any user in the pmpolicy group may run this command on any configured policy server host.
This utility checks out the current version, checks in an updated version, and reports on the repository.
You can use the –c option to display the result of the command in CSV, rather than in a human-readable form. The CVS output displays the following fields: Resultcode, name, description, Output msg.
The pmpolicy utility exits with the following possible exit status codes, unless otherwise stated below:
The following is a summary of the commands and options available to pmpolicy.
NOTE: Run any command with a -h to get more information about it. For example:
pmpolicy <command> -h
|add||Adds a new file from the specified path to the policy repository. |
add -p path -d dir [-n [-l commitmsg]] [-c] [-u <user>]
Records the addition of a new file to the working copy of the policy. Use the -p option to specify the file path (relative to the top-level directory in the policy) to add. Use the -d option to specify the directory of the working copy. The -n option commits the changes to the repository. If you use the -n option, you can also use the -l option to provide a commit log message. If you use -n without the -l, the command interactively prompts you for the commit log message
|checkout||Checks out a working copy of the policy to the specified directory. |
checkout -d <dir> [-c] [-r <revision>]
If the directory does not exist, it is created. If the selected directory exists, the existing contents is overwritten. By default, the latest copy is retrieved; use the –r option to check out a particular revision. You can specify a revision using SVN DATE format, or the HEAD keyword, as well as revision numbers.
|commit||Checks in changes from a working copy to the policy repository. |
commit -d <dir> [-l <commitmsg>] [-c] [-a force|abort|merge|overwrite][-u <user>]
Commits the working copy of the policy from the indicated directory. All files in the indicated directory are checked in to the repository.
This working copy is first verified for syntax errors using the pmcheck utility. The working copy must match the policy type currently in use, otherwise a syntax error will be produced by pmcheck.
If no syntax errors are encountered, it attempts to check in this copy into the repository, honoring the -a option as described below. Exit status of 0 indicates successful check in.
The –a option indicates the action to be taken when checking in a working copy, if the repository has changed since the working copy was checked out, that is, the edits are based on an out-of-date copy of the repository. The resulting differences between the working copy and the repository may or may not conflict.
You can specify the following actions:
pmpolicy commit -d /tmp -a force
|diff||Checks the differences between two revisions of the policy and reports the output to stdout, or to the selected output file. |
diff [-o <outfile>][-c][-f][-p <path>][-d <dir> [-r <v1>]] | [-r [<v1>:[<v2>]]
By default, this option displays the differences between the two selected revisions. If you specify the –f option, it displays the incremental differences between each revision in the specified range. You can specify revisions using any acceptable SVN revision format, such as HEAD, COMMITTED, or DATE format. You can use the –o option to report the "diff" output to a file, rather than to stdout (the default).
Exit status codes:
pmpolicy diff -d /tmp -o /tmp/diffs.txt -r2 pmpolicy diff –r1:2 -o /tmp/diffs.txt
The utility checks out a temporary working copy of the policy and starts the appropriate interactive editor to edit the files.
For a sudo policy, it runs visudo; for a legacy policy it uses $EDITOR.
edit [-a force|abort|merge|overwrite] [-l <commitmsg>] [-p <path>][-u <user>]
This option is useful for manual interactive editing of the policy on the command line.
On completion of the edit, it verifies the syntax of the policy. If no errors are found, it checks the edits back in to the repository. If any errors are found, then it exits without checking in the changes.
|help||Displays usage information.|
|log||Logs revision information about the repository. |
log [-o <outfile>][-c][-e][-r <revision>]
Reports information about the repository to stdout or to the selected output file. This displays details of the user who changed the repository, the version number for this change, along with the time and date of the change.
By default, this option shows details of each revision in the repository, one version per line. If you specify a version, it shows the details of this version. You can use the –o option to report the "log" output to a file, rather than to stdout.
The status is displayed in the following format for CSV output:
pmpolicy log -r 3
|masterstatus||Reports the status of the production copy of the policy used by Privilege Manager for Sudo to authorize commands. |
masterstatus [-o <outfile>] [-c]
The production copy is stored in the following directory by default:
You can use the –o option to report the information to a file instead of to stdout.
It reports the following information:
The information is displayed in the following format for CSV output:
Removes a file from the specified path in the policy repository.
remove -p path -d dir [-n [-l <commitmsg>]] [-c] [-u <user>]
Removes a file from the indicated working copy directory. Use the -p option to specify a path to the file (relative to the top-level directory in the policy). Use the -d option to specify the directory of the working copy. The -n option commits the changes to the repository. If you use the -n option, you can also use the -l option to provide a commit log message. If you use -n without -l, the command interactively prompts you for the commit log message.
|revert||Reverts to the selected revision of the policy.|
revert [-c] [-r <version>][-l <commitmsg>]
Checks out a copy of the selected revision, edits the files, and checks the copy back in as the latest revision.
|status||Verifies the working copy of the policy in the directory indicated. |
status -d <dir> [-c]
Verifies the working copy of the policy in the specified directory. You can use this to verify the status of a working copy that was previously checked out, before attempting to commit any edits. Each file in the selected directory is checked against the latest version in the repository. For example:
pmpolicy status -d /tmp
Exit status codes:
|sync||Checks out the latest version to the production copy of the policy used by Privilege Manager for Sudo to authorize commands. |
Synchronize the local production copy of the policy with the latest revision in the repository.
|-v||Displays the Privilege Manager version.|
pmpolicyplugin [-c] -g | -h | -l | -s | -v
Use the pmpolicyplugin command to display the revision status of the cached security policy on this host or to request an update from the central repository.
pmpolicyplugin has the following options.
|-c||Displays output in CSV, rather than human-readable format.|
|-g||Exports the latest copy of the policy to the production copy (equivalent to pmpolicy sync on a server).|
|-h||Displays usage information.|
|-l||Reports whether a client is configured on this host.|
|-s||Shows details of the production policy on this host (equivalent to pmpolicy masterstatus on a server).|
|-v||Displays Privilege Manager version number.|
See Sudo policy is not working properly for an example of using the pmpolicyplugin command.
pmpoljoin_plugin -j <primaryserver> [-u <localuser][-b][-p] -d [-f] [-b] -v | -h | -[-z on|off[:<pid>]]
Adjunct program to the pmjoin_plugin script. pmpoljoin_plugin is called by the pmjoin_plugin script when configuring a Sudo Plugin host to setup up the required read-only access to the policy repository, so that the client can operate in off-line mode.
pmpoljoin_plugin has the following options.
Runs the script in non-interactive mode.
Default: Runs in interactive mode.
|-d||Unconfigures the client.|
|-f||Does not prompt for confirmation when unconfiguing the client.|
|-h||Shows this usage|
Joins this client to the selected primary server.
Configures a client license on this host if it does not already have a server license; creates a pmclient user and configures read-only access to the repository for this user, using the pmpolicy account on the primary server.
|-q||Reads pmpolicy user's password from stdin.|
Specifies the pmclient user account that will manage the production copy. This user will be created if it does not exist.
|Prints the product version.|
pmpolsrvconfig -p <policygroupname> [-b][-i <path>][-o][-r <dir>] [-t sudo|pmpolicy] [-u <policyuser][-w <userpasswd>] [-g <policygroup>][-l <loggroup>] -s <host> [-b][-q] [-q] -a <user> [-b][-q] [-q] -d [-f] -e <host> [-f] -x [-f] -v -h
The pmpolsrvconfig program is normally run by pmsrvconfig script, not by the user, to configure or un-configure a primary or secondary policy server. But, you can use it to grant a user access to a repository.
pmpolsrvconfig has the following options.
Provides the selected user with access to the existing repository. If the user does not exist, it is created. The host must first have been configured as a policy server.
This user will be added to the pmpolicy group to grant it read/write access to the repository files, and to the pmlog group to grant it read access to the log files.
On a secondary policy server, an ssh key will also be generated to provide access to the pmpolicy user account on the primary policy server. The "join" password is required to copy this ssh key to the primary policy server.
Runs the script in batch mode (that is, no user interaction is possible).
Default: Runs in interactive mode.
Unconfigures the policy server, and deletes the repository if this is a primary server.
If you do not specify the -f option, then it prompts you to confirm the action.
|Removes the selected host from the server group.|
Forces the unconfigure action (that is, no user interaction required)
Default: Prompt for confirmation for -x option.
Specifies the policy group ownership for the repository. If this group does not exist, it is created.
Imports the selected policy into the repository. If this is a directory, the entire contents of the directory will be imported.
Specifies the pmlog group ownership for the keystroke and audit logs
Overwrites the repository if it already exists.
Default: Does not overwrite if the repository already exists.
|Configures a primary policy server for the selected group name.|
|-q||Reads the pmpolicy user's password from stdin.|
Creates the repository in the selected directory.
|-s <host>||Configures a secondary policy server. You must supply the primary policy server host name. The secondary policy server retrieves the details of the policy group from the primary policy server. It creates the policygroup and loggroup groups to match those on the primary policy server and configures the policyuser user to grant it ssh access to the repository on the primary server. The "join" password is required to copy this ssh key to the primary policy server.|
Specifies the security policy type: sudo or pmpolicy.
Default: sudo policy type
Specifies the policy user account that manages the production copy. If this user does not exist, it is created and added to both the policygroup and loggroup groups. This user owns the repository on the primary policy server and provides remote access to the repository files to the secondary policy servers.
|-v||Prints the product version.|
(Optional) Sets new user's password for -a option.
Default: No password is configured.
Unconfigures the policy server. If you do not specify the -f option, you are prompted to confirm the action.