Chat now with support
Chat with Support

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

pmshell_readonly

Description

Type list READONLY

pmshell_readonly is only defined if the command is a shell subcommand running from within a Privilege Manager shell program (pmsh, pmcsh, and pmksh). You can set this variable to a list of environment variables to mark as readonly in the shell. It defaults to an empty list.

Example
if (defined pmshell) 
{ 
   #set some application specific readonly variables for the shell 
   pmshell_readonly={"PATH", "SHELL", "APPL_HOME"}; 
}

pmshell_reject

Description

Type string READ/WRITE

The pmshell_reject string is displayed by the Privilege Manager shell programs (pmsh, pmcsh, pmksh, and pmbash) for any shell subcommands rejected because they are listed in pmshell_forbid. The default is "Request Rejected".

Example
pmshell_reject = "Your request has been rejected by the shell";

pmshell_restricted

Description

Type integer READ/WRITE

If pmshell_restricted is set to true, then the Privilege Manager shell program is run as a restricted shell. This means that the user cannot:

  • change directory
  • change the PATH, SHELL, or ENV variables
  • run any command that is not found in the PATH
  • run any command identified by full pathname
  • Overwrite any existing files using output redirection (such as, echo "" > /etc/passwd)

These restrictions are applied without any further authorization by the policy server. The default for this variable is false.

This variable is applicable to the pmsh, pmcsh, pmksh, and pmbash programs.

Example
if (user != "root") 
{ 
   pmshell_restricted = true; 
}

preserve_clienthost

Description

Type integer READ/WRITE

The clienthost variable normally matches the host name on which the pmrun client was run. To preserve the host name of the login host instead, set the preserve_clienthost variable to true.

Example
print("User has logged in from host:%s\n", clienthost);
Related Documents