
Privilege Manager for Unix 7.1 - Administration Guide


Configuration file examples

The topics that follow walk you through some detailed examples for the configuration file policy.

To install the configuration file examples on your machine

  1. Check out the policy file:
    # pmpolicy checkout -d /tmp/example
  2. Copy an example to the checkout directory and rename it to pm.conf.
    cp /opt/quest/qpm4u/examples/exampleX.conf /tmp/example/policy_pmpolicy/pm.conf

    where X in exampleX.conf is 1, 2, 3,...10.

  3. Edit the configuration file and change the user name to a user name on your machine.
    # vi /tmp/example/policy_pmpolicy/pm.conf
  4. Commit the changes and enter a commit log message:
    # pmpolicy commit -d /tmp/example
    ** Validate options                                                       [ OK ]
    ** Commit copy in directory:/tmp/example/policy_pmpolicy                 
    
       ** Check directory                                                     [ OK ]
       ** Perform syntax check                                                [ OK ]
       ** Verify files to commit                                              [ OK ]
       Please enter the commit log message: Changed user name
       ** Commit change from working copy                                     [ OK ]
       ** Committed revision 4
  5. Run a command with pmrun as the user name you specified. For example:
    $ pmrun ls -l /tmp

Example 1: Basics

When you use pmrun to run a command, pmmasterd starts up and looks in the Privilege Manager for Unix configuration file for the conditions under which it should accept or reject the request.

The following configuration file fragment allows Dan to run programs as root:

if(user=="dan") {
   runuser="root";
   accept;
}

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes.

The syntax of the configuration language is similar to the C programming language:

  • Each statement ends with a ; (semicolon)
  • = (single equals) assigns values to variables
  • == (double equals) compares values for equality
  • ( ) (parentheses) enclose the conditional expressions in an if statement
  • { } (braces) group statements together
  • " " (double quotes) enclose strings
  • White space, tab stops, or indentation are ignored

In the example above, the braces { } group the two statements that run if the conditions in the if statement are met. The accept statement causes pmmasterd to accept the request, and asks pmlocald to run whatever command Dan requests as root.

Use the pmcheck program to check the example for errors. pmcheck gives you a line number and brief description for each error found.

Note that pmcheck assumes that the configuration file exists in /etc/opt/quest/qpm4u/policy/pm.conf unless you specify otherwise on the command line with a -f filename argument.

For example, if pmcheck finds a syntax error on line 2 of the configuration file, it prints out a message similar to the following:

% pmcheck
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012

Parse error in "/etc/opt/quest/qpm4u/policy/pm.conf", line 1: syntax error near ';'
File /etc/opt/quest/qpm4u/policy/pm.conf contains 1 error.

If pmcheck finds no errors, it displays a message similar to this:

% pmcheck 
Version 6.0.0 (003) licensed until Thu Nov 1 06:00:00 2012 

File /etc/opt/quest/qpm4u/policy/pm.conf contains 0 errors.

Try running a few more commands, such as date, hostname, and your favorite shell (such as csh, sh, or ksh), by preceding the command with pmrun. For example:

# pmrun date

Example 2: Accept or reject requests

By default, pmmasterd rejects all requests. It only accepts requests if it reaches an accept statement after the appropriate conditions are met in the configuration file. When pmmasterd rejects a request, it does not run the requested program and it sends the user an explanatory message.

pmmasterd can also reject commands explicitly. The following fragment rejects Dan’s request to run commands outside of regular office hours:

accept [from ["user"][, ["submithost"][, ["command"]
[, ["runhost"]]]]] [when conditional-expression]
[with optional-statements-before-execution];

reject ["reject-text"] [from ["user"][, ["submithost"]
[, ["command"][, ["runhost"]]]]]
[when conditional-expression];

if(user=="dan") {
   # Explicitly disallow commands run outside of
   # regular office hours
   if(dayname=="Sat" || dayname=="Sun" ||
      !timebetween(800,1700))
      reject;
   runuser="root";
   accept;
}

Once it reaches a reject statement, pmmasterd reads no further statements; the request ends as soon as it is rejected. Note that no braces { } enclose the reject statement, since it is the only statement that occurs inside the inner if statement. Note also the use of the || ("or") and ! ("not") operators in the if statement, which translates as "if the current day is Saturday or Sunday, or if the current time is not between 8:00 a.m. and 5:00 p.m., then reject the request."

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes. Check the configuration file for errors with pmcheck. Then try to run commands with pmrun. For more information about using pmcheck, see Example 1: Basics.

Try changing the times passed to timebetween to cause requests to be accepted or rejected.

Example 3: Command constraints

This configuration file fragment restricts Dan to running only certain programs (ls, hostname, or kill) as root.

Type this fragment into the /etc/opt/quest/qpm4u/policy/pm.conf file, or copy it from the examples directory in the Privilege Manager for Unix distribution directory. Replace "dan" with your own user name in quotes.

if (user=="dan")
   if(command=="ls" || command=="hostname" ||
      command=="kill") {
      runuser="root";
      accept;
   }

Check the configuration file for errors with pmcheck. For more information about using pmcheck, see Example 1: Basics. Try to run one of the programs permitted, then try something that will be rejected, such as:

pmrun mail
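
The following Python model is an added illustration, not part of the product or of the original guide. It shows how the office-hours reject from Example 2 and the command list from Example 3 combine with the default-reject rule, so you can tabulate expected outcomes before committing a policy. The names decide, run_matrix and the sample requests are constructed for this sketch, and treating the timebetween bounds as inclusive is an assumption.

```python
from datetime import datetime

DAYNAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
ALLOWED = {"ls", "hostname", "kill"}  # command list from Example 3

def timebetween(now, start, end):
    # Model of the policy's timebetween(800,1700): times are HHMM integers.
    # Treating both bounds as inclusive is an assumption of this sketch.
    return start <= now.hour * 100 + now.minute <= end

def decide(user, command, now):
    """Walk the combined rules top to bottom; the first accept or reject
    reached ends evaluation, and reaching the end means reject."""
    if user == "dan":
        dayname = DAYNAMES[now.weekday()]
        # Example 2: explicit reject outside regular office hours
        if dayname in ("Sat", "Sun") or not timebetween(now, 800, 1700):
            return ("reject", None, "outside office hours")
        # Example 3: only allowlisted commands reach accept
        if command in ALLOWED:
            return ("accept", "root", "allowlisted command")
    # No accept statement reached: pmmasterd's default is to reject
    return ("reject", None, "no accept reached")

# Constructed sample requests (user, command, submit time); not real log data
REQUESTS = [
    ("dan",   "ls",   datetime(2024, 3, 6, 10, 30)),   # Wednesday morning
    ("dan",   "mail", datetime(2024, 3, 6, 10, 30)),   # not on the allowlist
    ("dan",   "kill", datetime(2024, 3, 6, 18, 15)),   # after 17:00
    ("dan",   "ls",   datetime(2024, 3, 9, 10, 30)),   # Saturday
    ("alice", "ls",   datetime(2024, 3, 6, 10, 30)),   # user with no rule
]

def run_matrix():
    return [decide(u, c, t) for u, c, t in REQUESTS]

if __name__ == "__main__":
    for (u, c, t), (verdict, runuser, why) in zip(REQUESTS, run_matrix()):
        print(f"{u:5} {c:8} {t:%a %H:%M}  {verdict:6} runuser={runuser}  ({why})")
```

Only the first request is accepted; the mail request and the request from a user with no rule are rejected without any explicit reject statement, because no accept is ever reached.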