pmmasterd [ -z on|off[:pid] ] [ -v ] | [ [ -ars ] [ -e logfile ] ]
The Privilege Manager master daemon (pmmasterd) is the policy server decision-maker. pmmasterd receives requests from pmrun or the Sudo Plugin and evaluates them according to the security policy. If the request is accepted, pmmasterd asks pmlocald or the Sudo Plugin to run the request in a controlled account such as root.
A connection is maintained between pmmasterd and the Sudo Plugin for the duration of the session. This also occurs between pmmasterd and pmlocald, if keystroke logging is enabled. When the pmmasterd connection is maintained throughout the session, keystroke and event log data is forwarded on this connection.
If keystroke logging is not enabled, pmlocald reconnects to pmmasterd at the end of the session to write the event log record showing the final completion code for the command executed by pmlocald. If pmlocald is unable to reconnect, it writes instead to a holding file, pm.eventhold.hostname. It then attempts to write the pmevents.db record to the host the next time pmmasterd connects to pmlocald. Multiple files can accrue and they will all be delivered to the proper host when the connection is restored.
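A lingering pm.eventhold.hostname file means pmlocald could not reach the pmmasterd on that host to deliver its final event record, so from a monitoring point of view the hold files are a direct signal that audit data is being delayed. The following is an added example, not Privilege Manager code: it classifies hold files by the policy server they are waiting on and flags any that have been queued longer than a threshold. It assumes only the file naming the page states (pm.eventhold.<hostname>); the directory the files live in is not given on this page, so HOLD_DIR is a placeholder you must replace.

```python
"""Added example: flag pmlocald event-hold files that have waited too long.
Not Privilege Manager code.  Assumes hold files are named pm.eventhold.<hostname>
(as the page states); the directory they live in is not given on the page, so
HOLD_DIR below is a placeholder you must replace."""
import os
import time

HOLD_DIR = "/path/to/pm/hold/dir"   # placeholder, not a real product path
HOLD_PREFIX = "pm.eventhold."


def pending_hold_records(entries, now, max_age_seconds):
    """Return [(hostname, age_seconds, stale)] for every hold file in `entries`.

    `entries` is a list of (filename, mtime) pairs.  Each matching file means
    pmlocald could not reconnect to pmmasterd on <hostname> to deliver an event
    record; a file older than max_age_seconds is marked stale, which usually
    means the path to that policy server has been down for more than a blip.
    Results are oldest first so the worst case tops any report.
    """
    results = []
    for name, mtime in entries:
        if not name.startswith(HOLD_PREFIX):
            continue                      # unrelated file in the same directory
        host = name[len(HOLD_PREFIX):]
        if not host:
            continue                      # malformed: no hostname after the prefix
        age = max(0.0, now - mtime)
        results.append((host, age, age > max_age_seconds))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


def scan_hold_dir(path=HOLD_DIR, max_age_seconds=3600):
    """Disk-backed wrapper: read `path` and classify what is waiting there."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file():
                entries.append((d.name, d.stat().st_mtime))
    return pending_hold_records(entries, time.time(), max_age_seconds)


if __name__ == "__main__":
    # Constructed sample: one record stuck for two hours, one fresh,
    # one malformed name and one unrelated file.  adminhost2 is made up.
    now = 1_700_000_000.0
    sample = [
        ("pm.eventhold.adminhost1", now - 7200),
        ("pm.eventhold.adminhost2", now - 30),
        ("pm.eventhold.", now - 10),
        ("README", now),
    ]
    for host, age, stale in pending_hold_records(sample, now, 3600):
        print(f"{'STALE' if stale else 'ok':5} {host}: waiting {int(age)}s")
```

Run scan_hold_dir() from cron or a monitoring agent on each pmlocald host; a stale entry for a given policy server is worth an alert because, until pmlocald reconnects, the pmevents.db record for that session has not reached the host that keeps the event log.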
The policy server master daemon typically resides on a secure machine. You can have more than one policy server master daemon on different hosts for redundancy or to serve multiple networks.
pmmasterd logs all errors in a log file if you specify the -e filename option.
pmmasterd has the following options:
| Option | Description |
|---|---|
| -a | Sends job acceptance messages to syslog. |
| -e filename | Logs any policy server master daemon errors in the file specified. |
| -r | Sends job rejection messages to syslog. |
| -s | Sends any policy server master daemon errors to syslog. |
| -v | Displays the version number of pmmasterd and exits. |
| -z | Enables/disables tracing for this program and optionally for a currently running process. (Refer to Enabling Program-level Tracing before using this option.) |
(Privilege Manager for Unix only.) The pmmg text editor is a special version of the mg text editor that you can use securely with Privilege Manager programs; it is a small version of GNU Emacs with GNU-style Emacs key bindings. You must specify a full pathname as an argument when starting pmmg. You will not be able to access any files other than the ones you specified at startup time, nor will you be allowed to spawn any processes.
When you run the pmmg program with Privilege Manager, it allows you to access a specific file as root, but no other root functions.
The pmpasswd program generates an encrypted password which can be used in a custom configuration script. When you type pmpasswd, it asks you to type the password twice, then prints out the encrypted version. You can use the encrypted version as the first argument to the getstringpasswd function in the configuration file.
For more information, see getstringpasswd.
pmplugininfo -v | [-z on|off[:<pid>]] | -c [-h <host>]
(Privilege Manager for Sudo only.) Run the pmplugininfo command on a Sudo Plugin host to display information about the policy server group that the host has joined.
pmplugininfo has the following options:
| Option | Description |
|---|---|
| -c | Displays output in CSV, rather than human-readable format. |
| -h hostname | Specifies the hostname to interrogate for policy group information. |
| -v | Displays the product version and exits. |
| -z | Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.) |
The following is an example of the human-readable output:
Joined to a policy group : YES
Name of policy group : adminGroup1
Hostname of primary policy server : adminhost1
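Checking a fleet of Sudo Plugin hosts against the policy group they are supposed to have joined is a natural use of this output. The following is an added example, not part of Privilege Manager: it parses the human-readable form shown above into fields and compares them with an expected group and primary policy server. It assumes the three "label : value" lines above are the complete output and that " : " is the separator; the CSV form produced by -c is not shown on this page and is not handled.

```python
"""Added example: parse pmplugininfo's human-readable output and check a Sudo
Plugin host against the policy group it is expected to belong to.  Not part of
Privilege Manager.  Assumes the three 'label : value' lines on the page are the
complete output and that ' : ' separates label from value."""
import subprocess

# Constructed sample, copied from the page's example output, one field per line.
SAMPLE_OUTPUT = """\
Joined to a policy group : YES
Name of policy group : adminGroup1
Hostname of primary policy server : adminhost1
"""


def parse_plugininfo(text):
    """Turn 'label : value' lines into a dict; blank and malformed lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        label, value = line.split(" : ", 1)
        fields[label.strip()] = value.strip()
    return fields


def check_policy_group(text, expected_group, expected_primary=None):
    """Return a list of problems; an empty list means the host is configured as expected."""
    f = parse_plugininfo(text)
    problems = []
    if f.get("Joined to a policy group", "").upper() != "YES":
        problems.append("host has not joined any policy group")
        return problems          # the remaining fields mean nothing if not joined
    group = f.get("Name of policy group")
    if group != expected_group:
        problems.append(f"joined to {group!r}, expected {expected_group!r}")
    primary = f.get("Hostname of primary policy server")
    if expected_primary is not None and primary != expected_primary:
        problems.append(f"primary policy server is {primary!r}, expected {expected_primary!r}")
    return problems


def check_host(expected_group, expected_primary=None, hostname=None):
    """Run pmplugininfo (with -h hostname if given) and check its output."""
    cmd = ["pmplugininfo"]
    if hostname:
        cmd += ["-h", hostname]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_policy_group(out, expected_group, expected_primary)


if __name__ == "__main__":
    print(parse_plugininfo(SAMPLE_OUTPUT))
    print(check_policy_group(SAMPLE_OUTPUT, "adminGroup1", "adminhost1"))
    print(check_policy_group(SAMPLE_OUTPUT, "adminGroup2"))
```

A host that reports "Joined to a policy group : NO" is treated as a single, overriding problem, since a plugin host that has not joined a group is not being governed by any policy server at all.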