
Safeguard for Sudo 2.0 - Administrators Guide


pmmasterd

Syntax
pmmasterd [ -z on|off[:pid] ] [ -v ] | [ [ -ars ] [ -e logfile ] ]
Description

The Privilege Manager master daemon (pmmasterd) is the policy server decision-maker. pmmasterd receives requests from pmrun or the Sudo Plugin and evaluates them according to the security policy. If the request is accepted, pmmasterd asks pmlocald or the Sudo Plugin to run the request in a controlled account such as root.

A connection is maintained between pmmasterd and the Sudo Plugin for the duration of the session. This also occurs between pmmasterd and pmlocald, if keystroke logging is enabled. When the pmmasterd connection is maintained throughout the session, keystroke and event log data is forwarded on this connection.

If keystroke logging is not enabled, pmlocald reconnects to pmmasterd at the end of the session to write the event log record showing the final completion code for the command executed by pmlocald. If pmlocald is unable to reconnect, it writes the record instead to a holding file, pm.eventhold.hostname, and attempts to write the pmevents.db record to the host the next time pmmasterd connects to pmlocald. Multiple holding files can accrue; they are all delivered to the proper host when the connection is restored.

The policy server master daemon typically resides on a secure machine. You can have more than one policy server master daemon on different hosts for redundancy or to serve multiple networks.

pmmasterd logs all errors in a log file if you specify the -e filename option.

Options

pmmasterd has the following options:

Table 74: Options: pmmasterd

  Option        Description
  -a            Sends job acceptance messages to syslog.
  -e filename   Logs any policy server master daemon errors in the file specified.
  -r            Sends job rejection messages to syslog.
  -s            Sends any policy server master daemon errors to syslog.
  -v            Displays the version number of pmmasterd and exits.
  -z            Enables/disables tracing for this program and optionally for a currently running process. (Refer to Enabling Program-level Tracing before using this option.)

Files
  • Privilege Manager policy file (pmpolicy type): /etc/opt/quest/qpm4u/policy/pm.conf
  • Privilege Manager policy file (sudo type): /etc/opt/quest/qpm4u/policy/sudoers

pmmg

Syntax
pmmg /full_path_name
Description

(Privilege Manager for Unix only.) The pmmg text editor is a special version of the mg text editor that you can use securely with Privilege Manager programs; it is a small version of gnu emacs with gnu-style emacs key bindings. You must specify a full pathname as an argument when starting pmmg. Also, you will not be able to access any files other than the ones you specified at startup time. Nor will you be allowed to spawn any processes.

When you run the pmmg program with Privilege Manager, it allows you to access a specific file as root, but not other root functions.

pmpasswd

Syntax
pmpasswd
Description

The pmpasswd program generates an encrypted password which can be used in a custom configuration script. When you type pmpasswd, it asks you to type the password twice, then prints out the encrypted version. You can use the encrypted version as the first argument to the getstringpasswd function in the configuration file.

For more information, see getstringpasswd.

pmplugininfo

Syntax
pmplugininfo -v | [ -z on|off[:<pid>] ] | -c [ -h <host> ]
Description

(Privilege Manager for Sudo only.) Run the pmplugininfo command on a Sudo Plugin host to display information about the policy server group that the host has joined.

Options

pmplugininfo has the following options:

Table 75: Options: pmplugininfo

  Option        Description
  -c            Displays output in CSV, rather than human-readable format.
  -h hostname   Specifies the hostname to interrogate for policy group information.
  -v            Displays product version and exits.
  -z            Enables/disables debug tracing. (Refer to Enabling Program-level Tracing before using this option.)

Examples

The following is an example of the human-readable output:

Joined to a policy group             : YES 
Name of policy group                 : adminGroup1 
Hostname of primary policy server    : adminhost1
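The following is an added example and is not part of the One Identity guide or product. It scripts two checks an administrator might run around the programs described on this page: parsing the human-readable pmplugininfo output shown above to confirm that a host is still joined to its policy group, and counting pm.eventhold.* holding files that pmlocald leaves behind when it cannot reconnect to pmmasterd (undelivered event log records are an audit gap worth alerting on). It assumes pmplugininfo prints "Key : Value" lines exactly as in the example, that an unjoined host prints "NO" in the first field (an assumption; the guide shows only the joined case), and that the caller passes the directory where the holding files live, since the guide does not state it. The sample output is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the One Identity documentation.

# parse_plugininfo: read pmplugininfo human-readable output on stdin and
# print one KEY=VALUE line per field, e.g. NAME_OF_POLICY_GROUP=adminGroup1.
# Assumes the "Key : Value" layout shown in the guide's example.
parse_plugininfo() {
    awk -F' *: *' '
        NF >= 2 {
            key = $1; sub(/^ +/, "", key); sub(/ +$/, "", key)
            gsub(/[^A-Za-z0-9]+/, "_", key)
            val = $2; sub(/ +$/, "", val)
            print toupper(key) "=" val
        }'
}

# plugin_joined: return 0 when the host reports membership in a policy
# group, 1 otherwise. Reads pmplugininfo output on stdin.
plugin_joined() {
    parse_plugininfo | grep -qx 'JOINED_TO_A_POLICY_GROUP=YES'
}

# count_held_events DIR: number of pm.eventhold.* files in DIR, i.e. event
# log records pmlocald has not yet delivered to pmmasterd. DIR is supplied
# by the caller (assumption: the guide does not name the directory).
count_held_events() {
    dir=$1
    n=0
    for f in "$dir"/pm.eventhold.*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample mirroring the guide's example output.
SAMPLE_JOINED='Joined to a policy group             : YES
Name of policy group                 : adminGroup1
Hostname of primary policy server    : adminhost1'

# Constructed sample for an unjoined host (assumed format).
SAMPLE_NOT_JOINED='Joined to a policy group             : NO'

# Usage: in production, replace the printf with "pmplugininfo | plugin_joined".
if printf '%s\n' "$SAMPLE_JOINED" | plugin_joined; then
    echo "host is joined:"
    printf '%s\n' "$SAMPLE_JOINED" | parse_plugininfo
else
    echo "host is NOT joined to a policy group"
fi

# Demonstrate the holding-file check against a constructed directory.
tmp=$(mktemp -d)
: > "$tmp/pm.eventhold.host1"
: > "$tmp/pm.eventhold.host2"
echo "undelivered event records: $(count_held_events "$tmp")"
rm -rf "$tmp"
```

A non-zero count from count_held_events means pmlocald has event records waiting for the next pmmasterd connection; if the count keeps growing, the policy server is unreachable and the audit trail is incomplete until the connection is restored.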