pmsh -a|-b|-c <file>|-e|-f|-i|-m|-n|-o <option>|-s|-u|-v|-x|-C|-E|-I|-B|-V[-U <user>]
(Privilege Manager for Unix only.) The Privilege Manager Bourne Shell (pmsh) command is a fully featured version of sh, that provides transparent authorization and auditing for all commands submitted during the shell session. pmsh supports the standard options for sh.
Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:
Once allowed by the shell, or authorized by the policy server, all commands are executed locally as the user running the shell program.
pmsh has the following options:
|-a||Flag variables for export when assignments are made to them.|
|-b||Enable asynchronous notification of background job completion. (UNIMPLEMENTED) .|
|-B||Allows the shell to run in the background.|
|-c <file>||read commands from an file instead of from standard input.|
|-C||Do not overwrite existing files with `>'.|
|-e||Exit immediately if any untested command fails in non-interactive mode. The exit status of a command is considered to be explic- itly tested if the command is part of the list used to control an if, elif, while, or until; if the command is the left hand oper- and of an ``&&'' or ``||'' operator; or if the command is a pipe- line preceded by the ! operator. If a shell function is executed and its exit status is explicitly tested, all commands of the function are considered to be tested as well.|
|-E||Enable the built-in emacs(1) command line editor (disables the -V option if it has been set; set automatically when interactive on terminals).|
|-f||Disable pathname expansion..|
|-h||A do-nothing option for POSIX compliance.|
|-i||Force the shell to behave interactively.|
|-I||Ignore EOF's from input when in interactive mode.|
|-m||Turn on job control (set automatically when interactive).|
|-n||If not interactive, read commands but do not execute them. This is useful for checking the syntax of shell scripts.|
|-o <option>||Sets the specified shell option. A list of shell options can be displayed using the set -o builtin command.|
|-p||Turn on privileged mode. This mode is enabled on startup if either the effective user or group ID is not equal to the real user or group ID. Turning this mode off sets the effective user and group IDs to the real user and group IDs. When this mode is enabled for interactive shells, the file /etc/suid_profile is sourced instead of ~/.profile after /etc/profile is sourced, and the contents of the ENV variable are ignored.|
|-s||Read commands from standard input (set automatically if no file arguments are present). This option has no effect when set after the shell has already started running (i.e., when set with the set command).|
|-u||Write a message to standard error when attempting to expand a variable, a positional parameter or the special parameter ! that is not set, and if the shell is not interactive, exit immediately.|
|-v||The shell writes its input to standard error as it is read. Useful for debugging.|
|-V||Enable the built-in vi command-line editor (disables -E if it has been set).|
|-x||Write each command (preceded by the value of the PS4 variable subjected to parameter expansion and arithmetic expansion) to standard error before it is executed. Useful for debugging.|
|-U <user>||Request to run the command as the specified user. The policy server decides whether to honor this request.|
pmsh supports the following builtin commands:
., :, [, alias, bg, break, cd, chdir, command, continueecho, eval, exec, exit, export, false, fg, getopts, hash, jobskill, local, printf, pwd, read, readonly, return, set, shift, testtimes, trap, true, type, ulimit, umask, unalias, unset, wait
(Privilege Manager for Unix only.) Use the pmshellwrapper program as a wrapper for any valid login shell on a host. It provides full keystroke logging for any normal shell, but does not provide authorization of the commands run from the shell.
To use pmshellwrapper, you must create a link for the real shell you want to use. For example:
ln –s /opt/quest/libexec/pmshellwrapper /opt/quest/bin/pmshellwrapper_bash
When the user runs pmshell_bash, it transparently converts this to pmrun bash.
pmsrvcheck --csv [ --verbose ] | --help | --pmpolicy | --primary | --secondary
Use pmsrvcheck to verify that a policy server is setup properly. It produces output in either human-readable or CSV format similar to that produced by the preflight program.
The pmsrvcheck command checks:
pmsrvcheck produces output in either human-readable or CSV format similar to the pre-flight output.
pmsrvcheck has the following options:
|--cvs||Displays csv, rather than human-readable output.|
|--help||Displays usage information.|
|--pmpolicy||Verifies that Privilege Manager policy is in use by the policy servers.|
|--primary||Verifies a primary policy server.|
|--secondary||Verifies a secondary policy server.|
|--verbose||Displays verbose output while checking the host.|
|--version||Displays the Privilege Manager for Unix version number and exits.|
pmsrvconfig -h | --help [-abipqtv] [-d variable=value] [-f path] [-l license_file] [-m sudo | pmpolicy] [-n group_name | -s hostname] [-x [policy_server_host ...]] [-bpvx] -u [--accept] [--batch] [--define variable=value] [--import path] [--interactive] [--license license_file] [--name group_name | --secondary hostname] [--pipestdin] [--plugin] [--policymode sudo | pmpolicy] [--tunnel] [--unix [policy_server_host ...]] [--verbose] [--batch] [--plugin] [--unix] [-- verbose] --unconfig
Use the pmsrvconfig command to configure or reconfigure a policy server. You can run it in interactive or batch mode to configure a primary or secondary policy server.
pmsrvconfig has the following options:
|-a | --accept||Accept the End User License Agreement (EULA), /opt/quest/qpm4u/qpm4u_eula.txt.|
|-b | --batch||Runs in batch mode; does not use colors or require userinput.|
|-d variable=value | --define variable=value||Specifies a variable for the pm.settings file and its associated value.|
|-h | --help||Displays usage information.|
|-i | --interactive||Runs in interactive mode; prompts for configuration parameters instead of using the default values.|
|-f path | --import path||Imports policy data from the specified path. The path may be set to either a file or a directory when using the pmpolicy type; the path must be set to a file when using the sudo policy type.|
|-l | --license||Specifies the full pathname of an .xml license file. You can specify this option multiple times with different license files.|
|-m sudo | pmpolicy | --policymode sudo | pmpolicy||Specifies the type of security policy: sudo or pmpolicy. The default is sudo.|
|-n | --name group_name||Uses group_name as the policy server group name.|
|-p | --plugin||Configures the Sudo Plugin.|
|-q | --pipestdin||Pipes password to stdin if password is required.|
|-s | --secondary primary_hostname||Configures host to be a secondary policy server where primary_hostname is the primary policy server.|
|-t | --tunnel||Configures host to allow Privilege Manager for Unix connections through a firewall.|
|-u | --unconfig||Unconfigures a Privilege Manager for Unix server.|
|-v | --verbose||Displays verbose output while configuring the host.|
|-x | --unix [policy_server_host ...]||
Configures Privilege Manager for Sudo on the local policy server; that is, configures pmlocald and pmrun to run on this host. If you do not specify a policy server host, it uses the local host name.
The following example accepts the End User License Agreement (EULA) and imports the sudoers file from /root/tmp/sudoers as the initial policy:
# pmsrvconfig –a –f /root/tmp/sudoers
By using the –a option, you are accepting the terms and obligations of the EULA in full.
By default, the primary policy server you configure uses the host name as the policy server group name. To provide your own group name, use the –n command option, like this:
# pmsrvconfig –a –n <MyPolicyGroup>
where <MyPolicyGroup> is the name of your policy group.
See Configure the Primary Policy Server for Privilege Manager for Unix and Policy Servers are Failing for other usage examples.
Directory where pmsrvconfig logs are stored: /opt/quest/qpm4u/install