Safeguard for Sudo 2.0 - Administrators Guide

Allowed Commands

Use the pmshell_allow list variable in the policy file to define the commands you want the shell to allow without any further authorization by the policy server. The shell program interprets each entry in this list as a regular expression. Privilege Manager checks each command the user enters against this list, and if a match is found it allows the command without further authorization. Because the shell allows these commands itself, they never reach the policy server and do not produce an accept entry in the event log.

Allowed Piped Commands

Use the pmshell_allowpipe list variable in the policy file to define the commands you want the shell to allow without further authorization by the policy server when the input to the command is a pipe. The shell program interprets each entry in this list as a regular expression. Privilege Manager checks a command the user enters against this list only if the command's input is a pipe; if a match is found, it allows the command without further authorization. Because the shell allows these commands itself, they do not produce an accept entry in the event log. This lets the shell authorize a command only within a particular context.

For example, if the allowed pipe command list contains grep, as in:

grep "root" /etc/shadow

the shell submits the grep command to the policy server for authorization, because its input does not come from a pipe.

On the other hand, if you enter:

cat /etc/shadow | grep "root"

the shell submits only the cat command to the policy server for authorization. The grep command is allowed without authorization, because its input comes from the pipe.

Check Shell Built-in Commands

Built-in shell commands are functions defined internally to the shell. You can apply policy to shell built-in commands by setting pmshell_checkbuiltins=1. The shell does not create a new UNIX® process to run a built-in command and does not access or execute any program outside the shell to run it. Shell built-in commands usually include functions such as echo and cd. The full list of built-in commands depends on the shell you are using; to see the list for a particular shell, run the shell with the -? argument.

By default, shell built-in commands are neither submitted to the policy server for authorization nor checked against the allow and forbid lists.

Setting pmshell_checkbuiltins=1 forces the shell to treat all shell built-in commands as if they were normal, executable commands. When this flag is set, every built-in command is compared with the forbid and allow lists, and if no match is found it is presented to the policy server for authorization.
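The decision sequence that the Allowed Commands, Allowed Piped Commands and Check Shell Built-in Commands sections describe, worked through as an added Python model. This is illustrative code written for this page, not the product's implementation. It assumes that each list entry is matched as a whole regular expression against the program name, that a match on the forbid list takes precedence over the allow lists, that only the second and later stages of a pipeline have a pipe on their standard input, and a constructed set of built-in command names (the real set depends on the shell).

```python
"""
Model of how a restricted shell governed by pmshell_* policy variables
decides what to do with each command a user types.  Illustrative only:
list precedence, matching rules and the built-in set are assumptions.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed set of built-ins; the real list depends on the shell in use
# (run the shell with -? to see it).
BUILTINS = {"cd", "echo", "export", "pwd", "set", "unset"}


@dataclass
class ShellPolicy:
    """Policy-file variables that shape the shell's own decisions."""
    pmshell_allow: List[str] = field(default_factory=list)      # regexes
    pmshell_allowpipe: List[str] = field(default_factory=list)  # regexes, pipe input only
    pmshell_forbid: List[str] = field(default_factory=list)     # regexes (assumed to win)
    pmshell_checkbuiltins: int = 0


def _matches(patterns: List[str], program: str) -> bool:
    # Assumption: each entry must match the whole program name.
    return any(re.fullmatch(p, program) for p in patterns)


def evaluate_command(policy: ShellPolicy, command: str, stdin_is_pipe: bool) -> str:
    """Return the shell's decision for one (non-pipelined) command:
    'builtin'       - runs inside the shell; no check, no event-log entry
    'forbid'        - rejected by the shell (assumed to override allow lists)
    'allowpipe'     - allowed by the shell because its input is a pipe
    'allow'         - allowed by the shell; no accept entry is logged
    'policy_server' - submitted to the policy server for authorization
    """
    argv = shlex.split(command)
    if not argv:
        return "empty"
    program = argv[0]
    if program in BUILTINS and not policy.pmshell_checkbuiltins:
        return "builtin"
    if _matches(policy.pmshell_forbid, program):
        return "forbid"
    if stdin_is_pipe and _matches(policy.pmshell_allowpipe, program):
        return "allowpipe"
    if _matches(policy.pmshell_allow, program):
        return "allow"
    return "policy_server"


def evaluate_line(policy: ShellPolicy, line: str) -> List[Tuple[str, str]]:
    """Split a command line on '|' and evaluate each stage.  Only stages
    after the first read from a pipe.  Splitting on a bare '|' is a
    simplification: a quoted '|' inside an argument would be mis-split."""
    stages = [s.strip() for s in line.split("|")]
    return [(stage, evaluate_command(policy, stage, stdin_is_pipe=i > 0))
            for i, stage in enumerate(stages)]


def needs_policy_server(policy: ShellPolicy, line: str) -> List[str]:
    """The stages of a line that the policy server will see (and can log)."""
    return [stage for stage, decision in evaluate_line(policy, line)
            if decision == "policy_server"]


if __name__ == "__main__":
    policy = ShellPolicy(pmshell_allow=["ls", "pwd"], pmshell_allowpipe=["grep"])
    for line in ('grep "root" /etc/shadow', 'cat /etc/shadow | grep "root"', "cd /tmp"):
        print(line, "->", evaluate_line(policy, line))
```

With grep only in pmshell_allowpipe, `grep "root" /etc/shadow` goes to the policy server while `cat /etc/shadow | grep "root"` sends only the cat stage; `needs_policy_server` shows which stages will appear in the event log, since anything the shell allows on its own never reaches the policy server. Because the list entries are regular expressions, how broadly a pattern matches depends on its anchoring; this model uses a whole-name match, which is an assumption about the product.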

Read-Only Variable List

Use the pmshell_readonly list variable in the policy file to define the environment variables that are read-only in the shell. Read-only variables cannot be changed during a shell session.
