
Safeguard for Sudo 2.0 - Administrators Guide


Running a Shell in Restricted Mode

Set pmshell_restricted=1 to configure the shell to run in restricted mode. Restricted mode applies these restrictions to the shell:

  • A user cannot change directory.
  • A user cannot change the value of these parameters: PATH, SHELL or ENV. You must set these up using the secure profile (if the user is running a login shell), or by setting these variables in the policy file.
  • A user cannot run any command that is identified by an absolute or relative pathname, including absolute paths defined in shell aliases. The user can only run shell built-in commands or executable files that are in the read-only PATH. For example, the following commands are not allowed:
    • /usr/bin/ls
    • ./
    • alias ll='/bin/ls -F'

    NOTE: Commands such as ls are allowed if /usr/bin and . are in the PATH; the command ll would not be allowed because the substituted command is an absolute path.

  • A user cannot use I/O redirection with the ">" or "<" characters.

    For example, the following command will fail:

    echo "hello" > /tmp/file
  • A user cannot run in privileged mode (if supported by the shell).

If the shell is run as a login shell for a user, then during the login process, the relevant system and user profiles are loaded for that particular shell. During this sequence, the shell checks the ownership and permissions of each startup file loaded.

Any restrictions configured for the shell are not applied while loading a secure profile; that is, a file owned by root and only writable by root. Any restrictions configured for the shell are only applied if the profile is not secure. For example, if PATH is configured as a read-only variable in the policy file, and the built-in command cd is forbidden, then the PATH initialization in the secure system profile /etc/profile is allowed without restriction or authorization, but any attempt to change the PATH variable or to run the cd command in the insecure user’s personal profile, or during the interactive login session will be forbidden.

Additional Shell Considerations

The restrictions are applied to the shell in this order:

  1. forbidden commands list
  2. allowed commands list
  3. allowed pipe list, if the input is a pipe

The shell, and the commands run from within it, are executed as the selected runuser and rungroup for the shell program. Once the shell is running, you cannot change the runuser or rungroup for authorized commands within the shell. To run an individual shell command as a different user, use pmrun <cmd>.

You can change the arguments to a command running within a shell, its environment variables, and its priority. For example, if you configure the shell to authorize built-in commands, you can prevent a user from changing to any directory other than the user's home directory by removing every argument except the first from the cd command:

if (runcommand == "cd")
   runargv = { runargv[0] };   # keep only the command name (runargv[0]) so cd always returns to the user's home directory

The exec command is always forbidden if an attempt is made to run it from the top-level interactive shell process, as this would overlay the existing controlled Privilege Manager shell with an unrestricted shell. For example, an attempt to run this command from an interactive shell is forbidden:

exec /bin/sh
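The restricted-mode rules above (no pathnames, no alias that substitutes a pathname, no redirection, no cd, read-only PATH/SHELL/ENV), the refusal of exec from the top-level shell, and the forbidden / allowed / allowed-pipe list order can be exercised on constructed command lines. The following Python model is an added illustration and is not Privilege Manager code; pmshell enforces these rules inside the shell binary. The function names, the alias table and the "authorize" outcome for a command that matches none of the three lists (assumed here to mean the request is forwarded to the policy server) are assumptions made for the example.

```python
"""Model of the restricted-mode rules and list-check order described above.

Added illustration, not Privilege Manager code: pmshell enforces these rules
inside the shell binary. The two functions mimic the documented rules on
constructed command lines so the effect of each rule can be seen; the
'authorize' outcome for commands matching no list is an assumption about the
fall-through case (the request goes to the policy server for authorization).
"""
import shlex

# Variables the page lists as unchangeable in restricted mode
READONLY_VARS = {"PATH", "SHELL", "ENV"}


def restricted_mode_check(cmdline, aliases=None):
    """Return (allowed, reason) for one command line typed into a restricted pmshell."""
    aliases = aliases or {}
    # Rule: no I/O redirection with ">" or "<"
    if ">" in cmdline or "<" in cmdline:
        return False, "I/O redirection is not permitted"
    try:
        words = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"cannot parse command line: {exc}"
    if not words:
        return True, "empty command line"
    # Rule: PATH, SHELL and ENV cannot be changed (e.g. PATH=/tmp:$PATH)
    name, is_assignment, _ = words[0].partition("=")
    if is_assignment and name in READONLY_VARS:
        return False, f"{name} is read-only in restricted mode"
    cmd = words[0]
    # Rule: no change of directory
    if cmd == "cd":
        return False, "changing directory is not permitted"
    # exec is refused from the top-level interactive shell in any pmshell,
    # restricted or not, because it would overlay the controlled shell
    if cmd == "exec":
        return False, "exec would overlay the controlled shell"
    # Rule: an alias whose substituted command is a pathname is refused too
    if cmd in aliases:
        substituted = shlex.split(aliases[cmd])[0]
        if "/" in substituted:
            return False, f"alias {cmd!r} substitutes the pathname {substituted!r}"
        cmd = substituted
    # Rule: only built-ins or names resolved through the read-only PATH
    if "/" in cmd:
        return False, "absolute and relative pathnames are not permitted"
    return True, f"{cmd!r} will be resolved through the read-only PATH"


def list_check_order(cmd, forbidden, allowed, allowed_pipe, stdin_is_pipe):
    """Apply the shell's lists in the documented order: forbidden list, then
    allowed list, then allowed pipe list (only when the command's input is a
    pipe). Returns 'reject', 'accept' or 'authorize'.
    """
    if cmd in forbidden:                        # 1. forbidden list wins outright
        return "reject"
    if cmd in allowed:                          # 2. accept with no further authorization
        return "accept"
    if stdin_is_pipe and cmd in allowed_pipe:   # 3. pipe list, input is a pipe
        return "accept"
    return "authorize"                          # anything else: policy server decides (assumed)


if __name__ == "__main__":
    # Constructed command lines, including the three examples from the page
    for line in ("ls -l", "/usr/bin/ls", "./", "ll", 'echo "hello" > /tmp/file',
                 "cd /etc", "PATH=/tmp:$PATH", "exec /bin/sh"):
        ok, why = restricted_mode_check(line, aliases={"ll": "/bin/ls -F"})
        print(f"{'allow' if ok else 'deny ':5} {line:28} {why}")
```

Because the forbidden list is consulted first, a command that appears in both the forbidden and the allowed lists is rejected; the pipe list only matters when the command's standard input is a pipe.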

A Privilege Manager-enabled shell requires two connections to the policy server host. One is used for keystroke logging by the shell program itself, and one is used for authorization of commands executed during the shell session.

allowed_pmshells = { "pmsh", "pmcsh", "pmksh" };

# pmshell is only defined if the request is a shell, or a command run from within a shell
if (defined pmshell) {
   # Configure Privilege Manager Shells
   if ( pmshell_cmd == 0 ) {
      if ( pmshell_prog in allowed_pmshells ) {
         print("Starting Privilege Manager Shell");
         # Restricted Shell: 0=disable|1=enable
         pmshell_restricted = 1;
         # Force checking of Shell BuiltIns: 0=disable|1=enable
         pmshell_checkbuiltins = 1;
         # list of commands to accept without further authorization.
         pmshell_allow = { "ls", "man" };
         accept;
      }
      else {
         reject "You are not authorized to run this shell";
      }
   }
   # Authorize all commands executed from within a shell
   else {
      # Define list of commands allowed to run as the root user.
      privileged_cmds = { "/sbin/service", "/usr/bin/kill", "/usr/bin/id" };
      if ( command in privileged_cmds ) {
         runuser = "root";
         rungroup = "root";
         print("Executing command as user: " + runuser);
         accept;
      }
      else {
         reject "You are not authorized to run this command from within the shell";
      }
   }
}

Configuring Privilege Manager for Policy Scripting


NOTE: If you have successfully completed the Privilege Manager installation and you are new to Privilege Manager for Unix, Quest recommends that you work through the semi-interactive lessons in Policy Scripting Tutorial. This will help familiarize you with the basic functionality of Privilege Manager.

Configuration Prerequisites

Before you configure Privilege Manager, make sure

  • TCP/IP is configured and running on all relevant machines.
  • Applications, files, and accounts you wish to access using Privilege Manager are available from all servers.
  • pmrun is in a directory in the user's PATH and is executable. pmrun is owned by root, and has the SETUID bit turned on.
  • pmmasterd and pmlocald are set up in /etc/services (this is created by the pmsrvconfig installation script).

    This is a sample services file:

    pmmasterd 12345/tcp 
    pmlocald 12346/tcp
  • The /etc/opt/quest/qpm4u/pm.settings file has been set up (this is done by pmsrvconfig).

    This is a sample pm.settings file, showing you the defaults for each setting:

    kerberos NO
    encryption AES
    reconnectClient NO
    reconnectAgent NO
    clientVerify NONE
    FailOverTimeOut 10
    Certificates NO
    selecthostrandom YES
    shortnames YES
    syslog YES
    pmservicedLog /var/log/pmserviced.log
    masterport 12345
    localport 12346
    tunnelport 12347
    masters qpm4u
    pmmasterdlog /var/log/pmmasterd.log
    pmmasterdEnabled YES
    pmmasterdOpts -ar
    policymode pmpolicy
    pmlogGroup pmlog
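The masterport and localport values in pm.settings have to agree with the pmmasterd and pmlocald entries that pmsrvconfig writes to /etc/services; a mismatch otherwise surfaces only as a connection failure when the daemons start. The following Python script is an added example and not One Identity code: it parses the two files and reports inconsistencies. The two text samples are constructed from the excerpts above, the REQUIRED_KEYS set is an assumption about which settings a deployment cannot do without, and treating "#" as a comment marker in pm.settings is also an assumption.

```python
"""Parse pm.settings and cross-check it against the /etc/services entries.

Added example, not One Identity code. The two text samples are constructed
from the pm.settings and services excerpts in this section; REQUIRED_KEYS is
an assumption about which settings a deployment cannot do without, and '#'
comment handling is assumed. The check confirms that masterport/localport
agree with the ports pmmasterd/pmlocald are registered under.
"""

# Constructed copy of the sample pm.settings shown above
SAMPLE_PM_SETTINGS = """\
kerberos NO
encryption AES
reconnectClient NO
reconnectAgent NO
clientVerify NONE
FailOverTimeOut 10
Certificates NO
selecthostrandom YES
shortnames YES
syslog YES
pmservicedLog /var/log/pmserviced.log
masterport 12345
localport 12346
tunnelport 12347
masters qpm4u
pmmasterdlog /var/log/pmmasterd.log
pmmasterdEnabled YES
pmmasterdOpts -ar
policymode pmpolicy
pmlogGroup pmlog
"""

# Constructed /etc/services excerpt (the two lines pmsrvconfig adds)
SAMPLE_SERVICES = """\
pmmasterd 12345/tcp
pmlocald 12346/tcp
"""

# Assumed minimum set of keys a usable pm.settings must carry
REQUIRED_KEYS = {"masters", "masterport", "localport", "policymode", "encryption"}


def parse_pm_settings(text):
    """Return {setting: value}; each line is '<key> <value>', '#' starts a comment."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"pm.settings line {lineno}: expected '<key> <value>', got {raw!r}")
        settings[parts[0]] = parts[1]
    return settings


def parse_services(text):
    """Return {(name, proto): port} from /etc/services-style lines."""
    services = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        services[(fields[0], proto)] = int(port)
    return services


def check_settings(settings, services):
    """Return a list of problems; an empty list means the two files are consistent."""
    problems = [f"missing required setting: {k}" for k in sorted(REQUIRED_KEYS - settings.keys())]
    for key, svc in (("masterport", "pmmasterd"), ("localport", "pmlocald")):
        if key not in settings:
            continue
        if not settings[key].isdigit():
            problems.append(f"{key} is not a port number: {settings[key]!r}")
            continue
        registered = services.get((svc, "tcp"))
        if registered is None:
            problems.append(f"{svc}/tcp is not defined in /etc/services")
        elif registered != int(settings[key]):
            problems.append(f"{key}={settings[key]} but /etc/services registers {svc}/tcp on {registered}")
    return problems


if __name__ == "__main__":
    cfg = parse_pm_settings(SAMPLE_PM_SETTINGS)
    svc = parse_services(SAMPLE_SERVICES)
    print(check_settings(cfg, svc) or ["pm.settings and /etc/services are consistent"])
```

On a real host, read /etc/opt/quest/qpm4u/pm.settings and /etc/services instead of the constructed samples and run the check before starting pmmasterd and pmlocald.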
