Description
Type list READ/WRITE
pmshell_forbid contains a list of regular expressions loaded on startup by the Privilege Manager for Unix shell programs: pmsh, pmcsh, pmksh, and pmbash. The list may contain regular expressions.
Any command entered by the user during the shell session, that matches one of these expressions, will be forbidden without any further authorization by the pmmasterd, and will not be logged as an event. All shell subcommands are matched with this list before checking the allowed list. By default, the variable contains an empty list.
Example
pmshell_forbid = {"kill","passwd"};
Description
Type list READONLY
pmshell_readonly is only defined if the command is a shell subcommand running from within a Privilege Manager for Unix shell program (pmsh, pmcsh, and pmksh). You can set this variable to a list of environment variables to mark as readonly in the shell. It defaults to an empty list.
Example
if (defined pmshell)
{
#set some application specific readonly variables for the shell
pmshell_readonly={"PATH", "SHELL", "APPL_HOME"};
}
Description
Type string READ/WRITE
The pmshell_reject string is displayed by the Privilege Manager for Unix shell programs (pmsh, pmcsh, pmksh, and pmbash) for any shell subcommands rejected because they are listed in pmshell_forbid. The default is "Request Rejected".
Example
pmshell_reject = "Your request has been rejected by the shell";
Description
Type integer READ/WRITE
If pmshell_restricted is set to true, then the Privilege Manager for Unix shell program is run as a restricted shell. This means that the user cannot:
-
change directory
-
change the PATH, SHELL, or ENV variables
-
run any command that is not found in the PATH
-
run any command identified by full pathname
-
Overwrite any existing files using output redirection (such as, echo "" > /etc/passwd)
These restrictions are applied without any further authorization by the policy server. The default for this variable is false.
This variable is applicable to the pmsh, pmcsh, pmksh, and pmbash programs.
Example
if (user != "root")
{
pmshell_restricted = true;
}