pmshell_interpreter
Description
Type string READONLY
pmshell_interpreter is only defined if the command is running from within a Privilege Manager for Unix shell program. If the shell subcommand is an interpreted script (that is, the first line of the file contains a directive in the format #!<path>), this variable contains the pathname of the interpreter identified by that directive. Use it to detect, and reject, attempts to run an unrestricted shell script from within a restricted shell program.
Example
if (defined pmshell)
{
    printf("Starting %s shell\n", pmshell_prog);
    accept;
}
if ((defined pmshell_cmd) && (pmshell_cmd == true))
{
    # If running a restricted shell, do not allow the user to run a shell
    # script unless its interpreter is a Privilege Manager for Unix shell
    if (pmshell_restricted && (pmshell_cmdtype == pmshell_script))
    {
        if (dirname(pmshell_interpreter) != "/opt/quest/bin")
        {
            reject "Restricted shell only permits you to run a shell in the /opt/quest/bin directory";
        }
    }
}
pmshell_prog
Description
Type string READONLY
pmshell_prog is only defined if a Privilege Manager for Unix shell program is running. If a shell is running, it is set to the name of the shell program (pmsh, pmcsh, pmksh, pmloginshell, or pmbash).
Example
if (defined pmshell)
{
printf("Starting %s shell\n", pmshell_prog);
accept;
}
pmshell_script
Description
Type integer READONLY
pmshell_script is a constant value that identifies a shell script. Use it for comparison with the value of the pmshell_cmdtype variable.
Example
if (defined pmshell_cmd && (pmshell_cmdtype == pmshell_script))
{
    # Forbid any shell script unless its interpreter is a program in /opt/quest/bin
    if (dirname(pmshell_interpreter) != "/opt/quest/bin")
    {
        reject "You cannot run this script";
    }
}
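The two policy examples above (for pmshell_interpreter and pmshell_script) both rest on the same idea: read the #!<path> directive of the script the user is trying to run and compare the directory of that path with /opt/quest/bin. The following shell script is an added example, not code from the Privilege Manager for Unix documentation or product. It reproduces that extraction for an arbitrary file so the dirname test can be rehearsed against real scripts before it is written into the policy. It assumes, from the description's wording "the pathname of the interpreter identified by this directive", that the path is taken literally, so a script beginning #!/usr/bin/env bash reports /usr/bin/env, not bash; the sample scripts it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the Privilege Manager for Unix documentation.
# shebang_interpreter() does for an arbitrary file what pmshell_interpreter
# exposes to the policy: it extracts the interpreter pathname from the "#!"
# directive on the first line. interpreter_allowed() then applies the same
# dirname test the policy examples use.
#
# Assumption (our reading of "the pathname of the interpreter identified by
# this directive"): the path is taken literally, so "#!/usr/bin/env bash"
# yields /usr/bin/env, not bash.

# shebang_interpreter FILE
#   Print the interpreter pathname from FILE's "#!" line.
#   Return 1 and print nothing if FILE is unreadable or has no directive.
shebang_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
        '#!'*) ;;
        *) return 1 ;;
    esac
    # Drop "#!" and any blanks after it, keep only the first word (the path),
    # and tolerate a CRLF line ending.
    interp=$(printf '%s\n' "$first" | tr -d '\r' \
        | sed -e 's/^#![[:blank:]]*//' -e 's/[[:blank:]].*$//')
    [ -n "$interp" ] || return 1
    printf '%s\n' "$interp"
}

# interpreter_allowed FILE DIR
#   Succeed only if FILE is an interpreted script whose interpreter lives
#   directly in DIR. This is the shell equivalent of the policy test
#   dirname(pmshell_interpreter) == DIR; a file with no directive fails too,
#   just as pmshell_interpreter is undefined for a binary.
interpreter_allowed() {
    interp=$(shebang_interpreter "$1") || return 1
    [ "$(dirname "$interp")" = "$2" ]
}

# Demonstration on constructed scripts in a temporary directory.
demo_dir=$(mktemp -d)
printf '#!/opt/quest/bin/pmsh\nid\n' > "$demo_dir/quest.sh"
printf '#!/bin/sh\nid\n' > "$demo_dir/plain.sh"
printf '#!/usr/bin/env bash\nid\n' > "$demo_dir/env.sh"
printf 'id\n' > "$demo_dir/nodirective.sh"
for f in quest.sh plain.sh env.sh nodirective.sh; do
    interp=$(shebang_interpreter "$demo_dir/$f" || echo '(no #! line)')
    if interpreter_allowed "$demo_dir/$f" /opt/quest/bin; then
        printf '%-16s allowed   interpreter=%s\n' "$f" "$interp"
    else
        printf '%-16s rejected  interpreter=%s\n' "$f" "$interp"
    fi
done
rm -rf "$demo_dir"
```

Only quest.sh passes: plain.sh is rejected because /bin is not /opt/quest/bin, env.sh is rejected because the directive's own path is /usr/bin/env, and nodirective.sh is rejected because it carries no directive at all. Note that the check says nothing about what the interpreter actually is, only where it lives, so the directory it compares against must be one that unprivileged users cannot write to.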
pmshell_uniqueid
Description
Type string READONLY
pmshell_uniqueid is only defined if the command is a shell subcommand running from a Privilege Manager for Unix shell (pmsh, pmcsh, pmksh, and pmbash). It contains the uniqueid of the session running the shell program. It allows the individual commands running within the shell to be identified as part of the same shell session when viewing the audit log entries.
Example
#!/bin/sh
# Shell script example: print out all shell commands for each shell run on
# 15 January 2009.

# Constraint to select pmshell programs running on the selected date
constraint="(date==\"2009/01/15\") && (pmshell==1) && (pmshell_cmd==0)"
# Format to display user and shell program name
userformat="sprintf(\"User:%s, shell:%s\", user, pmshell_prog)"
# Format to display shell subcommand name and time
shellformat="sprintf(\"  Time:%s, ShellCommand:%s\n\", time, runcommand)"

# Find the unique IDs for all shell sessions
allids=$(/bin/sh -c "pmlog -p 'sprintf(\"%s\", uniqueid)' -c '${constraint}'")

# For each shell session, print out the username and shell program name,
# then each shell command run from the shell with the time it was executed
for one in $allids
do
    cmd="pmlog -p '${userformat}' -c 'uniqueid==\"${one}\"'"
    /bin/sh -c "${cmd}"
    cmd="pmlog -p '${shellformat}' -c 'pmshell_uniqueid==\"${one}\"'"
    /bin/sh -c "${cmd}"
done