Description
Type integer READONLY
pmshell_exe contains a constant value that identifies a normal executable command. Use it to compare with the value of the pmshell_cmdtype variable.
Example
if (defined pmshell_cmd){
if (pmshell_cmdtype == pmshell_exe)
{
if (basename(runcommand) in shell_sub_list) {
accept;
}
}
}
Description
Type integer READONLY
pmshell_interpreter is only defined if the command is running from within a Privilege Manager for Unix shell program. If the shell subcommand is an interpreted script (that is, the first line of the file contains a directive in the format #!<path>) then this variable contains the pathname of the interpreter identified by this directive. Use this variable to detect and reject a user from running an unrestricted shell script from within a restricted shell program.
Example
if (defined pmshell)
{
printf("Starting %s shell\n", pmshell_prog);
accept;
}
if ((defined pmshell_cmd) && (pmshell_cmd == true))
{
# if running a restricted shell, then don't allow the user to run a shell
# script unless it's a Privilege Manager for Unix shell
if (pmshell_restricted && (pmshell_cmdtype == pmshell_script))
{
if (dirname(pmshell_interpreter) != "/opt/quest/bin")
{
reject "Restricted shell only permits you to run a shell in the
/opt/quest/bin directory";
}
}
Description
Type string READONLY
pmshell_prog is only defined if a Privilege Manager for Unix shell program is running. If a shell is running, it is set to the name of the shell program (pmsh, pmcsh, pmksh, pmloginshell, or pmbash).
Example
if (defined pmshell)
{
printf("Starting %s shell\n", pmshell_prog);
accept;
}
Description
Type integer READONLY
pmshell_script is a constant value that identifies a shell script. Use it for comparison with the value of the pmshell_cmdtype variable.
Example
if (defined pmshell_cmd && (pmshell_cmdtype == pmshell_script))
{
#forbid any shell scripts unless interpreter is a program in /opt/quest/bin
if (dirname (pmshell_interpreter) != "/opt/quest/bin"))
{
reject "You cannot run this script";
}
}