Step-by-Step Task Processing

To make the following information more concise and easier to understand, this guide assumes that Privilege Management for Unix and Linux is installed on all of the machines that are involved. The guide also presumes that the network is functioning and there are sufficient resources (memory and disk space) to run the application and log what is required. Error processing within Privilege Management for Unix and Linux reports these problems when they occur.

This section describes the process that occurs when a task is submitted in Privilege Management for Unix and Linux, and indicates which modes use each part of the process.

There are three modes for Privilege Management for Unix and Linux:

  • Normal Mode: In this mode, all tasks are performed including those that are run by pblocald.
  • Optimized Run Mode: In this mode, after pbmasterd has accepted a request, the specified task runs directly on the submit host, without invoking pblocald. Doing this enables the administrator to use pbmasterd to validate a command, log the commands that are started in the event log, and record an I/O log for the secured task. The optimized run mode also reconfirms the password, performs time-out processing, and logs the status.
  • Local Mode: In this mode, after pbmasterd has accepted a request, the specified task runs directly on the submit host, without invoking pblocald. This mode enables the administrator to use pbmasterd to authorize a command and log the accepted task; all other Privilege Management for Unix and Linux functionality is bypassed.

The following table summarizes the steps that are used for each of the three modes. An X represents a task that is processed by a specific mode, and N/A means that the task does not apply in the specified mode.

Process Task                 Normal Mode                               Optimized Run Mode                        Local Mode
Secure task submitted        X                                         X                                         X
Policy Server daemon starts  X                                         X                                         X
Policy file processing       X                                         X                                         X
Local daemon started         X                                         N/A                                       N/A
Log daemon started           pblocald                                  pbrun                                     pbrun
pbrun/pblocald reconnect     X                                         N/A                                       N/A
runconfirmuser check         pblocald                                  pbrun                                     N/A
Executable check             pblocald                                  pbrun                                     pbrun
Secured task runs            X                                         X                                         X
Time-out processing          X                                         X                                         N/A
Secured task ends            X                                         X                                         X
pblocald completes           X                                         N/A                                       N/A
pblogd completes             Logs exit status and closes the I/O log   Logs exit status and closes the I/O log   Closes I/O log
pbmasterd completes          X                                         X                                         X
pbrun completes              X                                         X                                         X

The initial step is for a user to execute pbrun. This is done either from the command line as:

pbrun list

or from a shell script such as:

#!/bin/sh
/usr/local/bin/pbrun list

where list is the task that is being requested. pbrun checks the settings file and sends the request with other information from the submit host to a policy server daemon that is specified in the submitmasters setting.

The policy server daemon (pbmasterd) listens for requests from pbrun. When a request arrives, the policy server daemon checks its settings file. The policy server host settings file may be different from the settings file on the submit host because they may be on different machines. Validation that pbrun is trying to connect is performed and the rest of the policy server processing continues.

If there is an error at any point in the settings file validation or in the verification of the pbrun connection, then pbmasterd stops and, when possible, sends a message through the pbrun session to the user. Client host name checks are also performed.

The main action of the policy server daemon is to confirm that the user may run a request, and to modify or set values for the request. Values can be set in the policy file that affect how the policy server daemon runs.

The values that are set in the policy file are shown in the following table:

Policy Value      Description
eventlog          Specifies the file in which the events are logged.
iolog             Identifies the file in which the I/O streams are logged.
localmode         Deprecated in favor of Optimized Run Mode processing. This mechanism allowed execution on the local host without the use of pblocald, at the expense of several features that were not available. Optimized Run Mode processing provides all of the features that localmode lacks, also without using pblocald.
lognopassword     Specifies whether passwords should be logged.
lognoreconnect    Identifies whether the log server should be allowed to run through pblocald or stay connected to pbmasterd, and whether pblocald should be allowed to connect to pbrun on the submit host or stay connected to pbmasterd. In Optimized Run Mode, this has no effect.
noreconnect       Controls whether the policy server daemon should stay connected.

If necessary as part of the processing, the policy server daemon communicates with the pbrun session to get further information from the user, such as passwords or input.

If the log daemon is used and the logmktemp() function is called, then pbmasterd starts the log daemon to create a log file on the log host. If the policy language variable lognoreconnect allows it, the log server reconnects to pblocald when the secured task is ready to run.

If the processing of the policy file reaches an accept statement, then pbmasterd tries to connect to pblocald on the run host.

If the processing of the policy file reaches a reject statement, then pbmasterd logs the result (possibly through the log server daemon) and terminates the request.

If the log daemon is being used, then pbmasterd tries to connect to the log daemon on the log host.

Privilege Management for Unix and Linux 8.0.2 adds a new policytimeout mechanism to protect against policies that appear nonresponsive.

As soon as an accept or reject statement executes, policy file processing stops. No further policy file processing takes place.

Local Daemon Started (Normal Mode)

The local daemon listens for requests from pbmasterd. When one arrives, it checks its settings file. The run host settings file may be different from the settings file on the policy server host because they can be on different machines. Validation that pbmasterd is trying to connect is performed and the rest of the local processing continues. The local daemon immediately determines whether it can accept requests from the policy server daemon by comparing the host to the acceptmasters line in the settings file.

If there is an error at any point in the settings file validation or in the verification that pbmasterd is trying to connect to the local daemon, then the process stops. When possible, a message is sent via the pbmasterd session to the pbrun session for the user. Policy server host name checks are also performed.

Log Daemon Started (All Modes)

The log daemon listens for requests from pbmasterd or pblocald. When one arrives, it checks its settings file. The log host settings file can be different from the settings file on the policy server host or run host because they can be on different machines. Validation that pbmasterd or pblocald is trying to connect is performed and the rest of the local processing continues.

If there is an error at any point in the settings file validation or in the verification that pbmasterd or pblocald is trying to connect, then the log daemon stops. When possible, a message is sent through the requesting session to the pbrun session for the user. pblocald starts the log daemon in normal mode, and pbrun starts the log daemon in local mode and optimized run mode.

If pbmasterd does not need to stay in the middle of the connection between pbrun and pblocald, it instructs pbrun and pblocald to connect directly to each other. pbmasterd then exits.

pbmasterd removes itself when the following are all true:

  • A log daemon is used.
  • The noreconnect and lognoreconnect variables are false.

If these conditions are not met, then pbmasterd remains in the job stream and passes the data from pbrun to pblocald.

The only reason a policy server daemon would need to stay in the middle of a connection is that the policy server daemon is located between two subnets that do not normally allow traffic between them.

With all sessions now established, the pblocald session determines whether the runconfirmuser variable is set and, if so, requests the run host password for the runconfirmuser user from the pbrun session. If this request fails three times, then the pblocald session stops.

pblocald does some final checking before starting the actual command. If the runcksum or runcksumlist variable is set, pblocald determines whether the checksum of the command in runcommand matches the value in runcksum or runcksumlist. If the runmd5sum or runmd5sumlist variable is set, pblocald determines whether the MD5 checksum of the command in runcommand matches the value in runmd5sum or runmd5sumlist.

To log the checksum of the runcommand being compared against runcksum, runcksumlist, runmd5sum, or runmd5sumlist, use the policy variable logcksum.

These actions provide protection against viruses, Trojan horses, or other unintentional changes to the program file. pblocald also runs secure command checks. The final checking is done by pblocald for the normal mode and by pbrun in the optimized run mode and local mode.

When pblocald reaches this point, it can finally execute the command specified in the runcommand variable. pblocald first checks that runcommand points to an executable file. If the file is not found or cannot be executed, pblocald stops and an error is sent back to the pbrun session.
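The executable check and the runcksum/runmd5sum comparison described above, as an added Python illustration that is not part of the product's code: the file named by runcommand must exist and be executable, and its checksum and MD5 must appear in whichever expected lists are set. It assumes that runcksum values are in POSIX cksum(1) form; the function names and the sample script are constructed for the example.

```python
import hashlib
import os
import tempfile

# CRC used by POSIX cksum(1): poly 0x04C11DB7, MSB-first, byte count folded in, complemented.
_POLY = 0x04C11DB7
_TABLE = []
for _i in range(256):
    _c = _i << 24
    for _ in range(8):
        _c = ((_c << 1) ^ _POLY) if _c & 0x80000000 else (_c << 1)
    _TABLE.append(_c & 0xFFFFFFFF)

def _crc_bytes(crc, data):
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]
    return crc
def posix_cksum(data):  # the number cksum(1) prints for these bytes (assumed runcksum form)
    crc, n = _crc_bytes(0, data), len(data)
    while n:            # cksum also hashes the byte count, low byte first
        crc = _crc_bytes(crc, bytes([n & 0xFF]))
        n >>= 8
    return (~crc) & 0xFFFFFFFF
def executable_check(runcommand):  # "runcommand points to an executable file"
    if not os.path.isfile(runcommand):
        return False, "not found"
    if not os.access(runcommand, os.X_OK):
        return False, "not executable"
    return True, "ok"
def integrity_check(path, runcksumlist=(), runmd5sumlist=()):
    # A list that is not set is not enforced; a set list must contain the file's actual value.
    with open(path, "rb") as fh:
        data = fh.read()
    cksum, md5 = str(posix_cksum(data)), hashlib.md5(data).hexdigest()
    ok = (not runcksumlist or cksum in runcksumlist) and \
         (not runmd5sumlist or md5 in runmd5sumlist)
    return ok, cksum, md5        # cksum and md5 are the values logcksum would record

def demo():  # constructed sample: a tiny script stands in for the secured task's runcommand
    body = b"#!/bin/sh\nls\n"
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "list")
        with open(script, "wb") as fh:
            fh.write(body)
        os.chmod(script, 0o755)
        _, status = executable_check(script)
        allowed, cksum, _ = integrity_check(script, runmd5sumlist=[hashlib.md5(body).hexdigest()])
        tampered, _, _ = integrity_check(script, runcksumlist=["0"])  # expected value does not match
        return {"status": status, "allowed": allowed, "tampered_allowed": tampered, "cksum": cksum}
```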

pblocald sets up the run environment as follows:

  • The runtime environment to execute the command is established according to the values in the runenv list.
  • The user that is specified in the runuser variable runs the command.
  • The utmp entry is written with the runutmpuser variable value as the user.
  • The syslog is updated.
  • The group is the value of the rungroup variable.
  • The secondary groups are the value of the rungroups variable.
  • The arguments to the command are the values that are specified in the runargv variable. The current directory is the value that is specified in the runcwd variable.
  • The umask is the value of the runumask variable.
  • The nice priority is the value of the runnice variable.
  • If the runchroot variable is set, then the top of the file system is set via chroot.
  • The processing of HUP signals is set based on the value of the runbkgd variable.
  • pblocald then starts the command.

If there is a mastertimeout, submittimeout, or runtimeout in effect (as specified in the policy or overridden by a client’s runtimeout keyword in the settings), then the session terminates if there is no input or output activity within the specified number of seconds. These timeouts are effective only after the policy has accepted a request, during the lifetime of the secured task.

The Privilege Management for Unix and Linux 8.0.2 policytimeout() procedure provides a timeout mechanism that is effective during policy processing (before an accept or reject). This allows protection against pbmasterd/policy that appears nonresponsive waiting for user input, infinite loops within the policy, etc.

At some point the task ends, because the command finished, the user interrupted it by pressing CTRL+C, or it was exited in some other way.

pblocald recognizes task completion and stops processing. It captures the reason for the completion (such as a signal or an exit code) and sends it for logging as the exitstatus variable. The exittime and exitdate are also logged. In normal mode, pblocald completes.

If a log server is used, then the I/O log is closed. For normal mode and optimized run mode, the exit status of the secured task is also logged.

If the pbmasterd session is still running, then it shuts down. The pblogd session also shuts down.

pbrun displays the exitstatus string of the secured task if an error or abnormal exit is detected.

The exit status of the secured task is also returned in the pbrun exit status value.

For more information, please see your Unix/Linux man pages.