Privilege Management for Unix and Linux Shells

  • Version 3.5 and earlier: Privilege Management for Unix and Linux: shells not available.
  • Version 4.0 and later: Privilege Management for Unix and Linux shells available.

The Privilege Management for Unix and Linux shells provide transparent command line access to Privilege Management for Unix and Linux without the use of pbrun. These shells are based on the public-domain Korn shell and provide the following features:

  • Bourne (pbsh) and Korn (pbksh) variants: The Korn shell variant offers a convenient user interface that includes command history, command editing, and so on. The Bourne shell variant is optimized for shell scripts, size, and performance by leaving out the extra user-interface layer.
  • Transparent authorization for every command, redirection, and built-in command.
  • Control of shell scripts.
  • I/O logging for the entire shell session or for selective commands.
  • Event logging for every command, redirection, and built-in command.
  • No need for wrapped shells.
  • Native-root mode for maintenance.
  • Enabling debug trace logging.

Beginning with Privilege Management for Unix and Linux 5.0, the shells pbsh and pbksh honor the runuser, rungroup, and runumask settings for built-ins and I/O redirection. This feature enables built-ins to run with elevated privileges without having to elevate the privileges of the entire shell. In addition, files that are created with I/O redirection have their ownership and permissions set according to these variables.

Processing

When a shell starts, it first contacts a Policy Server host to establish its initial environment. After the initial environment is established, the Policy Server host is contacted for every command, shell built-in, and shell redirection, depending on the user, the environment, and the shell settings that are described in this section.

Shell Startup

At startup time, the shell contacts a policy server host to establish the initial environment. After the initial environment is set, it does not change for the life of that shell. Shell start is sent to the policy server host with the following characteristics:

  • localmode is set to true; startup is internal to the shell, and must be run in local mode.
  • pbclientmode is set to shell start.
  • Command contains the name of the shell.
  • argv contains the arguments to the shell, including the shell name.

The policy configuration language can determine that this is a shell startup by testing the variable pbclientmode for the value shell start. The shell startup is always run in local mode. The policy can control the shell startup through several variables:

  • shellallowedcommands: A list of commands that the shell can execute without consulting a policy server and without logging. Shell pattern-matching characters are allowed. Judicious use of this list can reduce processing and network overhead. The default is an empty list, which makes the shell consult a policy server host for every command.
  • shellforbiddencommands: A list of commands that the shell should reject without consulting a policy server and without logging. Shell pattern-matching characters are allowed. Judicious use of this list can reduce processing and network overhead. The default is an empty list.
  • shellcheckbuiltins: When set to true, the shell consults a policy server host for every shell built-in command as if it were a command. The default is false.
  • shellcheckredirections: When set to true, the shell consults a policy server host for every redirection attempt as if it were a command. The default is false. The shell redirections that the shells can check include <, > and >>.
  • shelllogincludefiles: When set to true, the shell logs I/O streams for included (sourced) shell scripts, such as .profile. The default is false.
  • shellreadonly: A list of environment variables that are made read-only in the shell session. The default is an empty list.
  • shellrestricted: When set to true, the shell is run as a restricted shell using the shell’s native restrictions. The default is false. These native restrictions include:
    • The change directory built-in command, cd, is disabled.
    • The environment variables SHELL, ENV, and PATH are set to read-only.
    • Command names do not allow absolute or relative paths.
    • Redirections that create files are not allowed (>, >>, <> and >|).
    • The iolog setting contains the full path of an I/O log file that records the entire shell session.

Shell Commands

Every command that the shell processes, except those that are in the shellallowedcommands or shellforbiddencommands lists, are authenticated by a policy server host. The commands are sent to the policy server host with the following characteristics:

  • localmode is set to true: The policy can override this setting by setting runlocalmode to false.
  • pbclientmode is set to shell command.
  • command contains the full path of the command.
  • argv contains the arguments to the command, including the program name.

If you want to log the I/O streams for a specific command, then you can set the iolog variable to an I/O log file name, and the set runlocalmode variable to false.

If the iolog variable is set to an I/O log file name but a log server is not accessible or is not specified in the logservers setting, then the I/O log is stored locally on the machine where the shell is invoked.

If shellallowedcommands and shellforbiddencommands are set, then commands are examined with the following precedence:

  1. Commands that exactly match (no shell pattern-matching characters) in the shellallowedcommands list are accepted.
  2. Commands that exactly match (no shell pattern-matching characters) in the shellforbiddencommands list are rejected.
  3. Commands that match templates (with shell pattern-matching characters) in the shellallowedcommands list are accepted.
  4. Commands that match templates (with shell pattern-matching characters) in the shellforbiddencommands list are rejected.
  5. All other commands are sent to a policy server host.

Shell Built-in Commands

All shells contain built-in commands, that is, commands that are part of the shell rather than separate programs. The built-in commands include:

. exit pwd true
: export read typeset
bg false readonly ulimit
bind fc return umask
break fg set unalias
builtin getopts shift unset
cd hash test wait
continue jobs [ and ] whence
echo kill time  
eval let times  
exec print trap  

 

When shellcheckbuiltins is set to true, the built-in commands are sent to a policy server host with the following characteristics:

  • localmode is set to true; built-in commands are internal to the shell, and must be run in local mode.
  • pbclientmode is set to shell builtin.
  • Command contains the name of the built-in command.
  • argv contains the arguments to the built-in command, including the built-in command name.

Shell Redirections

All shells enable I/O redirection. When shellcheckredirections is set to true, any redirection that reads or writes a file is sent to a policy server host with the following characteristics:

  • localmode is set to true; redirections are internal to the shell, and must be run in local mode.
  • pbclientmode is set to shell redirect.
  • argv[0] contains shell redirect read, shell redirect write, or "".
  • argv[1] contains the name of the file.

Shell Script Processing

When a shell executes an authorized script file, it attempts to execute it in the following sequence:

  1. If the script starts with an interpreter line (#!<program name>), then the shell executes the script with the named program.
  2. If there is no interpreter program, then the shell looks for the environment variable EXECSHELL and executes the script with that value.
  3. If there is no EXECSHELL, then the shell looks for the environment variable SHELL and executes the script with that value.
  4. If there is no SHELL, then the shell executes the program with /bin/sh.

If the script is executed by one of the Privilege Management for Unix and Linux shells, then all of the commands within the script are controlled by Privilege Management for Unix and Linux. If any other program executes the script, then the script is run in its entirety with no further control from Privilege Management for Unix and Linux.

Native Root Mode

All machines experience failures from time to time. When a network fails or no local policy server host is available, root may need to do maintenance, reboot the machine, and so on. In this case, the Privilege Management for Unix and Linux shells, when started by someone logged in as root, allow that user to perform the needed maintenance with minimal interference.

In this mode, the shells allow the native root user to perform all commands. It attempts to record events for all commands, built-in commands, and redirections, using a log server. Similarly, the shells attempt to log the I/O streams for the native root session. If the shell cannot contact a log server, then it logs both the events and the keystrokes to the local file system.

Enable Debug Trace Logging for pbsh and pbksh

You can enable debug trace logging for pbsh and pbksh, and the other Privilege Management for Unix and Linux components that participate in processing the shell commands.

To enable tracing for pbksh:

pbksh --debug=<level number>

The debug trace log can be found in same directory specified in the kshlog setting. To enable tracing for pbsh:

pbsh --debug=<level number>

The debug trace log can be found in same directory specified in the shlog setting.

For more information, please see Debug Trace Logging.