Saturday, July 31, 2010

What is pbrun command?

pbrun

Usage: pbrun [-v][-n][-p][-d option] [-h hostname]
          [-u username] command [args ...]


The pbrun command is used to request that an application or command be run in a controlled account. The user simply adds pbrun to the beginning of the command line, for example:
    pbrun backup /usr /dev/dat
pbrun then checks the /etc/pb.settings file to determine the master daemon to which it should send the request. Once it has contacted a master daemon, it sends a request to the daemon to run the application specified. As with the rlogin command, you can type ~^Z to suspend pbrun, or ~. to terminate it. Both must be typed at the beginning of a new line. pbrun has several options:
-d option
This outputs debugging information.
When option is connect, this displays debugging information regarding connections between clients and masters. TCP/IP socket information and machine-name lookup statistics can be useful for solving DNS and NIS problems. For example:
    pbrun -d connect ls
When option is time or ttime, this displays debugging information regarding the timing or total time of each subsection of the pbrun command. It is useful for isolating performance bottlenecks between networked machines and solving obscure timing problems. For example:
    pbrun -d time ls
-h hostname
allows the user to request a particular execution host that will run the request. If present, -h hostname must come before the command being requested.
-n
redirects the input of pbrun to /dev/null. You sometimes need this option to avoid unfortunate interactions between pbrun and the shell that invokes it. For example, if you are running pbrun and start a pbrun in the background without redirecting its input away from the terminal, it will block even if no reads are posted by the remote command. -n prevents this.
-p
puts pbrun into "pipe mode," in which all interactions with the user's terminal are done without changing any of the terminal parameters. Normally, pbrun puts the terminal into raw mode, so that programs such as text editors, which require raw mode, can run properly under pbrun. Pipe mode is useful when several pbrun commands must be piped together, for example:
    pbrun -p ls /etc/secure | pbrun -p dbadd listing
-u username
sets the requesting user to be username.
-v
displays the current version number of pbrun.
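The option rules above are easy to get wrong from a script: -h hostname has to precede the command, -d only accepts connect, time or ttime, and a backgrounded pbrun needs -n or it blocks on the terminal. The following front-end is an added example, not PowerBroker's own code, that assembles a pbrun request from named options so callers cannot misorder them. PBRUN_BIN is an assumed environment variable for this script only: it defaults to pbrun, and pointing it at a stand-in program lets the assembled request be inspected on a machine with no PowerBroker master.

```shell
#!/bin/sh
# Added example (not PowerBroker's own code): assemble a pbrun request from
# named options. Enforces the ordering rule from the text (-h hostname before
# the command), validates -d against connect|time|ttime, and exposes -n and
# -p as explicit switches. PBRUN_BIN (assumed, defaults to pbrun) names the
# program that receives the assembled arguments.

pb_submit() {
    # usage: pb_submit [-h host] [-u user] [-d connect|time|ttime] [-n] [-p] -- command [args...]
    # plain variables: POSIX sh has no 'local'
    host='' user='' debug='' nullin='' pipemode=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -h) [ $# -ge 2 ] || { echo "pb_submit: -h needs a hostname" >&2; return 2; }
                host=$2; shift 2 ;;
            -u) [ $# -ge 2 ] || { echo "pb_submit: -u needs a username" >&2; return 2; }
                user=$2; shift 2 ;;
            -d) case "$2" in
                    connect|time|ttime) debug=$2 ;;
                    *) echo "pb_submit: -d expects connect, time or ttime" >&2; return 2 ;;
                esac
                shift 2 ;;
            -n) nullin=1; shift ;;
            -p) pipemode=1; shift ;;
            --) shift; break ;;
            -*) echo "pb_submit: unknown option $1" >&2; return 2 ;;
            *)  break ;;
        esac
    done
    if [ $# -eq 0 ]; then
        echo "pb_submit: no command given" >&2
        return 2
    fi

    # "$@" now holds only the command and its arguments. Prepend the options in
    # reverse so the final order is -h, -u, -d, -n, -p, command: -h always ends
    # up ahead of the requested command, as pbrun requires.
    if [ -n "$pipemode" ]; then set -- -p "$@"; fi
    if [ -n "$nullin" ];   then set -- -n "$@"; fi
    if [ -n "$debug" ];    then set -- -d "$debug" "$@"; fi
    if [ -n "$user" ];     then set -- -u "$user" "$@"; fi
    if [ -n "$host" ];     then set -- -h "$host" "$@"; fi

    "${PBRUN_BIN:-pbrun}" "$@"
}

# Background submission: always adds -n, because a backgrounded pbrun that
# still reads the terminal blocks even if the remote command never reads
# its input (see the -n description above).
pb_submit_bg() {
    pb_submit -n "$@" &
}

# Pipe-mode chain mirroring the page's "pbrun -p ls /etc/secure | pbrun -p
# dbadd listing" example: both sides run in pipe mode, so neither side
# changes the terminal parameters.
pb_pipe_example() {
    pb_submit -p -- ls /etc/secure | pb_submit -p -- dbadd listing
}
```

Typical use is `pb_submit -h backuphost -u oper -- backup /usr /dev/dat`, which submits `pbrun -h backuphost -u oper backup /usr /dev/dat`; `pb_submit_bg -- longjob` is the safe way to background a request. Setting `PBRUN_BIN` to a function or program that just prints its arguments shows exactly what would be sent to the master without contacting one.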

Reference:
Chapter 20: Reference - Programs
http://www.uiweb.uidaho.edu/pb/pb27-20.htm

Chapter 15: Executing Programs within PowerBroker
http://www.uiweb.uidaho.edu/pb/pb27-15.htm

5 comments:

  1. When using pbrun to switch to another user with su, it automatically prompts "Reason for ID change:" and then logs you in as the new user. I want to send this reason from a shell script; the previous line would call pbrun su-otheruser,

  2. You'd better use CaclMgr for privilege delegation on UNIX/Linux and also in Windows 10's Ubuntu environment, as this software will make your system more secure than other privilege delegation software, such as PowerBroker and sudo.
    You can test CaclMgr and other security solutions I have set up at AWS:
    ssh tst1@13.54.182.224
    password: "just a test" without the double quotes.
    and check the README file for more info.

  3. Here is an example of how CaclMgr could protect your privilege delegation passphrase from being attacked by a memory snooper:
    tst1@wzisaws:~$ cacl id
    Your CaclMgr Passphrase: Killed: Memory Snooper uid=0 pid=25031 command=sleep 4

    That's a user in the root account doing:
    root@wzisaws:25014# ps -ef|grep cacl
    root 24422 24381 0 10:40 pts/0 00:00:01 cacl -e root bash
    root 25014 24973 1 12:22 pts/1 00:00:03 cacl -e root id
    root 25049 24423 0 12:26 pts/0 00:00:00 grep --color=auto cacl
    root@wzisaws:25014# pwd
    /proc/25014
    root@wzisaws:25014# sleep 4 < mem
    Killed
    root@wzisaws:25014#
    and if the root user tries to use strace, you will see:
    tst1@wzisaws:~$ cacl id
    Your CaclMgr Passphrase: Killed: Memory Snooper uid=0 pid=25031 command=sleep 4 (▒▒▒
    Killed: Memory Snooper uid=0 pid=25052 command=sleep 4 ৤▒
    Killed: strace uid=0 pid=25061 command=strace -f -p 25014
