pbrun
Usage: pbrun [-v] [-n] [-p] [-d option] [-h hostname] [-u username] command [args ...]
The pbrun command is used to request that an application or command be run in a controlled account. The user simply adds pbrun to the beginning of the command line, for example:
pbrun then checks the /etc/pb.settings file to determine the master daemon to which it should send the request. Once it has contacted a master daemon, it sends a request to the daemon to run the application specified. As with the rlogin command, you can type ~^Z to suspend pbrun, or ~. to terminate it. Both must be typed at the beginning of a new line. pbrun has several options:
-d option
This outputs debugging information.
When option is connect, this displays debugging information about the connections between clients and masters. The TCP/IP socket information and machine name lookup statistics can be useful for solving DNS and NIS problems. For example:
When option is time or ttime, this displays debugging information about the timing, or the total time, of each subsection of the pbrun command. It is useful for isolating performance bottlenecks between networked machines and for solving obscure timing problems.
-h hostname
allows the user to request a particular execution host that will run the request. If present, the -h hostname must come before the command being requested.
-n
redirects the input of pbrun to /dev/null. You sometimes need this option to avoid unfortunate interactions between pbrun and the shell that invokes it. For example, if you start a pbrun in the background without redirecting its input away from the terminal, it will block even if the remote command posts no reads. -n prevents this.
-p
puts pbrun into "pipe mode," in which all interactions with the user's terminal are done without changing any of the terminal parameters. Normally, pbrun puts the terminal into raw mode, so that programs such as text editors, which require raw mode, can run properly under pbrun. Pipe mode is useful when several pbrun commands must be piped together, for example:
-u username
sets the requesting user to username.
-v
displays the current version number of pbrun.
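The option rules above (every option, -h included, goes before the command; -n for background jobs; -p for pipeline members) gathered into a small POSIX shell wrapper. This is an added example, not part of PowerBroker or the page's own text; pb_cmd, the mode names and the PB_DRYRUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Wrapper that assembles a pbrun command line from the rules in the text.
# PBRUN defaults to "pbrun"; PB_DRYRUN=1 prints the assembled line instead of
# running it, so the ordering can be checked without a master daemon.
PBRUN="${PBRUN:-pbrun}"

# pb_cmd MODE HOST USER COMMAND [ARGS...]
#   MODE: fg   interactive (terminal left in pbrun's default raw mode)
#         bg   background job: adds -n so pbrun never blocks on the tty
#         pipe pipeline member: adds -p (keep terminal parameters) and -n
#   HOST: execution host for -h, or "" for none
#   USER: requesting user for -u, or "" for none
pb_cmd() {
    mode=$1 host=$2 user=$3
    shift 3
    [ $# -ge 1 ] || { echo "pb_cmd: a command is required" >&2; return 2; }
    # Options are prepended in reverse so the final order matches the usage
    # line: [-p] [-n] [-h hostname] [-u username] command [args ...]
    [ -n "$user" ] && set -- -u "$user" "$@"
    [ -n "$host" ] && set -- -h "$host" "$@"
    case $mode in
        fg)   ;;
        bg)   set -- -n "$@" ;;
        pipe) set -- -p -n "$@" ;;
        *)    echo "pb_cmd: unknown mode '$mode'" >&2; return 2 ;;
    esac
    if [ -n "${PB_DRYRUN:-}" ]; then
        printf '%s' "$PBRUN"; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    "$PBRUN" "$@"
}

# Sample use (constructed): a background job on a chosen host, and two
# pipe-mode requests joined by a shell pipeline, as the -p text describes.
#   pb_cmd bg backuphost "" backup /var &
#   pb_cmd pipe "" "" cat /var/log/messages | pb_cmd pipe "" "" sort -u
```

Run with PB_DRYRUN=1 first to confirm the assembled line before letting it reach a master daemon.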
Reference:
Chapter 20: Reference - Programs
http://www.uiweb.uidaho.edu/pb/pb27-20.htm
Chapter 15: Executing Programs within PowerBroker
http://www.uiweb.uidaho.edu/pb/pb27-15.htm
When using pbrun to switch to another user with su, it prompts "Reason for ID change:" and then logs you in as the new user. I want to send this reason from a shell script; the previous line would call pbrun su-otheruser.
pbrun without password
any idea?
You'd better use CaclMgr for privilege delegation on UNIX/Linux, and also in Windows 10's Ubuntu env, as this software will make your system more secure than if you use other privilege delegation software, such as Power Broker and sudo.
You can test CaclMgr and other security solutions I have set up at AWS:
ssh tst1@13.54.182.224
password: "just a test" without the double quotes.
and check README file for more info.
Here is an example of how CaclMgr could protect your privilege delegation passphrase from being attacked by memory snooper:
tst1@wzisaws:~$ cacl id
Your CaclMgr Passphrase: Killed: Memory Snooper uid=0 pid=25031 command=sleep 4
That's a user in root account doing:
root@wzisaws:25014# ps -ef|grep cacl
root 24422 24381 0 10:40 pts/0 00:00:01 cacl -e root bash
root 25014 24973 1 12:22 pts/1 00:00:03 cacl -e root id
root 25049 24423 0 12:26 pts/0 00:00:00 grep --color=auto cacl
root@wzisaws:25014# pwd
/proc/25014
root@wzisaws:25014# sleep 4 < mem
Killed
root@wzisaws:25014#
and if the root user tries to use strace:
you will see:
tst1@wzisaws:~$ cacl id
Your CaclMgr Passphrase: Killed: Memory Snooper uid=0 pid=25031 command=sleep 4
Killed: Memory Snooper uid=0 pid=25052 command=sleep 4
Killed: strace uid=0 pid=25061 command=strace -f -p 25014