Quest™ Privilege Manager for Unix 6.0

Quest One™ Privilege Manager for Sudo 2.0

Release Notes

August 2013





Welcome to Quest Privilege Manager

Quest Privilege Manager for Unix protects the full power of root from potential misuse or abuse. With Privilege Manager, there’s no need to worry about anyone deleting critical files, modifying file permissions or databases, reformatting disks or doing more subtle damage. Privilege Manager enables you to define a security policy that stipulates who has access to which root functions, as well as when and where they can perform those functions. It controls access to existing programs as well as purpose-built utilities that execute common system administration tasks. At the administrator’s request, Privilege Manager can protect sensitive data from network monitoring by encrypting the root commands or sessions it controls, including control messages and input keyed by users while running commands through Privilege Manager.

Quest One Privilege Manager for Sudo helps Unix/Linux organizations take privileged account management through Sudo to the next level: with a central policy server, centralized management of Sudo and sudoers, centralized reporting on sudoers and elevated rights activities, and event and keystroke logging of activities performed through Sudo. With Quest One Privilege Manager for Sudo, Quest provides a plug-in to Sudo 1.8.1 (and later) to make administering Sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-by-box management of Sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.


New in this Release

This section lists new features introduced in this release of Privilege Manager.

See Resolved Issues and Enhancements for the list of issues addressed and enhancements implemented in this release.

 Quest Privilege Manager for Unix 6.0 New Features:

 Quest Privilege Manager for Sudo 2.0 New Features:

New features in both Quest Privilege Manager for Unix 6.0 and Quest One Privilege Manager for Sudo 2.0:


Resolved Issues and Enhancements

The following lists issues resolved and enhancements implemented in this release of Privilege Manager.

Quest Privilege Manager for Unix 6.0 Enhancements

Enhancement Defect ID
Support for Quest One Management Console for Unix

Quest One Management Console for Unix supports Privilege Manager for Unix and its associated agents, providing a web-based console for administrators using the Management Console to:

  • remotely deploy the new Privilege Manager agents.
  • centrally manage (create, view, modify, validate) and report on the Privilege Manager policy files.

Reports can show, for auditing purposes, which users have access to which commands on which systems, who edited the Privilege Manager policy, what was changed, etc. You can also:

  • easily replay and search keystroke logs, filter on date/time, for Unix users
  • automatically check and report on versions of Privilege Manager installed across the enterprise.

Secure access to each function is defined and controlled according to the administrator’s credentials.

Profile-based policy

Several improvements have been made to the default profile-based policy files:

  • The main policy directory now contains four policy files:
    • pm.conf - the main policy file (includes global_profile.conf and profileBasedPolicy.conf)
    • global_profile.conf - defines all the global profile variables
    • profileBasedPolicy.conf - controls Privilege Manager access via the defined profiles (includes profile_customer_policy.conf)
    • profile_customer_policy.conf - allows customizations while reading the profiles by providing functions/procedures which can be customized as required.
  • Profile variables have been renamed to follow a more rigorous naming convention.

pmshell displays Memory fault message for all shell sub-commands

An attempt to execute any regular, non-built-in command after pmksh had been started resulted in a Memory fault message, and the specified command failed to execute. This issue has been resolved.

pmshell setting HOME env variable to use_rundir

When using pmshell, the HOME environment variable was set to use_rundir constant (!~!) instead of the path for the runuser's home directory. This issue has now been resolved.

New comparehosts function

A comparehosts policy function has been added for comparing a host string (hostname or IP address) to a host pattern (which could be specified as a hostname, IP address, pattern, or netgroup).

Support for AD host group membership

Two new policy functions (vas_host_is_member and vas_host_in_ADgrouplist) have been added to look up AD host group membership within the policy.

In addition, the default profile-based policy in Privilege Manager for Unix 6.0 uses 4 new profile variables (pf_allowsubmithostsad, pf_allowrunhostsad, pf_forbidsubmithostsad, pf_forbidrunhostsad) to determine profile membership based on AD host groups.

Please refer to the Quest Privilege Manager Administrator's Guide for more information on the new functions and profile variables.

pmlocald libX11.a dependency on AIX

pmlocald on AIX platforms no longer requires X-Windows libraries (libX11.a) to run.

Do not allow command to run unless it exists in the specified directory(s)

A new policy variable, runpaths, may contain a list of pathnames where the run command must be found. If runpaths is defined, pmlocald will refuse to run the command unless it is executed from one of the specified directories.


Quest Privilege Manager for Sudo 2.0 Enhancements

Enhancement Defect ID
Mac OS X support for Privilege Manager for Sudo plug-ins

The Privilege Manager for Sudo plug-ins are now supported on Mac OS X 10.7 and 10.8.

New configuration option to use local sudoers file with centralized keystroke logging

Running pmjoin_plugin with the --io-plugin-only option will configure Sudo to continue using the local sudoers file, but send keystroke logs to a centralized Privilege Manager for Sudo policy server.

Support for visiblepw sudoers policy option

Support for the visiblepw sudoers option (allow the Sudo command if the user must enter a password but is not able to disable echo on the terminal) has been added.

Sudo plug-in offline evaluation

The Sudo plug-in may be configured to always perform local policy evaluation.


Privilege Manager for Unix 6.0 and Privilege Manager for Sudo 2.0 Enhancements

Enhancement Defect ID
Events logged in database format

The Privilege Manager event logs are now stored in database format. Event logs from previous versions of Privilege Manager may be imported into a database format file set using the new pmlogadm command.


The Quest Privilege Manager for Unix and Quest One Privilege Manager for Sudo documentation has been consolidated into a single Administrator's Guide.

pmsrvconfig join password

pmsrvconfig now asks for password confirmation when creating the policy group join password.


Privilege Manager for Unix 6.0 Resolved Issues

Issue Defect ID
pmksh and tracked aliases

pmksh could be vulnerable to session crashes if tracked aliases (ksh trackall option) are used.

pmmasterd and runhost policy variable

The runhost variable was reverting to its original state, nullifying any changes made to runhost within the policy.

keystroke logging, log_passwords, and pf_logpassword

The profile-based profiles were not correctly disabling password logging by default.

pmcheck and split()

On some platforms, the split() function causes pmcheck to segfault when returning a list with more than 16 members.

pmshell and interrupted commands

pmshell sometimes displayed output from a previous command if the command was interrupted with a ^C.

include statement and subtraction

Including the same file more than once in the policy may cause incorrect evaluation of subtraction statements within the included file.


In some instances, Privilege Manager processes might not shut down correctly if an active session was abnormally terminated (for example, if an active session was running in a Putty window and the window was closed). SIGHUP and SIGINT signals are now ignored in the atexit function to prevent the function from being interrupted.


Running pminfo on a 5.6 agent can overwrite the registration info on a 5.5 master.

thishost setting on the master host

Using the thishost setting in the pm.settings file on a master host caused the master to run agent sessions on the master host instead of on the host where the session was requested.

Solaris Projects

If you are using Solaris Projects, agent sessions on Solaris systems will now set their Project ID to the runuser’s default Project ID.

pmloadcheck man page

The pmloadcheck man page incorrectly specified that the sleep interval specified with the -e flag was in seconds instead of minutes.

pmlist and profile-based policy

The pmlist command reported that time restrictions apply in profiles where they were not enabled. The default profile-based policy has been updated to address this. In addition, several changes have been made to the profile-based policy files to allow for easier customization of the policy.

Note: The updated profile-based policy adheres to a naming convention in which profile and shellprofile variables are prefixed with pf_, and locally defined procedures are prefixed with pr_. Care should be taken to update files if you are importing profiles and shellprofiles from a previous version of the profile-based policy.

pf_authpaths (profile variable), runpaths (policy variable)

Two new list variables have been introduced to specify paths from which commands are permitted to execute. The paths may be specified in the pf_authpaths variable in a profile if you are using the latest profile-based policy, or in the runpaths policy variable otherwise.

If configured, the agent will reject a command unless it is executed from one of the specified paths.
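
An illustration of the kind of directory check described for runpaths and pf_authpaths, added here as an example; it is not Privilege Manager code or policy syntax. It assumes the command is resolved to its canonical path first and must sit directly in a listed directory; command_allowed, demo and the sample directories are hypothetical.

```python
import os
import tempfile


def command_allowed(command, runpaths):
    """True only if `command` resolves to a regular file directly inside one
    of the directories in `runpaths` (hypothetical helper, not product code)."""
    # A bare or relative name depends on PATH or the working directory,
    # so this sketch only accepts absolute paths (assumption).
    if not os.path.isabs(command):
        return False
    # Canonicalize first so symlinks and ".." cannot disguise the real location.
    real = os.path.realpath(command)
    if not os.path.isfile(real):
        return False
    allowed = {os.path.realpath(p) for p in runpaths}
    return os.path.dirname(real) in allowed


def demo():
    """Build a constructed directory tree and evaluate several requests."""
    with tempfile.TemporaryDirectory() as root:
        admin_bin = os.path.join(root, "opt", "admin", "bin")  # listed directory
        scratch = os.path.join(root, "tmp")                    # not listed
        os.makedirs(admin_bin)
        os.makedirs(scratch)
        good = os.path.join(admin_bin, "rotate_logs")
        lookalike = os.path.join(scratch, "rotate_logs")
        for path in (good, lookalike):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
        # A symlink placed in the listed directory that points outside it.
        link = os.path.join(admin_bin, "helper")
        os.symlink(lookalike, link)
        # A path that starts in the listed directory but climbs out of it.
        traversal = os.path.join(admin_bin, "..", "..", "..", "tmp", "rotate_logs")
        runpaths = [admin_bin]
        return {
            "listed_dir": command_allowed(good, runpaths),
            "same_name_elsewhere": command_allowed(lookalike, runpaths),
            "symlink_out": command_allowed(link, runpaths),
            "dotdot": command_allowed(traversal, runpaths),
            "relative_name": command_allowed("rotate_logs", runpaths),
            "missing": command_allowed(os.path.join(admin_bin, "nope"), runpaths),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {'allow' if verdict else 'reject'}")
```

Comparing the canonical path rather than the requested string is what makes the symlink and ".." cases fail; a check on the string alone would accept both.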

Deprecated Platforms

The following platforms have been deprecated in this release:

  • AIX 4.3.2, 4.3.3, 5.1
  • Debian Linux v5
  • HP-UX 11.00
  • Red Hat Linux 7-9
  • Red Hat Enterprise Server v4 AS/ES/WS
  • Solaris 8 (SPARC 32/64 bit)
  • Solaris 8 (Intel x86/x86_64)
  • SuSE Enterprise Server Linux v8 (IBM zSeries)

Privilege Manager for Sudo 2.0 Resolved Issues

Issue Defect ID
Sudo plug-in with hostname on loopback address

The Sudo plug-in can now be configured on DHCP hosts where the hostname is assigned to a loopback address in the local hosts file, as long as the host's network address can be obtained by resolving the hostname in DNS.

Change to local sudoers file to indicate Privilege Manager control

A comment is now added to the local sudoers file when the Sudo plug-in is configured to indicate that the local sudoers file is no longer used and that the sudoers rules are managed by Privilege Manager for Sudo.

ssh-keyscan binary

pmpreflight now checks that the ssh-keyscan binary is installed.

Deprecated Platforms

The following platforms have been deprecated in this release:

  • Debian GNU/Linux 5 (Intel x86/x86_64)
  • Fedora 14 (Intel x86/x86_64)
  • Fedora 15 (Intel x86/x86_64)
  • Solaris 8 (SPARC 32/64 bit)
  • Solaris 8 (Intel x86/x86_64)
  • Ubuntu 5 (Intel x86/x86_64)
  • Ubuntu 6 (Intel x86/x86_64)
  • Ubuntu 7 (Intel x86/x86_64)
  • XenServer 4.1

Privilege Manager for Unix 6.0 and Privilege Manager for Sudo 2.0 Resolved Issues

Issue Defect ID
keystroke log timestamps and keystroke log replay

If more than 256 seconds elapsed between keystroke logging events, pmmasterd recorded an incorrect timestamp entry which, when replayed with pmreplay, caused the timestamp date to revert to January 1, 1970.

Initialization script fails to start pmserviced on reboot

pmserviced did not start following a system reboot if the file /var/opt/quest/qpm4u/ existed and was pointing to an existing process (other than pmserviced).

Privilege Manager binaries not large file aware

On some operating systems, Privilege Manager binaries are not large file aware.

Deprecated Functionality

The -t option of the pmlog command has been deprecated in Privilege Manager for Unix 6.0.

pmpolicy commit after upgrade

pmpolicy commit commands might fail reporting svn: Can't open file errors if the qpm-server package is uninstalled without removing the policy repository, and then later re-installed.

pmsrvconfig and pmjoin

On 64-bit Linux systems running Linux kernel version 3, the pmsrvconfig and pmjoin configuration scripts fail to correctly identify the architecture and then abort as a result of this.

pmpolicy revert

The pmpolicy revert command always failed, reporting Error: Failed to touch file.

Support for Tectia SSH

Privilege Manager leverages ssh software for internal security policy management. Privilege Manager will now work with Tectia SSH.

Advance Notice of Platform Deprecation

Please note that support for the following platforms will be deprecated in any release of Privilege Manager for Unix later than version 6.0, and in any release of Privilege Manager for Sudo later than version 2.0:

  • AIX 5.3 (32/64 bit)
  • Solaris 9 (SPARC 32/64 bit)
  • Solaris 9 (Intel x86/x86_64)


Known Issues

The following is a list of issues known to exist at the time of this release of Privilege Manager.

Privilege Manager for Unix 6.0 Known Issues

Known Issue Defect ID
Time restriction interpretation

In the profile-based policy, the time restriction specified in the pf_restrictionhours profile variable is interpreted against the local time configured on the policy server that is evaluating the request, rather than the local time on the client host.

Handshake failed message

Improperly configured clients may display Connection timed out or Handshake failed messages. This may be caused by an incorrect pmlocaldOpts setting in the pm.settings file.

This can be resolved by removing the pmlocaldOpts setting and restarting the pmserviced daemon.

AlertRaised events not logged to the eventlog

AlertRaised events are not logged to the eventlog. However, pmlocald will still terminate the current session if an alert is raised and alertkeyaction is set to reject.


Privilege Manager for Sudo 2.0 Known Issues

Known Issue Defect ID
Sudo session termination

If a Sudo session is terminated by either closing the terminal window or dropping the SSH connection, Sudo does not notify pmmasterd that the session is finished. Thus, to find sessions without the finish event, you need to search with pmlog (instead of pmlogsearch) on the server where the log resides.

Note: This issue was fixed in Sudo 1.8.4.

AIX platform specific search failure

When you search (using the management console or from the command line using pmlogsearch) specifying both the --text and --result options, the search fails with the message Failed to retrieve selected log information.

sudoers policy

sudoers #include and #includedir statements are not fully supported in the Privilege Manager for Sudo policy.


Privilege Manager for Unix 6.0 and Privilege Manager for Sudo 2.0 Known Issues

Known Issue Defect ID
preflight failures with nss-myhostname plugin

The Privilege Manager preflight may fail on systems that use the nss-myhostname plugin (e.g. Fedora 17 and above), if the hostname is not configured in the local hosts file.

Reported event times offset

Reported event times may be offset if the MCU console server and policy servers are not set to use the same timezone.



Upgrade and Compatibility

Upgrading to Quest Privilege Manager for Unix 6.0

To upgrade from Privilege Manager 5.5 to version 6.0, follow the installation instructions in Upgrading Privilege Manager for Unix 5.5 in the Quest Privilege Manager Administrator's Guide.

We recommend that:

Note: The upgrade process will create symbolic links to ensure that your existing paths function correctly.

Note: Use of the Privilege Manager clients (pmrun and pmshells) with a policy server in Sudo policy mode is not currently supported.

Upgrading to Quest Privilege Manager for Sudo 2.0

The process for upgrading Quest One Privilege Manager for Sudo from an older version is similar to installing it for the first time. The installer detects an older version and automatically upgrades the components. (Please see Quest Privilege Manager Administrator's Guide for more information.)

Note: Use of the Privilege Manager for Sudo plug-ins with a policy server in pmpolicy mode is not currently supported.


System Requirements

Before installing Privilege Manager, ensure your system meets the following minimum hardware and software requirements:


Click here to review a list of Unix and Linux platforms that support Privilege Manager for Unix.

Click here to review a list of Unix, Linux, and Mac platforms that support Privilege Manager for Sudo.

Note: To enable the Management Console for Unix server to interact with the host, you must install both an SSH server (that is, sshd) and an SSH client on each managed host. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.

Note: Management Console for Unix does not support Security-Enhanced Linux (SELinux).

Disk Space: 80 MB of disk space for program binaries and manuals for each architecture.

Note: At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Quest Privilege Manager for Unix, ensure that the partitions that will contain /opt/quest have sufficient space available.

  • Sufficient space for the keystroke logs, application logs, and event logs. The size of this space depends on the number of servers, the number of commands, and the number of policies configured.

Note: The space can be on a network disk drive rather than a local drive.

  • The server hosting Quest Privilege Manager must be a separate machine dedicated to running the pmmasterd daemon.

Additional Software: SSH Server and Client software (including ssh-keyscan binary). Quest Privilege Manager requires ssh client and server software to be installed and configured on all policy server hosts, and ssh client software to be installed on all hosts using the Privilege Manager Sudo plug-ins.

You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.

Privilege Manager uses TCP/IP to communicate with networked computers, so it is essential that TCP/IP is correctly configured before installing Privilege Manager.

Privilege Manager uses the masterport, port 12345, to communicate with the policy server daemon (pmmasterd).

Management Console for Unix: Privilege Manager is integrated with the Quest One Management Console for Unix, a web-based console where you can centrally manage local Unix users and groups, edit your sudoers policy file, and create and view keystroke logs, as well as generate and view comprehensive reports.

Prior to installing the management console, ensure your system meets the minimum hardware and software requirements for your platform. (See the Quest One Management Console for Unix Administrator's Guide for details.)

Processor: 4 cores (policy servers)
RAM: 4 GB (policy servers)

For further information, refer to Planning Deployment in the Quest Privilege Manager Administrator's Guide.


Product Licensing

Refer to Privilege Manager Licensing for more information about licensing Privilege Manager.


Global Operations

This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.

This release is Unicode-enabled and supports any character set. In this release, all product components should be configured to use the same or compatible character encodings and should be installed to use the same locale and regional options. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan.

This release has the following known capabilities or limitations: Quest Authentication Services has been tested with double-byte configured locales on the Linux platform. All of the client side components operate successfully with double-byte characters in all Unix attributes.

There is no localization of either the client or Windows user interface.


Getting Started

Contents of the Release Package

The Privilege Manager release package contains the following products:

  1. Quest Privilege Manager for Unix version 6.0 or Quest One Privilege Manager for Sudo version 2.0
  2. Quest One Management Console for Unix version 2.5
  3. Product Documentation, including:

Note: You can find the product documentation at the following links:

Installation Instructions

For installation instructions, refer to Installation and Configuration, in the Quest Privilege Manager Administrator's Guide.

For information on Quest Privilege Manager licensing and system requirements please refer to Planning Deployment, in the Quest Privilege Manager Administrator's Guide.


For More Information

Get the latest product information, find helpful resources, test the product betas, and join a discussion with the development team and other community members. Join the Community at All Things Unix.

Contact Information

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit


Technical Support:
Online Support

Product Questions and Sales:
(800) 306 – 9329


About Support

Support is available to customers who have a trial version or who have purchased Quest software and have a valid maintenance contract. The Support Portal at is the definitive resource for technical support with self-help capabilities so you can solve problems quickly and independently 24 hours a day, 365 days a year. The portal also provides direct access to our support engineers through an online service request facility. From one central location, you will find everything you need – support offerings, policies and procedures, contact information, as well as:

1 For trial users please use the Trial Downloads to get the latest generally available version of the software.


Quest Software is now Dell Software




© 2013 Quest Software, Inc.


