Require runas user for dzdo
Specify whether a user must explicitly identify the ‘runas’ user when executing a command with dzdo.
If you set this group policy to Not configured or Enabled, and a user executes a command with dzdo and does not explicitly identify the user or group to run as with the -u or -g option, adclient assumes that the command should be run as root. If the user is not authorized to run the command as root, dzdo fails to execute the command and issues an error message.
If you set this group policy to Disabled and a user executes a command with dzdo that does not explicitly identify the user or group to run as, adclient attempts to resolve the user. If the command defines a single runas user, dzdo executes the specified command and sends a message to the log file.
If the command defines multiple runas users, dzdo cannot resolve the user to run as and attempts to run the command as root. Because the user is not authorized to run the command as root, dzdo fails to execute the command and issues an error message.
In all cases, a user can execute a command successfully with dzdo by using the -u option to explicitly identify the runas user. For example:
[u1@rh6]$ dzdo -u qa1 adinfo
This group policy modifies the dzdo.set.runas.explicit setting in the agent configuration file.
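The resolution rules above can be modelled to check what a host's setting means for a given command's runas list. This is an added example, not Centrify code: the function names, the "name: value" file format with "#" comments, and the rule that a target user is authorized only when it appears in the command's runas list are assumptions.

```shell
#!/bin/sh
# Added illustration, not Centrify code. Function names are hypothetical.

# Effective dzdo.set.runas.explicit value read from a configuration file.
# Assumed format: "name: value" lines, "#" starts a comment line.
# Absent or unrecognised values report true, as "Not configured" acts like Enabled.
runas_explicit_setting() {
    val=$(sed -n 's/^[[:space:]]*dzdo\.set\.runas\.explicit[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        false|False|FALSE) echo false ;;
        *) echo true ;;
    esac
}

# in_list USER "u1,u2": succeeds when USER is in the comma-separated list.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# resolve_runas SETTING EXPLICIT_USER RUNAS_CSV
# Prints the user the command would run as, or DENY.
# Assumption: a target is authorized only if it is in the command's runas list.
resolve_runas() {
    setting=$1 explicit=$2 runas=$3
    if [ -n "$explicit" ]; then
        target=$explicit                       # -u given: used as-is
    else
        case "$setting:$runas" in
            false:*,*|false:) target=root ;;   # Disabled, not exactly one runas user
            false:*)          target=$runas ;; # Disabled, single runas user
            *)                target=root ;;   # Enabled or Not configured
        esac
    fi
    if in_list "$target" "$runas"; then echo "$target"; else echo DENY; fi
}

# Constructed sample file; a real check would pass the agent configuration file.
conf=$(mktemp)
printf '%s\n' '# constructed sample' 'dzdo.set.runas.explicit: false' > "$conf"
s=$(runas_explicit_setting "$conf")
echo "explicit=$s runas=qa1     no -u  -> $(resolve_runas "$s" "" qa1)"
echo "explicit=$s runas=qa1,qa2 no -u  -> $(resolve_runas "$s" "" qa1,qa2)"
echo "explicit=$s runas=qa1,qa2 -u qa1 -> $(resolve_runas "$s" qa1 qa1,qa2)"
echo "explicit=true  runas=qa1     no -u  -> $(resolve_runas true "" qa1)"
rm -f "$conf"
```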