The command rights were configured to allow execution in either a restricted shell environment or an unrestricted shell environment. In an unrestricted shell environment—for example, the default shell environment when users are assigned the UNIX Login role—commands that require administrative privileges must be executed by first invoking the dzdo command, which is similar to invoking commands with sudo.
You can control whether users are required to enter a password when they execute privileged commands using dzdo by setting the Authentication required on the Attributes tab when you create a command right. By default, no password is required. If you were adding a new command right that requires authentication, you would click the Attributes tab, select Authentication required then select one of these options:
- User’s password if users are required to enter their own password before executing the command.
- Run as target’s password if users are required to enter the password for the target account that is executing the command.
In most cases, the default of no password is appropriate because the user has been previous authenticated before invoking dzdo to execute a privileged command and the Run as target’s password option requires the user to know the privileged account password. For example, if the run-as user is root, the Run as target’s password authentication option requires the user to know the password for the root account.
The steps for creating the role definition that includes the previously-defined command right are the same for the unrestricted shell as for the restricted shell except that at Step 6 of Create a restricted role definition for the service account in the System Rights tab, you would also select the Login with non-Restricted Shell option if you are not using the UNIX Login role. You could add all of the same command rights to the role definition and grant the same privileges and exceptions.
The primary difference between the two role definitions would be how users execute their privileged commands.
In the restricted shell environment, users running the adflush command requiring administrative privileges:
dzsh $ adflush
In the unrestricted shell environment, users running the adflush command requiring administrative privileges:
[tulo@ajax]$ dzdo adflush