get_dzc_field

Use the get_dzc_field command to return the value for a specified field from the currently selected command object that is stored in memory.

The get_dzc_field command does not query Active Directory for the command. If you change field values using ADEdit without saving the command to Active Directory, the field value you retrieve using get_dzc_field won’t match the same field value for the command stored in Active Directory.

You can only use the get_dzc_field command if the currently selected zone is a classic4 or hierarchical zone. The command does not work in other types of zones.

Zone type

Classic and hierarchical

Syntax

get_dzc_field field

Abbreviation

gdzcf

Options

This command takes no options.

Arguments

This command takes the following arguments:

Argument Type Description

Argument	Type	Description
field	string	Required. Specifies the case-sensitive name of the field whose value to retrieve. The possible values are: description: Returns text describing the UNIX command. cmd: Returns the restricted shell command string or strings. path: Returns the path to the command’s location. form: Returns an integer that indicates whether the `cmd` and `path` strings use wild cards (`0`) or a regular expression (`1`). dzdo_runas: Returns a list of users and groups that can run this command under `dzdo` version of `sudo`. Users may be listed by user name or user ID (UID). dzsh_runas: Returns a list of users and groups that can run this command in a restricted shell environment (`dzsh`). Users can be listed by user name or UID. You cannot get this field value if the selected zone is a classic4 zone. keep: Returns a comma-separated list of environment variables from the current user’s environment to keep. del: Returns a comma-separated list of environment variables from the current user’s environment to delete. add: Returns a comma-separated list of environment variables to add to the final set of environment variables. pri: Returns an integer that specifies the command priority for the restricted shell command object. umask: Returns an integer that defines who can execute the command. flags: Returns an integer that specifies a combination of different properties for the command. createTime: Returns the time and date this command was created, returned in generalized time format. modifyTime: Returns the time and date this command was last modified, returned in generalized time format. dn: Returns the command’s distinguished name. selinux_role: Returns the SELinux role used when constructing a new security context for command execution (tree zone only). selinux_type: Returns the SELinux type used when constructing a new security context for command execution (tree zone only). digest: Returns the SHA-2 digest to verify the file checksum before command execution. Note that `selinux_role` and `selinux_type` are only supported on Red Hat Enterprise Linux systems and effective only on systems with SELinux enabled and joined to a hierarchical zone.

field

string

Required. Specifies the case-sensitive name of the field whose value to retrieve. The possible values are:

description: Returns text describing the UNIX command.
cmd: Returns the restricted shell command string or strings.
path: Returns the path to the command’s location.
form: Returns an integer that indicates whether the cmd and path strings use wild cards (0) or a regular expression (1).
dzdo_runas: Returns a list of users and groups that can run this command under dzdo version of sudo. Users may be listed by user name or user ID (UID).
dzsh_runas: Returns a list of users and groups that can run this command in a restricted shell environment (dzsh). Users can be listed by user name or UID. You cannot get this field value if the selected zone is a classic4 zone.
keep: Returns a comma-separated list of environment variables from the current user’s environment to keep.
del: Returns a comma-separated list of environment variables from the current user’s environment to delete.
add: Returns a comma-separated list of environment variables to add to the final set of environment variables.
pri: Returns an integer that specifies the command priority for the restricted shell command object.
umask: Returns an integer that defines who can execute the command.
flags: Returns an integer that specifies a combination of different properties for the command.
createTime: Returns the time and date this command was created, returned in generalized time format.
modifyTime: Returns the time and date this command was last modified, returned in generalized time format.
dn: Returns the command’s distinguished name.
selinux_role: Returns the SELinux role used when constructing a new security context for command execution (tree zone only).
selinux_type: Returns the SELinux type used when constructing a new security context for command execution (tree zone only).
digest: Returns the SHA-2 digest to verify the file checksum before command execution.

Note that selinux_role and selinux_type are only supported on Red Hat Enterprise Linux systems and effective only on systems with SELinux enabled and joined to a hierarchical zone.

Getting the cmd and path field values

If you specify the cmd and path fields, the return value can be a string that uses wild cards (*, ?, and !), or a regular expression. If the cmd and path strings use wild cards, an asterisk (*) matches zero or more characters, a question mark (?) matches exactly one character, and the exclamation mark (!) negates matching of the specified string.

For both the cmd and path fields, the form field indicates whether the specified string is interpreted as a regular expression or as a string that includes wild cards.

Getting environment variable field values

If you specify the keep, del, or add field, the return value is a comma-separated list of environment variables. The keep, del, and add fields control the environment variables used by the commands specified by the cmd string. The keep and del settings are mutually exclusive:

The keep field only takes effect if the flag 16 is included in the setting for the flag field.
The del field only takes effect if the flag 16 is not included in the setting for the flag field.

Any environment variables kept or deleted are in addition to the default set of the user’s environment variables that are either retained or deleted. The default set of environment variables to keep is defined in the dzdo.env_keep configuration parameter in the centrifydc.conf file. The default set of environment variables to delete is defined in the dzdo.env_delete configuration parameter in the centrifydc.conf file.

The add field returns the environment variables added to the final set of environment variables resulting from the keep or del fields.

Getting the command priority field value

If you specify the pri field, the return value indicates the command priority when there are multiple matches for command strings in a command object. If there are multiple commands specified by this command object, the pri field specifies the specifies their relative priority. The higher the value returned by this field, the higher the command’s priority.

Getting the umask field value

If you specify the umask field, the return value is a 3-digit octal value that defines who can read, write, and execute the selected command object. The three digits of the umask field specify the read, write, or execute permission for the file owner, group, and other users. The left digit defines the owner execution rights, the middle digit defines the group execution rights, and the right digit defines execution rights for other users. Each digit is a combination of binary flags, one flag for each right as follows:

4 is read
2 is write
1 is execute

These values are added together to define the rights available for each entity. For example, a umask value of 600 indicates read and write permission (4+2) for the owner, but no permissions for the group or other users. Similarly, a umask value of 740 indicates read, write, execute permissions (4+2+1) for the owner, read permissions for the group, but no permissions for other users.

Getting command properties from the flags field value

If you specify the flags field, the return value is an integer that defines a combination of binary flags, with one flag for each of the following properties:

1—Prevents nested command execution. If this flag value is not set, nested command execution is allowed.

2—Requires authentication with the user’s password.

4—Requires authentication with the run-as user’s password.

8—Preserves group membership. If this flag value is not set, group membership is not preserved.

16—Resets environment variables for the command, deleting the variables specified in the dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag is not set, the command removes the unsafe environment variables specified in the dzdo.env_delete parameter along with any additional environment variables specified by the del field.

32—Requires multi-factor authentication to execute the command.

64—Prevents navigation up the path hierarchy when executing the command.

These values are added together to define the value for the flags field. For example, a flags field value of 11 indicates that nested command execution is not allowed (1), the command requires authentication using the user’s password (2), and the user’s group membership should be preserved (8). The value returned is the sum of these flags (1+2+8).

Return value

This command returns a field value, which varies in type depending on the data type stored by the field.

Examples

get_dzc_field dzdo_runas

returns: root

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a UNIX command to work with:

get_dz_commands returns a Tcl list of UNIX commands in the current zone.
list_dz_commands lists to stdout the UNIX commands in the current zone.
new_dz_command creates a new UNIX command and stores it in memory.
select_dz_command retrieves a UNIX command from Active Directory and stores it in memory.

After you have a UNIX command stored in memory, you can use the following commands to work with that command:

delete_dz_command deletes the selected command from Active Directory and from memory.
save_dz_command saves the selected command with its current settings to Active Directory.
set_dzc_field sets a field value in the currently selected command.