Privileges and role defined in a file

For the first sample script, a single role and its privileged commands are defined in the file Role_apacheAdmin.txt. This sample text file defines the role name and a few sample commands that you might assign to an Apache server administrator. For example:

ApacheAdminRole
vi /etc/httpd/conf/httpd.conf
apachectl *
htpasswd *

The first line in the Role_apacheAdmin.txt file specifies the new role name. The subsequent lines specify the commands to add to the role. You can edit the text file to suit your environment. For example, you might want add or remove commands or modify the path to the Apache configuration file. To create the role and commands, you can then run the MakeRole sample script and specify the Role_apacheAdmin.txt file name as a command‑line argument. The MakeRole sample script then prompts you to enter the domain name, account, and password for the bind command and to type the name of the parent zone where the sample role will be created.

Note that you must specify a parent zone for this sample script. The second sample ApacheAdminRole script shown in Privileges and roles defined in the script displays the list of zones in the domain to illustrate how you can create a role in a child zone. In addition, this sample script assumes you are using the default deployment structure with the top-level organizational unit. If you are not using the default deployment structure, you should modify the sample script to reflect the structure you are using before testing its operation.

MakeRole

The MakeRole sample script creates a role with the set of privileged commands defined in the sample Role_apacheAdmin.txt file.

#!/bin/env adedit
# This script creates a role consisting of a 
# set of privileged commands
# The role name and commands are specified 
# in a separate file.
#
# The first line in the input file should be 
# the new role name.
# The subsequent lines are the names of the 
# privileged commands to
# add to the role.
# For example:
#     audit_admin_cmds
#     /usr/bin/vi /etc/security/audit/config
#     /usr/bin/vi /etc/security/audit/objects
package require ade_lib
if { $argc != 1 } {
    puts "usage: $argv0 file"
    exit 1
}
if {[catch {set fp [open [lindex $argv 0] r]} errmsg]} 
    { 
    puts "Cannot open [lindex $argv 0]."
    exit 1
}
# Get domain and bind
puts "Enter domain name"
gets stdin domain 
set domaindn [dn_from_domain $domain]
puts "Enter account name with administrator privileges"
gets stdin administrator
puts "Enter $administrator password"
gets stdin APWD
bind $domain $administrator "$APWD"
# Select the target zone and base organizational unit
puts "Enter the target zone name for the new role"
gets stdin zonename
puts "
Enter the name of the Active Directory 
  container that holds the Centrify zone data"
gets stdin zonesNode
puts "
Enter the organizational unit with the Centrify zone data container"
gets stdin baseOU
select_zone "cn=$zonename,cn=$zonesNode,ou=$baseOU,$domaindn"
if {[gets $fp line] == -1} {
              puts "Cannot read [lindex $argv 0]."
              exit 1
}
# Create role
puts "Creating role...$line"
set role $line
new_role "$role"
save_role "$role"
set count 0
while {[gets $fp line] >= 0} {
   incr count
# Create command. Each command will be named 
# based on the role defined in the first line 
# and the command’s line number in the file
   set cmd_name $role$count
   new_dz_command "$cmd_name"
   # set the command fields
   set cmd_path $line
   set_dzc_field cmd "$cmd_path"
   set_dzc_field dzdo_runas root
   set_dzc_field umask 077
   # prevent nested execution
   set_dzc_field flags 1
   # save the command
   save_dz_command
   # Add the command to the Role
   add_command_to_role "$cmd_name"
 }
close $fp
save_role "$role"