Privileges and role defined in a file
For the first sample script, a single role and its privileged commands are defined in the file Role_apacheAdmin.txt. This sample text file defines the role name and a few sample commands that you might assign to an Apache server administrator. For example:
ApacheAdminRole vi /etc/httpd/conf/httpd.conf apachectl * htpasswd *
The first line in the Role_apacheAdmin.txt file specifies the new role name. The subsequent lines specify the commands to add to the role. You can edit the text file to suit your environment. For example, you might want add or remove commands or modify the path to the Apache configuration file. To create the role and commands, you can then run the MakeRole sample script and specify the Role_apacheAdmin.txt file name as a command‑line argument. The MakeRole sample script then prompts you to enter the domain name, account, and password for the bind command and to type the name of the parent zone where the sample role will be created.
Note that you must specify a parent zone for this sample script. The second sample ApacheAdminRole script shown in Privileges and roles defined in the script displays the list of zones in the domain to illustrate how you can create a role in a child zone. In addition, this sample script assumes you are using the default deployment structure with the top-level organizational unit. If you are not using the default deployment structure, you should modify the sample script to reflect the structure you are using before testing its operation.
MakeRole
The MakeRole sample script creates a role with the set of privileged commands defined in the sample Role_apacheAdmin.txt file.
#!/bin/env adedit
# This script creates a role consisting of a
# set of privileged commands
# The role name and commands are specified
# in a separate file.
#
# The first line in the input file should be
# the new role name.
# The subsequent lines are the names of the
# privileged commands to
# add to the role.
# For example:
# audit_admin_cmds
# /usr/bin/vi /etc/security/audit/config
# /usr/bin/vi /etc/security/audit/objects
package require ade_lib
if { $argc != 1 } {
puts "usage: $argv0 file"
exit 1
}
if {[catch {set fp [open [lindex $argv 0] r]} errmsg]}
{
puts "Cannot open [lindex $argv 0]."
exit 1
}
# Get domain and bind
puts "Enter domain name"
gets stdin domain
set domaindn [dn_from_domain $domain]
puts "Enter account name with administrator privileges"
gets stdin administrator
puts "Enter $administrator password"
gets stdin APWD
bind $domain $administrator "$APWD"
# Select the target zone and base organizational unit
puts "Enter the target zone name for the new role"
gets stdin zonename
puts "
Enter the name of the Active Directory
container that holds the Centrify zone data"
gets stdin zonesNode
puts "
Enter the organizational unit with the Centrify zone data container"
gets stdin baseOU
select_zone "cn=$zonename,cn=$zonesNode,ou=$baseOU,$domaindn"
if {[gets $fp line] == -1} {
puts "Cannot read [lindex $argv 0]."
exit 1
}
# Create role
puts "Creating role...$line"
set role $line
new_role "$role"
save_role "$role"
set count 0
while {[gets $fp line] >= 0} {
incr count
# Create command. Each command will be named
# based on the role defined in the first line
# and the command’s line number in the file
set cmd_name $role$count
new_dz_command "$cmd_name"
# set the command fields
set cmd_path $line
set_dzc_field cmd "$cmd_path"
set_dzc_field dzdo_runas root
set_dzc_field umask 077
# prevent nested execution
set_dzc_field flags 1
# save the command
save_dz_command
# Add the command to the Role
add_command_to_role "$cmd_name"
}
close $fp
save_role "$role"
Doc Feedback