Privileges and roles defined in a file
For the first sample script, a single role and its privileged commands are defined in the file Role_apacheAdmin.txt. This sample text file defines the role name and a few sample commands that you might assign to an Apache server administrator. For example:
ApacheAdminRole
vi /etc/httpd/conf/httpd.conf
apachectl *
htpasswd *
The first line in the Role_apacheAdmin.txt file specifies the new role name. The subsequent lines specify the commands to add to the role. You can edit the text file to suit your environment. For example, you might want to add or remove commands or modify the path to the Apache configuration file. To create the role and commands, you can then run the MakeRole sample script and specify the Role_apacheAdmin.txt file name as a command-line argument. The MakeRole sample script then prompts you to enter the domain name, account, and password for the bind command and to type the name of the parent zone where the sample role will be created.
Note that you must specify a parent zone for this sample script. The second sample ApacheAdminRole script shown in Privileges and roles defined in the script displays the list of zones in the domain to illustrate how you can create a role in a child zone. In addition, this sample script assumes you are using the default deployment structure with the top-level organizational unit. If you are not using the default deployment structure, you should modify the sample script to reflect the structure you are using before testing its operation.
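The MakeRole script creates one command object per line of the input file without checking the lines first, so a stray blank line or a relative command path ends up in the role as written. The following pre-flight checker is an added example, written in Python rather than adedit because it only inspects the input file; it is not one of the Centrify sample scripts. It parses the same format (role name on the first line, one privileged command per following line), reproduces the naming MakeRole uses (role name plus line count) and the fields MakeRole sets (dzdo_runas root, umask 077, flags 1), and reports what would be created so an administrator can review the plan before binding to the domain. The sample input is constructed and includes a blank line on purpose to show the edge case.

```python
"""Pre-flight check for a MakeRole input file.

Hypothetical helper (not part of the Centrify adedit samples): it reads the
Role_apacheAdmin.txt format and reports the role and command objects that
MakeRole would create, plus warnings about lines worth a second look.
"""
import sys
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PlannedCommand:
    name: str            # command object name: role name + line count, as MakeRole builds it
    cmd: str             # command path and arguments exactly as written in the file
    runas: str = "root"  # MakeRole sets dzdo_runas root on every command
    umask: str = "077"   # MakeRole sets umask 077
    flags: int = 1       # MakeRole sets flags 1 ("prevent nested execution")


def parse_role_file(text: str) -> Tuple[str, List[PlannedCommand], List[str]]:
    """Return (role_name, planned_commands, warnings).

    Raises ValueError when the file could not produce a usable role.
    """
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("first line must be the role name")
    role = lines[0].strip()
    if any(ch.isspace() for ch in role):
        raise ValueError(f"role name {role!r} contains whitespace")

    warnings: List[str] = []
    commands: List[PlannedCommand] = []
    count = 0
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            # MakeRole would create a command object with an empty cmd field here.
            warnings.append(f"line {lineno}: blank line skipped")
            continue
        count += 1
        words = line.split()
        path, args = words[0], words[1:]
        if not path.startswith("/"):
            # The sample script's own comment example spells out /usr/bin/vi.
            warnings.append(f"line {lineno}: {path!r} is not an absolute path")
        if args == ["*"]:
            warnings.append(f"line {lineno}: {path!r} accepts any arguments")
        commands.append(PlannedCommand(name=f"{role}{count}", cmd=line))

    if not commands:
        raise ValueError("no commands follow the role name")
    return role, commands, warnings


# Constructed sample input mirroring Role_apacheAdmin.txt, with a blank line
# added to exercise the skip logic.
SAMPLE_ROLE_FILE = """ApacheAdminRole
vi /etc/httpd/conf/httpd.conf
apachectl *

htpasswd *
"""


def report(text: str) -> str:
    """Render the plan as text for review before MakeRole is run."""
    role, commands, warnings = parse_role_file(text)
    out = [f"role: {role}"]
    for c in commands:
        out.append(f"  {c.name}: cmd={c.cmd!r} runas={c.runas} umask={c.umask} flags={c.flags}")
    for w in warnings:
        out.append(f"warning: {w}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python check_role_file.py Role_apacheAdmin.txt
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROLE_FILE
    print(report(source))
```

Run it against the real Role_apacheAdmin.txt before MakeRole; the planned names (ApacheAdminRole1, ApacheAdminRole2, ...) are the ones that will appear in the zone, so a mismatch between the plan and what you expect is cheapest to fix at this point.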
MakeRole
The MakeRole sample script creates a role with the set of privileged commands defined in the sample Role_apacheAdmin.txt file.
#!/bin/env adedit
# This script creates a role consisting of a
# set of privileged commands
# The role name and commands are specified
# in a separate file.
#
# The first line in the input file should be
# the new role name.
# The subsequent lines are the names of the
# privileged commands to
# add to the role.
# For example:
# audit_admin_cmds
# /usr/bin/vi /etc/security/audit/config
# /usr/bin/vi /etc/security/audit/objects

package require ade_lib

if { $argc != 1 } {
    puts "usage: $argv0 file"
    exit 1
}

if {[catch {set fp [open [lindex $argv 0] r]} errmsg]} {
    puts "Cannot open [lindex $argv 0]."
    exit 1
}

# Get domain and bind
puts "Enter domain name"
gets stdin domain
set domaindn [dn_from_domain $domain]
puts "Enter account name with administrator privileges"
gets stdin administrator
puts "Enter $administrator password"
gets stdin APWD
bind $domain $administrator "$APWD"

# Select the target zone and base organizational unit
puts "Enter the target zone name for the new role"
gets stdin zonename
puts "Enter the name of the Active Directory container that holds the Centrify zone data"
gets stdin zonesNode
puts "Enter the organizational unit with the Centrify zone data container"
gets stdin baseOU
select_zone "cn=$zonename,cn=$zonesNode,ou=$baseOU,$domaindn"

if {[gets $fp line] == -1} {
    puts "Cannot read [lindex $argv 0]."
    exit 1
}

# Create role
puts "Creating role...$line"
set role $line
new_role "$role"
save_role "$role"

set count 0
while {[gets $fp line] >= 0} {
    incr count
    # Create command. Each command will be named
    # based on the role defined in the first line
    # and the command's line number in the file
    set cmd_name $role$count
    new_dz_command "$cmd_name"
    # set the command fields
    set cmd_path $line
    set_dzc_field cmd "$cmd_path"
    set_dzc_field dzdo_runas root
    set_dzc_field umask 077
    # prevent nested execution
    set_dzc_field flags 1
    # save the command
    save_dz_command
    # Add the command to the Role
    add_command_to_role "$cmd_name"
}
close $fp
save_role "$role"