set_dzc_field

Use the set_dzc_field command to set the value for a specified field in the currently selected UNIX command stored in memory. The set_dzc_field command does not set a field value stored in Active Directory for the selected UNIX command.

If you change any fields, you must save the UNIX command using the save_dz_command command for your changes to take effect in Active Directory. If you select another UNIX command or end the ADEdit session before saving the currently selected UNIX command, your changes will be lost.

You can only use the set_dzc_field command to set UNIX command fields if the currently selected zone is a classic4 or hierarchical zone. The command does not work in other types of zones.

When executing privileged commands on computers running Security-Enhanced Linux (SELinux), the security context contains additional information that is used to make access control decisions; the selinux_role and selinux_type fields described below control how that context is constructed.

Zone type

Classic and hierarchical

Syntax

set_dzc_field field value

Abbreviation

sdzcf

Options

This command takes no options.

Arguments

This command takes the following arguments:

Argument: field
Type: string
Description: Required. Specifies the name of the field you want to set. The possible values are:

  • description: Text describing the UNIX command.
  • cmd: The UNIX command string or strings. You can use wild cards or a regular expression.
  • path: The path to the command’s location. You can use wild cards or a regular expression.
  • form: An integer that indicates whether the cmd and path strings use wild cards (0) or a regular expression (1).
  • dzdo_runas: A list of users and groups that can run this command under dzdo (similar to sudo). Users can be listed by user name or UID.
  • dzsh_runas: A list of users and groups that can run this command in a restricted shell environment (dzsh). Users can be listed by user name or UID. You cannot set this field value if the selected zone is a classic4 zone.
  • keep: A comma-separated list of environment variables from the current user’s environment to keep.
  • del: A comma-separated list of environment variables from the current user’s environment to delete.
  • add: A comma-separated list of environment variables to add to the final set of environment variables.
  • pri: An integer that specifies the command priority for the restricted shell command object.
  • umask: An integer that defines who can execute the command.
  • flags: An integer that specifies a combination of different properties for the command.
  • selinux_role: Specifies the SELinux role to use when constructing a new security context for command execution.
  • selinux_type: Specifies the SELinux type to use when constructing a new security context for command execution.
  • digest: Specifies the SHA-2 digest to verify the file checksum before command execution.

Note that selinux_role and selinux_type are only supported on Red Hat Enterprise Linux systems and effective only on systems with SELinux enabled and joined to a hierarchical zone.

Argument: value
Type: depends on the field
Description: Required. Specifies the value to assign to the specified field. The data type depends on the field specified.

In most cases, you can assign an empty string or null value (0) to unset a field value, depending on the data type of the field.

Setting the cmd and path field values

You can specify the cmd and path strings using wild cards (*, ?, and !), or as a regular expression. If you specify the cmd and path strings using wild cards, use an asterisk (*) to match zero or more characters, the question mark (?) to match exactly one character, or the exclamation mark (!) to negate matching of the specified string.

To set the command path to the equivalent of the Standard user path option, set the value of the path field to USERPATH. To set the path to the equivalent of the Standard system path option, set the value of the path field to SYSTEMPATH. To set the path to the equivalent of the System search path option, set the value of the path field to SYSTEMSEARCHPATH.

For both the cmd and path fields, the form field controls whether the specified string is interpreted as a regular expression or as a string that includes wild cards.
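The following Python helper is an added example, not ADEdit code and not from the original page. It shows how the form field changes the interpretation of a cmd or path string: form 0 treats the string as a wild card pattern (asterisk matches zero or more characters, question mark exactly one, a leading exclamation mark negates the match), form 1 treats it as a regular expression. The regular-expression flavour (Python's re module), the whole-string matching, and the treatment of the exclamation mark as a leading negation prefix are assumptions of this example.

```python
"""Illustrative matcher for the cmd/path fields under the form field.

Added example; not part of ADEdit or the original page. Assumes Python's
re module as the regular-expression flavour, that a leading '!' negates
the whole pattern, and that a candidate must match the entire pattern.
"""
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wild card pattern (form 0) into a regular expression.

    '*' matches zero or more characters and '?' exactly one; every other
    character is escaped so that it matches literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def matches(pattern: str, form: int, candidate: str) -> bool:
    """Return True when candidate matches pattern under the given form.

    form 0: wild cards (*, ?, and a leading ! to negate the match)
    form 1: regular expression (Python flavour, assumed)
    The candidate must match the whole pattern (re.fullmatch).
    """
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if form == 0:
        regex = wildcard_to_regex(pattern)
    elif form == 1:
        regex = pattern
    else:
        raise ValueError(f"form must be 0 (wild cards) or 1 (regex), got {form!r}")
    hit = re.fullmatch(regex, candidate) is not None
    return (not hit) if negate else hit


if __name__ == "__main__":
    # Constructed sample command lines, not taken from any real zone.
    print(matches("/usr/bin/systemctl *", 0, "/usr/bin/systemctl restart sshd"))
    print(matches("!/bin/rm *", 0, "/bin/rm -rf /tmp/build"))
    print(matches(r"/usr/bin/(cat|less) /var/log/.*", 1, "/usr/bin/cat /var/log/messages"))
```

Note that under form 0 the pattern is matched literally apart from the three wild card characters, so a string such as `/usr/bin/(cat|less)` only matches itself; the same string under form 1 matches either command. Keeping form consistent with how the cmd and path strings were written is the check worth making before saving the command.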

Specifying the environment variables to use

You can use the keep, del, and add settings to control the environment variables used by the commands specified by the cmd string. The keep and del settings are mutually exclusive. The keep field only takes effect if flag 16 is included in the setting for the flags field. The del field only takes effect if flag 16 is not included in the setting for the flags field.

Any environment variables kept or deleted are in addition to the default set of the user’s environment variables that are either retained or deleted. The default set of environment variables to keep is defined in the dzdo.env_keep configuration parameter in the centrifydc.conf file. The default set of environment variables to delete is defined in the dzdo.env_delete configuration parameter in the centrifydc.conf file. You can also add environment variables to the final set of environment variables resulting from the keep or del fields.

Specifying the command priority

You can use the pri field to specify the command priority when there are multiple matches for the UNIX commands specified by wild cards. If commands specified by this UNIX command object match commands specified by another UNIX command object, the UNIX command object with the higher command priority prevails. This field takes an integer value; the higher the number, the higher the priority.

Specifying the umask value

You can use the umask field to define who can execute the command. The umask field specifies a 3-digit octal value that defines read, write, or execute permission for owner, group, and other users. The left digit defines the owner execution rights, the middle digit defines the group execution rights, and the right digit defines other execution rights. Each digit is a combination of binary flags, one flag for each right as follows:

  • 4 is read
  • 2 is write
  • 1 is execute

You add these values together to define the rights available for each entity. For example, a umask value of 600 indicates read and write permission (4+2) for the owner, but no permissions for the group or other users. Similarly, a umask value of 740 indicates read, write, and execute permissions (4+2+1) for the owner, read permission for the group, but no permissions for other users.

Specifying command properties using the flags field

You can use the flags field to define a combination of binary flags, with one flag for each of the following properties:

1—Prevents nested command execution. If this flag value is not set, nested command execution is allowed.

2—Requires re-authentication using the login user’s password.

4—Requires authentication using the run-as user’s password.

8—Preserves group membership. If this flag value is not set, group membership is not preserved.

16—Resets environment variables for the command, deleting the variables specified in the dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag is not set, the command removes the unsafe environment variables specified in the dzdo.env_delete parameter along with any additional environment variables specified by the del field.

32—Requires multi-factor authentication to execute the command.

64—Prevents navigation up the path hierarchy when executing the command.

You add these values together to define the setting for the flags field. For example, a flags field value of 5 prevents nested command execution and requires authentication using the run-as user’s password (1+4). You cannot set flags 2 and 4 together, or flags 4 and 32 together. If you don't set any of these flags, re-authentication is not required.
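The Python helpers below are an added example, not ADEdit code and not from the original page. They cover the three numeric fields described above in one place: composing and decoding a flags value while enforcing the two pairs the reference says cannot be set together, reporting whether the keep or the del field is the one in effect for a given flags value (the flag 16 rule), and expanding a 3-digit umask value into per-entity rights. The flag values, the umask digit meanings and the keep/del rule come from the reference text; the function names, the property names used as keys, and the range checks are this example's own.

```python
"""Helpers for checking set_dzc_field numeric values before saving.

Added example; not part of ADEdit or the original page. Flag bits, umask
digit meanings and the keep/del rule follow the reference text; the names
and the checking logic are this example's own.
"""

# Flag bits of the flags field, keyed by a property name chosen here.
FLAGS = {
    "no_nested": 1,      # prevents nested command execution
    "login_passwd": 2,   # re-authenticate with the login user's password
    "runas_passwd": 4,   # authenticate with the run-as user's password
    "keep_groups": 8,    # preserve group membership
    "reset_env": 16,     # reset environment; the keep field applies
    "mfa": 32,           # multi-factor authentication required
    "no_path_up": 64,    # prevent navigating up the path hierarchy
}

# Pairs the reference says cannot be set at the same time (2 and 4, 4 and 32).
EXCLUSIVE = [("login_passwd", "runas_passwd"), ("runas_passwd", "mfa")]


def check_flags(value: int) -> list:
    """Return the property names set in value after validating it.

    Raises ValueError for an out-of-range value or a forbidden combination.
    """
    if not 0 <= value < 128:
        raise ValueError(f"flags value out of range: {value}")
    names = [name for name, bit in FLAGS.items() if value & bit]
    for a, b in EXCLUSIVE:
        if a in names and b in names:
            raise ValueError(f"flags {FLAGS[a]} and {FLAGS[b]} cannot both be set")
    return names


def encode_flags(*names: str) -> int:
    """Compose a flags value from property names, validating the result."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    check_flags(value)
    return value


def env_field_in_effect(flags: int) -> str:
    """Name the environment field (keep or del) that applies for these flags."""
    return "keep" if flags & FLAGS["reset_env"] else "del"


def decode_umask(value: int) -> dict:
    """Expand a 3-digit umask field (e.g. 740) into per-entity rights."""
    digits = f"{value:03d}"
    if len(digits) != 3 or any(d not in "01234567" for d in digits):
        raise ValueError(f"umask must be three octal digits, got {value}")
    rights = {}
    for who, digit in zip(("owner", "group", "other"), digits):
        n = int(digit)
        rights[who] = "".join(c for c, bit in (("r", 4), ("w", 2), ("x", 1)) if n & bit)
    return rights


if __name__ == "__main__":
    print(check_flags(5))                     # no_nested + runas_passwd
    print(encode_flags("no_nested", "login_passwd"))
    print(env_field_in_effect(16), env_field_in_effect(3))
    print(decode_umask(740))
```

Running check_flags on a value before passing it to set_dzc_field catches the 2/4 and 4/32 conflicts and out-of-range numbers locally, and env_field_in_effect makes it obvious which of keep or del will actually be honoured, which is the usual source of confusion when a keep list appears to be ignored.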

Return value

This command returns nothing if it runs successfully.

Examples

The following example sets the current UNIX command dzdo_runas field to root:

set_dzc_field dzdo_runas root

The following example sets the UNIX command properties so that nested command execution is not allowed and re-authentication is required with the login user’s password (1+2):

sdzcf flags 3

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a UNIX command to work with:

After you have a UNIX command stored in memory, you can use the following commands to work with that command:

  • delete_dz_command deletes the selected command from Active Directory and from memory.
  • get_dzc_field reads a field value from the currently selected command.
  • save_dz_command saves the selected command with its current settings to Active Directory.