set_dzc_field
Use the set_dzc_field command to set the value for a specified field in the currently selected UNIX command stored in memory. The set_dzc_field command does not set a field value stored in Active Directory for the selected UNIX command.
If you change any fields, you must save the UNIX command using the save_dz_command command for your changes to take effect in Active Directory. If you select another UNIX command or end the ADEdit session before saving the currently selected UNIX command, your changes will be lost.
You can only use the set_dzc_field command to set UNIX command fields if the currently selected zone is a classic4 or hierarchical zone. The command does not work in other types of zones.
When executing privileged commands on computers running Security-Enhanced Linux (SELinux), the security context contains additional information that is used to make access control decisions.
Zone type
Classic and hierarchical
Syntax
set_dzc_field field value
Abbreviation
sdzcf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument | Type | Description |
field | string | Required. Specifies the name of the field you want to set. The possible values are: |
value | | Required. Specifies the value to assign to the specified field. The data type depends on the field specified. In most cases, you can assign an empty string or null value (0) to unset a field value, depending on the data type of the field. |
Setting the cmd and path field values
You can specify the cmd and path strings using wild cards (*, ?, and !), or as a regular expression. If you specify the cmd and path strings using wild cards, use an asterisk (*) to match zero or more characters, the question mark (?) to match exactly one character, or the exclamation mark (!) to negate matching of the specified string.
To set the command path to the equivalent of the Standard user path option, set the value of the path field to USERPATH. To set the path to the equivalent of the Standard system path option, set the value of the path field to SYSTEMPATH. To set the path to the equivalent of the System search path option, set the value of the path field to SYSTEMSEARCHPATH.
For both the cmd and path fields, the form field controls whether the specified string is interpreted as a regular expression or as a string that includes wild cards.
Specifying the environment variables to use
You can use the keep, del, and add settings to control the environment variables used by the commands specified by the cmd string. The keep and del settings are mutually exclusive. The keep field only takes effect if the flag 16 is included in the setting for the flags field. The del field only takes effect if the flag 16 is not included in the setting for the flags field.
Any environment variables kept or deleted are in addition to the default set of the user’s environment variables that are either retained or deleted. The default set of environment variables to keep is defined in the dzdo.env_keep configuration parameter in the centrifydc.conf file. The default set of environment variables to delete is defined in the dzdo.env_delete configuration parameter in the centrifydc.conf file. You can also add environment variables to the final set of environment variables resulting from the keep or del fields.
Specifying the command priority
You can use the pri field to specify the command priority when there are multiple matches for the UNIX commands specified by wild cards. If commands specified by this UNIX command object match commands specified by another UNIX command object, the UNIX command object with the higher command priority prevails. This field takes an integer value; the higher the number, the higher the priority.
Specifying the umask value
You can use the umask field to define who can execute the command. The umask field specifies a 3-digit octal value that defines read, write, or execute permission for owner, group, and other users. The left digit defines the owner execution rights, the middle digit defines the group execution rights, and the right digit defines other execution rights. Each digit is a combination of binary flags, one flag for each right as follows:
- 4 is read
- 2 is write
- 1 is execute
You add these values together to define the rights available for each entity. For example, a umask value of 600 indicates read and write permission (4+2) for the owner, but no permissions for the group or other users. Similarly, a umask value of 740 indicates read, write, and execute permissions (4+2+1) for the owner, read permissions for the group, but no permissions for other users.
Specifying command properties using the flags field
You can use the flags field to define a combination of binary flags, with one flag for each of the following properties:
1—Prevents nested command execution. If this flag value is not set, nested command execution is allowed.
2—Requires re-authentication using the login user’s password.
4—Requires authentication using the run-as user’s password.
8—Preserves group membership. If this flag value is not set, group membership is not preserved.
16—Resets environment variables for the command, deleting the variables specified in the dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag is not set, the command removes the unsafe environment variables specified in the dzdo.env_delete parameter along with any additional environment variables specified by the del field.
32—Requires multi-factor authentication to execute the command.
64—Prevents navigation up the path hierarchy when executing the command.
You add these values together to define the setting for the flags field. For example, a flags field value of 5 prevents nested command execution and requires authentication using the run-as user’s password (1+4). You cannot set the 2 flag and the 4 flag or the 4 flag and the 32 flag simultaneously. If you don't set any of these flags, re-authentication is not required.
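The flag arithmetic described above, including the two forbidden combinations and the effect of flag 16 on the keep and del fields, as an added Tcl example (ADEdit scripts are Tcl). This is not Centrify code; the proc name check_dzc_flags and the DZC_FLAGS table are hypothetical, and the sample values are constructed.

```tcl
# Added example, not Centrify code. Bit meanings and the forbidden
# combinations come from the text above; names are hypothetical.
set DZC_FLAGS {
    1  "prevent nested command execution"
    2  "re-authenticate with the login user's password"
    4  "authenticate with the run-as user's password"
    8  "preserve group membership"
    16 "reset environment variables"
    32 "require multi-factor authentication"
    64 "prevent navigation up the path hierarchy"
}

# Return a list of report lines for a flags value, or raise an error.
proc check_dzc_flags {value} {
    global DZC_FLAGS
    if {![string is integer -strict $value] || $value < 0 || $value > 127} {
        error "flags must be an integer from 0 to 127, got '$value'"
    }
    # Pairs the page says cannot be set simultaneously: 2+4 and 4+32.
    foreach {a b} {2 4 4 32} {
        if {($value & $a) && ($value & $b)} {
            error "flags $a and $b cannot be set together (value $value)"
        }
    }
    set report {}
    foreach {bit meaning} $DZC_FLAGS {
        if {$value & $bit} { lappend report "$bit: $meaning" }
    }
    # Flag 16 decides which of the keep and del fields takes effect.
    if {$value & 16} {
        lappend report "env: keep field takes effect, del does not"
    } else {
        lappend report "env: del field takes effect, keep does not"
    }
    if {($value & (2 | 4 | 32)) == 0} {
        lappend report "note: neither a password (2, 4) nor MFA (32) is required"
    }
    return $report
}

# Constructed sample values: 3 is the page's own example; 6 and 36 are invalid.
foreach v {3 5 21 6 36} {
    if {[catch {check_dzc_flags $v} result]} {
        puts "flags $v rejected: $result"
    } else {
        puts "flags $v accepted"
        foreach line $result { puts "    $line" }
    }
}
```

In an ADEdit script, run check_dzc_flags on the value before calling set_dzc_field flags, then use save_dz_command to write the change to Active Directory.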
Return value
This command returns nothing if it runs successfully.
Examples
The following example sets the current UNIX command dzdo_runas field to root:
set_dzc_field dzdo_runas root
The following example sets the UNIX command properties so that nested command execution is not allowed and authentication is required with the user’s password:
sdzcf flags 3
Related commands
Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a UNIX command to work with:
- get_dz_commands returns a Tcl list of UNIX commands in the current zone.
- list_dz_commands lists to stdout the UNIX commands in the current zone.
- new_dz_command creates a new UNIX command and stores it in memory.
- select_dz_command retrieves a UNIX command from Active Directory and stores it in memory.
After you have a UNIX command stored in memory, you can use the following commands to work with that command:
- delete_dz_command deletes the selected command from Active Directory and from memory.
- get_dzc_field reads a field value from the currently selected command.
- save_dz_command saves the selected command with its current settings to Active Directory.