set_rsc_field
Use the set_rsc_field command to set the value of a specified field of the currently selected restricted shell command that is stored in memory. The set_rsc_field command does not change the field value stored in Active Directory for the selected restricted shell command.
If you change any fields, you must save the restricted shell command using the save_rs_command command for your changes to take effect in Active Directory. If you select another restricted shell command or end the ADEdit session before saving the currently selected restricted shell command, your changes will be lost.
You can only use the set_rsc_field command if the currently selected zone is a classic4 zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
set_rsc_field field value
Abbreviation
srscf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument | Type | Description
--- | --- | ---
field | string | Required. Specifies the name of the field whose value you want to set.
value | | Required. Specifies the value you want to assign to the specified field. The data type depends on the field specified. In most cases, you can assign an empty string or null value (0) to unset a field value, depending on the data type of the field.
The possible field values are:
- description: Text describing the restricted shell command.
- cmd: The restricted shell command string or strings. You can use wild cards or a regular expression.
- path: The path to the command’s location. You can use wild cards or a regular expression.
- form: An integer that indicates whether the cmd and path strings use wild cards (0) or a regular expression (1).
- dzsh_runas: A list of users and groups that can run this command in a restricted shell environment (dzsh). Users can be listed by user name or UID.
- keep: A comma-separated list of environment variables from the current user’s environment to keep.
- del: A comma-separated list of environment variables from the current user’s environment to delete.
- add: A comma-separated list of environment variables to add to the final set of environment variables.
- pri: An integer that specifies the command priority for the restricted shell command object.
- umask: An integer that defines who can execute the command.
- flags: An integer that specifies a combination of different properties for the command.
- createTime: The time and date this command was created, returned in generalized time format.
- modifyTime: The time and date this command was last modified, returned in generalized time format.
- dn: The command’s distinguished name.
Setting the cmd and path field values for a restricted command
You can specify the cmd and path strings using wild cards (*, ?, and !), or as a regular expression. If you specify the cmd and path strings using wild cards, use an asterisk (*) to match zero or more characters, the question mark (?) to match exactly one character, or the exclamation mark (!) to negate matching of the specified string.
For both the cmd and path fields, the form field controls whether the specified string is interpreted as a regular expression or as a string that includes wild cards.
Specifying the environment variables for a restricted command
You can use the keep, del, and add settings to control the environment variables used by the commands specified by the cmd string. The keep and del settings are mutually exclusive. The keep field only takes effect if the flag 16 is included in the setting for the flags field. The del field only takes effect if the flag 16 is not included in the setting for the flags field.
Any environment variables kept or deleted are in addition to the default set of the user’s environment variables that are either retained or deleted. The default set of environment variables to keep is defined in the dzdo.env_keep configuration parameter in the centrifydc.conf file. The default set of environment variables to delete is defined in the dzdo.env_delete configuration parameter in the centrifydc.conf file. You can also use the add field to add environment variables to the final set of environment variables resulting from the keep or del fields.
Specifying the restricted command priority
You can use the pri field to specify the command priority when there are multiple matches for the restricted shell command object specified by wild cards. If there are multiple commands specified by this restricted shell command object, the restricted shell command with the higher command priority prevails.
Specifying the umask value for restricted commands
You can use the umask field to define who can execute the command. The umask field specifies a 3-digit octal value that defines read, write, or execute permission for the owner, group, and other users. The left digit defines the owner execution rights, the middle digit defines the group execution rights, and the right digit defines other execution rights. Each digit is a combination of binary flags, one flag for each right as follows:
- 4 is read
- 2 is write
- 1 is execute
You add these values together to define the rights available for each entity. For example, a umask value of 600 indicates read and write permission (4+2) for the owner, but no permissions for the group or other users. Similarly, a umask value of 740 indicates read, write, and execute permissions (4+2+1) for the owner, read permission for the group, but no permissions for other users.
Specifying restricted command properties using the flags field
You can use the flags field to define a combination of binary flags, with one flag for each of the following properties:
- 1 to prevent nested command execution. If this flag value is not set, nested command execution is allowed.
- 2 to require authentication with the user’s password. You cannot set this flag and the 4 flag simultaneously.
- 4 to require authentication with the run-as user’s password. If you do not set the 2 flag or the 4 flag, authentication is not required.
- 8 to preserve group membership. If this flag value is not set, group membership is not preserved.
- 16 to reset environment variables for the command, deleting the variables specified in the dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag is not set, the command removes the unsafe environment variables specified in the dzdo.env_delete parameter along with any additional environment variables specified by the del field.
You add these values together to define the setting for the flags field. For example, a flags field value of 5 prevents nested command execution and requires authentication using the run-as user’s password (1+4).
Return value
This command returns nothing if it runs successfully.
Examples
set_rsc_field description {This is the restricted command description}
This example sets the description field of the current restricted shell command to the text string “This is the restricted command description”.
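The following Python helper is an added example written for this page; it is not Centrify code and is not part of ADEdit. It encodes the documented flags bits, expands a umask field into owner/group/other rights, checks the field combinations described above (the 2 and 4 flags, keep versus del, the effect of flag 16) before anything is written, and renders the set_rsc_field calls followed by the save_rs_command that makes them persistent. The function names, constants and sample field values are constructed here, and the rendering assumes ADEdit accepts brace-quoted values as in the example above.

```python
"""Check and render set_rsc_field values for a restricted shell command.

Added illustration, not Centrify code: the field names, form values, umask
digits and flags bits follow the set_rsc_field documentation; the function
names and the sample values below are constructed for this example.
"""
import re

# Documented bits of the 'flags' field.
FLAG_NO_NESTED = 1      # prevent nested command execution
FLAG_AUTH_USER = 2      # require the user's own password (exclusive with 4)
FLAG_AUTH_RUNAS = 4     # require the run-as user's password (exclusive with 2)
FLAG_KEEP_GROUPS = 8    # preserve group membership
FLAG_RESET_ENV = 16     # reset environment: 'keep' applies, 'del' is ignored
ALL_FLAGS = (FLAG_NO_NESTED, FLAG_AUTH_USER, FLAG_AUTH_RUNAS,
             FLAG_KEEP_GROUPS, FLAG_RESET_ENV)

# Documented values of the 'form' field.
FORM_WILDCARD = 0
FORM_REGEX = 1

_RWX = {4: "r", 2: "w", 1: "x"}   # per-digit bits of the umask field


def encode_flags(*bits):
    """OR documented flag bits together, rejecting the 2/4 combination."""
    value = 0
    for bit in bits:
        if bit not in ALL_FLAGS:
            raise ValueError(f"unknown flag bit {bit}")
        value |= bit
    if value & FLAG_AUTH_USER and value & FLAG_AUTH_RUNAS:
        raise ValueError("flags 2 and 4 cannot be set simultaneously")
    return value


def describe_flags(value):
    """List the documented properties enabled by a flags value."""
    names = {FLAG_NO_NESTED: "no-nested-execution",
             FLAG_AUTH_USER: "auth-user-password",
             FLAG_AUTH_RUNAS: "auth-runas-password",
             FLAG_KEEP_GROUPS: "preserve-groups",
             FLAG_RESET_ENV: "reset-environment"}
    return [names[bit] for bit in sorted(names) if value & bit]


def describe_umask(umask):
    """Expand a 3-digit octal umask field into owner, group, other rwx strings."""
    text = str(umask)
    if not re.fullmatch(r"[0-7]{3}", text):
        raise ValueError(f"umask must be three octal digits, got {umask!r}")
    return ["".join(ch if int(d) & bit else "-" for bit, ch in _RWX.items())
            for d in text]


def check_fields(fields):
    """Return (errors, warnings) for a dict of field -> value.

    Errors are combinations the documentation forbids; warnings are settings
    that are accepted but have no effect with the given flags.
    """
    errors, warnings = [], []
    form = fields.get("form")
    if form is not None and form not in (FORM_WILDCARD, FORM_REGEX):
        errors.append("form must be 0 (wild cards) or 1 (regular expression)")
    flags = fields.get("flags", 0)
    if flags & ~sum(ALL_FLAGS):
        errors.append(f"flags {flags} uses undefined bits")
    try:
        encode_flags(*[bit for bit in ALL_FLAGS if flags & bit])
    except ValueError as exc:
        errors.append(str(exc))
    keep, delete = fields.get("keep"), fields.get("del")
    if keep and delete:
        errors.append("keep and del are mutually exclusive")
    if keep and not flags & FLAG_RESET_ENV:
        warnings.append("keep has no effect unless flag 16 is set")
    if delete and flags & FLAG_RESET_ENV:
        warnings.append("del has no effect while flag 16 is set")
    if "umask" in fields:
        try:
            describe_umask(fields["umask"])
        except ValueError as exc:
            errors.append(str(exc))
    if "pri" in fields and not isinstance(fields["pri"], int):
        errors.append("pri must be an integer")
    return errors, warnings


def render_adedit(fields):
    """Render one set_rsc_field call per field, then save_rs_command.

    Refuses to render a field set that check_fields rejects, so an invalid
    combination never reaches the in-memory command or Active Directory.
    """
    errors, _ = check_fields(fields)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"set_rsc_field {name} {{{value}}}" for name, value in fields.items()]
    lines.append("save_rs_command")   # changes are lost without this step
    return lines


# Constructed sample: a single command, run as root, with a reset environment.
SAMPLE = {
    "description": "Restart the web service",
    "cmd": "systemctl restart httpd",
    "path": "/usr/bin",
    "form": FORM_WILDCARD,
    "dzsh_runas": "root",
    "keep": "LANG,TERM",
    "pri": 10,
    "umask": 750,
    "flags": encode_flags(FLAG_NO_NESTED, FLAG_AUTH_RUNAS, FLAG_RESET_ENV),
}

if __name__ == "__main__":
    print("\n".join(render_adedit(SAMPLE)))
```

Running the block prints the ADEdit command sequence for the sample, ending with save_rs_command; the checks in check_fields reproduce the page's rules (2 and 4 exclusive, keep and del exclusive, keep effective only with flag 16, del only without it), so a field set that would silently do nothing is flagged before it is saved.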
Related commands
Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select the restricted shell command to work with:
- get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
- list_rs_commands lists to stdout the restricted shell commands in the current zone.
- new_rs_command creates a new restricted shell command and stores it in memory.
- select_rs_command retrieves a restricted shell command from Active Directory and stores it in memory.
After you have a restricted shell command stored in memory, you can use the following commands to work with that restricted shell command:
- delete_rs_command deletes the selected command from Active Directory and from memory.
- get_rsc_field reads a field value from the currently selected command.
- save_rs_command saves the selected command with its current settings to Active Directory.