set_rsc_field

Use the set_rsc_field command to set the value for a specified field for the currently selected restricted shell command that is stored in memory. The set_rsc_field command does not set the field value stored in Active Directory for the selected restricted command field.

If you change any fields, you must save the restricted shell command using the save_rs_command command for your changes to take effect in Active Directory. If you select another restricted shell command or end the ADEdit session before saving the currently selected restricted shell command, your changes will be lost.

You can only use the set_rsc_field command if the currently selected zone is a classic4 zone. The command does not work in other types of zones.

Zone type

Classic only

Syntax

set_rsc_field field value

Abbreviation

srscf

Options

This command takes no options.

Arguments

This command takes the following arguments:

Argument   Type     Description

field      string   Required. Specifies the name of the field whose value you want to set.

value      varies   Required. Specifies the value you want to assign to the specified field. The data type depends on the field specified.

In most cases, you can assign an empty string or null value (0) to unset a field value, depending on the data type of the field.

The possible field values are:

  • description: Text describing the restricted shell command.
  • cmd: The restricted shell command string or strings. You can use wild cards or a regular expression.
  • path: The path to the command’s location. You can use wild cards or a regular expression.
  • form: An integer that indicates whether the cmd and path strings use wild cards (0) or a regular expression (1).
  • dzsh_runas: A list of users and groups that can run this command in a restricted shell environment (dzsh). Users can be listed by user name or UID.
  • keep: A comma-separated list of environment variables from the current user’s environment to keep.
  • del: A comma-separated list of environment variables from the current user’s environment to delete.
  • add: A comma-separated list of environment variables to add to the final set of environment variables.
  • pri: An integer that specifies the command priority for the restricted shell command object.
  • umask: An integer that defines who can execute the command.
  • flags: An integer that specifies a combination of different properties for the command.
  • createTime: The time and date this command was created, returned in generalized time format.
  • modifyTime: The time and date this command was last modified, returned in generalized time format.
  • dn: The command’s distinguished name.

Setting the cmd and path field values for a restricted command

You can specify the cmd and path strings using wild cards (*, ?, and !), or as a regular expression. If you specify the cmd and path strings using wild cards, use an asterisk (*) to match zero or more characters, the question mark (?) to match exactly one character, or the exclamation mark (!) to negate matching of the specified string.

For both the cmd and path fields, the form field controls whether the specified string is interpreted as a regular expression or as a string that includes wild cards.

Specifying the environment variables for a restricted command

You can use the keep, del, and add settings to control the environment variables used by the commands specified by the cmd string. The keep and del settings are mutually exclusive. The keep field only takes effect if flag 16 is included in the setting for the flags field. The del field only takes effect if flag 16 is not included in the setting for the flags field.

Any environment variables kept or deleted are in addition to the default set of the user’s environment variables that are either retained or deleted. The default set of environment variables to keep is defined in the dzdo.env_keep configuration parameter in the centrifydc.conf file. The default set of environment variables to delete is defined in the dzdo.env_delete configuration parameter in the centrifydc.conf file. You can also add environment variables to the final set of environment variables resulting from the keep or del fields.

Specifying the restricted command priority

You can use the pri field to specify the command priority when there are multiple matches for the restricted shell command object specified by wild cards. If there are multiple commands specified by this restricted shell command object, the restricted shell command with the higher command priority prevails.

Specifying the umask value for restricted commands

You can use the umask field to define who can execute the command. The umask field specifies a 3-digit octal value that defines read, write, or execute permission for owner, group, and other users. The left digit defines the owner execution rights, the middle digit defines the group execution rights, and the right digit defines other execution rights. Each digit is a combination of binary flags, one flag for each right as follows:

  • 4 is read
  • 2 is write
  • 1 is execute

You add these values together to define the rights available for each entity. For example, a umask value of 600 indicates read and write permission (4+2) for the owner, but no permissions for the group or other users. Similarly, a umask value of 740 indicates read, write, execute permissions (4+2+1) for the owner, read permissions for the group, but no permissions for other users.

Specifying restricted command properties using the flags field

You can use the flags field to define a combination of binary flags, with one flag for each of the following properties:

  • 1 to prevent nested command execution. If this flag value is not set, nested command execution is allowed.
  • 2 to require authentication with the user’s password. You cannot set this flag and the 4 flag simultaneously.
  • 4 to require authentication with the run-as user’s password. If you do not set the 2 flag or the 4 flag, authentication is not required.
  • 8 to preserve group membership. If this flag value is not set, group membership is not preserved.
  • 16 to reset environment variables for the command, deleting the variables specified in the dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag is not set, the command removes the unsafe environment variables specified in the dzdo.env_delete parameter along with any additional environment variables specified by the del field.

You add these values together to define the setting for the flags field. For example, a flags field value of 5 prevents nested command execution and requires authentication using the run-as user’s password (1+4).

Return value

This command returns nothing if it runs successfully.

Examples

set_rsc_field description {This is the restricted command description}

This example sets the current restricted shell command description field to the “This is the restricted command description” text string.
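As an added example that is not part of the ADEdit documentation, the following Tcl script configures several fields of one restricted shell command (including a flags value combined from the bits described above and a umask value) and then saves it. It assumes a classic4 zone is already selected, that a command named backup-cmd exists, and that select_rs_command takes the command name as its argument; all three are assumptions.

```tcl
# Added example, not from the Centrify documentation. Assumes a classic4 zone is
# already selected, that the restricted shell command "backup-cmd" exists, and that
# select_rs_command accepts the command name (all hypothetical).
select_rs_command backup-cmd

# Match commands starting with "backup" under /usr/local/bin using wild cards (form 0).
set_rsc_field description {Nightly backup, run as the backup service account}
set_rsc_field cmd  {backup*}
set_rsc_field path {/usr/local/bin}
set_rsc_field form 0
set_rsc_field dzsh_runas {backupsvc}   ;# run-as user, listed by user name
set_rsc_field pri 10

# flags = 1 (no nested commands) + 4 (run-as user's password) + 16 (reset environment).
# Flags 2 and 4 are mutually exclusive, so 2 is deliberately not included.
set flags [expr {1 | 4 | 16}]          ;# evaluates to 21
set_rsc_field flags $flags

# Because flag 16 is set, the keep field applies (del would be ignored):
# retain HOME and LANG in addition to the dzdo.env_keep defaults.
set_rsc_field keep {HOME,LANG}

# umask 750: owner read/write/execute (4+2+1), group read/execute (4+1), other none.
set_rsc_field umask 750

# None of the above reaches Active Directory until the command is saved.
save_rs_command
```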

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select the restricted shell command to work with:

  • get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
  • list_rs_commands lists to stdout the restricted shell commands in the current zone.
  • new_rs_command creates a new restricted shell command and stores it in memory.
  • select_rs_command retrieves a restricted shell command from Active Directory and stores it in memory.

After you have a restricted shell command stored in memory, you can use the following commands to work with that restricted shell command:

  • delete_rs_command deletes the selected command from Active Directory and from memory.
  • get_rsc_field reads a field value from the currently selected command.
  • save_rs_command saves the selected command with its current settings to Active Directory.