A record in the SUDO class stores a command script so that users can run the script with borrowed permissions. The ability to borrow permissions is tightly controlled by the SUDO record, as well as by the sesudo command that executes the scripts.
In a SUDO record, the comment property is used for a special purpose, and often it is known by its alternate name: the data property.
The data property's value is the command script, optionally followed by one or more lists of script parameter values that are to be prohibited or permitted. The entire data property value must be enclosed in single quotes, and executables should be referenced by their complete path names, so that a look-alike executable earlier in the caller's search path cannot be substituted for the intended one (a Trojan horse).
This is the format for the data property:
data('cmd[;[prohibited-values][;permitted-values]]')
Because the lists of prohibited and permitted values are optional, a simple data property value could be the following:
newres SUDO MountCd data('mount /dev/cdrom /cdr')
The simple value in the command means that the command sesudo MountCd executes the script mount /dev/cdrom /cdr. No particular script parameter values are prohibited; all are permitted.
Wildcards and predefined variables give you flexibility in specifying prohibited and permitted parameters. The wildcards you can use are the standard UNIX wildcards. The variables are these:

Variable | Description
---|---
$A | Alphabetic value
$G | Existing CA ControlMinder group name
$H | Home path pattern of the user
$N | Numeric value
$O | Executor's user name
$U | Existing CA ControlMinder user name
$e | SUDO commands with no parameters
$f | Existing file name
$g | Existing UNIX group name
$h | Existing host name
$r | Existing UNIX file name with UNIX read permission
$u | Existing UNIX user name
$w | Existing UNIX file name with UNIX write permission
$x | Existing UNIX file name with UNIX exec permission
To append a list of prohibited parameter values to the script, separate it from the script with a semicolon. For example, to prohibit the value -9 for the first parameter:
newres SUDO scriptname data('cmd;-9')
where cmd represents your script.
Alternatively, if you do not allow any parameter values at all, but rather want all parameters defaulted, prohibit everything with a wildcard:
newres SUDO scriptname data('cmd;*')
To prohibit several values for the same parameter, separate them with spaces. Here the first parameter can be neither -9 nor -HUP:
newres SUDO scriptname data('cmd;-9 -HUP')
To give each parameter its own list of prohibited values, separate the lists with a vertical bar (|). Here the first parameter can be neither -9 nor -HUP, and the second cannot be an existing UNIX user name:
newres SUDO scriptname data('cmd;-9 -HUP | $u')
If the script has more parameters than you list, then your last set of prohibited parameters applies to all the remaining parameters.
To append a list of permitted parameter values, add a second semicolon-separated field; an empty field between the two semicolons means that nothing is prohibited. Here the only value allowed for any parameter is NAME:
newres SUDO scriptname data('cmd;;NAME')
For example, if you have two parameters, and the first must be numeric but must not be a UNIX user name, and the second must be alphabetic but must not be a UNIX group name, enter the following command:
newres SUDO scriptname data('cmd; $u | $g ; $N | $A')
If the script has more parameters than you list, then your last set of permitted parameters applies to all the remaining parameters.
Thus, the overall format for the data property is this: first the script; then the prohibited values, parameter by parameter; then the permitted values, parameter by parameter:
data('cmd; param1_prohib1 param1_prohib2 ... param1_prohibN | \
param2_prohib1 param2_prohib2 ... param2_prohibN | \
... paramN_prohib1 paramN_prohib2 ... paramN_prohibN ; \
param1_permit1 param1_permit2 ... param1_permitN | \
param2_permit1 param2_permit2 ... param2_permitN | \
... paramN_permit1 paramN_permit2 ... paramN_permitN')
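The following Python program is an added example, not CA code and not how sesudo is implemented. It parses a data property value according to the grammar above (semicolons separate the script, the prohibited field and the permitted field; vertical bars separate parameter positions; spaces separate alternative values; the last list applies to all remaining parameters) and then checks a concrete parameter list against it, so that an administrator can try a rule before deploying it. Two things the page does not spell out are assumptions here and are marked as such in the code: the order of evaluation (a parameter is rejected on any prohibited match, and, when a permitted list exists for its position, must match at least one permitted value), and the reading of $e as forbidding a call with no parameters. Variables that need the ControlMinder database or a host list ($U, $G, $h) are supplied by the caller; demo_lookups() provides constructed users, groups and hosts so the example runs offline.

```python
"""Parser and checker for the ControlMinder SUDO data property grammar.

Added example (not CA code).  Grammar as documented:
    cmd[;prohibited-lists[;permitted-lists]]
'|' separates parameter positions, whitespace separates alternative values,
and the last list applies to every further parameter.
"""
from __future__ import annotations
import fnmatch
import grp
import os
import pwd
import re
from dataclasses import dataclass
from typing import Callable

Lookup = Callable[[str], bool]


@dataclass
class SudoData:
    cmd: str
    prohibited: list[list[str]]   # one list of patterns per parameter position
    permitted: list[list[str]]


@dataclass
class Executor:
    name: str    # matched by $O
    home: str    # matched by $H (assumption: value is the home dir or lies under it)


def parse_data(text: str) -> SudoData:
    """Accept a whole newres line or just the data('...') value."""
    m = re.search(r"data\('(.*)'\)", text, re.S)
    body = m.group(1) if m else text
    parts = body.split(";", 2)                     # cmd ; prohibited ; permitted
    return SudoData(
        cmd=parts[0].strip(),
        prohibited=_split_params(parts[1]) if len(parts) > 1 else [],
        permitted=_split_params(parts[2]) if len(parts) > 2 else [],
    )


def _split_params(section: str) -> list[list[str]]:
    section = section.strip()
    return [p.split() for p in section.split("|")] if section else []


def _lookup_ok(fn: Callable[[str], object], value: str) -> bool:
    try:
        fn(value)
        return True
    except KeyError:
        return False


def os_lookups() -> dict[str, Lookup]:
    """'Existing ...' variables backed by the local OS.  $U, $G (ControlMinder
    database names) and $h (host names) have no local source here, so they
    are stubbed to False until the caller overrides them (assumption)."""
    return {
        "$u": lambda v: _lookup_ok(pwd.getpwnam, v),
        "$g": lambda v: _lookup_ok(grp.getgrnam, v),
        "$f": os.path.exists,
        "$r": lambda v: os.path.exists(v) and os.access(v, os.R_OK),
        "$w": lambda v: os.path.exists(v) and os.access(v, os.W_OK),
        "$x": lambda v: os.path.exists(v) and os.access(v, os.X_OK),
        "$h": lambda v: False, "$U": lambda v: False, "$G": lambda v: False,
    }


def demo_lookups() -> dict[str, Lookup]:
    """Constructed, OS-independent lookups so the example runs anywhere."""
    users, groups, hosts = {"root", "alice"}, {"wheel", "staff"}, {"build01"}
    d = os_lookups()
    d.update({"$u": users.__contains__, "$g": groups.__contains__,
              "$U": users.__contains__, "$G": groups.__contains__,
              "$h": hosts.__contains__})
    return d


def _match(pattern: str, value: str, who: Executor, lookups: dict[str, Lookup]) -> bool:
    if pattern == "$A":
        return value.isalpha()
    if pattern == "$N":
        return value.isdigit()
    if pattern == "$O":
        return value == who.name
    if pattern == "$H":
        home = who.home.rstrip("/")
        return value == home or value.startswith(home + "/")
    if pattern == "$e":
        return False                 # only meaningful for an empty call (see check_args)
    if pattern in lookups:
        return lookups[pattern](value)
    return fnmatch.fnmatchcase(value, pattern)   # standard UNIX wildcards


def _rules_for(lists: list[list[str]], i: int) -> list[str]:
    """Patterns for parameter position i; the last list covers the rest."""
    if not lists:
        return []
    return lists[i] if i < len(lists) else lists[-1]


def check_args(data: SudoData, args: list[str], who: Executor,
               lookups: dict[str, Lookup] | None = None) -> tuple[bool, str]:
    """Return (allowed, reason).  Evaluation order is an assumption:
    any prohibited match rejects; a permitted list, if present, must match."""
    lookups = os_lookups() if lookups is None else lookups
    if not args:    # assumption: $e in the first prohibited list forbids a bare call
        if "$e" in _rules_for(data.prohibited, 0):
            return False, "calling with no parameters is prohibited ($e)"
        return True, "ok"
    for i, arg in enumerate(args, 1):
        pro, per = _rules_for(data.prohibited, i - 1), _rules_for(data.permitted, i - 1)
        if any(_match(p, arg, who, lookups) for p in pro):
            return False, f"parameter {i} {arg!r} matches a prohibited value"
        if per and not any(_match(p, arg, who, lookups) for p in per):
            return False, f"parameter {i} {arg!r} matches no permitted value"
    return True, "ok"


if __name__ == "__main__":
    rule = parse_data("newres SUDO scriptname data('cmd; $u | $g ; $N | $A')")
    alice = Executor("alice", "/home/alice")
    for argv in (["42", "abc"], ["root", "abc"], ["42", "staff"]):
        print(argv, check_args(rule, argv, alice, demo_lookups()))
```

Run it with real rules from your own database to see which invocations a record admits; pass os_lookups() (the default) instead of demo_lookups() to resolve $u, $g and the file variables against the host the check runs on.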
Copyright © 2013 CA Technologies.
All rights reserved.