Applies to: Centrify DirectControl 5.1
After deploying Centrify 2013/5.1, running dzdo -i from an account now produces the following message:
[chlewis@nbsrvadm-02v ~]$ dzdo -i
It can only run as user root, default to run as root
On a Centrify 2012.2 server, no message is displayed:
[chlewis@swsrvcomp-02 ~]$ dzdo -i
What is this new message and is there a way to disable it?
This was an intentional change. Prior to Suite 2013, dzdo always assumed that the "run as" user was root if none was specified with -u.
The command was denied if no such right existed.
If a user runs a dzdo command that can only match 1 pattern, but the command can only run as user oraadm, then dzdo will fail.
The command needs to be specified as:
dzdo -u oraadm <cmd>
Since this can only run as oraadm, why can it not be assumed that the command will be run as that account?
In Suite 2013, dzdo has been changed to recognize when the command pattern matches only 1 role and 1 right, so that there is no ambiguity about the "run as" user. In that case it proceeds to run <cmd> as the user the right specifies, and the user is notified what the "run as" account is (it may not be root).
This message cannot be suppressed.
There is no loss of functionality, as the command will still be executed.
1) The "-u" flag can be used (specifying the username)
2) In the UI, add another "run as" user (for example, "test") to the command right (to introduce ambiguity).
This issue has been fixed in DirectControl version 5.1.1 - Suite 2013.2.