KB-3408: How to allow "dzdo su - *", but disallow "dzdo su - root"

Centrify DirectControl

12 April 2016 at 11:08 AM

Applies to: All versions of Centrify DirectControl on All Platforms
 
Question:
Is it possible to configure dzdo Command Rights so that a user can run "su - *" for any account except root, i.e. so that "su - root" is denied?
 
In other words,
su - user1
su - user2
...
su - alluser
are allowed, while
 
su - root
is not allowed.
 
Answer:

(Note: This is only an example of how to negate specific forms (i.e. "su -", "su - root", "su - root *", "su - ") of a defined privileged command "su - *". It does not aim to block every way a user can switch to root; see SECURITY NOTES below.)

To achieve this, define the two Command Rights below, add both to a Role, and then assign that Role to the target user:
 
su - *                   (Glob expression) - allows "su - <user>" for any user name
!su -($| root($| .*))    (Regular expression) - the leading "!" negates the right; it denies "su -" (no user name, which su treats as root), "su - root" and "su - root <anything>". "su - " with a trailing space is the same command line as "su -" once the shell has split the arguments.
 
Only command lines that match the negated pattern are denied. Forms such as "su -l root", "su --login root" or "su root" match neither of these two rights, so they are governed by whatever other Command Rights the user's Roles grant (for example a "*" right, as in the dzinfo output below).
 
After assigning the Command Rights to a target user, go to the UNIX machine and run the command below to update the local cache:
 
  adflush -f
 
Run "dzinfo <target AD user>" and make sure the command rights can be seen in the output. 
 
For example:
 
========== 
[root@RedHat Desktop]# dzinfo fred.thomas 
User: fred.thomas 
Forced into restricted environment: No 
 
Role Name Avail Restricted Env 
--------------- ----- -------------- 
login/FIN Yes None 
FinDSA/FIN Yes None 
login/Global Yes None 
 
Effective rights: 
Password login 
Non password login 
Allow normal shell 
 
Audit level: 
AuditIfPossible 
 
Always permit login: 
false 
 
PAM Application Avail Source Roles 
--------------- ----- -------------------- 
* Yes login/Global 
* Yes FinDSA/FIN 
* Yes login/FIN 
 
Privileged commands: 
Name                  Avail Command                  Source Roles 
--------------------- ----- ------------------------ -------------------- 
su to all/FIN         Yes   su - *                   FinDSA/FIN 
Block su to root/FIN  Yes   !su -($| root($| .*))    FinDSA/FIN 
ALL/FIN               Yes   *                        login/FIN 
ls -al/FIN            Yes   ls -al                   login/FIN 
ls/FIN                Yes   ls                       login/FIN 
 
Commands in restricted environment: 
Name                  Avail Command                  Run As 
--------------------- ----- ------------------------ ---------- 
su to all/FIN         Yes   su - *                   self 
Block su to root/FIN  Yes   !su -($| root($| .*))    self 
ALL/FIN               Yes   *                        self 
ls -al/FIN            Yes   ls -al                   self 
ls/FIN                Yes   ls                       self 
========== 
 
With both Command Rights assigned, fred.thomas can now run "dzdo su - <anyone except root>" but is refused "dzdo su - root": 
 
========== 
[root@RedHat Desktop]# su - fred.thomas 
[fred.thomas@RedHat ~]$ dzdo su - test2 
It can only run as user root, default to run as root 
[test2@RedHat ~]$ exit 
logout 
[fred.thomas@RedHat ~]$ dzdo su - root 
Sorry, user fred.thomas is not allowed to execute '/bin/su - root' as root on RedHat. 
========== 
 
 
Without the second Command Right, fred.thomas can run "dzdo su - <any user, including root>": 
 
========== 
[root@RedHat Desktop]# dzinfo fred.thomas 
User: fred.thomas 
Forced into restricted environment: No 
 
Role Name Avail Restricted Env 
--------------- ----- -------------- 
login/FIN Yes None 
FinDSA/FIN Yes None 
login/Global Yes None 
 
Effective rights: 
Password login 
Non password login 
Allow normal shell 
 
Audit level: 
AuditIfPossible 
 
Always permit login: 
false 
 
PAM Application Avail Source Roles 
--------------- ----- -------------------- 
* Yes login/Global 
* Yes FinDSA/FIN 
* Yes login/FIN 
 
Privileged commands: 
Name Avail Command Source Roles 
--------------- ----- -------------------- -------------------- 
su to all/FIN Yes su - * FinDSA/FIN 
ALL/FIN Yes * login/FIN 
ls -al/FIN Yes ls -al login/FIN 
ls/FIN Yes ls login/FIN 
 
Commands in restricted environment: 
Name Avail Command Run As 
--------------- ----- -------------------- ---------- 
su to all/FIN Yes su - * self 
ALL/FIN Yes * self 
ls -al/FIN Yes ls -al self 
ls/FIN Yes ls self 
 
[root@RedHat Desktop]# su - fred.thomas 
[fred.thomas@RedHat ~]$ dzdo su - test2 
It can only run as user root, default to run as root 
[test2@RedHat ~]$ exit 
logout 
[fred.thomas@RedHat ~]$ dzdo su - root 
It can only run as user root, default to run as root 
[root@RedHat ~]# exit 
logout 
========== 
 
SECURITY NOTES
 
Limitations of the '!' operator
 
It is generally not effective to "subtract" commands from a wildcard such as ALL (or from the "*" right that login/FIN grants in the dzinfo output above) using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that, by invoking a form the negated pattern does not match (for example "su -l root" instead of "su - root"), or by using a shell escape from an editor or other program. The sudoers manual illustrates the point with the equivalent sudo construct:

bill    ALL = ALL, !SU, !SHELLS

This does not really prevent bill from running the commands listed in SU or SHELLS, since he can simply copy those commands to a different name. Restrictions of this kind should therefore be considered advisory at best and be reinforced by policy.

In general, if a user has sudo ALL (or a dzdo right of "*"), there is nothing to prevent them from creating their own program that gives them a root shell, or from making their own copy of a shell, regardless of any '!' elements in the user specification.
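To see concretely which command lines the two Command Rights above accept, and why the notes matter, the following is an added shell harness that is not part of the KB or of Centrify's tooling. It models the Glob right with a shell 'case' pattern and the negated Regular-expression right with a POSIX ERE anchored at the start, and assumes that a negated right overrides a matching allow right (as the dzdo session above shows in practice); how dzdo itself tokenizes and anchors patterns is an assumption to confirm with dzinfo on a test host. The second function adds the "*" right that login/FIN grants in the KB's dzinfo output, which is exactly the situation the SECURITY NOTES warn about.

```shell
#!/bin/sh
# Added example, not part of the KB or of Centrify's tooling: an offline harness
# that classifies command lines against the two Command Rights from this KB.
# ASSUMPTIONS: dzdo compares a Glob right against the whole command line the way
# a shell 'case' pattern does, compares a Regular-expression right as a POSIX ERE
# anchored at the start, and lets a negated ('!') right override any matching
# allow right (the dzdo session above shows the override in practice).
# Confirm against 'dzinfo <user>' on a test host before relying on the output.

# The negated Regular-expression right from the KB, anchored so it must match
# from the first character of the command line.
DENY_RE='^su -($| root($| .*))'

# Classify one command line as dzdo receives it, i.e. after the shell has split
# the words (so "dzdo su - " arrives as "su -"). Prints DENY, ALLOW or NOMATCH.
decide() {
    if printf '%s\n' "$1" | grep -Eq "$DENY_RE"; then
        echo DENY                      # the '!' right wins
    else
        case "$1" in
            'su - '*) echo ALLOW ;;    # the Glob right "su - *" as a shell pattern
            *)        echo NOMATCH ;;  # neither right applies; other rights decide
        esac
    fi
}

# The same user with the additional "*" right that login/FIN grants in the
# dzinfo output above: every command the negation does not name is allowed.
decide_with_all() {
    r=$(decide "$1")
    if [ "$r" = NOMATCH ]; then echo ALLOW; else echo "$r"; fi
}

# Constructed sample command lines (no real user data).
samples='su - test2
su - root
su - root -c id
su -
su -l root
su --login root
su root
/bin/bash'

printf '%-20s %-8s %s\n' 'command line' 'su-only' 'with *'
printf '%s\n' "$samples" | while IFS= read -r cmd; do
    printf '%-20s %-8s %s\n' "$cmd" "$(decide "$cmd")" "$(decide_with_all "$cmd")"
done
```

The first column is the Role as the KB defines it: only "su - <user>" forms are reachable and the root forms are denied. The second column is what fred.thomas actually has in the dzinfo output above, because login/FIN also grants "*": "su -l root", "su root" and "/bin/bash" are matched by neither su right and pass straight through, which is the limitation described in the SECURITY NOTES.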
