Applies to: All versions of Centrify DirectAuthorize
When a dzdo command is defined with elevated privilege and uses Glob expressions, adclient performs string pattern checking only. If an asterisk (*) is defined in the command, users can supply any string in its place, including "/.." to traverse up the directory tree.
For example, a user granted the privileged command "vi /tmp/*" is able to edit the sudoers file by executing the command:
# dzdo vi /tmp/../etc/sudoers
Option 1: In the current version, do not define "*" in a command that uses Glob expressions.
Option 2: Use Regular expressions. Regular expressions will not accept "/../" as a valid expression and will not allow the command to be executed.
Starting from Suite 2016.1 there is a new attribute in hierarchical zone Unix Command Right to allow dzdo/dzsh to check all command arguments and prevent navigation up a path hierarchy. Please refer to the 'Prevent navigation up a path hierarchy' checkbox in Access Manager (Suite 2016.1).
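To make the difference between the three checks concrete, here is an added illustration (not Centrify code) of a naive glob match on the full command string, an anchored regular-expression right, and a hypothetical per-argument check that refuses navigation above the granted directory, applied to the "vi /tmp/*" right from this article. The regex and the traversal check are assumed implementations for demonstration only.

```python
import fnmatch
import posixpath
import re

# The right granted on the page, and a hypothetical regex equivalent that
# only accepts a single path component below /tmp.
GLOB_RIGHT = "vi /tmp/*"
REGEX_RIGHT = re.compile(r"^vi /tmp/[^/]+$")


def glob_allows(cmdline: str, pattern: str = GLOB_RIGHT) -> bool:
    """Plain string pattern check: '*' matches any text, '/..' included."""
    return fnmatch.fnmatchcase(cmdline, pattern)


def regex_allows(cmdline: str, pattern: re.Pattern = REGEX_RIGHT) -> bool:
    """Anchored regex: '[^/]+' cannot span a '/', so '/../' never matches."""
    return pattern.match(cmdline) is not None


def argument_stays_under(arg: str, base: str) -> bool:
    """Lexically normalise the argument and require it to remain inside base.
    Hypothetical 'prevent navigation up a path hierarchy' check; a real
    implementation on the host should also resolve symlinks (realpath)."""
    norm = posixpath.normpath(arg)
    base = posixpath.normpath(base)
    return norm == base or norm.startswith(base + "/")


def hardened_allows(cmdline: str, pattern: str = GLOB_RIGHT) -> bool:
    """Glob match plus a traversal check on every wildcarded path argument."""
    if not glob_allows(cmdline, pattern):
        return False
    _, *pat_args = pattern.split()
    _, *args = cmdline.split()
    for pat_arg, arg in zip(pat_args, args):
        if "*" in pat_arg and "/" in pat_arg:
            # Directory prefix the right was meant to cover, e.g. "/tmp"
            base = pat_arg.split("*", 1)[0].rstrip("/") or "/"
            if not argument_stays_under(arg, base):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample commands: a legitimate edit and the traversal case
    for cmd in ("vi /tmp/notes.txt", "vi /tmp/../etc/sudoers"):
        print(cmd, glob_allows(cmd), regex_allows(cmd), hardened_allows(cmd))
```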