
KB-8374: Restricted Shell is Unable to Expand the Glob Character "*"

Product: Authentication Service

20 March 2017, 07:39 PM

Applies to:
All versions of Centrify DirectControl


When a command is run as another user through the restricted shell, the glob character * (asterisk) in the command line is not expanded. The restricted shell passes the * through as a literal character instead of using it to match filenames, so the target command never sees the files the pattern was meant to select.

For example:

A DirectAuthorize command right is meant to allow the command "ls -ltr /tmp/donald/myfile*.log" to be run as user donald. The user tetsu needs to run this command as donald so that he can list files in a directory that only donald can read.

The command is defined in DirectAuthorize as a regular expression pattern (so ".+\.log" is what matches the literal text "*.log" typed by the user):

Command: /bin/ls -ltr /tmp/donald/myfile.+\.log

The user, donald, can run the command successfully:

[screenshot: donald runs the ls command and the matching files are listed]

The user, tetsu, gets an error: No such file or directory

[screenshot: tetsu runs the same command through dzdo and ls reports "No such file or directory"]


This is a consequence of how dzdo is invoked, not a defect in /bin/ls. Filename expansion is the job of the shell that parses the command line, and it happens before the command is handed to dzdo. In this scenario that shell is dzsh running as tetsu. Because tetsu cannot read /tmp/donald, the pattern /tmp/donald/myfile*.log matches nothing, the shell leaves it unchanged, and DirectAuthorize passes the literal string, * included, to /bin/ls.

/bin/ls then runs as donald, who can read the directory, but ls is not a shell and does no globbing of its own. It looks for a file literally named myfile*.log, finds none, and reports: No such file or directory.


The constraint can be worked around by defining the DirectAuthorize command so that it runs through a shell. The pattern is then handed, still unexpanded, to a shell that runs as donald; that shell can read the directory and expands the * correctly before invoking /bin/ls.

The command definition for this example becomes:
Command: /bin/sh -c /bin/ls -ltr /tmp/donald/myfile.+\.log

User tetsu can now execute the command with dzdo, for example: dzdo /bin/sh -c "/bin/ls -ltr /tmp/donald/myfile*.log". Quoting the argument to -c is recommended so that tetsu's own shell does not attempt the expansion and the literal pattern reliably reaches /bin/sh, whatever glob options the calling shell has set. Note: tetsu does not need to be in the restricted shell for this; he enters the command in his normal shell using dzdo.

Caveat: once the defined command is /bin/sh -c, everything the pattern accepts is interpreted by a shell running as donald. The ".+" in the pattern matches any characters, including shell metacharacters such as ";", "|" and "$(", so a string like "/bin/ls -ltr /tmp/donald/myfile; some-other-command .log" also matches the definition and the shell would run the injected command. Restrict the wildcard portion to the characters a filename pattern actually needs (for example "myfile[A-Za-z0-9_*?.-]*\.log") rather than ".+" when granting a command that passes through sh -c.
[screenshot: tetsu runs dzdo /bin/sh -c with the quoted pattern and the files are listed]
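The following script is an added example and is not part of the Centrify article or product. It reproduces the mechanics described above without dzdo: a literal "*" handed to /bin/ls fails, while the same pattern handed to /bin/sh -c is expanded by that shell. It also checks the caveat about the ".+" pattern by matching candidate command lines against the KB's regular expression and against a tighter one. The scratch directory, file names and the tight pattern are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Centrify KB. Shows why a literal "*" reaching
# /bin/ls fails, why "/bin/sh -c" fixes it, and why ".+" in a sh -c command
# pattern is dangerous.

# Constructed sample data: a scratch directory standing in for /tmp/donald.
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
: > "$DEMO_DIR/myfile1.log"
: > "$DEMO_DIR/myfile2.log"
: > "$DEMO_DIR/other.txt"

# What /bin/ls receives when the caller's shell could not expand the glob:
# the "*" arrives as a literal character. Returns ls's (nonzero) status.
ls_literal_glob() {
    /bin/ls -ltr "$DEMO_DIR/myfile*.log" 2>/dev/null
}

# The KB's workaround: hand the still-quoted pattern to a shell, which does
# the expansion itself before running /bin/ls. Returns ls's status.
ls_via_sh() {
    /bin/sh -c "/bin/ls -ltr $DEMO_DIR/myfile*.log" 2>/dev/null
}

# Number of files the sh -c form matches (expected: 2).
count_via_sh() {
    /bin/sh -c "/bin/ls $DEMO_DIR/myfile*.log" 2>/dev/null | wc -l | tr -d ' '
}

# Caveat check: does the KB's pattern accept the given command line?
# ".+" matches ";" too, so an injected command also matches. Returns 0 on match.
kb_pattern_accepts() {
    printf '%s\n' "$1" | grep -Eq '^/bin/ls -ltr /tmp/donald/myfile.+\.log$'
}

# A tighter pattern (constructed for this example) that only admits the
# characters a filename glob needs, so shell metacharacters are rejected.
tight_pattern_accepts() {
    printf '%s\n' "$1" | grep -Eq '^/bin/ls -ltr /tmp/donald/myfile[A-Za-z0-9_*?.-]*\.log$'
}

# Stand-alone demo output.
if ls_literal_glob; then
    echo "literal * was expanded (unexpected)"
else
    echo "literal *: No such file or directory (as in the KB)"
fi
echo "via /bin/sh -c: $(count_via_sh) file(s) matched"
INJECTED='/bin/ls -ltr /tmp/donald/myfile; id; echo .log'
kb_pattern_accepts "$INJECTED" && echo "KB pattern accepts injected command"
tight_pattern_accepts "$INJECTED" || echo "tight pattern rejects injected command"
```

Run it as any user; no privilege switch is needed because the point is the literal-versus-expanded "*" and the regular expression match, both of which behave the same regardless of who runs them.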