All versions of Centrify DirectControl
The restricted shell is unable to expand the glob character * (asterisk) when running a command as another user. Instead, it treats the * as a regular character and does not use it to expand filenames.
The restricted shell command is defined to allow the command "ls -ltr /tmp/donald/myfile*.log" as user donald. The user tetsu must run this command as donald in order to list files that belong to donald.
The command is defined in DirectAuthorize as:
Command: /bin/ls -ltr /tmp/donald/myfile.+\.log
The user donald can run the command successfully:
The user tetsu gets an error: No such file or directory
This problem is due to a constraint on the functionality of dzdo. In this scenario, it is dzsh's job to expand the *, but since tetsu is the one running dzsh and tetsu cannot read the directory, DirectAuthorize cannot do the filename expansion. DirectAuthorize simply passes the *, as a regular character, to /bin/ls.
The /bin/ls command runs as user donald, but since /bin/ls is NOT a shell it does not expand the *; it treats the * as part of a file name. /bin/ls finds no file with a literal * in its name and reports: No such file or directory.
The constraint on dzdo can be worked around by defining the DirectAuthorize command so that it executes in a shell. In this way, the * is passed to a shell running as donald, which expands it into the matching filenames before /bin/ls runs.
The correct command definition for this example is:
Command: /bin/sh -c /bin/ls -ltr /tmp/donald/myfile.+\.log
User tetsu can now successfully execute the command using dzdo. Note: tetsu does not need to be in the restricted shell; he just enters the command in his normal shell using dzdo.
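The following script is an added example, not part of the Centrify article, that reproduces the behaviour described above with plain sh and ls and no dzdo, dzsh or DirectAuthorize involved. The directory name, the file names and the helper function names are constructed for the demonstration. Case 1 hands ls a literal `*` (what dzdo does when it execs /bin/ls directly); case 2 hands the same command line to `sh -c`, which is what the corrected command definition does.

```shell
#!/bin/sh
# Added example, not Centrify's code: show why a literal '*' fails in ls
# and why wrapping the command in 'sh -c' makes the glob expand.
# DEMO_DIR, the file names and the function names are constructed here.

DEMO_DIR="${TMPDIR:-/tmp}/dz_glob_demo.$$"

# Create a directory with two files matching myfile*.log and one that does not.
setup_demo() {
    mkdir -p "$DEMO_DIR" || return 1
    : > "$DEMO_DIR/myfile1.log"
    : > "$DEMO_DIR/myfile2.log"
    : > "$DEMO_DIR/other.txt"
}

cleanup_demo() {
    rm -rf "$DEMO_DIR"
}

# Case 1: ls receives the argument with a literal '*'. Quoting here keeps the
# calling shell from expanding it, which mirrors dzdo passing the pattern
# through unexpanded. ls looks for a file literally named "myfile*.log",
# fails with "No such file or directory" and returns non-zero.
ls_without_shell() {
    ls -ltr "$DEMO_DIR/myfile*.log" 2>/dev/null
}

# Case 2: the same command line is given to 'sh -c'. The inner shell expands
# the glob before exec'ing ls, so ls sees the two real file names.
# Prints the number of entries ls listed (expected: 2).
ls_with_shell() {
    sh -c "ls -ltr $DEMO_DIR/myfile*.log" 2>/dev/null | wc -l | tr -d ' '
}

# Run both cases and report what happened.
run_demo() {
    setup_demo || return 1
    if ls_without_shell; then
        echo "unexpected: literal '*' matched a file"
    else
        echo "without shell: ls failed, the literal '*' was not expanded"
    fi
    echo "with shell: $(ls_with_shell) file(s) listed"
    cleanup_demo
}

run_demo
```

Because the inner shell now interprets the argument, the DirectAuthorize pattern (`myfile.+\.log` in the article) is the only thing constraining what tetsu can ask ls to list, so keep that pattern as tight as the use case allows.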