Command Reference
This feature is currently available only to customers participating in our public preview. To access public preview features, see Using the Public Preview Program.
This page gives examples and details about the commands that can be specified as part of a Granular Privilege Elevation PCS policy. For an overview and step-by-step instructions on how to create this type of policy, see Step 10: Set Up PCS Policies in the PCS End-to-End Installation and Run Guide.
Controlling Access to Commands
In a standard UNIX shell environment, an ordinary user account can execute a large number of common command-line programs without any special privileges, while commands that perform privileged operations require an administrative account such as root. Ordinary users who need to run one of those privileged commands must either switch to an administrative account, which means knowing a privileged user's password, or be granted access to the specific command through entries in a sudoers file.
For Linux and UNIX computers managed by Delinea Platform, however, you can define command access rights to tightly control the specific commands users can execute. You can also refine those rights to only allow specific arguments to be used or to require an executable to be located in a specific directory.
There are no predefined rights for commands. Therefore, only the specific command access rights you define will be available for you to add to roles.
What Command Rights Provide
Command access rights identify the specific commands that can be executed on a Linux or UNIX computer by a user assigned the role to which the rights are added. Command rights also specify whether the commands defined in the right are executed under the user’s own account or using another user account.
There are two primary reasons for defining command rights:
- To grant access to specific commands that must be executed with elevated privileges.
- To restrict access to only allow specific commands to be executed.
Granting Access Using Command Rights
The most common reason for creating a command right is to allow users to execute commands that require privileges not granted to a standard UNIX user account. For example, you might want to grant some users permission to run command-line programs that require root privileges to better manage their own computers.
With this type of command right, most commands are executed in the default shell environment with ordinary user privileges. When users assigned to a role with this type of command right want to use their elevated privileges, they invoke the command they have been granted access to using the dzdo command. This type of command right is similar to configuring privileges in a sudoers file, then invoking a command using sudo.
This type of command right is appropriate for UNIX users who have a standard shell environment and only need elevated rights to perform specific tasks.
Examples of Windows Elevated Privilege Commands and Apps
Here are some examples of Windows elevated privilege commands and applications, which you could include in a command set entitled "Windows Management Tools" or something similar:
Privilege Elevation Command Name | Application and Arguments | Path |
---|---|---|
Server Manager | ServerManager.exe | Standard system path |
Service Control Manager | sc.exe | Standard system path |
Microsoft Management Console (MMC) | mmc.exe | Standard system path |
Examples of Linux Elevated Privilege Commands and Apps
Here are some examples of Linux elevated privilege commands and applications you could include in a command group named "Linux commands" or something similar.
In these command definitions, glob pattern matching is used to expand any wildcard expressions. For more information, see About Glob Expressions.
Privilege Elevation Command Name | Command | Argument | Match Path | Description |
---|---|---|---|---|
Edit SSH server config | `vi` | `/etc/ssh/sshd_config` | Standard user path | Allows the granted user to edit the SSH server's configuration file; no other argument matches this right |
Edit SSH | `vi` | `/etc/ssh/*_config` | Standard user path | Allows the granted user to edit any SSH-related configuration file under /etc/ssh |
Change firewall | `iptables` | `-A INPUT -s * -j ACCEPT` | Standard system path | Allows the granted user to add firewall rules that accept inbound connections from the specified source hosts |
Restart PostgreSQL | `systemctl` | `restart pgsql` | Standard system path | Allows the granted user to restart the PostgreSQL service |
Two points to keep in mind when reading these definitions. First, the argument glob is matched against the argument string as a whole, so the `*` in the firewall right matches any source, including `0.0.0.0/0`, and the right therefore also permits a rule that accepts inbound traffic from every host. Second, once a command matches it runs with the privileges of the target account: vi can start a shell from inside the editor (for example with `:!sh`), so a right that runs vi as root is in practice a root right, and the "nothing else" restriction holds only for the argument, not for what the editor can do once it is running.
When you add or modify privilege elevation commands, you can also specify which user accounts the commands will run as. The root user is the default; you can add one or more other accounts under Run Command As.
Linux PCS Template Commands
Privilege Elevation Command Template | Command | Argument | Match Path | Run Command As | Description |
---|---|---|---|---|---|
Any command (Root Equivalent) | `*` | | Specific path | Root user | Allows the user to run any command as root. |
Delinea PCS - adcdiag | `adcdiag` | `*` | Specific path | Root user | Allows the user to execute adcdiag with any argument. The adcdiag diagnostic tool checks whether the environment is ready for MFA. |
Delinea PCS - adflush | `adflush` | `*` | Standard system path | Root user | Allows the user to execute adflush with any argument. The adflush tool flushes the agent's local cache so that the latest data is pulled from the PCS tenant. |
Delinea PCS - adinfo | `adinfo` | `*` | Standard system path | Root user | Allows the user to execute adinfo with any argument. The adinfo diagnostic tool reports the agent's AD status. |
Delinea PCS - dzinfo | `dzinfo` | `*` | Specific path | Root user | Allows the user to execute dzinfo with any argument. The dzinfo diagnostic tool reports the commands available to the user. |
System - env | `env` | `*` | Standard user path | Root user | Allows the user to execute env with any argument. |
System - groups | `groups` | `*` | Standard user path | Root user | Allows the user to execute groups with any argument. |
System - httpd | `service` | `httpd* *` | Standard user path | Root user | Allows the user to execute service httpd with any argument. |
System - id | `id` | `*` | Standard user path | Root user | Allows the user to execute id with any argument. |
System - ls | `ls` | `*` | Standard user path | Root user | Allows the user to execute ls with any argument. |
System - mkdir | `mkdir` | `*` | Standard user path | Root user | Allows the user to execute mkdir with any argument. |
System - mv | `mv` | `*` | Standard user path | Root user | Allows the user to execute mv with any argument. |
System - NO Bash | `!bash` | | Standard user path | Root user | Prevents the user from executing bash. |
System - NO su | `!su` | | Standard user path | `*` | Prevents the user from executing su to switch to any other user account. |
System - NO su to root | `!su` | `- root` | Standard user path | Root user | Prevents the user from executing su to switch to the root user account. |
System - rm | `rm` | `*` | Standard user path | Root user | Allows the user to execute rm with any argument. |
System - stat | `stat` | `*` | Standard user path | Root user | Allows the user to execute stat with any argument. |
System - touch | `touch` | `*` | Standard user path | Root user | Allows the user to execute touch with any argument. |
Several of these templates are root-equivalent in practice even though they name a single program: env runs whatever program its argument names, and rm and mv with an argument of `*` can remove or replace any file on the system when run as root. Treat them with the same care as the Any command template. Also note that a deny template only blocks what its argument pattern matches: `!su` with the argument `- root` does not match `su root`, `su -l root`, or a bare `su` (which switches to root by default), so pair it with the broader NO su template or add rights for those forms and verify the result with dzinfo.
About Linux Match Paths
When you specify a match path, you can select one of the following options:
- Standard system path
- Standard user path
- System search path
- Specify path
Each match path maps to one or more of the binary directories on Linux systems as follows:
Path Setting | Included Directories |
---|---|
System Path | /sbin , /usr/sbin |
User Path | /bin , /usr/bin |
Search Path | /sbin , /usr/sbin , /bin , /usr/bin |
Linux uses each directory for a specific purpose, as follows (text adapted from Linux help output):
- /bin: For binaries usable before the /usr partition is mounted. This directory holds the trivial binaries used in the very early boot stage, or those you need available when booting into single-user mode, such as cat and ls.
- /sbin: Same, but for binaries that require superuser (root) privileges.
- /usr/bin: Same as /bin, but for general system-wide binaries.
- /usr/sbin: Same as /usr/bin, but for binaries that require superuser (root) privileges.
On distributions with a merged /usr layout, /bin and /sbin are symbolic links to /usr/bin and /usr/sbin, so the same binary is reachable under both paths; a right that is meant to pin a command to one directory should be tested against the layout actually in use on the managed computer.
About Glob Expressions
Glob pattern matching is text matching: a pattern that contains no special characters, such as app, matches only the exact text app. Glob patterns are commonly used in Unix shells and in the Windows command prompt.
The glob standard gives special meaning to a few characters:
Glob Character | Description | Example Pattern | Example Results |
---|---|---|---|
`*` (asterisk) | Matches any number of characters, including zero | `app*` | application, apple, app |
| | | `b*d` | bad, bud, bid, bGd, bland, "before we sighted land" |
`?` (question mark) | Matches any one character | `b?d` | bad, bud, bid, bGd |
`[ ]` (brackets) | Matches exactly one character from the set listed between the brackets; the set itself can list any number of characters | `the*brown*f?x j[au]*` | "the quick brown fox jumps", "the sly, silly brown fox jabbered" |
Note that `*` also matches spaces, as the "before we sighted land" result shows, so a single `*` inside a command argument pattern can match several space-separated arguments rather than just one.
For the complete documentation for the glob standard, see https://man7.org/linux/man-pages/man7/glob.7.html.
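To make the matching rules described in the command tables, the match-path section and the glob section concrete, here is an added example that is not Delinea's code. It models a command right as the tuple the page describes (command, argument glob, match path, run-as account, with a leading `!` marking a deny) and evaluates whether a dzdo request would match. It uses Python's fnmatch as a stand-in for the platform's glob matcher, a constructed list of installed binaries in place of a real filesystem, assumes that a matching deny right wins over any grant, and assumes the system search path for the Any command template where the page says "Specific path"; none of those details are documented on this page.

```python
"""Simulated evaluation of PCS-style command rights (constructed example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Directories behind each match-path option, from "About Linux Match Paths".
MATCH_PATHS = {
    "Standard system path": ["/sbin", "/usr/sbin"],
    "Standard user path": ["/bin", "/usr/bin"],
    "System search path": ["/sbin", "/usr/sbin", "/bin", "/usr/bin"],
}

# Constructed stand-in for the host filesystem: the binaries we pretend are installed.
INSTALLED = {
    "/usr/bin/vi", "/usr/bin/env", "/usr/bin/su", "/usr/bin/ls",
    "/usr/sbin/iptables", "/home/alice/bin/vi",
}


@dataclass(frozen=True)
class CommandRight:
    name: str
    command: str          # program name (glob allowed); a leading "!" makes it a deny right
    argument: str         # glob matched against the whole argument string, spaces included
    match_path: str       # a key of MATCH_PATHS, or a literal directory for "Specify path"
    run_as: str = "root"  # "*" means any account

    @property
    def deny(self) -> bool:
        return self.command.startswith("!")

    @property
    def program(self) -> str:
        return self.command.lstrip("!")


def resolve(program: str, match_path: str, installed=INSTALLED) -> Optional[str]:
    """Return the path of `program` if it lives in one of the match-path directories."""
    dirs = MATCH_PATHS.get(match_path, [match_path.rstrip("/")])
    if "/" in program:  # caller supplied an explicit path: it must lie inside the match path
        directory = program.rsplit("/", 1)[0]
        return program if directory in dirs and program in installed else None
    for d in dirs:
        if f"{d}/{program}" in installed:
            return f"{d}/{program}"
    return None


def evaluate(rights, program: str, args, run_as: str = "root"):
    """Decide whether `dzdo program args...` run as `run_as` is permitted.

    Returns ("allow", right name), ("deny", right name) or ("no-match", None).
    Assumption of this model: a matching deny right wins over any grant.
    """
    base = program.rsplit("/", 1)[-1]
    argstr = " ".join(args)
    decision, matched = "no-match", None
    for r in rights:
        if r.run_as not in ("*", run_as):
            continue
        if not fnmatchcase(base, r.program) or not fnmatchcase(argstr, r.argument):
            continue
        if resolve(program, r.match_path) is None:
            continue
        if r.deny:
            return "deny", r.name
        if decision == "no-match":
            decision, matched = "allow", r.name
    return decision, matched


# Rights taken from the tables on this page. The "Any command" match path is an
# assumption (the page says "Specific path"); the system search path is used here.
RESTRICTED = [
    CommandRight("Edit SSH server config", "vi", "/etc/ssh/sshd_config", "Standard user path"),
    CommandRight("Change firewall", "iptables", "-A INPUT -s * -j ACCEPT", "Standard system path"),
    CommandRight("System - env", "env", "*", "Standard user path"),
    CommandRight("System - NO su to root", "!su", "- root", "Standard user path"),
]
ROOT_EQUIVALENT = RESTRICTED + [
    CommandRight("Any command (Root Equivalent)", "*", "*", "System search path"),
]

if __name__ == "__main__":
    for rights, prog, args in [
        (RESTRICTED, "vi", ["/etc/ssh/sshd_config"]),
        (RESTRICTED, "vi", ["/etc/passwd"]),
        (RESTRICTED, "/home/alice/bin/vi", ["/etc/ssh/sshd_config"]),
        (RESTRICTED, "iptables", ["-A", "INPUT", "-s", "0.0.0.0/0", "-j", "ACCEPT"]),
        (RESTRICTED, "env", ["/bin/sh"]),
        (ROOT_EQUIVALENT, "su", ["-", "root"]),
        (ROOT_EQUIVALENT, "su", ["root"]),
    ]:
        print(f"{prog} {' '.join(args)!r:32} -> {evaluate(rights, prog, args)}")
```

Running the script shows why the caveats in the tables matter: `vi /etc/ssh/sshd_config` matches the narrow editing right while `/home/alice/bin/vi` does not, because that binary is outside the user match path; the firewall right accepts `0.0.0.0/0` as a source; `env /bin/sh` matches the env template; and the `- root` deny catches `su - root` but not `su root` or a bare `su`, both of which the root-equivalent grant then allows.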