Customizing Command Execution Attributes
You can modify the default command execution attributes that are used when commands run in either the non-restricted shell or in a restricted shell environment. In most cases, changes are rarely required for commands that run in a non-restricted shell. It is more common to change the execution attributes for commands that run in restricted shell environments. For example, you can use the execution attributes to control whether an allowed command can invoke a nested command. In a restricted shell environment, you might want to prevent a command from invoking nested commands to reduce the chance that users can run commands not explicitly defined for their environment.
If you want to set any execution attributes for a command right, click the Attributes tab. You can then select different options to control different aspects of command execution.
Requiring Re-Authentication to Run Commands
After successful authentication during the login process, you can control whether running a command in a restricted shell or using elevated privileges requires re-authentication or not. If you want to require re-authentication, select the authentication rules to apply. When defining the rights for executing commands, you can select from the following authentication options:
- No re-authentication required
  Select this option to allow users to run the command without any additional authentication.
- Re-authenticate current user
  Select this option to require the user to be re-authenticated with their own credentials before running the command. If you select this option, you can also specify whether re-authentication requires the user to provide their password, requires their password and another form of authentication, or requires multi-factor authentication as determined by the authentication profile configured in Privileged Access Service, which might or might not involve providing a password.
  If you select both Use password and Require multi-factor authentication for login, users are prompted to type their password and provide another form of authentication before the command is executed. If you have configured the authentication profile to accept more than one type of authentication challenge, users are prompted to select the authentication method to continue.
- Re-authenticate using the target user's password
  Select this option to require the user to be re-authenticated with the target run-as user's credentials before running the command.
Preserving Group Membership
When defining command rights, you should consider whether keeping a user's existing group membership would provide benefits for command execution or could be exploited to perform unauthorized operations. Select Preserve group membership if you want to retain the logged-on user's group membership while executing commands.
Allowing Nested Commands
When defining command rights, you should consider whether allowing the execution of nested commands could be exploited to perform unauthorized operations. Select Allow nested command execution if you want to allow a command to invoke another program or open a new shell. To enhance the security of a restricted shell environment, you should deselect this option to prevent an allowed command from being used to run another program or open an unrestricted shell.
Preventing Unsafe Path Navigation
When defining command rights, you should consider whether the command or any of the allowed command arguments could be exploited to perform unauthorized operations. One way command arguments can be exploited is by navigating up the path hierarchy. To prevent command arguments from allowing unsafe navigation up a path hierarchy, select the Prevent navigation up a path hierarchy option. For example, if a command right allows a user to execute a command such as vi /etc/httpd/conf/* without this option, the right could be exploited by specifying a command argument that navigates up the path hierarchy to perform an unauthorized operation. In this case, the right might be used to edit any file as the root user by specifying a relative path as a command-line argument:
vi /etc/httpd/conf/../../shadowpass
You can avoid this potential security risk by disabling upward path navigation for command arguments, if needed. Note that this setting is only supported in hierarchical zones and is only applicable for glob command rights.
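The following Python example, added here and not part of the product or this page, shows why a glob-matched argument needs an upward-navigation check and what that check looks like. It assumes a hypothetical `allowed_argument` helper and uses Python's `fnmatch` as a stand-in for the product's glob matching; it reproduces the page's `vi /etc/httpd/conf/*` right and the `../../shadowpass` argument as constructed inputs.

```python
import fnmatch
import posixpath

# Constructed inputs taken from the example in the text above.
COMMAND_RIGHT_GLOB = "/etc/httpd/conf/*"
HONEST_ARGUMENT = "/etc/httpd/conf/httpd.conf"
ESCAPING_ARGUMENT = "/etc/httpd/conf/../../shadowpass"


def glob_base_dir(pattern: str) -> str:
    """Return the literal directory part of a glob pattern: every path
    component before the first one that contains a wildcard character."""
    fixed = []
    for part in pattern.split("/"):
        if any(ch in part for ch in "*?["):
            break
        fixed.append(part)
    return "/".join(fixed) or "/"


def matches_glob(pattern: str, argument: str) -> bool:
    """Plain glob match, i.e. the behaviour when upward navigation is not
    prevented.  Note that fnmatch's '*' also matches '/', so an argument
    containing '..' segments still matches the pattern."""
    return fnmatch.fnmatchcase(argument, pattern)


def allowed_argument(pattern: str, argument: str,
                     prevent_upward_navigation: bool = True) -> bool:
    """Hypothetical argument check for a glob command right.

    With prevent_upward_navigation=False only the glob match is applied.
    With it enabled, any '..' component is rejected and, as a second line
    of defence, the normalized path must still sit under the pattern's
    fixed directory (symlinks are not considered here)."""
    if not matches_glob(pattern, argument):
        return False
    if not prevent_upward_navigation:
        return True
    if ".." in argument.split("/"):
        return False
    base = glob_base_dir(pattern).rstrip("/")
    normalized = posixpath.normpath(argument)
    return normalized == base or normalized.startswith(base + "/")


if __name__ == "__main__":
    for arg in (HONEST_ARGUMENT, ESCAPING_ARGUMENT):
        print(f"{arg!r}: glob only -> "
              f"{allowed_argument(COMMAND_RIGHT_GLOB, arg, False)}, "
              f"with prevention -> "
              f"{allowed_argument(COMMAND_RIGHT_GLOB, arg, True)}")
```

Running the block shows that the escaping argument passes the glob match alone but is rejected once upward navigation is prevented, while the honest argument passes both checks.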
Setting the Umask Value
Set the Umask value by selecting the read (R), write (W), and execute (X) permissions for the owner, group, and other users if you want to change the permission settings for executing a command.
Setting SELinux role-based access control
Configure the SELinux Setting so that dzdo applies Security-Enhanced Linux (SELinux) role-based access control (RBAC). When you enable the SELinux role and SELinux type fields, privileged commands can be given a default role and type that are used to create the SELinux context in which the command executes. These defaults can be overridden on the command line with the '-r' and '-t' options respectively. To enable this setting, click the SELinux Setting button, enable SELinux role and SELinux type, then enter string values in the corresponding text fields. The settings are saved in the attribute of the msDS-AzOperation command object.
These settings are currently supported only on RHEL systems and take effect only on systems that have SELinux enabled and are joined to a hierarchical zone.
Setting the Command Digest
You can use Digest Settings to specify SHA-2 digests so that sudo can verify the binary's checksum (SHA-2) before sudo executes the binary. The supported digest (hash) types are as follows:
- SHA224
- SHA256
- SHA384
- SHA512
Select a digest type, and then enter a checksum. You can specify multiple digests for a command.
Note that setting a command digest is only supported in the explicit path matches against the command right, and only supported in the hierarchical zone.
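The following Python example, added here and not code from the product or this page, shows the check that a configured command digest enables: hash the binary with one of the four supported SHA-2 types and compare it, before execution, with the digests stored on the command right. The `digest_ok` and `demo` helpers are hypothetical; the sample "binary" is a constructed shell script written to a temporary file. The example treats a match on any one of several configured digests as success, which is an assumption, since the page only says that multiple digests can be specified.

```python
import hashlib
import hmac
import os
import tempfile

# Digest types listed on the page, in hashlib's naming.
SUPPORTED_DIGESTS = ("sha224", "sha256", "sha384", "sha512")


def bytes_digest(data: bytes, algorithm: str) -> str:
    """Hex digest of in-memory data using one of the supported SHA-2 types."""
    if algorithm not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported digest type: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str) -> str:
    """Hex digest of a file, read in chunks so large binaries are not
    loaded into memory at once."""
    if algorithm not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported digest type: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_ok(path: str, configured: list[tuple[str, str]]) -> bool:
    """Hypothetical pre-execution check: `configured` is the list of
    (digest type, hex checksum) pairs stored on the command right.  The
    binary is accepted if it matches any one of them (assumption).  A
    constant-time comparison avoids leaking how much of a checksum matched."""
    for algorithm, expected in configured:
        actual = file_digest(path, algorithm)
        if hmac.compare_digest(actual, expected.strip().lower()):
            return True
    return False


def demo() -> dict:
    """Write a constructed sample binary, check it against good, wrong and
    mixed digest lists, then tamper with it and check again."""
    content = b"#!/bin/sh\necho hello from the sample binary\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
        path = f.name
    try:
        good = [("sha256", bytes_digest(content, "sha256"))]
        wrong = [("sha256", "00" * 32)]           # constructed bad checksum
        mixed = wrong + [("sha512", bytes_digest(content, "sha512"))]
        results = {
            "good": digest_ok(path, good),
            "wrong": digest_ok(path, wrong),
            "mixed": digest_ok(path, mixed),
        }
        # Simulate a replaced or modified binary: the stored digest no
        # longer matches, so the command must not run.
        with open(path, "ab") as f:
            f.write(b"echo extra\n")
        results["tampered"] = digest_ok(path, good)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'run' if ok else 'refuse'}")
```

The `tampered` case is the one this feature exists for: once the file on disk differs from what was recorded on the command right, every configured digest fails and the command is refused.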