dzdo.set.runas.explicit

This configuration parameter specifies whether a user must explicitly identify the ‘runas’ user when executing a command with dzdo.

The parameter value can be true or false; the default value is true.

When the parameter value is true, if a user executes a command with dzdo and does not explicitly identify the user or group to run as (with the -u or -g option), adclient assumes that the command should be run as root. If the user is not authorized to run the command as root, dzdo fails to execute the command and issues an error message; for example:

User u1 is authorized to run adinfo as user qa1
dzdo.set.runas.explicit: true
...
[u1@rh6]$ dzdo adinfo
Sorry, user u1 is not allowed to execute ‘/usr/bin/adinfo’ as root on rh6.

When the parameter value is false, if a user executes a command with dzdo and does not explicitly identify the user or group to run as (with the -u or -g option), adclient attempts to resolve the runas user. If the command defines a single runas user, dzdo executes the specified command as that user and sends a message to the log file; for example:

User u1 is authorized to run adinfo as user qa1
dzdo.set.runas.explicit: false
...
[u1@rh6]$ dzdo adinfo
Local host name: rh6
Joined to domain acme.com
...

If the command defines multiple runas users, dzdo cannot resolve the user to run as and attempts to run the command as root. Since the user is not authorized to run the command as root, dzdo fails to execute the command and issues an error message; for example:

User u1 is authorized to run adinfo as users qa1 and adm
dzdo.set.runas.explicit: true
...
[u1@rh6]$ dzdo adinfo
Sorry, user u1 is not allowed to execute ‘/usr/bin/adinfo’ as root on rh6.

In all cases, a user can execute a command successfully with dzdo by using the -u option to explicitly identify the runas user; for example:

[u1@rh6]$ dzdo -u qa1 adinfo
Local host name: rh6
Joined to domain acme.com
...

You can also set this parameter using group policy.
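
The resolution rules described above, modelled as an added example (this is not Centrify code and not part of the original documentation). The function names, the last-setting-wins parsing, and the representation of a command's authorized runas users as a set are assumptions made for illustration; the -g option is not modelled.

```python
# Illustrative model of dzdo.set.runas.explicit; all names are hypothetical.
PARAM = "dzdo.set.runas.explicit"


def parse_explicit(conf_text):
    """Return the effective parameter value from configuration text.

    Lines use the 'name: value' form shown on this page. A missing
    parameter yields the documented default (true). Assumption: if the
    parameter appears more than once, the last occurrence wins.
    """
    value = True
    for line in conf_text.splitlines():
        key, sep, raw = line.partition(":")
        if sep and key.strip() == PARAM:
            raw = raw.strip().lower()
            if raw not in ("true", "false"):
                raise ValueError("%s must be true or false, got %r" % (PARAM, raw))
            value = raw == "true"
    return value


def resolve_runas(explicit, authorized_runas, requested=None):
    """Return (target_user, allowed) for one dzdo invocation.

    authorized_runas: users this user may run the command as.
    requested: the -u argument, or None when the option is omitted.
    """
    if requested is not None:
        target = requested                      # -u always decides the target
    elif not explicit and len(authorized_runas) == 1:
        target = next(iter(authorized_runas))   # single runas user: resolved
    else:
        target = "root"                         # explicit mode, or ambiguous
    return target, target in authorized_runas


if __name__ == "__main__":
    # Constructed scenarios mirroring the examples on this page.
    scenarios = [
        ("dzdo.set.runas.explicit: true", {"qa1"}, None),
        ("dzdo.set.runas.explicit: false", {"qa1"}, None),
        ("dzdo.set.runas.explicit: false", {"qa1", "adm"}, None),
        ("", {"qa1", "adm"}, "qa1"),
    ]
    for conf, runas, opt_u in scenarios:
        explicit = parse_explicit(conf)
        target, ok = resolve_runas(explicit, runas, opt_u)
        print(explicit, sorted(runas), opt_u, "->", target, "allowed" if ok else "denied")
```

Running it over a role's command definitions shows which invocations would silently run as a non-root user when the parameter is false and which fall back to a denied root request.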