Set dzdo validator

Specify the full path of dzdo validator.

Dzdo validator is a customized executable program or script, which is called by dzdo to perform validation check before running privileged commands. The customized validator program or script must return zero for success, non-zero for failure. Validator will take AD user name (user@domain format), command, run as user, run as group and dzdo role, that he/she is trying to execute. All these information can be configured through environment variables DZDO_USER, DZDO_COMMAND, DZDO_RUNASUSER, DZDO_RUNASGROUP and DZDO_ROLE respectively.

Dzdo only trusts and runs the validator owned by root and not group/world writable. When the return value of validator is non-zero, dzdo will not execute the privileged command. Dzdo will not print any message to console or log about the validation result. Validator should log the messages by itself.

When the validator is not available or not trusted, dzdo will ignore the validator, and continues to run the privileged command by default. We can alter this behavior by configuring group policy "Require dzdo command validation check". When enabled, dzdo will not execute the privileged command if the validator is not available or not trusted.

The dzdo validator is located at /usr/share/centrifydc/sbin/dzcheck by default. This file is non-exist upon installation. A sample script is provided at /usr/share/centrifydc/sbin/dzcheck.sample for your reference.

This policy modifies the dzdo.validator setting in the Centrify DirectControl configuration file.


Supported on:
centrifydc_settings.admx

Administrative Templates (Computers)

Administrative Templates (Users)