70 Novell Privileged User Manager 2.2.1 Administration Guide
novdocx (en) 7 January 2010

Option                 Description

set -o host            Specifies that all authorized commands are executed on the
                       defined host, if permitted.

set -o user            Specifies that all authorized commands are executed as the
                       defined user, if permitted.

set -o audit           Enables auditing. Set to one of the following values:
                       1: Enables auditing of all commands that are not built
                          into the user's shell.
                       2: Enables auditing of all commands, including commands
                          that are built into the user's shell. This level of
                          auditing can affect login times.
                       After the audit value has been set, it cannot be changed.
                       If it is turned on in the profile, the user cannot turn
                       it off later.

set -o ignoreperm      Allows commands that have not been successfully
                       authorized at the Framework to execute according to the
                       local permissions in effect on the server where the
                       command was issued. Because this falls back to local
                       permissions for commands the Framework did not authorize,
                       enable it only where those local permissions are an
                       acceptable control on their own.

set -o test            Checks whether typed commands would be accepted by the
                       rule structure. A yes or no output on screen indicates
                       the result. The set -o test option is normally used in
                       conjunction with the set -o remote option.

set -o test '${}$'     Returns the complete metadata result that is generated by
                       the Command Control manager.

Rule definitions override the settings for user and host. If a successfully matched rule specifies a run user or a run host, that user or host is used to execute the command, not the ones specified with the set -o commands. You can use rule conditions to match the run user or run host to the username or hostname defined with these commands (see "Setting Conditions for a Rule" on page 82), but if a run user or run host is defined in the rule configuration, those are the ones that are used.

You can define a list of illegal commands, including built-in shell commands, in a script assigned to a rule. Users of the rush shell cannot run these commands, even if they are root.

5.2.5 Using Shell Scripts

You can hide some of the complexities of the privileged command syntax from your users by using scripts and aliases to wrap privileged tasks. With this technique, the end user logs in with their non-privileged account and uses what appear to be standard commands to perform privileged tasks.

Alternatively, you can create a script that provides a menu system for a set of administrative tasks. With this method, the user simply selects options from the menu to perform their privileged tasks.

Either method requires a shell script that executes under the rush shell and performs remote authorization. For example:
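The menu-driven wrapper that Section 5.2.5 describes, as an added example that is not part of the guide and not an NPUM-supplied script. It assumes three fixed menu entries, a constructed ILLEGAL_CMDS list standing in for a rule's illegal-command list, and the function names menu_command, first_word, is_illegal and decide, all invented for this illustration. Because an ordinary sh rejects the rush-specific set -o commands, the wrapper prints a yes/no decision in the manner of set -o test instead of executing the command under the rush shell.

```shell
#!/bin/sh
# Added illustration of a menu wrapper for a rush-shell login. Not the product's own
# script: the menu entries, the ILLEGAL_CMDS list and the function names are
# assumptions made for this example. The rush-specific "set -o" lines are left out
# because an ordinary sh rejects them; the wrapper prints the decision instead.

# Constructed deny-list in the spirit of a rule's illegal-command list: shells and the
# builtins that would let a user escape a fixed menu.
ILLEGAL_CMDS="sh bash ksh csh dash exec eval su"

# menu_command N -> prints the fixed command line for menu choice N, returns 1 if unknown.
# The user only ever picks a number, so no user-typed text reaches the command line.
menu_command() {
    case "$1" in
        1) printf '%s\n' 'tail -n 50 /var/log/messages' ;;
        2) printf '%s\n' 'service httpd restart' ;;
        3) printf '%s\n' 'passwd webuser' ;;
        *) return 1 ;;
    esac
}

# first_word CMD -> basename of the first token, so "/bin/bash -l" and "bash" match alike.
# Globbing is disabled inside the subshell so that "*" in CMD is not expanded.
first_word() (
    set -f
    set -- $1
    printf '%s\n' "${1##*/}"
)

# is_illegal CMD -> status 0 when any simple command in CMD is on the deny-list.
# The line is split on ; | && || so "ls; bash" is caught, and any command substitution
# ($(...) or backticks) is refused outright because its contents cannot be checked here.
is_illegal() {
    case "$1" in
        *'$('*|*'`'*) return 0 ;;
    esac
    printf '%s\n' "$1" | sed 's/&&/;/g; s/||/;/g; s/|/;/g' | tr ';' '\n' | (
        while IFS= read -r simple; do
            w=$(first_word "$simple")
            [ -n "$w" ] || continue
            for bad in $ILLEGAL_CMDS; do
                [ "$w" = "$bad" ] && exit 0
            done
        done
        exit 1
    )
}

# decide CHOICE -> prints "yes" when the menu entry passes the deny-list, "no" when it
# is rejected, "unknown" for a choice that is not on the menu. This mirrors the yes/no
# answer of "set -o test" without needing the rush shell.
decide() {
    cmd=$(menu_command "$1") || { printf 'unknown\n'; return 1; }
    if is_illegal "$cmd"; then printf 'no\n'; return 1; fi
    printf 'yes\n'
}

# Interactive menu, shown only when a terminal is attached.
if [ -t 0 ]; then
    printf '%s\n' '1) show recent syslog  2) restart web server  3) reset webuser password'
    printf 'choice: '
    IFS= read -r choice
    decide "$choice"
fi
```

The design point is that the menu maps a number to a fixed command string, so the user never composes the command line; the deny-list check is defence in depth on top of that and is not a substitute for the Framework's rule decision, which remains authoritative under the rush shell. A string deny-list of this kind is easy to sidestep with aliases, environment-variable prefixes or a wrapper such as sudo, which is why the guide places the illegal-command list in the rule itself rather than in the user's script.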