lib/commands.cf
See the commands promises documentation for a
comprehensive reference on the body types and attributes used here.
To use these bodies, add the following to your policy:
# Pull the bundles and bodies defined in commands.cf into the running policy.
body file control
{
    inputs => { "commands.cf" }
}
agent bundles
daemonize
Prototype: daemonize(command)
Description: Run a command as a daemon, i.e. fully detached from CFEngine.
Arguments:
command: The command to run detached.
Note: No output from the command is reported by cf-agent. This bundle has no effect on Windows.
Example:
cf3
methods:
  "Launch Daemon"
    usebundle => daemonize("/bin/sleep 30");
Implementation:
# @brief Run a command fully detached from cf-agent (non-Windows only).
#
# The command string is wrapped in a shell line that closes stdout and
# stderr (`exec 1>&-; exec 2>&-`) and then backgrounds the command (`&`),
# so cf-agent does not report any output from it.
#
# @param command the command line to run detached. It is expanded unquoted
#   into a shell command line (contain => in_shell), so any shell
#   metacharacters it contains are interpreted by the shell; pass only
#   trusted, policy-defined values here.
bundle agent daemonize(command)
{
  commands:
    !windows::
      # Close stdout and stderr, then background the command in the shell.
      "exec 1>&-; exec 2>&-; $(command) &"
        contain => in_shell;
  reports:
    # Only reported on Windows when DEBUG or DEBUG_<this.bundle> is defined.
    "windows.(DEBUG|DEBUG_$(this.bundle))"::
      "DEBUG $(this.bundle): This bundle does not support Windows";
}
contain bodies
silent
Prototype: silent
Description: suppress command output
Implementation:
# @brief Suppress the command's output so cf-agent does not report it.
body contain silent
{
      no_output => "true";
}
in_dir
Prototype: in_dir(dir)
Description: run command after switching to directory "dir"
Arguments:
dir: directory to change into
Example:
 commands:
   "/bin/pwd"
     contain => in_dir("/tmp");
Implementation:
# @brief Change into `dir` before running the command (no shell is used).
# @param dir directory to change into
body contain in_dir(dir)
{
      chdir => "$(dir)";
}
in_dir_shell
Prototype: in_dir_shell(dir)
Description: run command after switching to directory "dir" with full shell
Arguments:
dir: directory to change into
Example:
 commands:
   "/bin/pwd | /bin/cat"
     contain => in_dir_shell("/tmp");
Implementation:
# @brief Change into `dir`, then run the command through a shell.
#
# Because a shell parses the command string, pipes and other shell
# metacharacters in it are interpreted (see the "/bin/pwd | /bin/cat" example).
#
# @param dir directory to change into
body contain in_dir_shell(dir)
{
      # "true" is the backwards-compatible spelling of the canonical "useshell".
      useshell => "true";
      chdir    => "$(dir)";
}
silent_in_dir
Prototype: silent_in_dir(dir)
Description: run command after switching to directory and suppress output
Arguments:
dir: directory to change into
Example:
   "/bin/pwd"
     contain => silent_in_dir("/tmp");
Implementation:
# @brief Change into `dir` and run the command with its output suppressed.
# @param dir directory to change into
body contain silent_in_dir(dir)
{
      no_output => "true";
      chdir     => "$(dir)";
}
in_shell
Prototype: in_shell
Description: run command in shell
Example:
 commands:
   "/bin/pwd | /bin/cat"
     contain => in_shell;
Implementation:
# @brief Run the command through a shell.
#
# A shell parses the command string, so pipes and other shell metacharacters
# in it are interpreted; only use this with command strings you control.
body contain in_shell
{
      useshell => "true"; # canonical "useshell" but this is backwards-compatible
}
in_shell_bg
Prototype: in_shell_bg
Description: deprecated. This body previously had an invalid background attribute that was caught by parser strictness enhancements. Backgrounding is handled by the `background` attribute of `body action`. The body is now identical to `in_shell`.
Implementation:
# @brief Deprecated: identical to `in_shell`. Use `body action` with the
#   `background` attribute to background a command.
body contain in_shell_bg
{
      useshell => "true"; # canonical "useshell" but this is backwards-compatible
}
in_shell_and_silent
Prototype: in_shell_and_silent
Description: run command in shell and suppress output
Example:
 commands:
   "/bin/pwd | /bin/cat"
     contain => in_shell_and_silent,
     comment => "Silently run command in shell";
Implementation:
# @brief Run the command through a shell with its output suppressed.
#
# A shell parses the command string, so pipes and other shell metacharacters
# in it are interpreted; only use this with command strings you control.
body contain in_shell_and_silent
{
      no_output => "true";
      # "true" is the backwards-compatible spelling of the canonical "useshell".
      useshell  => "true";
}
in_dir_shell_and_silent
Prototype: in_dir_shell_and_silent(dir)
Description: run command in shell after switching to 'dir' and suppress output
Arguments:
dir: directory to change into
Example:
 commands:
   "/bin/pwd | /bin/cat"
     contain => in_dir_shell_and_silent("/tmp"),
     comment => "Silently run command in shell";
Implementation:
# @brief Change into `dir`, run the command through a shell, and suppress
#   its output.
#
# A shell parses the command string, so pipes and other shell metacharacters
# in it are interpreted; only use this with command strings you control.
#
# @param dir directory to change into
body contain in_dir_shell_and_silent(dir)
{
      chdir     => "$(dir)";
      no_output => "true";
      # "true" is the backwards-compatible spelling of the canonical "useshell".
      useshell  => "true";
}
setuid
Prototype: setuid(owner)
Description: run command as specified user
Arguments:
owner: username or uid to run command as
Example:
 commands:
   "/usr/bin/id"
     contain => setuid("apache");
   "/usr/bin/id"
     contain => setuid("503");
Implementation:
# @brief Run the command as the given user (no shell is used).
# @param owner username or uid to run the command as
body contain setuid(owner)
{
      exec_owner => "$(owner)";
}
setuid_sh
Prototype: setuid_sh(owner)
Description: run command as specified user in shell
Arguments:
owner: username or uid to run command as
Example:
 commands:
   "/usr/bin/id | /bin/cat"
     contain => setuid_sh("apache");
   "/usr/bin/id | /bin/cat"
     contain => setuid_sh("503");
Implementation:
# @brief Run the command as the given user, through a shell.
#
# A shell parses the command string, so pipes and other shell metacharacters
# in it are interpreted; only use this with command strings you control.
#
# @param owner username or uid to run the command as
body contain setuid_sh(owner)
{
      # "true" is the backwards-compatible spelling of the canonical "useshell".
      useshell   => "true";
      exec_owner => "$(owner)";
}
setuidgid_dir
Prototype: setuidgid_dir(owner, group, dir)
Description: run command as specified owner and group after switching to directory "dir" (no shell is used)
Arguments:
owner: username or uid to run command as
group: groupname or gid to run command as
dir: directory to run command from
Implementation:
# @brief Run the command as the given user and group from directory `dir`.
#
# Note that this body does not set `useshell`, so the command string is not
# parsed by a shell.
#
# @param owner username or uid to run the command as
# @param group groupname or gid to run the command as
# @param dir   directory to change into before the command runs
body contain setuidgid_dir(owner,group,dir)
{
      chdir      => "$(dir)";
      exec_group => "$(group)";
      exec_owner => "$(owner)";
}
setuidgid_sh
Prototype: setuidgid_sh(owner, group)
Description: run command as specified owner and group in shell
Arguments:
owner: username or uid to run command as
group: groupname or gid to run command as
Implementation:
# @brief Run the command as the given user and group, through a shell.
#
# A shell parses the command string, so pipes and other shell metacharacters
# in it are interpreted; only use this with command strings you control.
#
# @param owner username or uid to run the command as
# @param group groupname or gid to run the command as
body contain setuidgid_sh(owner,group)
{
      # "true" is the backwards-compatible spelling of the canonical "useshell".
      useshell   => "true";
      exec_group => "$(group)";
      exec_owner => "$(owner)";
}
jail
Prototype: jail(owner, jail_root, dir)
Description: run command as specified user in specified directory of jail
Arguments:
owner: username or uid to run command as
jail_root: path that will be the root directory for the process
dir: directory to change to before running command (must be within 'jail_root')
Implementation:
# @brief Run the command as the given user inside a chroot, through a shell.
#
# The process is rooted at `jail_root` and started in `dir`, which must lie
# within `jail_root`. A shell parses the command string, so pipes and other
# shell metacharacters in it are interpreted; only use this with command
# strings you control.
#
# @param owner     username or uid to run the command as
# @param jail_root path that becomes the root directory of the process
# @param dir       directory to change into before the command runs
body contain jail(owner,jail_root,dir)
{
      chroot     => "$(jail_root)";
      chdir      => "$(dir)";
      exec_owner => "$(owner)";
      # "true" is the backwards-compatible spelling of the canonical "useshell".
      useshell   => "true";
}
setuid_umask
Prototype: setuid_umask(owner, umask)
Description: run command as specified user with umask
| Valid Values | Umask | Octal (files) | Symbolic (files) | Octal (dirs) | Symbolic (dirs) |
|---|---|---|---|---|---|
| 0 | 000 | 666 | (rw-rw-rw-) | 777 | (rwxrwxrwx) |
| 002 | 002 | 664 | (rw-rw-r--) | 775 | (rwxrwxr-x) |
| 22, 022 | 022 | 644 | (rw-r--r--) | 755 | (rwxr-xr-x) |
| 27, 027 | 027 | 640 | (rw-r-----) | 750 | (rwxr-x---) |
| 77, 077 | 077 | 600 | (rw-------) | 700 | (rwx------) |
| 72, 072 | 072 | 604 | (rw----r--) | 705 | (rwx---r-x) |
Arguments:
owner: username or uid to run command as
umask: controls permissions of created files and directories
Example:
 commands:
   "/usr/bin/git pull"
     contain => setuid_umask("git", "022");
Implementation:
# @brief Run the command as the given user with the given umask (no shell).
# @param owner username or uid to run the command as
# @param umask umask applied to the process; controls the permissions of
#   files and directories it creates
body contain setuid_umask(owner, umask)
{
      umask      => "$(umask)";
      exec_owner => "$(owner)";
}
setuid_gid_umask
Prototype: setuid_gid_umask(uid, gid, umask)
Description: run command as specified user and group with umask
| Valid Values | Umask | Octal (files) | Symbolic (files) | Octal (dirs) | Symbolic (dirs) |
|---|---|---|---|---|---|
| 0 | 000 | 666 | (rw-rw-rw-) | 777 | (rwxrwxrwx) |
| 002 | 002 | 664 | (rw-rw-r--) | 775 | (rwxrwxr-x) |
| 22, 022 | 022 | 644 | (rw-r--r--) | 755 | (rwxr-xr-x) |
| 27, 027 | 027 | 640 | (rw-r-----) | 750 | (rwxr-x---) |
| 77, 077 | 077 | 600 | (rw-------) | 700 | (rwx------) |
| 72, 072 | 072 | 604 | (rw----r--) | 705 | (rwx---r-x) |
Arguments:
uid: username or uid to run command as
gid: group name or gid to run command as
umask: controls permissions of created files and directories
Example:
 commands:
   "/usr/bin/git pull"
     contain => setuid_gid_umask("git", "minions", "022");
Implementation:
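# @brief Run the command as the given user and group with the given umask
#   (no shell is used).
#
# @param uid   username or uid to run the command as
# @param gid   group name or gid to run the command as
# @param umask umask applied to the process; controls the permissions of
#   files and directories it creates
body contain setuid_gid_umask(uid, gid, umask)
{
      exec_owner => "$(uid)";
      # Fix: exec_group previously expanded $(uid), so the gid argument was
      # ignored and the command ran with a group derived from the user.
      exec_group => "$(gid)";
      umask      => "$(umask)";
}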
