lib/commands.cf


See the commands promises documentation for a comprehensive reference on the body types and attributes used here.

To use these bodies, add the following to your policy:

body file control
{
    inputs => { "commands.cf" }
}

contain bodies

powershell

Prototype: powershell

Description: Run command with powershell (windows only)

Example:

 commands:
   windows::
     'schtasks /DELETE /TN "$(_taskname)" /F'
       contain => powershell;

History:

  • Introduced in 3.17.0, 3.15.3

Implementation:

# Run the command through PowerShell (Windows only).
# The whole command string is parsed by PowerShell, so any variable expanded
# into it is interpreted as PowerShell syntax; only expand trusted policy data.
body contain powershell
{
  useshell => "powershell";
}

silent

Prototype: silent

Description: suppress command output

Implementation:

# Discard the command's output instead of reporting it.
body contain silent
{
  no_output => "true";
}

in_dir

Prototype: in_dir(dir)

Description: run command after switching to directory "dir"

Arguments:

  • dir: directory to change into

Example:

 commands:
   "/bin/pwd"
     contain => in_dir("/tmp");

Implementation:

# Change into `dir` before executing the command (no shell is involved).
#   dir: directory to change into
body contain in_dir(dir)
{
  chdir => "$(dir)";
}

in_dir_shell

Prototype: in_dir_shell(dir)

Description: run command after switching to directory "dir" with full shell

Arguments:

  • dir: directory to change into

Example:

 commands:
   "/bin/pwd | /bin/cat"
     contain => in_dir_shell("/tmp");

Implementation:

# Run the command via a full shell after changing into `dir`.
#   dir: directory to change into
# Because a shell parses the command string, any variable expanded into it is
# subject to shell interpretation; only expand trusted policy data.
body contain in_dir_shell(dir)
{
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell => "true";
  chdir    => "$(dir)";
}

silent_in_dir

Prototype: silent_in_dir(dir)

Description: run command after switching to directory and suppress output

Arguments:

  • dir: directory to change into

Example:

 commands:
   "/bin/pwd"
     contain => silent_in_dir("/tmp");

Implementation:

# Change into `dir`, run the command, and discard its output.
#   dir: directory to change into
body contain silent_in_dir(dir)
{
  no_output => "true";
  chdir     => "$(dir)";
}

in_shell

Prototype: in_shell

Description: run command in shell

Example:

 commands:
   "/bin/pwd | /bin/cat"
     contain => in_shell;

Implementation:

# Run the command through a shell (needed for pipes, redirections, etc.).
# The shell parses the whole command string, so any variable expanded into it
# is interpreted by the shell; only expand trusted policy data.
body contain in_shell
{
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell => "true";
}

in_shell_bg

Prototype: in_shell_bg

Description: Deprecated. This body previously had an invalid background attribute that was caught by parser strictness enhancements. Backgrounding is handled by the body action background attribute.

Implementation:

# DEPRECATED: behaves exactly like in_shell. The background attribute it once
# carried was invalid here; backgrounding belongs in `body action` instead.
body contain in_shell_bg
{
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell => "true";
}

in_shell_and_silent

Prototype: in_shell_and_silent

Description: run command in shell and suppress output

Example:

 commands:
   "/bin/pwd | /bin/cat"
     contain => in_shell_and_silent,
     comment => "Silently run command in shell";

Implementation:

# Run the command through a shell and discard its output.
# The shell parses the whole command string; only expand trusted policy data
# into it.
body contain in_shell_and_silent
{
  no_output => "true";
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell  => "true";
}

in_dir_shell_and_silent

Prototype: in_dir_shell_and_silent(dir)

Description: run command in shell after switching to 'dir' and suppress output

Arguments:

  • dir: directory to change into

Example:

 commands:
   "/bin/pwd | /bin/cat"
     contain => in_dir_shell_and_silent("/tmp"),
     comment => "Silently run command in shell";

Implementation:

# Change into `dir`, run the command through a shell, and discard its output.
#   dir: directory to change into
# The shell parses the whole command string; only expand trusted policy data
# into it.
body contain in_dir_shell_and_silent(dir)
{
  chdir     => "$(dir)";
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell  => "true";
  no_output => "true";
}

setuid

Prototype: setuid(owner)

Description: run command as specified user

Arguments:

  • owner: username or uid to run command as

Example:

 commands:
   "/usr/bin/id"
     contain => setuid("apache");
   "/usr/bin/id"
     contain => setuid("503");

Implementation:

# Execute the command as `owner` (a username or numeric uid).
# Only the owner is changed; the group is not set by this body.
body contain setuid(owner)
{
  exec_owner => "$(owner)";
}

setuid_sh

Prototype: setuid_sh(owner)

Description: run command as specified user in shell

Arguments:

  • owner: username or uid to run command as

Example:

 commands:
   "/usr/bin/id | /bin/cat"
     contain => setuid_sh("apache");
   "/usr/bin/id | /bin/cat"
     contain => setuid_sh("503");

Implementation:

# Execute the command as `owner` (username or uid) through a shell.
# The shell parses the whole command string; only expand trusted policy data
# into it, since it then runs with `owner`'s privileges.
body contain setuid_sh(owner)
{
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell   => "true";
  exec_owner => "$(owner)";
}

setuidgid_dir

Prototype: setuidgid_dir(owner, group, dir)

Description: run command as specified owner and group after switching to directory 'dir' (no shell)

Arguments:

  • owner: username or uid to run command as
  • group: groupname or gid to run command as
  • dir: directory to run command from

Implementation:

# Execute the command as `owner`/`group` from directory `dir`.
#   owner: username or uid to run the command as
#   group: group name or gid to run the command as
#   dir:   directory to change into first
# No shell is involved; pipes or redirections in the command will not work here.
body contain setuidgid_dir(owner,group,dir)
{
  chdir      => "$(dir)";
  exec_group => "$(group)";
  exec_owner => "$(owner)";
}

setuidgid_sh

Prototype: setuidgid_sh(owner, group)

Description: run command as specified owner and group in shell

Arguments:

  • owner: username or uid to run command as
  • group: groupname or gid to run command as

Implementation:

# Execute the command as `owner`/`group` through a shell.
#   owner: username or uid to run the command as
#   group: group name or gid to run the command as
# The shell parses the whole command string; only expand trusted policy data
# into it.
body contain setuidgid_sh(owner,group)
{
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell   => "true";
  exec_group => "$(group)";
  exec_owner => "$(owner)";
}

jail

Prototype: jail(owner, jail_root, dir)

Description: run command as specified user in specified directory of jail

Arguments:

  • owner: username or uid to run command as
  • jail_root: path that will be the root directory for the process
  • dir: directory to change to before running command (must be within 'jail_root')

Implementation:

# Execute the command as `owner` inside a chroot rooted at `jail_root`,
# starting in `dir`, through a shell.
#   owner:     username or uid to run the command as
#   jail_root: path that becomes the process's root directory
#   dir:       working directory, which must lie within `jail_root`
# NOTE(review): the shell used here is resolved inside the chroot, so the jail
# must contain it; changing root generally also requires cf-agent to run with
# sufficient privilege — confirm for the target platform.
body contain jail(owner,jail_root,dir)
{
  chroot     => "$(jail_root)";
  chdir      => "$(dir)";
  exec_owner => "$(owner)";
  # "true" is kept instead of the canonical "useshell" for backwards compatibility
  useshell   => "true";
}

setuid_umask

Prototype: setuid_umask(owner, umask)

Description: run command as specified user with umask

Valid values:

  Valid Values | Umask | Octal (files) | Symbolic (files) | Octal (dirs) | Symbolic (dirs)
  -------------|-------|---------------|------------------|--------------|----------------
  0            | 000   | 666           | rw-rw-rw-        | 777          | rwxrwxrwx
  002          | 002   | 664           | rw-rw-r--        | 775          | rwxrwxr-x
  22, 022      | 022   | 644           | rw-r--r--        | 755          | rwxr-xr-x
  27, 027      | 027   | 640           | rw-r-----        | 750          | rwxr-x---
  77, 077      | 077   | 600           | rw-------        | 700          | rwx------
  72, 072      | 072   | 604           | rw----r--        | 705          | rwx---r-x

Arguments:

  • owner: username or uid to run command as
  • umask: controls permissions of created files and directories

Example:

 commands:
   "/usr/bin/git pull"
     contain => setuid_umask("git", "022");

Implementation:

# Execute the command as `owner` with the given umask.
#   owner: username or uid to run the command as
#   umask: octal mask (e.g. "022") limiting permissions of files and
#          directories the command creates
body contain setuid_umask(owner, umask)
{
  umask      => "$(umask)";
  exec_owner => "$(owner)";
}

setuid_gid_umask

Prototype: setuid_gid_umask(uid, gid, umask)

Description: run command as specified user and group with umask

Valid values:

  Valid Values | Umask | Octal (files) | Symbolic (files) | Octal (dirs) | Symbolic (dirs)
  -------------|-------|---------------|------------------|--------------|----------------
  0            | 000   | 666           | rw-rw-rw-        | 777          | rwxrwxrwx
  002          | 002   | 664           | rw-rw-r--        | 775          | rwxrwxr-x
  22, 022      | 022   | 644           | rw-r--r--        | 755          | rwxr-xr-x
  27, 027      | 027   | 640           | rw-r-----        | 750          | rwxr-x---
  77, 077      | 077   | 600           | rw-------        | 700          | rwx------
  72, 072      | 072   | 604           | rw----r--        | 705          | rwx---r-x

Arguments:

  • uid: username or uid to run command as
  • gid: group name or gid to run command as
  • umask: controls permissions of created files and directories

Example:

 commands:
   "/usr/bin/git pull"
     contain => setuid_gid_umask("git", "minions", "022");

Implementation:

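# Execute the command as `uid`/`gid` with the given umask.
#   uid:   username or uid to run the command as
#   gid:   group name or gid to run the command as
#   umask: octal mask (e.g. "022") limiting permissions of files and
#          directories the command creates
body contain setuid_gid_umask(uid, gid, umask)
{
  exec_owner => "$(uid)";
  # Fixed: previously expanded $(uid) here, so the requested group was
  # ignored and the command ran with a group named after the user.
  exec_group => "$(gid)";
  umask      => "$(umask)";
}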

agent bundles

daemonize

Prototype: daemonize(command)

Description: Run a command as a daemon, i.e., fully detached from CFEngine.

Arguments:

  • command: the command to run detached. Note: cf-agent reports no output from the command, and this bundle has no effect on Windows.

Example:

 methods:
   "Launch Daemon"
     usebundle => daemonize("/bin/sleep 30");

Implementation:

# Launch `command` fully detached from cf-agent (non-Windows only).
#   command: the command line to run in the background
# The command string is handed to a shell via the in_shell body (defined in
# this file): stdout and stderr are closed first, then `command` is started
# with `&`. Because the shell parses the expanded string, only expand trusted
# policy data into `command`. cf-agent reports no output from the command.
bundle agent daemonize(command)
{
  commands:

      !windows::

        "exec 1>&-; exec 2>&-; $(command) &"
          contain => in_shell;

  reports:

      "windows.(DEBUG|DEBUG_$(this.bundle))"::

        "DEBUG $(this.bundle): This bundle does not support Windows";
}