[Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

Petr Spacek pspacek at redhat.com
Tue Jun 28 07:52:54 UTC 2016


On 28.6.2016 09:08, Mitra Dehghan wrote:
> Hello,
> 
> I want to know how I can give directory permissions on a client to a domain
> user in FreeIPA.
> 
> 
> I'm using "runasuser" feature in sudo policy to give my domain users
> permission to run local services on client.
> 
> Here is an example:
> I have a service on my client called "*abc*", located at "/home/abc/" and
> run locally by a local user called "*abc*".
> 
> I have used runasuser feature in sudo policy rules to let domain users
> (say: *usr at mydomain.dc*) run the service. *usr* can run scripts, read and
> edit files and stop/start services, using *abc*'s permissions and without
> any problem.
> 
> But the problem I have faced is, when I want "*usr*" to traverse
> subdirectories under "*/home/abc/*" it doesn't work.
> I have defined a sudocmd for the cd command and added it as an allow-command to
> the appropriate sudorule. My sudocmd definitions are like this:
> 
> 
> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
> 
> While *usr* can run the *cd* command without error, it doesn't work and
> *pwd* still shows */home/usr* as the current directory.
> What *usr* runs is:
> *$ sudo -u abc cd /home/abc/m/*

Most importantly you need to add appropriate permission for user abc to the
/home/abc directory (and its contents if necessary).

You can use either chown+chmod or setfacl commands, depending on the use-case.

When this is done, add a SUDO rule allowing user usr to run the program in
question. You do not need to bother with SUDO rules for "cd" because this will
be solved at the filesystem level.

-- 
Petr^2 Spacek
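
The following script is an added example (my own, not from the thread or the FreeIPA project). It shows the two facts behind the reply above: a "cd" run in a child process never changes the caller's working directory, which is why a sudo rule for cd cannot work, and a non-owner can only reach /home/abc/m if every directory on the way carries the search (x) bit, which is what chmod or setfacl has to fix. It assumes GNU or busybox `stat -c %a`, and the directory layout (abc/m, abc/n/q under a temporary root) is constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes GNU/busybox stat.

# cwd_after_child_cd DIR: run cd in a child (a subshell) and print the
# caller's cwd afterwards. It is unchanged, which is exactly what happens
# with "sudo -u abc cd DIR": sudo runs cd in a new process, that process
# exits, and the user's shell keeps its own working directory.
cwd_after_child_cd() {
  ( cd "$1" ) || return 1
  pwd
}

# traverse_blockers PATH [STOP]: print every directory from PATH up to (but
# not including) STOP (default /) whose "others" permission lacks the search
# bit, i.e. a component that stops an account that is neither its owner nor
# in its group (and is not root) from reaching anything below it.
# Returns 0 when nothing blocks, 1 otherwise.
traverse_blockers() {
  dir=$1
  stop=${2:-/}
  rc=0
  while [ -n "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "$stop" ]; do
    if [ -d "$dir" ]; then
      perm=$(stat -c '%a' "$dir") || return 1
      perm=$(( perm % 1000 ))          # drop the setuid/setgid/sticky digit
      oth=$(( perm % 10 ))             # permission digit for "others"
      if [ $(( oth % 2 )) -eq 0 ]; then  # search bit (value 1) not set
        echo "$dir"
        rc=1
      fi
    fi
    dir=$(dirname "$dir")
  done
  return $rc
}

# make_demo_tree: build a throwaway copy of the thread's layout and print its
# root. abc/ gets mode 700, the usual default for a home directory, which is
# what keeps usr out in the thread even though the sudo rules are in place.
make_demo_tree() {
  root=$(mktemp -d) || return 1
  chmod 755 "$root"                   # mktemp creates 700; the root must not block
  mkdir -p "$root/abc/m" "$root/abc/n/q"
  chmod 700 "$root/abc"
  chmod 755 "$root/abc/m" "$root/abc/n" "$root/abc/n/q"
  echo "$root"
}

# Demonstration run.
root=$(make_demo_tree)
echo "cwd before: $(pwd)"
echo "cwd after a child-process cd: $(cwd_after_child_cd "$root/abc/m")"
echo "components blocking a non-owner on the way to $root/abc/n/q:"
traverse_blockers "$root/abc/n/q" "$root" || true
# Minimal fix: grant search only, so others can pass through abc/ but not
# list it. Narrower: setfacl -m u:usr:x on abc/ grants the bit to usr alone.
chmod 711 "$root/abc"
traverse_blockers "$root/abc/n/q" "$root" && echo "path now traversable"
rm -rf "$root"
```

The checker looks at the "others" digit because a domain account such as usr is normally not in the local abc group; if it were, the group digit would matter instead. On a real client the narrower change is `setfacl -m u:usr:x /home/abc` (plus whatever read/write bits the program needs on the files below), which grants the search bit to one account rather than to everyone.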

