[Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

Mitra Dehghan mitra.dehghan at gmail.com
Tue Jun 28 10:32:25 UTC 2016


Thank you Petr for your answer.  I'm trying to do the job with the least
changes on the client, which was an operating machine now joined to the FreeIPA
domain.  I just want to make sure whether chmod, chown or setfacl are the
only available solutions or not.
On Jun 28, 2016 12:30 PM, "Petr Spacek" <pspacek at redhat.com> wrote:

> On 28.6.2016 09:08, Mitra Dehghan wrote:
> > Hello,
> >
> > I want to know how I can give directory permissions on a client to a
> > domain user in FreeIPA.
> >
> >
> > I'm using the "runasuser" feature in sudo policy to give my domain users
> > permission to run local services on the client.
> >
> > Here is an example:
> > I have a service on my client called "*abc*" located at "/home/abc/" and
> > locally run by a local user called "*abc*".
> >
> > I have used the runasuser feature in sudo policy rules to let domain users
> > (say: *usr at mydomain.dc*) run the service. *usr* can run scripts, read
> > and edit files and stop/start services, using *abc*'s permissions and
> > without any problem.
> >
> > But the problem I have faced is that when I want "*usr*" to traverse
> > subdirectories under "*/home/abc/*" it doesn't work.
> > I have defined a sudocmd for the cd command and added it as an
> > allow-command to the appropriate sudorule. My sudocmd definitions are
> > like this:
> >
> >
> > *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
> > *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
> > *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
> >
> > While *usr* can run the *cd* command without error, it doesn't work and
> > *pwd* still shows */home/usr* as the current directory.
> > What *usr* runs is:
> > *$ sudo -u abc cd /home/abc/m/*
>
> Most importantly, you need to add appropriate permission for user abc to the
> /home/abc directory (and its contents if necessary).
>
> You can use either chown+chmod or setfacl commands, depending on the
> use-case.
>
> When this is done, add a SUDO rule allowing user usr to run the program in
> question. You do not need to bother with SUDO rules for "cd" because this
> will be solved at the filesystem level.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
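The setfacl route Petr points at, worked through as an added example (this is not code from the thread, from Mitra or from the FreeIPA project). The names are assumptions taken from the question: domain user usr, local service account abc, service tree /home/abc, a FreeIPA client client1.mydomain.dc, and a hypothetical control program /home/abc/bin/abc-ctl standing in for whatever the sudo rule should really allow. It assumes paths without whitespace. The filesystem side is the part the thread is really about: to reach /home/abc/n/q the domain user needs only the search bit (x) on /home, /home/abc and /home/abc/n, and read plus search on the final directory; "sudo -u abc cd DIR" can never help, because cd is a shell builtin and sudo runs a separate process that cannot change the calling shell's working directory. The script prints its plan with DRY_RUN=1 so it can be reviewed before touching a production client.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Grants a FreeIPA domain user read+traverse access into a local service
# account's tree on one client with POSIX ACLs, then limits the sudo rule
# to the service control program instead of "cd". Assumed names:
# domain user "usr", local user "abc", tree /home/abc, hypothetical control
# program /home/abc/bin/abc-ctl, client host client1.mydomain.dc.

# Run a command, or with DRY_RUN=1 just print it, so the plan can be
# reviewed before it is applied.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print each directory from the top down to TARGET, one per line.
# A user needs the search (x) bit on every one of these to reach TARGET;
# only TARGET itself needs read (r) as well, to list its contents.
path_components() {
    (
        set -f            # no globbing while we split on "/"
        IFS='/'
        acc=""
        for part in ${1%/}; do
            [ -n "$part" ] || continue
            acc="$acc/$part"
            printf '%s\n' "$acc"
        done
    )
}

# Grant USER access into TREE: search-only on the ancestors (no listing
# of /home), rX (read, plus search on directories and files already
# executable) recursively on the tree, and a default ACL on every directory
# so entries abc creates later inherit the same access.
grant_traverse() {
    user=$1
    tree=${2%/}
    for dir in $(path_components "$tree"); do
        if [ "$dir" = "$tree" ]; then
            run setfacl -R -m "u:$user:rX" "$dir"
            run find "$dir" -type d -exec setfacl -d -m "u:$user:rX" '{}' +
        else
            run setfacl -m "u:$user:x" "$dir"
        fi
    done
}

# FreeIPA side: one sudo rule letting DOMUSER run CMD as LOCALUSER on HOST.
# There is deliberately no entry for "cd": it is a shell builtin, so
# "sudo -u abc cd DIR" runs in a child process and cannot change the
# calling shell's directory; the ACLs above are what let usr cd there.
ipa_sudo_rule() {
    domuser=$1; localuser=$2; host=$3; cmd=$4
    rule="${localuser}-service"
    run ipa sudocmd-add "$cmd" --desc="control the $localuser service"
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-host "$rule" --hosts="$host"
    run ipa sudorule-add-user "$rule" --users="$domuser"
    run ipa sudorule-add-runasuser "$rule" --users="$localuser"
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

main() {
    grant_traverse usr /home/abc
    ipa_sudo_rule usr abc client1.mydomain.dc /home/abc/bin/abc-ctl
}

# "sh grant-access.sh plan" prints the commands; "sh grant-access.sh apply"
# runs them (setfacl needs root on the client, ipa needs an admin ticket).
case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) main ;;
esac
```

After applying, "getfacl /home/abc/n/q" on the client should show a user:usr:r-x entry, and "su - usr -c 'ls /home/abc/n/q'" (or a plain cd as usr) is the real test; "sudo -l" as usr then lists only abc-ctl, run as abc. Two caveats a practitioner would want: rX also grants usr execute on any file abc already had executable, so review the tree before recursing, and chown+chmod is the alternative when the group or other bits are acceptable, at the cost of widening access to more than one user.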