[Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

Petr Spacek pspacek at redhat.com
Tue Jun 28 11:26:35 UTC 2016


On 28.6.2016 12:32, Mitra Dehghan wrote:
> Thank you Petr for your answer.  I'm trying to do the job with the least
> changes in the client, which was an operating machine now joined to the Free IPA
> domain.  I just want to make sure if using chmod, chown or setfacl are the
> only available solutions or not?

I believe that it is the only viable option because these checks are enforced
in the filesystem layer in the kernel.

Petr^2 Spacek


> On Jun 28, 2016 12:30 PM, "Petr Spacek" <pspacek at redhat.com> wrote:
> 
>> On 28.6.2016 09:08, Mitra Dehghan wrote:
>>> Hello,
>>>
>>> I want to know how can I give directory permissions on a client to a
>> domain
>>> user in FreeIPA.
>>>
>>>
>>> I'm using "runasuser" feature in sudo policy to give my domain users
>>> permission to run local services on client.
>>>
>>> Here is an example:
>>> I have a service on my client called "*abc*" located at "/home/abc/" and
>>> locally run by local user called "*abc*"
>>>
>>> I have used runasuser feature in sudo policy rules to let domain users
>>> (say: *usr at mydomain.dc*) run the service. *usr* can run scripts, read
>> and
>>> edit files and stop/start services, using *abc*'s permissions and without
>>> any problem.
>>>
>>> But the problem I have faced is, when I want "*usr*" to traverse
>>> subdirectories under "*/home/abc/*" it doesn't work.
>>> I have defined sudocmd for cd command and added it as allow-command to
>>> appropriate sudorule. my sudocmd definitions are like this:
>>>
>>>
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
>>>
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
>>>
>>> While *usr* can run the *cd* command without error, it doesn't work and
>>> *pwd* still shows* /home/usr* as current directory.
>>> what *usr* runs is:
>>> *$ sudo -u abc cd /home/abc/m*/
>>
>> Most importantly you need to add appropriate permission for user abc to the
>> /home/abc directory (and its contents if necessary).
>>
>> You can use either chown+chmod or setfacl commands, depending on the
>> use-case.
>>
>> When this is done, add a SUDO rule allowing user usr to run the program in
>> question. You do not need to bother with SUDO rules for "cd" because this
>> will be solved at filesystem level.
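As an added illustration of the setfacl route Petr describes (this script is not from the thread or from FreeIPA; the user name usr@mydomain.dc and the directory /home/abc are taken from the question, the function names are my own), the following grants the domain user read and traverse rights on the service tree and a default ACL so new content inherits them, leaving sudo rules for the service program only:

```shell
#!/bin/sh
# Added example, not from the thread: grant a FreeIPA domain user traverse
# and read rights on a local service directory with POSIX ACLs. The user
# (usr@mydomain.dc) and directory (/home/abc) come from the thread; the
# function names and script layout are assumptions of this example.
set -eu

# Build one ACL entry "u:<user>:<perms>". Capital X grants execute (traverse)
# on directories and on files that are already executable, nothing else.
acl_entry() {
    printf 'u:%s:%s' "$1" "$2"
}

# Grant <user> read+traverse on <dir> and everything under it, then add a
# default ACL on every directory so content that "abc" creates later inherits
# the grant. setfacl recalculates the ACL mask, so the new entry is not masked
# out by the directory's group bits (do not pass -n here).
grant_tree_access() {
    user=$1; dir=$2
    setfacl -R -m "$(acl_entry "$user" rX)" "$dir"
    find "$dir" -type d -exec setfacl -d -m "$(acl_entry "$user" rX)" {} +
}

# Return 0 if <path> carries a named ACL entry for <user>, as shown by getfacl
# (the owner line reads "user::..." and so never matches a non-empty user).
has_entry() {
    user=$1; path=$2
    getfacl -p "$path" 2>/dev/null | grep -q "^user:$user:"
}

# Usage (as root on the client): ./grant-acl.sh usr@mydomain.dc /home/abc
if [ "$#" -ge 2 ]; then
    grant_tree_access "$1" "$2"
    has_entry "$1" "$2" && echo "ACL entry for $1 present on $2"
fi
```

After running it, `getfacl /home/abc/n/q` should list a `user:usr@mydomain.dc:r-x` line, and a plain `sudo -u abc` rule for the service program is enough; no sudocmd for `cd` is needed.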




More information about the Freeipa-users mailing list