[Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

Christian Heimes cheimes at redhat.com
Tue Jun 28 11:47:55 UTC 2016


On 2016-06-28 09:08, Mitra Dehghan wrote:
> 
> Hello,
> 
> I want to know how can I give directory permissions on a client to a
> domain user in FreeIPA.
> 
> 
> I'm using "runasuser" feature in sudo policy to give my domain users
> permission to run local services on client. 
> 
> Here is an example:
> I have a service on my client called "abc" located at "/home/abc/" and
> locally run by a local user called "abc".
> 
> I have used the runasuser feature in sudo policy rules to let domain users
> (say: usr at mydomain.dc) run the service. usr can run scripts, read
> and edit files and stop/start services, using abc's permissions and
> without any problem.
> 
> But the problem I have faced is, when I want "usr" to traverse
> subdirectories under "/home/abc/" it doesn't work.
> I have defined sudocmd for the cd command and added it as allow-command to
> the appropriate sudorule. My sudocmd definitions are like this:
> 
> ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'
> ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'
> ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'

cd is a builtin command of your shell. It has to be, because it changes
the current working directory of the shell's process. sudo doesn't work for
shell builtins. You have to find another way to accomplish your task.

By the way, are you familiar with how r, w, x work for directories? 'r' is used
for listing the content of a directory, 'w' for creating/removing files
(except for +t directories) and 'x' is used to check if a user is
allowed to enter a directory. You can allow users to enter a directory
w/o actually seeing its content.

Christian
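As an added illustration of the two points in the reply above (this is not code from the thread, from FreeIPA, or from the author), the POSIX shell script below first checks that `cd` resolves to a shell builtin rather than to an executable that sudo could run, then builds a constructed directory tree to show that 'x' alone lets a user enter a directory and open a file whose name they already know, while 'r' is what listing needs. The tree under the temporary directory (abc/n/q/secret.txt) is a made-up stand-in for the /home/abc tree in the question; the script assumes a POSIX sh with chmod, mktemp, ls and cat, and the mode-bit probes only bite when run as an unprivileged user, because root bypasses directory permission bits.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates:
#   1. `cd` is a shell builtin, so there is no program for sudo to execute.
#   2. On a directory, 'x' alone allows entering it and opening files by
#      name; 'r' is required to list its contents.
# Assumptions: POSIX sh, chmod/mktemp/ls/cat available, run as a non-root
# user (root ignores mode bits, which the probes below cannot show).

# Print yes if the command name resolves to a shell builtin, else no.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *builtin*) echo yes ;;
        *)         echo no ;;
    esac
}

# Create a constructed sandbox: <tmp>/abc/n/q/secret.txt, with abc/n set to
# mode 0111 (traversable but not listable) and the rest left readable.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/abc/n/q"
    printf 'hello\n' > "$root/abc/n/q/secret.txt"
    chmod 0755 "$root/abc" "$root/abc/n/q"
    chmod 0644 "$root/abc/n/q/secret.txt"
    chmod 0111 "$root/abc/n"        # x only: enter allowed, listing denied
    echo "$root"
}

# Remove the sandbox; restore 'r' on abc/n first so rm can enumerate it.
drop_sandbox() {
    chmod 0755 "$1/abc/n"
    rm -rf "$1"
}

# Each probe prints yes/no so outcomes can be compared or asserted on.
can_list()       { ls "$1" >/dev/null 2>&1 && echo yes || echo no; }
can_enter()      { (cd "$1" 2>/dev/null) && echo yes || echo no; }
can_read_known() { cat "$1" >/dev/null 2>&1 && echo yes || echo no; }

# Root is not bound by mode bits, so its results differ from a normal user's.
is_root() { [ "$(id -u)" -eq 0 ] && echo yes || echo no; }

main() {
    echo "cd is a builtin:  $(is_builtin cd)"    # yes
    echo "cat is a builtin: $(is_builtin cat)"   # no
    sb=$(make_sandbox)
    d="$sb/abc/n"
    echo "running as root:  $(is_root)"
    echo "list  abc/n:      $(can_list "$d")"                       # no (non-root)
    echo "enter abc/n:      $(can_enter "$d")"                      # yes
    echo "read  abc/n/q/secret.txt: $(can_read_known "$d/q/secret.txt")"  # yes
    drop_sandbox "$sb"
}
main
```

The `is_builtin` check is the reason a `sudocmd` of `cd /home/abc/n/` can never match anything sudo executes: sudo runs a program found by path, and `cd` is not one. The sandbox shows the mode-bit side of the reply: traversal into a subdirectory is governed by the 'x' bit on each directory along the path, so that is the bit the user (or a group the user belongs to) needs on the directories under /home/abc, independently of any sudo rule.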

