[Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

Mitra Dehghan mitra.dehghan at gmail.com
Thu Jun 30 19:34:19 UTC 2016


Dear Christian
Thanks for your explanation about shell builtin. I changed directory
permissions and now it works!

Mitra

On Tue, Jun 28, 2016 at 4:17 PM, Christian Heimes <cheimes at redhat.com>
wrote:

> On 2016-06-28 09:08, Mitra Dehghan wrote:
> >
> > Hello,
> >
> > I want to know how can I give directory permissions on a client to a
> > domain user in FreeIPA.
> >
> >
> > I'm using "runasuser" feature in sudo policy to give my domain users
> > permission to run local services on client.
> >
> > Here is an example:
> > I have a service on my client called "/abc/" located at "/home/abc/" and
> > locally run by local user called "/abc/"
> >
> > I have used runasuser feature in sudo policy rules to let domain users
> > (say: /usr at mydomain.dc/) run the service. /usr/ can run scripts, read
> > and edit files and stop/start services, using /abc/'s permissions and
> > without any problem.
> >
> > But the problem I have faced is, when I want "/usr/" to traverse
> > subdirectories under "//home/abc//" it doesn't work.
> > I have defined sudocmd for cd command and added it as allow-command to
> > appropriate sudorule. my sudocmd definitions are like this:
> >
> > /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'
> > /
> > /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'
> > /
> > /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'/
>
> cd is a builtin command of your shell. It has to be, because it changes
> the current working directory of the shell's process. sudo doesn't work for
> shell builtins. You have to find another way to accomplish your task.
>
> By the way are you familiar how r,w,x work for directories? 'r' is used
> for listing the content of a directory, 'w' for creating/removing files
> (except for +t directories) and 'x' is used to check if a user is
> allowed to enter a directory. You can allow users to enter a directory
> w/o actually seeing its content.
>
> Christian
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>



-- 
m-dehghan
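The two points in Christian's reply, shown as an added shell example (not code from the thread or from FreeIPA): a sudocmd of `cd ...` can never match because sudo executes a program on disk and `cd` is not one, and a directory with only the `x` bit can be entered and traversed but not listed. The local account `abc`, the path `/home/abc`, and the `sudo -u abc ...` command lines in the comments are assumptions taken from the question; the temporary directory and its file are constructed by the script.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes a local user "abc"
# that owns /home/abc and a FreeIPA sudo rule with runasuser=abc (as in the
# question); those commands appear only in comments and are not executed.

# 1. Why 'cd /home/abc/n/' cannot be a sudocmd: sudo can only exec a binary,
#    and cd is a builtin of the calling shell (it changes that shell's cwd).
is_shell_builtin() {
    type "$1" 2>/dev/null | grep -q builtin
}

# What the sudo rule should allow instead is a real executable that the
# domain user then runs as abc, for example (illustrative, not run here):
#   ipa sudocmd-add /bin/sh            # or /bin/bash
#   sudo -u abc -i                     # login shell as abc; cd inside it
#   sudo -u abc /bin/sh -c 'cd /home/abc/n/q && ls'
# or, better for least privilege, a fixed helper script owned by root that
# does the cd internally, added as the only allowed command.

# 2. Directory mode semantics: r lists, w creates/removes entries, x lets a
#    user enter (traverse) the directory. With --x--x--x a user can open a
#    file they know the name of but cannot enumerate the directory.
dir_perm_demo() {
    tmp=$(mktemp -d)                          # constructed sandbox
    mkdir "$tmp/secret"
    echo hello > "$tmp/secret/note"           # file is 0644 under a normal umask
    chmod 0111 "$tmp/secret"                  # traverse only, no listing

    if ls "$tmp/secret" >/dev/null 2>&1; then list=ok; else list=denied; fi
    if cat "$tmp/secret/note" >/dev/null 2>&1; then read=ok; else read=denied; fi

    chmod 0755 "$tmp/secret"
    rm -rf "$tmp"
    # Note: root bypasses these checks entirely, so as root both report "ok".
    echo "list=$list read=$read"
}

if is_shell_builtin cd; then
    echo "cd is a shell builtin: sudo has no program to exec for it"
fi
dir_perm_demo
```

Run as an unprivileged user the last line prints `list=denied read=ok`: the user can reach a file inside the directory by exact name but cannot see what else is there, which is the "enter without seeing the content" case from the reply. As root both are `ok` because root is not subject to mode bits.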