On ti, 01 loka 2019, Syed Muhammad Hassan via FreeIPA-users wrote:
> I am new to freeipa and struggling very hard to achieve a task. Below is my desired task. I have two hosts watch1.office.com and watch2.office.com and a user john in freeipa. I want that user john can only read, write, execute to /etc/sysconfig directory of watch1.office.com and edit /etc/ssh/sshd_config. How can I achieve this task? I want that user john can edit specific file or execute in a directory of which permission is granted. But I do not know how to make or grant such permission in freeipa. Any help would be much appreciated.
This task is unrelated to FreeIPA on itself. Think about a file system that is storing your /etc. How would you set those permissions for a local user 'john'?

In a typical Linux environment your /etc is located on a / mount point which is most likely a file system that supports extended POSIX ACLs. So, if / is mounted to allow extended POSIX ACLs, you can use setfacl / getfacl to add / view additional ACLs on the directories and files on /, including /etc/sysconfig or /etc/ssh/sshd_config.

The fact that user 'john' comes from a remote identity source is irrelevant because in the case of Linux most file systems store permissions using numeric values for UID and GID.

There are plenty of articles to show how to use POSIX ACLs. For example, https://wiki.archlinux.org/index.php/Access_Control_Lists

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
