On Tue, Feb 2, 2021 at 12:04 PM Mustapha Aissat via FreeIPA-users <[email protected]> wrote:
>
> Hi all,
>
> I have a question regarding sudo commands and rules in FreeIPA: is it possible to allow a user to only install packages and not remove them?
> For example the sudo command will look like: /usr/bin/dnf install *****
>
> I tried to configure the sudo command as "/usr/bin/dnf install" and it didn't work.
> If I set the command to "/usr/bin/dnf" it works. But the user is also allowed to remove packages!
>
> Any suggestions please?
>
From `man sudoers(5)`, you will find that you can use the '!' operator (remember to read its limitations). For example, if you add the following in the sudoers file:

    admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove

User `admin` will be able to execute all dnf commands with sudo, but `sudo dnf remove` will fail. The problem is that `sudo dnf remove emacs` will succeed.

If you change the configuration to:

    admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove *

then you will have the effect you want, but `sudo dnf -y remove emacs` will remove emacs.

Changing to:

    admin ALL=/usr/bin/dnf, !/usr/bin/dnf *remove*

will prevent `dnf remove` from being executed, but it will also prevent any dnf command that has "remove" anywhere in the command line.

Most of the suggestions I found for similar issues include creating a wrapper script and providing access to that script.

Rafael

--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
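As an added example (not part of Rafael's reply, nor code from the FreeIPA or sudo projects), this is what the wrapper-script approach can look like. Instead of trying to subtract `dnf remove` from `/usr/bin/dnf` with '!', the sudo rule grants only the wrapper, and the wrapper itself accepts nothing but bare package specs before running `dnf install`. The script path /usr/local/sbin/dnf-install, the example sudo rule in the header comment, and the allowed package-name character set are assumptions chosen for illustration:

```shell
#!/bin/sh
# dnf-install: hypothetical wrapper that permits only "dnf install PKG...".
# Install it root-owned, mode 0755, and grant it (not /usr/bin/dnf) via sudo,
# for example (assumed rule, adjust to your policy):
#   mustapha ALL=(root) NOPASSWD: /usr/local/sbin/dnf-install
# Absolute path: sudo's secure_path/env_reset make PATH tricks pointless,
# but never rely on the caller's environment inside a privileged wrapper.
DNF=/usr/bin/dnf

# validate_install_args: succeed (0) only if there is at least one argument
# and every argument looks like a plain package spec.
#  - anything starting with '-' is rejected, so the caller cannot smuggle in
#    options such as -y, --installroot, --enablerepo or --setopt
#  - anything outside [A-Za-z0-9._+:@-] is rejected as defence in depth; the
#    arguments never reach a shell, but a permissive wrapper is how
#    "install only" quietly becomes "anything dnf can do"
validate_install_args() {
    [ "$#" -gt 0 ] || return 1
    for arg in "$@"; do
        case "$arg" in
            ''|-*) return 1 ;;
            *[!A-Za-z0-9._+:@-]*) return 1 ;;
        esac
    done
    return 0
}

# main: refuse anything that is not a list of package specs, then hand the
# already-validated list to dnf. The subcommand is hard-coded, so "remove",
# "shell", "repoquery --installroot" and friends are simply unreachable.
main() {
    if ! validate_install_args "$@"; then
        echo "usage: $0 PACKAGE [PACKAGE...]  (options are not accepted)" >&2
        exit 2
    fi
    exec "$DNF" install "$@"
}

# Only dispatch when invoked with arguments, so the functions above can be
# sourced or tested without touching dnf.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

On the FreeIPA side the sudo command object would then point at the wrapper (for the assumed path: `ipa sudocmd-add /usr/local/sbin/dnf-install`) and the sudo rule would allow that command rather than /usr/bin/dnf. The wrapper must not be writable by the user it is granted to, and whatever it execs must be referenced by absolute path; otherwise the user can edit or shadow it and the "install only" restriction is gone.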
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
