Hi Rafael, Stephen,

Thank you for your replies. Really appreciate it.
I know that it's a weird request! But I had a specific case.

Finally, I have implemented it by simply adding an asterisk at the end:

admin ALL=/usr/bin/dnf install*

Using the "!" operator has another limitation: the user can run "sudo dnf
shell" and execute commands inside the dnf shell.

Thank you again for your valuable support.

Best regards,
Mustapha AISSAT

On Tue, Feb 2, 2021 at 8:23 PM Rafael Jeffman via FreeIPA-users <
[email protected]> wrote:

> On Tue, Feb 2, 2021 at 12:04 PM Mustapha Aissat via FreeIPA-users <
> [email protected]> wrote:
> >
> > Hi all,
> >
> > I have a question regarding sudo command and rules in FreeIPA, is it
> possible to allow a user to only install packages and not remove?
> > for example the sudo command will look like: /usr/bin/dnf install *****
> >
> > I tried to configure the sudo command as "/usr/bin/dnf install" and it
> didn't work.
> > If I set the command to "/usr/bin/dnf" it works. But the user is
> also allowed to remove packages!
> >
> > Any suggestions please?
> >
>
> From `man sudoers(5)`, you will find that you can use the '!' operator
> (remember to read its limitations).
> For example, if you add the following in sudoers file:
>
>   admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove
>
> User `admin` will be able to execute all dnf commands with sudo, but `sudo
> dnf remove` will fail. The problem is that `sudo dnf remove emacs` will
> succeed.
>
> If you change the configuration to:
>
>   admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove *
>
> Then you will have the effect you want, but `sudo dnf -y remove emacs`
> will remove emacs.
>
> Changing to:
>
>   admin ALL=/usr/bin/dnf, !/usr/bin/dnf *remove*
>
> Will prevent `dnf remove` from being executed, but it will also prevent any dnf
> command that has "remove" anywhere in the command line.
>
> Most of the suggestions I found, for similar issues, include creating a
> wrapper script and providing access to that script.
>
> Rafael
>
> --
> Rafael Guterres Jeffman
> Senior Software Engineer
> FreeIPA - Red Hat
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
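The matching behaviour both messages rely on can be checked offline. The script below is an added example, not code from either poster or from the sudo project: it models, in POSIX sh, how sudoers compares a rule's argument pattern with what the user typed. It assumes the behaviour documented in sudoers(5): the user's arguments are joined with single spaces and matched against the rule's argument string with fnmatch(3)-style wildcards, and when several entries match, the last one wins. A shell `case` pattern uses the same wildcards, so it stands in for fnmatch here. The rule sets and command lines are constructed from the ones discussed above.

```sh
#!/bin/sh
# Added example (not from the thread): a POSIX sh model of sudoers
# argument matching, used to see which command lines a rule set permits.
# Assumption (sudoers(5)): user arguments are joined with single spaces and
# compared to the rule's argument pattern with fnmatch(3)-style globbing;
# with several matching entries, the last match wins.

# rule_matches PATTERN USER_ARGS -> 0 when the rule's argument pattern matches
rule_matches() {
    pattern=$1
    user_args=$2
    # An entry with no argument pattern (e.g. "/usr/bin/dnf") matches any arguments.
    if [ -z "$pattern" ]; then
        return 0
    fi
    case "$user_args" in
        $pattern) return 0 ;;   # deliberately unquoted: expanded as a glob
        *)        return 1 ;;
    esac
}

# decide USER_ARGS RULE... -> prints "allow" or "deny"
# Each RULE is "allow|PATTERN" or "deny|PATTERN" ("deny" models a "!" entry).
# No matching entry at all means sudo will not run the command.
decide() {
    user_args=$1
    shift
    verdict=deny
    for rule in "$@"; do
        kind=${rule%%|*}
        pattern=${rule#*|}
        if rule_matches "$pattern" "$user_args"; then
            verdict=$kind       # last matching entry wins, as in sudoers
        fi
    done
    printf '%s\n' "$verdict"
}

# show USER_ARGS RULE... -> one line of the comparison table
show() {
    args=$1
    shift
    printf '  %-36s %s\n' "sudo dnf $args" "$(decide "$args" "$@")"
}

# Constructed rule sets from the thread, one table each.
echo '/usr/bin/dnf, !/usr/bin/dnf remove'
show "remove"            "allow|" "deny|remove"
show "remove emacs"      "allow|" "deny|remove"       # the hole Rafael points out

echo '/usr/bin/dnf, !/usr/bin/dnf remove *'
show "remove emacs"      "allow|" "deny|remove *"
show "-y remove emacs"   "allow|" "deny|remove *"     # option before the verb slips through

echo '/usr/bin/dnf, !/usr/bin/dnf *remove*'
show "-y remove emacs"   "allow|" "deny|*remove*"
show "install emacs --exclude=removeme" "allow|" "deny|*remove*"   # collateral denial

echo '/usr/bin/dnf install*'
show "install emacs"     "allow|install*"
show "remove emacs"      "allow|install*"
show "shell"             "allow|install*"             # dnf shell is refused by this rule
```

On a real host the authoritative check is sudo itself: `sudo -l -U admin /usr/bin/dnf -y remove emacs` prints the command if the policy permits it and exits with status 1 if it does not, so each row of the table above can be confirmed against the deployed rule. The model shows why the trailing wildcard works: `install*` anchors the first word, so `remove`, `-y remove` and `shell` never match, whereas every `!` variant either leaves an ordering gap or over-matches.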