On 28.6.2016 09:08, Mitra Dehghan wrote:
> Hello,
>
> I want to know how I can give directory permissions on a client to a domain
> user in FreeIPA.
>
> I'm using the "runasuser" feature in sudo policy to give my domain users
> permission to run local services on a client.
>
> Here is an example:
> I have a service on my client called "*abc*" located at "/home/abc/" and
> locally run by a local user called "*abc*".
>
> I have used the runasuser feature in sudo policy rules to let domain users
> (say: *[email protected]*) run the service. *usr* can run scripts, read and
> edit files and stop/start services, using *abc*'s permissions and without
> any problem.
>
> But the problem I have faced is, when I want "*usr*" to traverse
> subdirectories under "*/home/abc/*" it doesn't work.
> I have defined a sudocmd for the cd command and added it as an allow-command
> to the appropriate sudorule. My sudocmd definitions are like this:
>
> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
>
> While *usr* can run the *cd* command without error, it doesn't work and
> *pwd* still shows */home/usr* as the current directory.
> What *usr* runs is:
> *$ sudo -u abc cd /home/abc/m/*
Most importantly you need to add appropriate permission for user abc to the
/home/abc directory (and its contents if necessary). You can use either
chown+chmod or setfacl commands, depending on the use-case.

When this is done, add a SUDO rule allowing user usr to run the program in
question. You do not need to bother with SUDO rules for "cd" because this
will be solved at filesystem level.

-- 
Petr^2 Spacek
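The following script is an added illustration of the reply's two points; it is not from the thread and not FreeIPA's or sudo's own code. It builds a throwaway directory tree (constructed, standing in for /home/abc) with the usual owner-only home-directory permissions, shows why a `cd` run through sudo can never move the caller's shell (the working directory is private to each process, and sudo starts a child process), and then grants traverse and read access at the filesystem level with chmod, the same fix the reply describes. The chmod variant opens the tree to all other local users; where only one account such as usr should get in, the per-user equivalent on an ACL-enabled filesystem is `setfacl -R -m u:usr:rX /home/abc` (mentioned in a comment, not executed). Once access is solved this way, the sudo rule in FreeIPA only needs to allow the service's own start/stop program, not `cd`. The `ls -ld` parsing assumes the standard ten-character mode string.

```shell
#!/bin/sh
# Constructed demo (not from the thread): a stand-in for /home/abc is built in
# a temporary directory so everything runs as an ordinary user without sudo.

# Build the stand-in tree with the restrictive modes a home directory usually
# has: only the owner may enter the directories or read the files.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/n/q" "$root/m"
    echo "service config" > "$root/m/abc.conf"
    chmod 700 "$root" "$root/n" "$root/n/q" "$root/m"
    chmod 600 "$root/m/abc.conf"
    echo "$root"
}

# A working directory belongs to one process. "sudo -u abc cd DIR" changes the
# directory of the child sudo spawns, then that child exits; the caller's shell
# is untouched. A subshell reproduces the effect without a second account.
cwd_after_child_cd() {
    ( cd "$1" )
    pwd
}

# The filesystem-level fix: add traverse (x) on every directory and read (r)
# on every regular file for users other than the owner. The capital X applies
# execute only to directories, so plain files do not become executable.
# Per-user equivalent on an ACL-enabled filesystem (needs the acl package,
# not run here):  setfacl -R -m u:usr:rX /home/abc
grant_traverse() {
    chmod -R o+rX "$1"
}

# Mode string as printed by ls, e.g. drwx---r-x. The last three characters
# are the "other" bits a non-owner such as usr is checked against.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone walk-through:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tree=$(make_tree)
    echo "cwd before: $(pwd)"
    echo "cwd after a child process ran cd: $(cwd_after_child_cd "$tree/m")"
    echo "mode of n/q before: $(mode_of "$tree/n/q")"
    grant_traverse "$tree"
    echo "mode of n/q after:  $(mode_of "$tree/n/q")"
    echo "mode of m/abc.conf: $(mode_of "$tree/m/abc.conf")"
    rm -rf "$tree"
fi
```

Run it with `sh this_script.sh demo`: the working directory is identical before and after the child's `cd`, which is exactly the symptom in the question, and the directory mode goes from `drwx------` to `drwx---r-x`, which is what lets another account walk into the subdirectories.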
