On 28.6.2016 12:32, Mitra Dehghan wrote:
> Thank you Petr for your answer. I'm trying to do the job with the least
> changes in the client, which was an operating machine now joined to the Free IPA
> domain. I just want to make sure whether using chmod, chown or setfacl are the
> only available solutions or not?

I believe that it is the only viable option because these checks are enforced in the filesystem layer in the kernel.

Petr^2 Spacek

> On Jun 28, 2016 12:30 PM, "Petr Spacek" <pspa...@redhat.com> wrote:
>
>> On 28.6.2016 09:08, Mitra Dehghan wrote:
>>> Hello,
>>>
>>> I want to know how I can give directory permissions on a client to a
>>> domain user in FreeIPA.
>>>
>>> I'm using the "runasuser" feature in a sudo policy to give my domain users
>>> permission to run local services on the client.
>>>
>>> Here is an example:
>>> I have a service on my client called "*abc*" located at "/home/abc/" and
>>> locally run by a local user called "*abc*".
>>>
>>> I have used the runasuser feature in sudo policy rules to let domain users
>>> (say: *u...@mydomain.dc*) run the service. *usr* can run scripts, read and
>>> edit files and stop/start services, using *abc*'s permissions and without
>>> any problem.
>>>
>>> But the problem I have faced is, when I want "*usr*" to traverse
>>> subdirectories under "*/home/abc/*", it doesn't work.
>>> I have defined a sudocmd for the cd command and added it as an allow-command to
>>> the appropriate sudorule. My sudocmd definitions are like this:
>>>
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
>>>
>>> While *usr* can run the *cd* command without error, it doesn't work and
>>> *pwd* still shows *`/home/usr`* as the current directory.
>>> What *usr* runs is:
>>> *$ sudo -u abc cd /home/abc/m/*
>>
>> Most importantly you need to add appropriate permission for user abc to the
>> /home/abc directory (and its contents if necessary).
>>
>> You can use either chown+chmod or setfacl commands, depending on the
>> use-case.
>>
>> When this is done, add a SUDO rule allowing user usr to run the program in
>> question. You do not need to bother with SUDO rules for "cd" because this will
>> be solved at the filesystem level.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
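The point Petr makes above is that directory traversal is decided by the kernel's permission check on every path component for the process doing the access, so a sudo rule for `cd` cannot help: `sudo -u abc cd ...` runs the check as `abc` in a child process whose working directory is discarded when it exits. The following is an added example, not code from the thread or from FreeIPA. It models the classic owner/group/other mode-bit check over a constructed in-memory tree (the uids, gids and modes are made up) and shows why `usr` is stopped at `/home/abc`, why `abc` gets through, and how one of the suggested fixes (group search permission via `chmod g+x`, with `usr` in abc's group) changes the result. POSIX ACLs as set by `setfacl` are not modelled here.

```python
"""Model of the kernel's path-search (traversal) check for classic mode bits.

Added example for the FreeIPA thread above; all identities and the tree are
constructed sample data, not taken from a real system.
"""
import stat
from typing import Dict, NamedTuple, Optional, FrozenSet


class Inode(NamedTuple):
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o750


# Constructed uids/gids: local service account abc and domain user usr.
ABC_UID, ABC_GID = 1001, 1001
USR_UID, USR_GID = 2001, 2001

# Constructed tree mirroring the thread: /home/abc is owned by abc, mode 0700.
TREE: Dict[str, Inode] = {
    "/": Inode(0, 0, 0o755),
    "/home": Inode(0, 0, 0o755),
    "/home/abc": Inode(ABC_UID, ABC_GID, 0o700),
    "/home/abc/m": Inode(ABC_UID, ABC_GID, 0o750),
    "/home/abc/n": Inode(ABC_UID, ABC_GID, 0o750),
    "/home/abc/n/q": Inode(ABC_UID, ABC_GID, 0o750),
}


def has_perm(inode: Inode, uid: int, gids: FrozenSet[int], want: int) -> bool:
    """Discretionary check: owner bits if uid matches, else group bits if the
    file's gid is among the caller's groups, else 'other' bits.
    `want` is the 'other' bit to test (stat.S_IROTH, S_IWOTH or S_IXOTH)."""
    if uid == 0:
        return True  # root bypasses DAC via CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
    if uid == inode.uid:
        return bool(inode.mode & (want << 6))
    if inode.gid in gids:
        return bool(inode.mode & (want << 3))
    return bool(inode.mode & want)


def components(path: str):
    """Yield '/', then each successive prefix of an absolute path."""
    yield "/"
    cur = ""
    for part in (p for p in path.split("/") if p):
        cur += "/" + part
        yield cur


def can_traverse(tree: Dict[str, Inode], path: str, uid: int,
                 gids: FrozenSet[int]) -> Optional[str]:
    """Return the first path component that denies search (x) permission to
    this identity, or None if the identity could chdir into `path`."""
    for comp in components(path):
        if not has_perm(tree[comp], uid, gids, stat.S_IXOTH):
            return comp
    return None


def grant_group_search(tree: Dict[str, Inode], top: str) -> None:
    """Model the effect on directories of `chmod -R g+X top`: add the group
    search bit to `top` and every directory below it (in place)."""
    prefix = top.rstrip("/") + "/"
    for path, inode in list(tree.items()):
        if path == top or path.startswith(prefix):
            tree[path] = inode._replace(mode=inode.mode | stat.S_IXGRP)


def demo():
    """Before: usr is stopped at /home/abc. As abc (what `sudo -u abc` runs as)
    the check passes, but only inside the child process. After adding g+x and
    putting usr into abc's group, usr reaches the deepest directory."""
    usr_only = frozenset({USR_GID})
    blocker_before = can_traverse(TREE, "/home/abc/m", USR_UID, usr_only)
    as_abc = can_traverse(TREE, "/home/abc/m", ABC_UID, frozenset({ABC_GID}))
    fixed = dict(TREE)
    grant_group_search(fixed, "/home/abc")
    usr_in_abc_group = frozenset({USR_GID, ABC_GID})
    blocker_after = can_traverse(fixed, "/home/abc/n/q", USR_UID, usr_in_abc_group)
    return blocker_before, as_abc, blocker_after


if __name__ == "__main__":
    print(demo())  # ('/home/abc', None, None)
```

`can_traverse` returns the component at which the walk fails, which is the same information a real `cd` reports as "Permission denied" without saying where; for a per-user grant instead of a group one, the thread's `setfacl -m u:usr:x` alternative adds a named-user entry that this mode-bit model does not represent.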