On 2016-06-28 09:08, Mitra Dehghan wrote:
> Hello,
>
> I want to know how I can give directory permissions on a client to a
> domain user in FreeIPA.
>
> I'm using the "runasuser" feature in sudo policy to give my domain users
> permission to run local services on the client.
>
> Here is an example:
> I have a service on my client called "/abc/" located at "/home/abc/" and
> locally run by a local user called "/abc/".
>
> I have used the runasuser feature in sudo policy rules to let domain users
> (say: /[email protected]/) run the service. /usr/ can run scripts, read
> and edit files and stop/start services, using /abc/'s permissions and
> without any problem.
>
> But the problem I have faced is, when I want "/usr/" to traverse
> subdirectories under "//home/abc//" it doesn't work.
> I have defined sudocmd for the cd command and added it as an allow-command to
> the appropriate sudorule. My sudocmd definitions are like this:
>
> ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'
> ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'
> ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'

cd is a builtin command of your shell. It has to be because it changes the current working directory of the shell's process. sudo doesn't work for shell builtins. You have to find another way to accomplish your task.

By the way, are you familiar with how r, w, x work for directories? 'r' is used for listing the content of a directory, 'w' for creating/removing files (except for +t directories) and 'x' is used to check if a user is allowed to enter a directory. You can allow users to enter a directory w/o actually seeing its content.

Christian
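
The directory permission semantics described in the reply above, as an added example that is not part of the original thread: it reads a directory's mode bits, reports whether a given user may list, modify or enter it, and finds the first path component that blocks traversal. The function names and the uid/gid 4000001 are assumptions made for illustration; it requires GNU stat and looks at mode bits only.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU stat (Linux coreutils).
# Reads classic mode bits only: ACLs, SELinux, sticky bit and root are ignored.

# applicable_digit PATH UID "GID ..." -> octal digit (0-7) that applies to that user
applicable_digit() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    mode=$(printf '%04d' "${st%% *}")          # pad: 711 -> 0711
    rest=${st#* }; owner=${rest% *}; group=${rest#* }
    d=${mode#???}                              # default: "other" digit
    if [ "$2" = "$owner" ]; then
        d=${mode#?}; d=${d%??}                 # owner digit
    else
        for g in $3; do
            if [ "$g" = "$group" ]; then d=${mode#??}; d=${d%?}; fi
        done
    fi
    echo "$d"
}

# dir_rights PATH UID "GID ..." -> "list=.. modify=.. enter=.."
dir_rights() {
    d=$(applicable_digit "$1" "$2" "$3") || return 2
    l=no; m=no; e=no
    if [ $(( $d & 4 )) -ne 0 ]; then l=yes; fi   # r: list entry names
    if [ $(( $d & 3 )) -eq 3 ]; then m=yes; fi   # w, effective only with x
    if [ $(( $d & 1 )) -ne 0 ]; then e=yes; fi   # x: enter / traverse
    echo "list=$l modify=$m enter=$e"
}

# first_blocked PATH UID "GID ..." -> first directory on the way the user cannot enter
first_blocked() {
    parent=$(dirname "$1")
    if [ "$parent" != "$1" ]; then
        b=$(first_blocked "$parent" "$2" "$3")
        if [ -n "$b" ]; then echo "$b"; return 0; fi
    fi
    case $(dir_rights "$1" "$2" "$3") in *enter=no) echo "$1" ;; esac
}

# Demo on a constructed tree; uid/gid 4000001 is a hypothetical non-owner.
demo=$(mktemp -d)
mkdir -p "$demo/abc/n/q"
chmod 755 "$demo"; chmod 711 "$demo/abc"; chmod 700 "$demo/abc/n"
dir_rights "$demo/abc" 4000001 4000001                    # list=no modify=no enter=yes
( cd "$demo" && first_blocked abc/n/q 4000001 4000001 )   # abc/n
rm -rf "$demo"
```

On a live system, `namei -l /home/abc/n/q` prints the same per-component owner and mode information for manual inspection.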
