On 2016-06-28 09:08, Mitra Dehghan wrote:
> 
> Hello,
> 
> I want to know how can I give directory permissions on a client to a
> domain user in FreeIPA.
> 
> 
> I'm using "runasuser" feature in sudo policy to give my domain users
> permission to run local services on client. 
> 
> Here is an example:
> I have a service on my client called "/abc/" located at "/home/abc/" and
> locally run by local user called "/abc/"
> 
> I have used runasuser feature in sudo policy rules to let domain users
> (say: /u...@mydomain.dc/) run the service. /usr/ can run scripts, read
> and edit files and stop/start services, using /abc/'s permissions and
> without any problem.
> 
> But the problem I have faced is, when I want "/usr/" to traverse
> subdirectories under "//home/abc//" it doesn't work.
> I have defined sudocmd for cd command and added it as allow-command to
> appropriate sudorule. my sudocmd definitions are like this:
> 
> /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'
> /
> /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'
> /
> /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'/

cd is a builtin command of your shell. It has to be because it changes
the current working directory the shell's process. sudo doesn't work for
shell builtins. You have to find another way to accomplish your task.

By the way are you familiar how r,w,x work for directories? 'r' is used
for listing the content of a directory, 'w' for creating/removing files
(except for +t directories) and 'x' is used to check if a user is
allowed to enter a directory. You can allow users to enter a directory
w/o actually seeing its content.

Christian


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to