Dear Christian,

Thanks for your explanation about shell builtin. I changed directory permissions and now it works!

Mitra

On Tue, Jun 28, 2016 at 4:17 PM, Christian Heimes <chei...@redhat.com> wrote:

> On 2016-06-28 09:08, Mitra Dehghan wrote:
> > Hello,
> >
> > I want to know how can I give directory permissions on a client to a
> > domain user in FreeIPA.
> >
> > I'm using "runasuser" feature in sudo policy to give my domain users
> > permission to run local services on client.
> >
> > Here is an example:
> > I have a service on my client called "/abc/" located at "/home/abc/" and
> > locally run by local user called "/abc/"
> >
> > I have used runasuser feature in sudo policy rules to let domain users
> > (say: /u...@mydomain.dc/) run the service. /usr/ can run scripts, read
> > and edit files and stop/start services, using /abc/'s permissions and
> > without any problem.
> >
> > But the problem I have faced is, when I want "/usr/" to traverse
> > subdirectories under "//home/abc//" it doesn't work.
> > I have defined sudocmd for cd command and added it as allow-command to
> > appropriate sudorule. my sudocmd definitions are like this:
> >
> > /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'
> > /
> > /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'
> > /
> > /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'/
>
> cd is a builtin command of your shell. It has to be because it changes
> the current working directory of the shell's process. sudo doesn't work for
> shell builtins. You have to find another way to accomplish your task.
>
> By the way are you familiar how r,w,x work for directories? 'r' is used
> for listing the content of a directory, 'w' for creating/removing files
> (except for +t directories) and 'x' is used to check if a user is
> allowed to enter a directory. You can allow users to enter a directory
> w/o actually seeing its content.
>
> Christian
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
m-dehghan
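An added example, not part of the original thread: a small diagnostic for the directory rule Christian describes, reporting which directory on a path lacks the 'x' (enter) bit for a given account and showing that adding o+x allows entry without listing. The temporary tree, the account uid/gid and the `root` parameter are constructed for illustration, and only plain mode bits are evaluated.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid: owner class, else group, else other."""
    if uid == 0:
        return 7                      # root bypasses directory mode checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7  # owner bits apply even if group/other allow more
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocking_dir(path, uid, gids, root=os.sep):
    """First directory from root down to path that uid cannot enter, or None.
    Assumption: plain mode bits only; POSIX ACLs and SELinux are not evaluated."""
    root = os.path.abspath(root)
    chain = [root]
    rel = os.path.relpath(os.path.abspath(path), root)
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    for d in chain:
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode) and not class_bits(st, uid, gids) & 1:
            return d
    return None

def demo():
    """Constructed tree <tmp>/abc/n/q, checked for a made-up non-owner account."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    home = os.path.join(base, "abc")
    target = os.path.join(home, "n", "q")
    os.makedirs(target)
    for d in (target, os.path.dirname(target)):
        os.chmod(d, 0o755)
    os.chmod(home, 0o750)                      # no access at all for "other"
    owner = os.stat(home)
    uid, gids = owner.st_uid + 1000, {owner.st_gid + 1000}  # hypothetical account
    before = first_blocking_dir(target, uid, gids, root=base)
    os.chmod(home, 0o751)                      # add o+x only: enter, but no listing
    after = first_blocking_dir(target, uid, gids, root=base)
    can_list = bool(class_bits(os.stat(home), uid, gids) & 4)
    return os.path.relpath(before, base), after, can_list

if __name__ == "__main__":
    print(demo())
```

On a real client, pass the account's numeric uid and group ids and leave `root` at its default so every directory from `/` down is checked.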