Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
Dear Christian,

Thanks for your explanation about shell builtins. I changed the directory permissions and now it works!

Mitra

On Tue, Jun 28, 2016 at 4:17 PM, Christian Heimes wrote:
> On 2016-06-28 09:08, Mitra Dehghan wrote:
> > [...]
>
> cd is a builtin command of your shell. It has to be, because it changes
> the current working directory of the shell's process. sudo doesn't work for
> shell builtins. You have to find another way to accomplish your task.
>
> By the way, are you familiar with how r, w, x work for directories? 'r' is used
> for listing the content of a directory, 'w' for creating/removing files
> (except for +t directories) and 'x' is used to check if a user is
> allowed to enter a directory. You can allow users to enter a directory
> w/o actually seeing its content.
>
> Christian

-- 
m-dehghan

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
On 2016-06-28 09:08, Mitra Dehghan wrote:
> Hello,
>
> I want to know how I can give directory permissions on a client to a
> domain user in FreeIPA.
>
> I'm using the "runasuser" feature in sudo policy to give my domain users
> permission to run local services on a client.
>
> Here is an example:
> I have a service on my client called "abc", located at "/home/abc/" and
> run locally by a local user called "abc".
>
> I have used the runasuser feature in sudo policy rules to let domain users
> (say: u...@mydomain.dc) run the service. usr can run scripts, read
> and edit files and stop/start services, using abc's permissions and
> without any problem.
>
> But the problem I have faced is, when I want "usr" to traverse
> subdirectories under "/home/abc/", it doesn't work.
> I have defined a sudocmd for the cd command and added it as an allow-command to
> the appropriate sudorule. My sudocmd definitions are like this:
>
> ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/'
> ipa sudocmd-add --desc="ttt" 'cd /home/abc/m/'
> ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/q/'

cd is a builtin command of your shell. It has to be, because it changes
the current working directory of the shell's process. sudo doesn't work for
shell builtins. You have to find another way to accomplish your task.

By the way, are you familiar with how r, w, x work for directories? 'r' is used
for listing the content of a directory, 'w' for creating/removing files
(except for +t directories) and 'x' is used to check if a user is
allowed to enter a directory. You can allow users to enter a directory
w/o actually seeing its content.

Christian
Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
On 28.6.2016 12:32, Mitra Dehghan wrote:
> Thank you Petr for your answer. I'm trying to do the job with the least
> changes on the client, which was an operating machine now joined to the FreeIPA
> domain. I just want to make sure whether using chmod, chown or setfacl are the
> only available solutions or not?
>
> On Jun 28, 2016 12:30 PM, "Petr Spacek" wrote:
> > [...]

I believe that it is the only viable option because these checks are enforced in the filesystem layer in the kernel.

Petr^2 Spacek
Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
Thank you Petr for your answer. I'm trying to do the job with the least changes on the client, which was an operating machine now joined to the FreeIPA domain. I just want to make sure whether using chmod, chown or setfacl are the only available solutions or not?

On Jun 28, 2016 12:30 PM, "Petr Spacek" wrote:
> On 28.6.2016 09:08, Mitra Dehghan wrote:
> > [...]
>
> Most importantly you need to add appropriate permission for user abc to the
> /home/abc directory (and its contents if necessary).
>
> You can use either chown+chmod or setfacl commands, depending on the
> use-case.
>
> When this is done, add a SUDO rule allowing user usr to run the program in
> question. You do not need to bother with SUDO rules for "cd" because this
> will be solved at filesystem level.
>
> -- 
> Petr^2 Spacek
Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
On 28.6.2016 09:08, Mitra Dehghan wrote:
> Hello,
>
> I want to know how I can give directory permissions on a client to a domain
> user in FreeIPA.
>
> I'm using the "runasuser" feature in sudo policy to give my domain users
> permission to run local services on a client.
>
> Here is an example:
> I have a service on my client called "abc", located at "/home/abc/" and
> run locally by a local user called "abc".
>
> I have used the runasuser feature in sudo policy rules to let domain users
> (say: u...@mydomain.dc) run the service. usr can run scripts, read and
> edit files and stop/start services, using abc's permissions and without
> any problem.
>
> But the problem I have faced is, when I want "usr" to traverse
> subdirectories under "/home/abc/", it doesn't work.
> I have defined a sudocmd for the cd command and added it as an allow-command to
> the appropriate sudorule. My sudocmd definitions are like this:
>
> ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/'
> ipa sudocmd-add --desc="ttt" 'cd /home/abc/m/'
> ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/q/'
>
> While usr can run the cd command without error, it doesn't work and
> pwd still shows /home/usr as the current directory.
> What usr runs is:
> $ sudo -u abc cd /home/abc/m/

Most importantly you need to add appropriate permission for user abc to the
/home/abc directory (and its contents if necessary).

You can use either chown+chmod or setfacl commands, depending on the
use-case.

When this is done, add a SUDO rule allowing user usr to run the program in
question. You do not need to bother with SUDO rules for "cd" because this
will be solved at filesystem level.

-- 
Petr^2 Spacek
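Christian's point that sudo cannot run a shell builtin, and Petr's point that traversal is decided by the filesystem bits (x to enter, r to list), as an added example that is not from any message in this thread. It assumes a Linux client with GNU stat; the helper names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for the situation above:
#  - is_builtin NAME: is NAME a shell builtin (like cd)? sudo cannot run
#    builtins because there is no program on disk to execute.
#  - path_check ROOT REL: walk ROOT/REL one directory at a time and report,
#    from the mode bits alone, whether the "other" class may enter (x) and
#    list (r) each component. It reads bits, not access(2), so it behaves the
#    same as root and ignores ACLs (use getfacl where setfacl was used).
# Assumes GNU stat (-c %a), i.e. a Linux client.

# Exit 0 if NAME is a shell builtin, 1 otherwise.
is_builtin() {
    type "$1" 2>/dev/null | grep -q 'shell builtin'
}

# Print the last octal digit of PATH's mode, i.e. the "other" rwx bits.
other_digit() {
    m=$(stat -c %a "$1")
    printf '%s\n' "${m#${m%?}}"
}

# One line per directory: "<dir> enter=yes|no list=yes|no".
# Returns 0 if "other" may enter every component, 1 if some component
# lacks x (the case from the thread), 2 if a component is not a directory.
path_check() {
    cur=${1%/}; rest=${2#/}; rc=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$comp" ] || continue          # tolerate "a//b"
        cur="$cur/$comp"
        if [ ! -d "$cur" ]; then
            printf '%s: not a directory\n' "$cur"
            return 2
        fi
        o=$(other_digit "$cur")
        enter=no; list=no
        if [ $((o & 1)) -ne 0 ]; then enter=yes; else rc=1; fi
        if [ $((o & 4)) -ne 0 ]; then list=yes; fi
        printf '%s enter=%s list=%s\n' "$cur" "$enter" "$list"
    done
    return $rc
}

# Walk-through on a constructed tree shaped like the thread's /home/abc:
#   d=$(mktemp -d); mkdir -p "$d/abc/m"; chmod 711 "$d/abc"; chmod 755 "$d/abc/m"
#   path_check "$d" abc/m     # abc enter=yes list=no; abc/m enter=yes list=yes
#   is_builtin cd && echo "cd is a builtin; sudo -u abc cd ... cannot work"
```

The first component reported with enter=no is the one to fix with chmod or setfacl; a sudo rule for cd would not change its output.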
[Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
Hello,

I want to know how I can give directory permissions on a client to a domain user in FreeIPA.

I'm using the "runasuser" feature in sudo policy to give my domain users permission to run local services on a client.

Here is an example:
I have a service on my client called "abc", located at "/home/abc/" and run locally by a local user called "abc".

I have used the runasuser feature in sudo policy rules to let domain users (say: u...@mydomain.dc) run the service. usr can run scripts, read and edit files and stop/start services, using abc's permissions and without any problem.

But the problem I have faced is, when I want "usr" to traverse subdirectories under "/home/abc/", it doesn't work.
I have defined a sudocmd for the cd command and added it as an allow-command to the appropriate sudorule. My sudocmd definitions are like this:

ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/'
ipa sudocmd-add --desc="ttt" 'cd /home/abc/m/'
ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/q/'

While usr can run the cd command without error, it doesn't work and pwd still shows /home/usr as the current directory.
What usr runs is:
$ sudo -u abc cd /home/abc/m/

-- 
respectfully
m-dehghan