I am new to FreeIPA and struggling very hard to achieve a task. Below is my desired task. I have two hosts watch1.office.com and watch2.office.com and a user john in FreeIPA. I want that user john can only read, write, execute in the /etc/sysconfig directory of watch1.office.com and edit /etc/ssh/sshd_config. How can I achieve this task? I want that user john can edit a specific file or execute in a directory for which permission is granted. But I do not know how to make or grant such permission in FreeIPA. Any help would be much appreciated.
On Tue, 01 Oct 2019, Syed Muhammad Hassan via FreeIPA-users wrote:
> I am new to FreeIPA and struggling very hard to achieve a task. Below is my desired task. I have two hosts watch1.office.com and watch2.office.com and a user john in FreeIPA. I want that user john can only read, write, execute in the /etc/sysconfig directory of watch1.office.com and edit /etc/ssh/sshd_config. How can I achieve this task? I want that user john can edit a specific file or execute in a directory for which permission is granted. But I do not know how to make or grant such permission in FreeIPA. Any help would be much appreciated.
This task is unrelated to FreeIPA in itself. Think about the file system that is storing your /etc. How would you set those permissions for a local user 'john'? In a typical Linux environment your /etc is located on the / mount point, which is most likely a file system that supports extended POSIX ACLs. So, if / is mounted to allow extended POSIX ACLs, you can use setfacl / getfacl to add / view additional ACLs on the directories and files on /, including /etc/sysconfig or /etc/ssh/sshd_config.
The fact that user 'john' comes from a remote identity source is irrelevant because in the case of Linux most file systems store permissions using numeric values for UID and GID.
There are plenty of articles to show how to use POSIX ACLs. For example, https://wiki.archlinux.org/index.php/Access_Control_Lists
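The procedure Alexander describes, as an added example that is not part of the thread and not FreeIPA's or Red Hat's code: a POSIX shell script to be run as root on watch1.office.com. The host names, the user john and the two paths come from the question; the script, its function names and the `apply` argument are my own. It first resolves john to a numeric UID (the only thing the file system will store), writes the entries with that UID, and then reads them back with `getfacl -n` so the check does not depend on name resolution either. Nothing here talks to FreeIPA, and watch2.office.com is untouched, because the ACL exists only in this host's file system.

```shell
#!/bin/sh
# Added example (not from the thread): give the FreeIPA user "john" POSIX ACL
# rights on /etc/sysconfig and /etc/ssh/sshd_config of ONE host.
# On watch1.office.com, as root:   sh grant_john_acls.sh apply john
# Function names and the "apply" argument are assumptions of this example.
set -eu

# ACL entries are stored by numeric UID, so resolve the IPA user first and fail
# loudly if SSSD cannot resolve the name on this host. Otherwise you would be
# granting rights to nobody, or to whatever UID you typed by hand.
resolve_uid() {
    id -u "$1"
}

# Entries written with the numeric UID (u:UID:perms) stay correct even if name
# lookup is unavailable at the moment setfacl runs.
dir_acl()  { printf 'u:%s:rwx' "$1"; }   # directory: list, create/remove, traverse
file_acl() { printf 'u:%s:rw-' "$1"; }   # single file: read and write only

grant_acls() {
    uid=$1
    root=${2:-}                       # "" on the real host; a scratch dir for a dry run
    sysconfig="$root/etc/sysconfig"
    sshd_config="$root/etc/ssh/sshd_config"

    # rwx on the directory and on everything already inside it (the question
    # asks for execute; use file_acl in the -R call if rw- is enough) ...
    setfacl -R -m "$(dir_acl "$uid")" "$sysconfig"
    # ... plus a default ACL on each directory, so files created later inherit it.
    find "$sysconfig" -type d -exec setfacl -d -m "$(dir_acl "$uid")" {} +
    # Only rw on sshd_config: no execute bit, and nothing on the rest of /etc/ssh.
    setfacl -m "$(file_acl "$uid")" "$sshd_config"
}

# Check one entry. getfacl -n prints UIDs instead of names, -p keeps the path
# absolute; the mask and owner lines have a different shape and are not matched.
has_acl() {
    getfacl -n -p "$1" 2>/dev/null | grep -qx "user:$2:$3"
}

if [ "${1:-}" = apply ]; then
    uid=$(resolve_uid "${2:-john}")
    grant_acls "$uid" ""
    if has_acl /etc/sysconfig "$uid" rwx && has_acl /etc/ssh/sshd_config "$uid" rw-; then
        echo "ACLs in place for uid $uid"
    else
        echo "ACL verification failed" >&2
        exit 1
    fi
fi
```

Two caveats a practitioner would want. Because the entry is a bare UID, `getfacl -n` is the honest view of who is granted what: if john is ever deleted in FreeIPA and his UID reused, the ACL silently follows the number to the new user, so review such entries when users leave. And an ACL on sshd_config alone only permits in-place writes; tools that save by writing a new file and renaming it over the old one (`sed -i` is one) need write permission on /etc/ssh as well, which this deliberately does not grant. Whoever can write sshd_config effectively controls which users and keys sshd accepts once it is reloaded, so treat this grant as close to root on that host, and if john also needs to restart sshd, give him that through a FreeIPA sudo rule rather than through more file ACLs. On ext4 and XFS, ACL support is on by default; on a file system without it, setfacl fails with "Operation not supported" and the script stops there.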
Dear Alexander,
Thank you so much for getting back to me. I am much obliged. I read your article (Creating permissions in FreeIPA) (https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/). It is really well written. Thank you so much for this. I want to know the end goal of this permission. What is meant by managing hosts in ‘my-hostgroup’ ? If I create this permission for user john for watch1.office.com then what can be done by john to this host?
On Tue, Oct 1, 2019 at 8:27 PM Alexander Bokovoy abokovoy@redhat.com wrote:
> On Tue, 01 Oct 2019, Syed Muhammad Hassan via FreeIPA-users wrote:
>> I am new to FreeIPA and struggling very hard to achieve a task. Below is my desired task. I have two hosts watch1.office.com and watch2.office.com and a user john in FreeIPA. I want that user john can only read, write, execute in the /etc/sysconfig directory of watch1.office.com and edit /etc/ssh/sshd_config. How can I achieve this task? I want that user john can edit a specific file or execute in a directory for which permission is granted. But I do not know how to make or grant such permission in FreeIPA. Any help would be much appreciated.
> This task is unrelated to FreeIPA in itself. Think about the file system that is storing your /etc. How would you set those permissions for a local user 'john'? In a typical Linux environment your /etc is located on the / mount point, which is most likely a file system that supports extended POSIX ACLs. So, if / is mounted to allow extended POSIX ACLs, you can use setfacl / getfacl to add / view additional ACLs on the directories and files on /, including /etc/sysconfig or /etc/ssh/sshd_config.
> The fact that user 'john' comes from a remote identity source is irrelevant because in the case of Linux most file systems store permissions using numeric values for UID and GID.
> There are plenty of articles to show how to use POSIX ACLs. For example, https://wiki.archlinux.org/index.php/Access_Control_Lists
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org