Re: Running func client as non-root ACL wiki documentation

Michael DeHaan wrote:
Stephan Huiser wrote:
Hi,

I added some extra commands to the Wiki for ACLs on /var/lib/certmaster and some directories below, needed for doing Func calls as a non-root user.

The complete list of acl commands is now:

setfacl -d -R -m 'u:MYUSER:rX' /etc/pki/certmaster/
setfacl -R -m 'u:MYUSER:rX' /etc/pki/certmaster/
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster/certs
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster/certs
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster/peers
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster/peers
setfacl -d -R -m 'u:MYUSER:rwX' /var/lib/func
setfacl -R -m 'u:MYUSER:rwX' /var/lib/func
setfacl -d -R -m 'u:MYUSER:rwX' /var/log/func/func.log
setfacl -R -m 'u:MYUSER:rwX' /var/log/func/func.log

- Stephan

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list

This may be a useful idea -- cobbler has a command to automate acl setup for various users, i.e.

cobbler aclsetup --adduser foo (also works for removing and also for groups)

And it will apply the ACLs to all of the right log directories.

Perhaps something we might want to copy over for Func.

/var/log/func/func.log should probably be /var/log/func (the whole directory) and I'm guessing you also want the certmaster logging directories.

Code is here if anyone wants to borrow some of it:

http://git.fedoraproject.org/git/cobbler?p=cobbler;a=blob_plain;f=cobbler/action_acl.py;hb=devel

Sounds like a good idea. It's maybe a bit tricky to do it and not be super fedora specific, but shouldn't be too bad. Hopefully there aren't too many hardcoded paths in the func/certmaster code (and if there are, they need to be fixed of course).

Adrian
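
An added example, not part of the original thread and not Func or cobbler code: a POSIX shell helper that prints the setfacl commands from this thread for one user, for adding or removing access. The name func_acl_commands and the print-for-review design are assumptions; it uses /var/log/func as a whole directory, as the reply suggests, and relies on -R to reach the certmaster subdirectories.

```shell
#!/bin/sh
# Added example: print the setfacl commands that grant (or revoke) one
# non-root user's access to the Func/certmaster paths named in this thread.
# Review the output, then pipe it to "sh" as root to apply it.

# path:permissions pairs. -R already recurses, so the subdirectories of
# /var/lib/certmaster need no entries of their own. /var/log/func is the
# whole directory, as suggested in the reply, not just func.log.
FUNC_ACL_PATHS='/etc/pki/certmaster:rX
/var/lib/certmaster:rX
/var/lib/func:rwX
/var/log/func:rwX'

# func_acl_commands USER [add|remove]   (hypothetical helper name)
func_acl_commands() {
    user=$1
    action=${2:-add}

    # Refuse names that could smuggle extra fields into the ACL spec.
    case $user in
        ''|*[!a-z0-9_-]*|-*) echo "invalid user name: $user" >&2; return 2 ;;
    esac

    for entry in $FUNC_ACL_PATHS; do
        path=${entry%%:*}
        perms=${entry#*:}
        case $action in
            add)
                # Access ACL for what exists now, default ACL so that
                # files created later inherit the same entry.
                echo "setfacl -R -m 'u:$user:$perms' $path"
                echo "setfacl -d -R -m 'u:$user:$perms' $path"
                ;;
            remove)
                echo "setfacl -R -x 'u:$user' $path"
                echo "setfacl -d -R -x 'u:$user' $path"
                ;;
            *) echo "unknown action: $action" >&2; return 2 ;;
        esac
    done
}
```

Running func_acl_commands MYUSER prints eight commands, and func_acl_commands MYUSER remove prints the matching -x commands that take the user's entries back out.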
