On Tue, Feb 2, 2021 at 12:04 PM Mustapha Aissat via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi all,
>
> I have a question regarding sudo command and rules in FreeIPA, is it possible to allow a user to only install packages and not remove?
> for example the sudo command will look,like : /usr/bin/dnf install *****
>
> I tried to configure sudo command as "/usr/bin/dnf install" and it didn't work
> If I use set the command to "/usr/bin/dnf" it works. But the user is also allowed to remove packages!
>
> Any suggestions please?
>
From `man sudoers(5)`, you will find that you can use the '!' operator (remember to read its limitations).
For example, if you add the following in sudoers file:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove
User `admin` will be able to execute all dnf commands with sudo, but `sudo dnf remove` will fail. The problem is that `sudo dnf remove emacs` will succeed.
If you change the configuration to:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove *
Then you will have the effect you want, but `sudo dnf -y remove emacs` will remove emacs.
Changing to:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf *remove*
Will prevent `dnf remove` to be executed, but it will also prevent any dnf command that has "remove" anywhere in the command line.
Most of the suggestions I found, for similar issues, include creating a wrapper script and providing access to that script.
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat