ConfD User Community

Possible to restrict CLI command to specific directory

Is there some option that can be added to a CLI modification that would allow me to restrict a command to only work in a specific directory (and sub-directories).

For example, I’d like to execute ‘file list/show’, but only in one directory, rather than exposing the whole filesystem.
Also, if using ‘load/save’, I’d like to retrieve files from a single directory, to make things a bit easier and avoid users from needing to know precisely where the files are stored, and instead knowing the filename would be sufficient.

I see the /confdConfig/cli/restrictedFileRegexp configuration option, but wasn’t able to get the regex working. I’m also wondering if the regex could be applied to specific commands, rather than the CLI as a whole.

Thanks!

If you don’t want to use PAM to authenticate and restrict file access, try /confdConfig/cli/restrictedFileAccess. If this is set to ‘true’, then the user only has access to the home directory (or the directory where confd_cli is started), or if a directory is specified in a cli command parameter (params/param/type/directory{wd} or params/param/type/file{wd}) to that directory.

Hi @cohult,

Apologies for the delay.

if a directory is specified in a cli command parameter (params/param/type/directory{wd} or params/param/type/file{wd})

I saw this in the user guide too. But I don’t see params/param as one of the available options in the /clispec/$MODE/modifications tree, so I’m now sure how I would specify the working directory for a built-in command? I can do it with a custom command just fine.

Override the built-in command with your own custom one instead of modifying it.

Override the built-in command with your own custom one instead of modifying it.

Yeah, it was looking like that. Was hoping there was a simpler option.

Thanks for the info. :slight_smile:

Note that for example a script that replace the overridden command can just pass on the parameters to maapi (see for example the maapi tool). This way the authorization is checked before using that functionality.