HTTP500 asked:
I’m having a hard time wrapping my head around FreeIPA’s model. The FreeIPA manual states:
FreeIPA adds an extra control measure with sudo command groups, which
allow a group of commands to be defined and then applied to the sudo configuration as one.
But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a “files” sudo command group.
e.g. from the commandline:
ipa sudocmdgroup-add --desc 'File editing commands' files
ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'
ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files
But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?
My answer:
You don’t need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.
# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
Rule name: All
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
User Groups: admins
----------------------------
Number of entries returned 1
----------------------------
(If such a rule doesn’t exist, create it.)
ipa sudorule-add --cmdcat=all All
Just add the users or groups to this sudo rule that you want to be able to sudo with any command.
ipa sudorule-add-user --groups=admins All
You can also do this from the Web UI if you prefer.
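A rule with a command category of "all" is the FreeIPA equivalent of ALL in sudoers, so it is worth knowing exactly which rules carry it and who they apply to. The script below is an added example, not part of the original question or answer: it parses the human-readable output of ipa sudorule-find (the same Key: value layout shown above) and reports every enabled rule whose Command category is "all", together with its users, groups and host scope. The sample output embedded in it is constructed for the example, and the field names beyond those shown in the answer (Users, Hosts, Host Groups, Sudo Allow Command Groups) are assumed to match what ipa prints.

```python
"""Audit FreeIPA sudo rules for unrestricted (ALL-command) grants.

Added example, not code from the original post. Feed it the text of
`ipa sudorule-find --all` and it lists the enabled rules that let their
members run any command, plus the hosts those rules cover.
"""
import re
from typing import Dict, List

# Constructed sample of `ipa sudorule-find --all` output (not real data).
# Field names other than those in the answer above are an assumption.
SAMPLE_OUTPUT = """\
---------------------
3 Sudo Rules matched
---------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins

  Rule name: files
  Enabled: TRUE
  Host category: all
  RunAs User category: all
  User Groups: editors
  Sudo Allow Command Groups: files

  Rule name: legacy_root
  Enabled: FALSE
  Host category: all
  Command category: all
  Users: jdoe
----------------------------
Number of entries returned 3
----------------------------
"""

# One "Key: value" line; keys may contain spaces (e.g. "RunAs User category").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*)$")

Rule = Dict[str, List[str]]


def parse_sudorules(text: str) -> List[Rule]:
    """Turn ipa's 'Key: value' blocks into one dict per rule.

    Every value is stored as a list because most fields (Users, User
    Groups, Hosts, ...) are multi-valued and ipa prints them as a
    comma-separated list on a single line.
    """
    rules: List[Rule] = []
    current: Rule = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separators, counts and blank lines carry no fields
        key, value = m.group(1), m.group(2)
        if key == "Rule name":  # a new rule block starts here
            if current:
                rules.append(current)
            current = {}
        current[key] = [v.strip() for v in value.split(",") if v.strip()]
    if current:
        rules.append(current)
    return rules


def grants_all_commands(rule: Rule) -> bool:
    """True if the rule is enabled and its command category is 'all'."""
    enabled = rule.get("Enabled", ["FALSE"])[0].upper() == "TRUE"
    cmdcat_all = rule.get("Command category", [""])[0].lower() == "all"
    return enabled and cmdcat_all


def unrestricted_rules(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each enabled ALL-command rule to who it applies to and where."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for rule in parse_sudorules(text):
        if not grants_all_commands(rule):
            continue
        hostcat_all = rule.get("Host category", [""])[0].lower() == "all"
        report[rule["Rule name"][0]] = {
            "users": rule.get("Users", []),
            "groups": rule.get("User Groups", []),
            # Host category 'all' overrides any explicit host lists.
            "hosts": ["ALL"] if hostcat_all
            else rule.get("Hosts", []) + rule.get("Host Groups", []),
        }
    return report


if __name__ == "__main__":
    for name, scope in unrestricted_rules(SAMPLE_OUTPUT).items():
        print(f"{name}: users={scope['users']} groups={scope['groups']} "
              f"hosts={scope['hosts']}")
```

Run it against live data with ipa sudorule-find --all piped into the script and replace SAMPLE_OUTPUT with the captured text. The disabled legacy_root rule and the files rule (which has no Command category) are deliberately excluded, so only rules that actually grant ALL today show up.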
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
The post Using FreeIPA for centralized sudo – how to specify ALL commands? appeared first on Ringing Liberty.