HTTP500 asked:
I’m having a hard time wrapping my head around FreeIPA’s model. The FreeIPA manual states:
FreeIPA adds an extra control measure with sudo command groups, which
allow a group of commands to be defined and then applied to the sudo configuration as one.
But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a “files” sudo command group.
e.g. from the commandline:
ipa sudocmdgroup-add --desc 'File editing commands' files
ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'
ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files
But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?
My answer:
You don’t need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.
# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
Rule name: All
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
User Groups: admins
----------------------------
Number of entries returned 1
----------------------------
(If such a rule doesn’t exist, create it.)
ipa sudorule-add --cmdcat=all All
Just add the users or groups to this sudo rule that you want to be able to sudo with any command.
ipa sudorule-add-user --groups=admins All
You can also do this from the Web UI if you prefer.
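As an added example (not part of the answer above, and not FreeIPA's own tooling), here is the answer's find-or-create-then-add-members procedure wrapped so it can be re-run safely from a provisioning script. It assumes the `ipa` CLI is installed and you already hold an admin Kerberos ticket (`kinit admin`). The `IPA_CMD` variable, the function names, and the treatment of the non-zero exit that `ipa` returns when a group is already a member are my assumptions, not anything the original post states.

```bash
#!/usr/bin/env bash
# Added example: idempotent wrapper around the ipa sudorule commands from the
# answer. Assumes the ipa CLI and a valid admin ticket (kinit admin).
# IPA_CMD is a hypothetical knob so the same functions can be dry-run
# (IPA_CMD='echo ipa') or stubbed in a test.
IPA_CMD="${IPA_CMD:-ipa}"

# True if a sudo rule with this name already exists
# (sudorule-show exits non-zero with a NotFound error otherwise).
sudorule_exists() {
    $IPA_CMD sudorule-show "$1" >/dev/null 2>&1
}

# Create the rule with every category set to "all" unless it is already there.
# Command category "all" is the FreeIPA equivalent of "ALL" in sudoers;
# no sudo command group and no wildcard is involved.
ensure_all_sudorule() {
    local rule="$1"
    if ! sudorule_exists "$rule"; then
        $IPA_CMD sudorule-add "$rule" --cmdcat=all --hostcat=all --runasusercat=all
    fi
}

# Attach one or more IPA user groups to the rule. Assumption: adding a group
# that is already a member makes ipa exit non-zero ("already a member"),
# which is harmless here, so that case is tolerated explicitly.
add_groups_to_sudorule() {
    local rule="$1"; shift
    local grp
    for grp in "$@"; do
        $IPA_CMD sudorule-add-user "$rule" --groups="$grp" || true
    done
}

# The full procedure from the answer: find-or-create the rule, add the
# members, then show the rule so the result can be eyeballed.
grant_all_sudo() {
    local rule="$1"; shift
    ensure_all_sudorule "$rule"
    add_groups_to_sudorule "$rule" "$@"
    $IPA_CMD sudorule-show "$rule"
}

# Usage: ./grant_all_sudo.sh All admins ops
# (does nothing when run without arguments)
if [ $# -gt 0 ]; then
    grant_all_sudo "$@"
fi
```

Two caveats worth knowing before running this in anger. First, a rule whose command category is "all" cannot also carry individual allow commands or sudo command groups; `ipa` refuses that combination as mutually exclusive, so the "files" command-group design in the question and the "All" rule in the answer are alternatives, not layers. Second, `--hostcat=all` makes the rule apply on every enrolled host; if that is broader than you want, leave the host category unset and add host groups with `ipa sudorule-add-host` instead. On the clients, SSSD caches sudo rules, so `sudo -l` run as an affected user may lag behind the server until the next refresh or an explicit `sss_cache -E`.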
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
The post Using FreeIPA for centralized sudo – how to specify ALL commands? appeared first on Ringing Liberty.