Using FreeIPA for centralized sudo - how to specify ALL commands?


Solution 1

You don't need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.

# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

(If such a rule doesn't exist, create it.)

ipa sudorule-add --cmdcat=all All

Just add the users or groups to this sudo rule that you want to be able to sudo with any command.

ipa sudorule-add-user --groups=admins All

You can also do this from the Web UI if you prefer.

Solution 2

When you want to add ALL to a rule, you can use the category option with the value all. For commands that would be --cmdcat=all, for hosts --hostcat=all, for users --usercat=all, and a few more below.

All these options are visible in ipa sudorule-add --help:

$ ipa sudorule-add --help
Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]

Create new Sudo Rule.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Description
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --cmdcat=['all']      Command category the rule applies to
  --runasusercat=['all']
                        RunAs User category the rule applies to
  --runasgroupcat=['all']
                        RunAs Group category the rule applies to
...
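
The following script is an added example; it is not code from either answer or from the FreeIPA project. It puts the two answers together: it creates (or repairs) a sudo rule whose Command, Host and RunAs User categories are all set to all, adds a group to it, and then verifies the rule as the server reports it. The rule name All, the group admins and the two sample sudorule-show outputs are assumptions and constructed data, not output captured from a real server.

```bash
#!/bin/sh
# Added example, not code from either answer or from the FreeIPA project.
# Makes sure a FreeIPA sudo rule grants one group ALL commands, on ALL hosts,
# as ALL run-as users, then verifies the result. RULE and GROUP are assumed
# names; override them in the environment to match your realm.
set -eu

RULE="${RULE:-All}"
GROUP="${GROUP:-admins}"

# Succeeds only when the text of `ipa sudorule-show RULE` shows an enabled rule
# whose Host, Command and RunAs User categories are all "all" and GROUP is
# listed under "User Groups". ipa omits a category line entirely when that
# category is unset, so a rule created without --hostcat=all (the omission the
# comments below report) has no "Host category:" line and fails this check.
# Pure awk, so it also runs on a machine without the ipa client.
rule_grants_all() {
    # $1: sudorule-show output, $2: group name
    printf '%s\n' "$1" | awk -v grp="$2" '
        /^ *Enabled: /             { enabled = ($2 == "TRUE") }
        /^ *Host category: /       { hostcat = ($3 == "all") }
        /^ *Command category: /    { cmdcat  = ($3 == "all") }
        /^ *RunAs User category: / { runas   = ($4 == "all") }
        /^ *User Groups: /         { sub(/^ *User Groups: /, "")
                                     n = split($0, g, /, */)
                                     for (i = 1; i <= n; i++) if (g[i] == grp) ingrp = 1 }
        END { exit !(enabled && hostcat && cmdcat && runas && ingrp) }'
}

# Create or repair the rule on the server. Needs an enrolled ipa client and a
# Kerberos ticket for an IPA admin (kinit admin).
ensure_rule() {
    if ! ipa sudorule-show "$RULE" >/dev/null 2>&1; then
        ipa sudorule-add "$RULE" --cmdcat=all --hostcat=all --runasusercat=all
    fi
    if ! rule_grants_all "$(ipa sudorule-show "$RULE")" "$GROUP"; then
        # Caveat: ipa refuses a category of "all" while explicit members of that
        # kind (hosts, commands, run-as users) are still attached to the rule;
        # remove those first with the matching sudorule-remove-* command.
        # "no modifications to be performed" and "already a member" are reported
        # as errors by ipa, so both calls may fail here; the check below decides.
        ipa sudorule-mod "$RULE" --cmdcat=all --hostcat=all --runasusercat=all || true
        ipa sudorule-add-user "$RULE" --groups="$GROUP" || true
    fi
    rule_grants_all "$(ipa sudorule-show "$RULE")" "$GROUP" ||
        { echo "rule $RULE still does not grant $GROUP ALL on all hosts" >&2; exit 1; }
    ipa sudorule-show "$RULE"
}

# On a client, SSSD caches sudo rules; flush the cache before asking sudo what
# a user may run (sudo -l -U needs root).
client_check() {
    sss_cache -E
    sudo -l -U "$1"
}

# Constructed sample outputs (not captured from a real server) so the check can
# be exercised offline. The first is the rule Solution 1 shows; the second is
# the same rule created without --hostcat=all.
GOOD_RULE='  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins'

NO_HOST_RULE='  Rule name: All
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  User Groups: admins'

# Offline self-check: the good rule must pass, the host-less rule must not.
self_check() {
    rule_grants_all "$GOOD_RULE" "$GROUP" || return 1
    rule_grants_all "$NO_HOST_RULE" "$GROUP" && return 1
    return 0
}

case "${1:-}" in
    apply) ensure_rule ;;
    check) client_check "${2:?user name required}" ;;
    *)     self_check && echo "offline self-check passed" ;;
esac
```

Run it with no arguments to exercise the parser against the constructed samples, with apply on a host that has an IPA admin ticket to create or repair the rule, and with check USER as root on an enrolled client to see what sudo itself will allow after the SSSD cache is flushed. The final verification in ensure_rule is what catches the case the comments describe: a rule that exists and has the group in it but was created without --hostcat=all and therefore matches no host.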
Author: HTTP500

Updated on September 18, 2022

Comments

  • HTTP500
    HTTP500 almost 2 years

    I'm having a hard time wrapping my head around FreeIPA's model. The FreeIPA manual states:

    FreeIPA adds an extra control measure with sudo command groups, which allow a group of commands to be defined and then applied to the sudo configuration as one.

    But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a "files" sudo command group.

    e.g. from the commandline:

    ipa sudocmdgroup-add --desc 'File editing commands' files
    ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'
    ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files

    But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?

  • HTTP500
    HTTP500 over 10 years
    The rule didn't exist by default and it took a little bit of work to get a rule that matched yours, i.e. "%admins ALL=(ALL) ALL" but I think I'm on the path of enlightenment now. Much appreciated, thanks!
  • Michael Hampton
    Michael Hampton over 10 years
    This is one of those tasks that was obviously much easier in the Web UI than the command line. It took me quite a while to get even that far with it in the CLI.
  • HTTP500
    HTTP500 over 10 years
    Agreed, I finished off the rule in the Web UI.
  • nivs
    nivs about 8 years
    If you want the rule to be effective across all hosts, I noticed that without specifying --hostcat=all when creating the rule, sudo is not allowed (adding this option to an existing rule is possible by issuing sudorule-mod --hostcat=all).
  • 0xSheepdog
    0xSheepdog about 8 years
    @HTTP500 If you had to do things that are not listed in your OP or the Accepted Answer, please provide the steps/details for others, i.e. The rule didn't exist by default and it took a little bit of work to get a rule that matched yours... What bit of work was required? How did you achieve the desired result?
  • wordsforthewise
    wordsforthewise about 4 years
    Still not fully working for me. I ran ipa sudorule-add --cmdcat=all --hostcat=all --runasusercat=all All then added the group to the rule. I also added the specific user to the rule. Anything else I should be doing?
  • Michael Hampton
    Michael Hampton about 4 years
    @wordsforthewise Probably you should ask a new question.