Using FreeIPA for centralized sudo - how to specify ALL commands?
Solution 1
You don't need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.
# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
Rule name: All
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
User Groups: admins
----------------------------
Number of entries returned 1
----------------------------
(If such a rule doesn't exist, create it.)
ipa sudorule-add --cmdcat=all All
Just add the users or groups to this sudo rule that you want to be able to sudo with any command.
ipa sudorule-add-user --groups=admins All
You can also do this from the Web UI if you prefer.
Solution 2
When you want to add ALL to a rule, you can use the category option with the value all. For commands that would be --cmdcat=all, for hosts --hostcat=all, for users --usercat=all, and a few more below. All these options are visible in ipa sudorule-add --help:
$ ipa sudorule-add --help
Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]
Create new Sudo Rule.
Options:
-h, --help show this help message and exit
--desc=STR Description
--usercat=['all'] User category the rule applies to
--hostcat=['all'] Host category the rule applies to
--cmdcat=['all'] Command category the rule applies to
--runasusercat=['all']
RunAs User category the rule applies to
--runasgroupcat=['all']
RunAs Group category the rule applies to
...
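An added audit helper, not from either answer or from FreeIPA itself, that parses `ipa sudorule-find` output and reports which rules grant every command, and which of those are ineffective because they carry no host scope (the --hostcat=all caveat nivs raises in the comments below). It assumes the `Hosts:` and `Host Groups:` field labels of ipa's output and falls back to a constructed sample when the `ipa` client is not installed.

```shell
# Constructed sample in the layout of `ipa sudorule-find` output (not captured from a real server).
# "All" matches the rule in Solution 1; "Editors" allows any command but names no hosts.
SAMPLE='-------------------
2 Sudo Rules matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins

  Rule name: Editors
  Enabled: TRUE
  Command category: all
  User Groups: editors
----------------------------
Number of entries returned 2
----------------------------'

# audit_sudorules: read ipa sudorule-find output on stdin and print one line per rule:
#   NAME UNRESTRICTED   any command on every host or on listed hosts (sudoers "ALL=(...) ALL" style)
#   NAME NO-HOST-SCOPE  any command, but no --hostcat=all and no hosts/hostgroups, so it never applies
#   NAME RESTRICTED     commands limited to sudo commands or command groups
# The "Hosts:" / "Host Groups:" labels are assumed to match ipa's output format.
audit_sudorules() {
  awk '
    function flush() {
      if (name == "") return
      if (cmdcat == "all") {
        if (hostcat == "all" || hosts) print name, "UNRESTRICTED"
        else print name, "NO-HOST-SCOPE"
      } else print name, "RESTRICTED"
      name = ""; cmdcat = ""; hostcat = ""; hosts = 0
    }
    /^ *Rule name:/            { flush(); sub(/^ *Rule name: */, ""); name = $0 }
    /^ *Command category:/     { cmdcat = $NF }
    /^ *Host category:/        { hostcat = $NF }
    /^ *(Hosts|Host Groups):/  { hosts = 1 }
    END { flush() }
  '
}
# Audit the live directory when the ipa client is present, else the constructed sample.
if command -v ipa >/dev/null 2>&1; then
  ipa sudorule-find | audit_sudorules
else
  printf '%s\n' "$SAMPLE" | audit_sudorules
fi
```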
HTTP500, updated on September 18, 2022
Comments
- HTTP500, almost 2 years ago: I'm having a hard time wrapping my head around FreeIPA's model. The FreeIPA manual states:
  "FreeIPA adds an extra control measure with sudo command groups, which allow a group of commands to be defined and then applied to the sudo configuration as one."
  But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a "files" sudo command group, e.g. from the command line:
  ipa sudocmdgroup-add --desc 'File editing commands' files
  ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'
  ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files
  But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?
- HTTP500, over 10 years ago: The rule didn't exist by default and it took a little bit of work to get a rule that matched yours, i.e. "%admins ALL=(ALL) ALL", but I think I'm on the path of enlightenment now. Much appreciated, thanks!
- Michael Hampton, over 10 years ago: This is one of those tasks that was obviously much easier in the Web UI than the command line. It took me quite a while to get even that far with it in the CLI.
- HTTP500, over 10 years ago: Agreed, I finished off the rule in the Web UI.
- nivs, about 8 years ago: If you want the rule to be effective across all hosts, I noticed that without specifying --hostcat=all when creating the rule, sudo is not allowed (adding this option to an existing rule is possible by issuing sudorule-mod --hostcat=all).
- 0xSheepdog, about 8 years ago: @HTTP500 If you had to do things that are not listed in your OP or the Accepted Answer, please provide the steps/details for others, i.e. "The rule didn't exist by default and it took a little bit of work to get a rule that matched yours..." What bit of work was required? How did you achieve the desired result?
- wordsforthewise, about 4 years ago: Still not fully working for me. I ran
  ipa sudorule-add --cmdcat=all --hostcat=all --runasusercat=all All
  then added the group to the rule. I also added the specific user to the rule. Anything else I should be doing?
- Michael Hampton, about 4 years ago: @wordsforthewise Probably you should ask a new question.