
I'm having a hard time wrapping my head around FreeIPA's model. The FreeIPA manual states:

FreeIPA adds an extra control measure with sudo command groups, which allow a group of commands to be defined and then applied to the sudo configuration as one.

But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a "files" sudo command group.

e.g. from the command line:

ipa sudocmdgroup-add --desc 'File editing commands' files

ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'

ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files

But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?

HTTP500

2 Answers


You don't need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.

# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

(If such a rule doesn't exist, create it.)

ipa sudorule-add --cmdcat=all --hostcat=all --runasusercat=all All

Just add the users or groups to this sudo rule that you want to be able to sudo with any command.

ipa sudorule-add-user --groups=admins All

You can also do this from the Web UI if you prefer.

Michael Hampton
  • The rule didn't exist by default and it took a little bit of work to get a rule that matched yours, i.e. "%admins ALL=(ALL) ALL" but I think I'm on the path of enlightenment now. Much appreciated, thanks! – HTTP500 Dec 10 '13 at 23:16
  • This is one of those tasks that was obviously much easier in the Web UI than the command line. It took me quite a while to get even that far with it in the CLI. – Michael Hampton Dec 10 '13 at 23:18
  • Agreed, I finished off the rule in the Web UI. – HTTP500 Dec 10 '13 at 23:26
  • If you want the rule to be effective across all hosts, I noticed that without specifying `--hostcat=all` when creating the rule, sudo is not allowed (adding this option to an existing rule is possible by issuing `sudorule-mod --hostcat=all`). – nivs May 03 '16 at 11:57
  • @HTTP500 If you had to do things that are not listed in your OP or the Accepted Answer, please provide the steps/details for others, i.e. _The rule didn't exist by default and it took a little bit of work to get a rule that matched yours_... What bit of work was required? How did you achieve the desired result? – 0xSheepdog Jun 14 '16 at 19:05
  • Still not fully working for me. I ran `ipa sudorule-add --cmdcat=all --hostcat=all --runasusercat=all All` then added the group to the rule. I also added the specific user to the rule. Anything else I should be doing? – wordsforthewise Apr 02 '20 at 21:26
  • @wordsforthewise Probably you should ask a new question. – Michael Hampton Apr 03 '20 at 01:11

When you want to add ALL to a rule, you can use the category option with the value all. For commands that would be --cmdcat=all, for hosts --hostcat=all, for users --usercat=all, and a few more below.

All these options are visible in ipa sudorule-add --help:

$ ipa sudorule-add --help
Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]

Create new Sudo Rule.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Description
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --cmdcat=['all']      Command category the rule applies to
  --runasusercat=['all']
                        RunAs User category the rule applies to
  --runasgroupcat=['all']
                        RunAs Group category the rule applies to
...
abbra
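Both answers above come down to the same thing: a FreeIPA sudo rule is a bundle of category attributes (usercategory, hostcategory, cmdcategory, runasusercategory) plus explicit member lists, and the sudoers ALL keyword corresponds to a category set to all, not to a wildcard command. The script below is an added example, not FreeIPA or sssd code; it models that evaluation offline so the pitfall from the comments (a rule created without --hostcat=all matches no host) is visible without a FreeIPA server. The rule objects, host names and user names are constructed for the example; rule_from_add_command only understands the category options shown on this page.

```python
"""Offline model of FreeIPA sudo rule semantics (added example, not FreeIPA code).

Simplification of how a rule's category attributes and member lists are
evaluated once sssd hands them to sudo: every dimension (user, host,
command) must match, either through its category being 'all' or through an
explicit member.  Omitting a dimension entirely means the rule matches nothing
in that dimension.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

ALL = "all"

# Maps the ipa sudorule-add options from the help text to rule attributes.
CATEGORY_FLAGS = {
    "--usercat": "usercat",
    "--hostcat": "hostcat",
    "--cmdcat": "cmdcat",
    "--runasusercat": "runasusercat",
}


@dataclass
class SudoRule:
    name: str
    enabled: bool = True
    usercat: Optional[str] = None        # --usercat=all
    hostcat: Optional[str] = None        # --hostcat=all
    cmdcat: Optional[str] = None         # --cmdcat=all
    runasusercat: Optional[str] = None   # --runasusercat=all
    users: Set[str] = field(default_factory=set)    # sudorule-add-user --users
    groups: Set[str] = field(default_factory=set)   # sudorule-add-user --groups
    hosts: Set[str] = field(default_factory=set)    # sudorule-add-host --hosts
    cmds: Set[str] = field(default_factory=set)     # allowed commands, cmd groups expanded
    runas_users: Set[str] = field(default_factory=set)


def rule_from_add_command(cmdline: str) -> SudoRule:
    """Build a SudoRule from an `ipa sudorule-add [--xxxcat=all ...] NAME` line.

    Only the category options are supported; anything else raises so a typo
    is not silently ignored.
    """
    tokens = cmdline.split()
    if tokens[:2] != ["ipa", "sudorule-add"]:
        raise ValueError("expected an 'ipa sudorule-add' command line")
    rule = SudoRule(name=tokens[-1])
    for tok in tokens[2:-1]:
        flag, _, value = tok.partition("=")
        if flag in CATEGORY_FLAGS and value == ALL:
            setattr(rule, CATEGORY_FLAGS[flag], ALL)
        else:
            raise ValueError(f"unsupported option in this example parser: {tok}")
    return rule


def matches(rule: SudoRule, user: str, user_groups: Set[str], host: str, cmd: str) -> bool:
    """True if `user` (member of `user_groups`) may run `cmd` on `host` via this rule."""
    if not rule.enabled:
        return False
    user_ok = rule.usercat == ALL or user in rule.users or bool(user_groups & rule.groups)
    host_ok = rule.hostcat == ALL or host in rule.hosts
    cmd_ok = rule.cmdcat == ALL or cmd in rule.cmds
    return user_ok and host_ok and cmd_ok


def sudoers_equivalent(rule: SudoRule) -> Optional[str]:
    """Render the closest /etc/sudoers line, or None if the rule can match nobody.

    A rule with no hosts and no host category has an empty host list, which
    is exactly the 'sudo is not allowed' symptom described in the comments.
    """
    if not rule.enabled:
        return None
    who = ["ALL"] if rule.usercat == ALL else sorted(rule.users) + ["%" + g for g in sorted(rule.groups)]
    hosts = ["ALL"] if rule.hostcat == ALL else sorted(rule.hosts)
    # sudo itself defaults the RunAs user to root when none is given.
    runas = "ALL" if rule.runasusercat == ALL else (", ".join(sorted(rule.runas_users)) or "root")
    cmds = ["ALL"] if rule.cmdcat == ALL else sorted(rule.cmds)
    if not who or not hosts or not cmds:
        return None
    return f"{', '.join(who)} {', '.join(hosts)}=({runas}) {', '.join(cmds)}"


# Constructed sample rules, mirroring the commands quoted on this page.
ALL_RULE = rule_from_add_command("ipa sudorule-add --cmdcat=all --hostcat=all --runasusercat=all All")
ALL_RULE.groups.add("admins")              # ipa sudorule-add-user --groups=admins All

NO_HOSTCAT = rule_from_add_command("ipa sudorule-add --cmdcat=all All")   # the pitfall
NO_HOSTCAT.groups.add("admins")

FILES_RULE = SudoRule("files", hostcat=ALL, groups={"editors"},
                      cmds={"/usr/bin/vim", "/usr/bin/less"})   # the 'files' cmd group idea

if __name__ == "__main__":
    for r in (ALL_RULE, NO_HOSTCAT, FILES_RULE):
        print(f"{r.name:14} -> {sudoers_equivalent(r)}")
    print(matches(NO_HOSTCAT, "alice", {"admins"}, "web1.example.test", "/bin/bash"))
```

Running it shows that the fully specified rule renders as `%admins ALL=(ALL) ALL`, the rule created without --hostcat=all renders as nothing at all, and the command-group style rule only permits the listed binaries, which is why a sudocmdgroup cannot stand in for ALL.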