Using FreeIPA for centralized sudo – how to specify ALL commands?

HTTP500 asked:

I’m having a hard time wrapping my head around FreeIPA’s model. The FreeIPA manual states:

FreeIPA adds an extra control measure with sudo command groups, which
allow a group of commands to be defined and then applied to the sudo configuration as one.

But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a “files” sudo command group.

e.g. from the command line:

ipa sudocmdgroup-add --desc 'File editing commands' files

ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'

ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files

But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?

My answer:

You don’t need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.

# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

(If such a rule doesn’t exist, create it.)

ipa sudorule-add --cmdcat=all All

Just add the users or groups to this sudo rule that you want to be able to sudo with any command.

ipa sudorule-add-user --groups=admins All

You can also do this from the Web UI if you prefer.
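A least-privilege check to pair with the rule above, added here as an example that is not part of the original answer: it parses `ipa sudorule-find` output and lists every rule that grants all commands, together with the hosts and the users or groups it covers. The sample listing is constructed to mimic the CLI format shown above; the rule names and members in it are made up.

```shell
#!/bin/sh
# Added example, not from the original post: list FreeIPA sudo rules whose
# Command category is "all" (unrestricted sudo) with the hosts and users/groups
# they apply to. SAMPLE is constructed to mimic the `ipa sudorule-find` output
# format shown in the answer; it is not real directory data.
SAMPLE='--------------------
3 Sudo Rules matched
--------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: admins

  Rule name: files
  Enabled: TRUE
  Users: bob
  Sudo Allow Command Groups: files

  Rule name: legacy
  Enabled: FALSE
  User category: all
  Host category: all
  Command category: all
----------------------------
Number of entries returned 3
----------------------------'
# Reads a rule listing on stdin; prints "<rule> | <enabled> | hosts=<cat> | <who>"
# for each all-commands rule. Entries end at a blank line or the dashed footer.
# On an enrolled client with a ticket: ipa sudorule-find | audit_allcmd_rules
audit_allcmd_rules() {
  awk '
    /^  Rule name: /           { name = substr($0, 14) }
    /^  Enabled: /             { enabled = substr($0, 12) }
    /^  Host category: /       { hostcat = substr($0, 18) }
    /^  Command category: all/ { allcmd = 1 }
    /^  User category: /       { add("usercat=" substr($0, 18)) }
    /^  User Groups: /         { add("groups=" substr($0, 16)) }
    /^  Users: /               { add("users=" substr($0, 10)) }
    /^ *$/ || /^-+$/           { flush() }
    END                        { flush() }
    function add(x)  { who = (who == "") ? x : who ";" x }
    function flush() {
      if (name != "" && allcmd)
        printf "%s | %s | hosts=%s | %s\n", name, enabled, hostcat, who
      name = enabled = hostcat = who = ""; allcmd = 0
    }
  '
}
printf '%s\n' "$SAMPLE" | audit_allcmd_rules
```

A disabled rule still shows up (see the `legacy` line), since a disabled all-commands rule is one re-enable away from granting root everywhere.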
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.