Ping a Specific Port

Question

HTTP500

Asked: 2013-12-10 15:54:02 +0800 CST2013-12-10 15:54:02 +0800 CST 2013-12-10 15:54:02 +0800 CST

Using FreeIPA for centralized sudo - how to specify ALL commands?

772

I'm having a hard time wrapping my head around FreeIPA's model. The FreeIPA manual states:

FreeIPA adds an extra control measure with sudo command groups, which allow a group of commands to be defined and then applied to the sudo configuration as one.

But their examples basically talk about creating a sudo command group and adding particular sudo commands like vim and less to a "files" sudo command group.

e.g. from the commandline:

ipa sudocmdgroup-add --desc 'File editing commands' files

ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'

ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files

But how do you specify ALL like you would in /etc/sudoers? Can this be wildcarded (e.g. *)?

2 Answers

Voted

Michael Hampton · Answer 1 · 2013-12-10T16:08:05+08:00

Best Answer

Michael Hampton

2013-12-10T16:08:05+08:002013-12-10T16:08:05+08:00

You don't need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.

# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

(If such a rule doesn't exist, create it.)

ipa sudorule-add --cmdcat=all All

Just add the users or groups to this sudo rule that you want to be able to sudo with any command.

ipa sudorule-add-user --groups=admins All

You can also do this from the Web UI if you prefer.

14

abbra · Answer 2 · 2019-07-29T10:16:09+08:00

abbra

2019-07-29T10:16:09+08:002019-07-29T10:16:09+08:00

When you want to add ALL to a rule, you can use category option with value all. For commands that would be --cmdcat=all, for hosts -- --hostcat=all, for users -- --usercat=all and few more below.

All these options are visible in ipa sudorule-add --help:

$ ipa sudorule-add --help
Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]

Create new Sudo Rule.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Description
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --cmdcat=['all']      Command category the rule applies to
  --runasusercat=['all']
                        RunAs User category the rule applies to
  --runasgroupcat=['all']
                        RunAs Group category the rule applies to
...

1

Using FreeIPA for centralized sudo - how to specify ALL commands?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?