Using FreeIPA for centralized sudo - how to specify ALL commands?
Solution 1:
You don't need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.
# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
Rule name: All
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
User Groups: admins
----------------------------
Number of entries returned 1
----------------------------
(If such a rule doesn't exist, create it.)
ipa sudorule-add --cmdcat=all All
Just add the users or groups to this sudo rule that you want to be able to sudo with any command.
ipa sudorule-add-user --groups=admins All
You can also do this from the Web UI if you prefer.
Solution 2:
When you want to add ALL to a rule, you can use the category option with the value all. For commands that would be --cmdcat=all, for hosts --hostcat=all, for users --usercat=all, and a few more below.
All these options are visible in ipa sudorule-add --help:
$ ipa sudorule-add --help
Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]
Create new Sudo Rule.
Options:
-h, --help show this help message and exit
--desc=STR Description
--usercat=['all'] User category the rule applies to
--hostcat=['all'] Host category the rule applies to
--cmdcat=['all'] Command category the rule applies to
--runasusercat=['all']
RunAs User category the rule applies to
--runasgroupcat=['all']
RunAs Group category the rule applies to
...
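Because a rule with "Command category: all" grants unrestricted sudo, it is worth checking which enabled rules carry it and who they apply to. The script below is an added example, not part of either answer: it parses `ipa sudorule-find` output in the format shown in Solution 1. The function names `audit_all_cmd_rules` and `sample_sudorule_output` and the sample rules `dba-all` and `old-ops` are made up for illustration.

```shell
#!/bin/sh
# Added example: list enabled FreeIPA sudo rules that allow ALL commands.
# stdin: `ipa sudorule-find` output; stdout: <rule>|<host scope>|<user groups>
audit_all_cmd_rules() {
    awk '
    function emit() {
        if (name != "" && toupper(enabled) == "TRUE" && cmdcat == "all")
            printf "%s|%s|%s\n", name,
                (hostcat == "all" ? "all-hosts" : "limited-hosts"),
                (groups == "" ? "-" : groups)
        name = enabled = hostcat = cmdcat = groups = ""
    }
    {
        gsub(/^[ \t]+|[ \t\r]+$/, "")   # real output is indented
        sep = index($0, ": ")
        if (sep == 0) next              # separator and count lines
        key = substr($0, 1, sep - 1); val = substr($0, sep + 2)
        if (key == "Rule name") { emit(); name = val }
        else if (key == "Enabled") enabled = val
        else if (key == "Host category") hostcat = val
        else if (key == "Command category") cmdcat = val
        else if (key == "User Groups") groups = val
    }
    END { emit() }
    '
}

# Constructed sample: the "All" rule from the answer plus two made-up rules.
sample_sudorule_output() {
    cat <<'EOF'
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
  Rule name: dba-all
  Enabled: TRUE
  Command category: all
  User Groups: dbas
  Hosts: db1.example.test
  Rule name: old-ops
  Enabled: FALSE
  Command category: all
  User Groups: ops
EOF
}
sample_sudorule_output | audit_all_cmd_rules
```

On an enrolled host with a valid Kerberos ticket, `ipa sudorule-find | audit_all_cmd_rules` applies the same check to the live rule set.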