Using FreeIPA for centralized sudo - how to specify ALL commands?

Solution 1:

You don't need to make command groups if you want a group of users to be able to execute any command with sudo. You just need a sudo rule that permits all commands, and one should have been created for you by default when you installed FreeIPA.

# ipa sudorule-find All
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

(If such a rule doesn't exist, create it.)

ipa sudorule-add --cmdcat=all All

Just add the users or groups to this sudo rule that you want to be able to sudo with any command.

ipa sudorule-add-user --groups=admins All

You can also do this from the Web UI if you prefer.

Solution 2:

When you want to add ALL to a rule, you can use the category option with the value all. For commands that would be --cmdcat=all, for hosts --hostcat=all, for users --usercat=all, and a few more below.

All these options are visible in ipa sudorule-add --help:

$ ipa sudorule-add --help
Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]

Create new Sudo Rule.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Description
  --usercat=['all']     User category the rule applies to
  --hostcat=['all']     Host category the rule applies to
  --cmdcat=['all']      Command category the rule applies to
  --runasusercat=['all']
                        RunAs User category the rule applies to
  --runasgroupcat=['all']
                        RunAs Group category the rule applies to
...
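
An added example (not part of either answer, and not FreeIPA's own code): a shell function that reads output in the format shown in Solution 1 and lists the enabled rules that combine Command category: all with Host category: all, so the holders of unrestricted sudo can be reviewed. The function names, the sample rules, the "User category" label and the "Enabled: True" spelling are assumptions.

```shell
#!/bin/sh
# Lists enabled sudo rules that allow every command on every host.
# stdin: `ipa sudorule-find` output; stdout: "rule<TAB>who" per finding.
audit_sudo_rules() {
    awk '
    function emit(   who) {
        if (name != "" && toupper(enabled) == "TRUE" &&
            hostcat == "all" && cmdcat == "all") {
            who = (usercat == "all") ? "ALL USERS" : groups
            if (who == "") who = "(nobody assigned)"
            printf "%s\t%s\n", name, who
        }
        name = enabled = hostcat = cmdcat = usercat = groups = ""
    }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        pos = index(line, ": ")
        if (pos == 0) next            # separator and count lines
        key = substr(line, 1, pos - 1); val = substr(line, pos + 2)
        if (key == "Rule name") { emit(); name = val }  # next record
        else if (key == "Enabled")          enabled = val
        else if (key == "Host category")    hostcat = val
        else if (key == "Command category") cmdcat  = val
        else if (key == "User category")    usercat = val
        else if (key == "User Groups")      groups  = val
    }
    END { emit() }'
}
# Constructed sample in the format shown above, not real output.
sample_output() {
    cat <<'EOF'
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: admins
  Rule name: web-restart
  Enabled: TRUE
  Command category: all
  Rule name: old-all
  Enabled: FALSE
  Host category: all
  Command category: all
  Rule name: breakglass
  Enabled: True
  User category: all
  Host category: all
  Command category: all
EOF
}
```

On an enrolled host, pipe the real listing into it: `ipa sudorule-find | audit_sudo_rules`.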