Andrew Meyer via FreeIPA-users wrote:
> In preparation for a migration I am trying to set up sudoers within
> FreeIPA. I have about a dozen people that will need to sudo to another
> user and run commands. However, I want to add all the commands for that
> user into my rule.
>
> Would this be best practice to add ALL the commands into 1 rule? Or
> should I do a sudocmdgroup?
Up to you but that's what the groups were made for: to combine a common
set of commands together to make management easier. Seems to fit well.
> ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands
>
> Would I just put a comma after each command? Or should I do this all
> individually and add all the commands to a cmd group?
Try: --sudocmds={"/usr/bin/vim","cat /etc/passwd",...}
Bash will expand it.
I'd use a group though so you can make one change and affect any/all rules.
rob
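
The command-group approach recommended in the reply above, written out as an added example that is not part of the original thread. `files-commands` is the rule name from the question; the group name `files-cmds` and the second command are constructed placeholders, and by default the script only prints the `ipa` commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (default) prints the ipa
# commands instead of running them; set DRY_RUN=0 on an enrolled host
# with a valid admin Kerberos ticket to apply them.
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or in dry-run mode print it with arguments that contain
# spaces wrapped in single quotes (display only).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=""
        for a in "$@"; do
            case $a in
                *" "*) line="$line '$a'" ;;
                *)     line="$line $a" ;;
            esac
        done
        printf '%s\n' "${line# }"
    else
        "$@"
    fi
}

# build_sudo_group GROUP RULE CMD...
# Creates the command group, registers each command as a sudocmd object,
# adds it to the group, then allows the whole group in the existing rule.
build_sudo_group() {
    group=$1; rule=$2
    [ "$#" -gt 2 ] || { echo "usage: build_sudo_group GROUP RULE CMD..." >&2; return 1; }
    shift 2
    run ipa sudocmdgroup-add "$group" --desc "Commands allowed by $rule"
    for cmd in "$@"; do
        run ipa sudocmd-add "$cmd"
        run ipa sudocmdgroup-add-member "$group" --sudocmds "$cmd"
    done
    run ipa sudorule-add-allow-command "$rule" --sudocmdgroups "$group"
}

# files-commands is the rule from the question; files-cmds and the second
# command are constructed placeholders.
build_sudo_group files-cmds files-commands \
    "/usr/bin/vim" "/usr/bin/less /var/log/messages"
```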