> On 22 Mar 2022, at 15:42, Rob Crittenden <
rcritten@redhat.com> wrote:
>
> Djerk Geurts via FreeIPA-users wrote:
>> This is a topic that I've spent way too much time on recently. The reason is I'm trying to manage sudo rights for teams and the sudo ruleset is getting out of hand as no globs I've tried are working except for maybe an '*' in a pathname. I'm trying to keep
things secure I'd like to allow members of a certain group to manage the services they're responsible for. These are dev guys so there's a fair bit of management involved.
>>
>> Initially, I would create a rule for systemctl start, another for stop, etc for status, reload and restart. Then I have to add the journalctl rules for seeing the current logs and the tail options for those.
>>
>> In trying to make thing easier when adding rules, and knowing glob should be supported I was hoping to simplify things to:
>>
>> /usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
>> /usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])
>>
>> But alas, none of this is working, what does work is a long list of rules specific to each separate instantiated service, which is getting really tiresome and error-prone. Is there anything I can do to ease maintaining these rules, or do I give up and look
at using Ansible to automate FreeIPA sudo rules?
>
> It may very well depend on the version of sudo you have on the client(s)
> whether regular expressions are supported or not.
>
> IPA is only a container for the rules. It just passes them along to
> sudo. I'd suggest checking with the sudo team as well.
>
> There may also be distribution-based idiosyncrasies.
>
> rob
Thanks you, I’ll check there as well. It’s mostly Ubuntu 20.04 here with a few Debian 10 and CentOS 7 machines as well. So far I’ve seen no difference between them.
Djerk