In preparation for a migration I am trying to set up sudoers within FreeIPA. I have about a dozen people that will need to sudo to another user and run commands. However, I want to add all the commands for that user into my rule. Would this be best practice, to add ALL the commands into 1 rule? Or should I do a sudocmdgroup?

ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands

Would I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?
Andrew Meyer via FreeIPA-users wrote:
> In preparation for a migration I am trying to set up sudoers within FreeIPA. I have about a dozen people that will need to sudo to another user and run commands. However, I want to add all the commands for that user into my rule.
> Would this be best practice, to add ALL the commands into 1 rule? Or should I do a sudocmdgroup?
Up to you but that's what the groups were made for: to combine a common set of commands together to make management easier. Seems to fit well.
> ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands
> Would I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?
Try: --sudocmds={"/usr/bin/vim","cat /etc/passwd",...}
Bash will expand it.
I'd use a group though so you can make one change and affect any/all rules.
rob
What would be the equivalent of Cmnd_Alias DEVS? Is that somewhere in the documentation? I was also trying to find something to convert my sudoers to what it would be in IPA commands.
On Thursday, November 2, 2017 4:02 PM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Andrew Meyer wrote:
> What would be the equivalent of Cmnd_Alias DEVS? Is that somewhere in the documentation? I was also trying to find something to convert my sudoers to what it would be in IPA commands.
For Cmnd_Alias I'm not sure if it is supported or documented. IPA just uses the standard sudo LDAP schema so you could start with the sudoers.ldap man page I guess. I don't recall a specific option in IPA sudocmd to do that though, but I've been out of the game for a while.
I'm 99% sure there is no sudoers -> IPA conversion script. It's certainly a nice-to-have but it'd probably be death by a thousand cuts to try to implement such a thing and be useful for more than 80% of users.
rob
In IPA the Cmnd_Alias is more like the sudo command group.
Basically you have 2 options on how you want to input sudo commands for rules.
1. Input each command as a sudo command, and then group the commands into sudo command groups.
2. Input directly into the rule, one at a time. Very nasty, and can't be reused.
The better option is #1. This is so you can reuse the command for different command groups.
The only way I have found to input multiple entries at a time is to have all of the commands in a file, and then do a loop and add them in. You will still have to add them into command groups and sudo rules. Kind of like this. Make sure you have Kerberos credentials too, otherwise it will fail.

Example file - /tmp/list - notice the quotes.. very important if there are spaces in the command:

'/usr/bin/less'
'/usr/bin/vim'
'cat /etc/passwd'

Example loop: the single quotes will carry over from the file so that the command is added in its entirety.

while read -r line; do ipa sudocmd-add $line; done < /tmp/list
You can make it fancier by adding a second entry in each line and add the description, but got to leave something to the imagination. lol.
Hope that helps.

Aaron
I will check this out and get back to you. Thank you.
On Friday, November 10, 2017 8:04 AM, Aaron Cole via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Aaron, I am just now returning to this; I had lots of production issues which took priority. However, I just did what you said: added them individually and used a for loop w/ single quotes around the commands, EVEN the ones w/ spaces and extra options. It added a lot of them but not always correctly. Sometimes it would miss half of the options; other times it would take the command and think that a '*' was a command. For example, to start tomcat 5 & 7 I have

'/etc/init.d/tomcat5 *'
'/etc/init.d/tomcat7 *'

It stripped the end single quote. Thoughts?
On Friday, November 10, 2017 8:33 AM, Andrew Meyer via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
You don't need to add a "*" to those commands as an argument.

"/etc/init.d/tomcat5 *" is the same as "/etc/init.d/tomcat5". This allows all command line arguments to be passed, meaning you do not have to have a wildcard to allow all command line arguments to be processed, because the base command already allows them. With that said, you can have /etc/init.d/tomcat5 as a sudo command and the user can issue the command "sudo /etc/init.d/tomcat5 start", just like they can issue the command "sudo /etc/init.d/tomcat5 restart".
The only time you should add a wildcard to a sudo command is when it's absolutely necessary. As an example:
/bin/cp /tmp/* /opt/app/files/.
You probably should look at your sudo commands and reevaluate the necessity of a wildcard. Also beware: the use of wildcards can be very dangerous. You can look at man(5) sudo for more info on the use of wildcards.

Now, as for your loop not properly processing the commands with spaces, I would surmise that you should have quoted your variable in the loop:

while read -r line; do ipa sudocmd-add "$line"; done < /tmp/list

I always echo back the variable before I put it in the command, to make sure my variable is being processed the way I believe it should be. That way, if other types of quoting or adjustments to the variable need to happen, they can. As an example:

while read -r line; do echo "Line - $line"; done < /tmp/list
Aaron
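Rob says no sudoers-to-IPA conversion script exists; as an added example (not from the thread or the FreeIPA project), here is a minimal one scoped to what Aaron describes in his two messages: each Cmnd_Alias becomes a sudocmdgroup, every distinct command becomes one sudocmd, a trailing " *" is dropped because the bare command already admits any arguments, and any remaining wildcard is reported for review. The sudoers fragment is constructed, the group naming (lower-cased alias) is a hypothetical choice, and the output is a list of ipa CLI lines for an operator to inspect rather than commands that are executed.

```python
import re
import shlex

# Constructed sudoers fragment (not from the thread): a line continuation,
# "cmd *" entries, one real wildcard and one command shared by two aliases.
SAMPLE_SUDOERS = r"""
Defaults    env_reset
Cmnd_Alias DEVS = /usr/bin/vim, /etc/init.d/tomcat5 *, \
                  /etc/init.d/tomcat7 *, \
                  /bin/cp /tmp/* /opt/app/files/.
Cmnd_Alias READ = /usr/bin/less, /usr/bin/vim, cat /etc/passwd
%devs ALL = (appuser) DEVS
"""

def parse_cmnd_aliases(text):
    """Return {alias: [command, ...]}; continuations are joined first and the
    list is split on ',' (sudoers' separator), so 'cat /etc/passwd' stays whole."""
    joined = re.sub(r"\\\n\s*", " ", text)
    aliases = {}
    for line in joined.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return aliases

def normalise(cmd):
    """Drop a trailing ' *': the bare sudocmd already admits any arguments."""
    return re.sub(r"\s+\*$", "", cmd)

def to_ipa(aliases):
    """Emit ipa CLI lines: one sudocmdgroup per alias (hypothetical naming:
    lower-cased alias), each distinct command added once, then group
    membership. Commands still containing a wildcard are returned as warnings."""
    lines, warnings, seen = [], [], set()
    for alias, cmds in aliases.items():
        group = shlex.quote(alias.lower())
        lines.append(f"ipa sudocmdgroup-add {group}")
        for cmd in map(normalise, cmds):
            if re.search(r"[*?\[]", cmd):
                warnings.append(f"{alias}: wildcard in {cmd!r}, review before importing")
            if cmd not in seen:
                seen.add(cmd)
                # shlex.quote supplies the shell quoting the $line loop was missing
                lines.append(f"ipa sudocmd-add {shlex.quote(cmd)}")
            lines.append(f"ipa sudocmdgroup-add-member {group} --sudocmds={shlex.quote(cmd)}")
    return lines, warnings
```

Piping the emitted lines into a shell (after the wildcard warnings have been reviewed) still needs a valid Kerberos ticket, as Aaron notes.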