

Chapter 13. Policy: Using sudo

13.1. About sudo and IPA
13.1.1. General sudo Configuration in FreeIPA
13.1.2. sudo Netgroups
13.1.3. Supported sudo Clients
13.2. Setting up sudo Commands and Command Groups
13.2.1. Adding sudo Commands
13.2.2. Adding sudo Command Groups
13.3. Defining sudo Rules
13.3.1. Defining sudo Rules in Web UI
13.3.2. Defining sudo Rules in Command Line
13.4. An Example of Configuring sudo
13.4.1. Server Configuration for sudo Rules
13.4.2. Client Configuration for sudo Rules
FreeIPA provides a mechanism for predictably and consistently applying sudo policies across the FreeIPA domain. The sudo policies apply to domain users and domain hosts.

13.1. About sudo and IPA

The sudo command allows a system administrator to delegate authority to specific users to run specific commands as root or as another specified user. sudo provides an audit trail of the commands and their arguments, so access can be tracked.

13.1.1. General sudo Configuration in FreeIPA

sudo uses a local configuration file, /etc/sudoers, which defines the commands and the users with sudo access. While this file can be copied between machines, sudo has no native way to distribute its configuration. FreeIPA instead keeps the sudo configuration in its centralized LDAP database, which makes it available to every host in the domain. FreeIPA also has a specialized LDAP schema for sudo entries that allows a more flexible and simpler configuration. This schema adds two key features:
  • The FreeIPA schema supports host groups in addition to netgroups for sudo, while sudo itself only supports netgroups. For every host group, FreeIPA also creates a corresponding shadow netgroup. This allows FreeIPA administrators to create sudo rules that reference host groups, while the local sudo command uses the corresponding netgroup.
  • FreeIPA introduces the concept of a sudo command group. The group contains multiple commands, and the command group can then be referenced in the sudo configuration instead of listing each command.
Because sudo does not support host groups or command groups, FreeIPA translates its own sudo configuration into native sudo configuration when the sudo rules are created. Both sudo and FreeIPA support user groups as part of the sudo configuration. User groups can be either Unix (POSIX) groups or non-POSIX groups. Using non-POSIX groups can cause access problems, because the members of such a group inherit its non-POSIX status: the group has no GID, so it is not visible to host-side tooling that expects POSIX groups. Having the choice between Unix and non-POSIX groups lets administrators pick the group format that avoids problems with inherited permissions or GID information.

13.1.2. sudo Netgroups

As Section 13.1.1, “General sudo Configuration in FreeIPA” mentions, the LDAP schema used for sudo entries in FreeIPA supports host group-style groups in addition to netgroups. In practice, FreeIPA creates two groups: a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups as a group format.

One important thing to consider is that even though sudo uses NIS netgroups, it is not necessary to have a NIS server installed or a NIS client configured. When any group is created for sudo, the NIS object is created in the Directory Server instance, and the information is then retrieved by NSS_LDAP or by SSSD. The client (in this case, sudo) then extracts the required NIS information from the data provided by FreeIPA's Directory Server.

In short, the sudo configuration requires NIS-formatted netgroups; it does not require NIS. The FreeIPA Directory Server instance uses the standard LDAP schema for NIS objects, defined in RFC 2307.
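The following is an added worked example, not code from FreeIPA or from this guide. It shows the two translations the previous sections describe: a host group rendered as the RFC 2307 shadow netgroup that sudo can match (Section 13.1.2), and an IPA-style rule built from a user group, a host group and a command group rendered into the native sudoers syntax sudo understands (Section 13.1.1). The host names, group names and commands are constructed sample data; the LDAP container, the choice of the IPA domain as the netgroup domain field, and the convention that the shadow netgroup carries the host group's name are assumptions made for illustration, and the rendering functions are illustrative rather than FreeIPA's implementation.

```python
"""Added example: render an IPA-style sudo rule into an RFC 2307 netgroup entry
and native sudoers syntax. Not FreeIPA code; sample data is constructed."""
import re
from dataclasses import dataclass

NIS_DOMAIN = "example.com"  # assumption: triples use the IPA domain as the domain field
ALIAS_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")  # sudoers alias names must look like this
TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^)]*)\)$")


@dataclass
class HostGroup:
    name: str
    hosts: list[str]


@dataclass
class CommandGroup:
    name: str
    commands: list[str]


@dataclass
class SudoRule:
    name: str
    user_groups: list[str]
    host_groups: list[HostGroup]
    command_groups: list[CommandGroup]
    runas_user: str = "root"


def shadow_netgroup_ldif(hg: HostGroup, base_dn: str) -> str:
    """Render the RFC 2307 nisNetgroup entry that mirrors a host group.
    Every member host becomes a (host,user,domain) triple; '-' in the user
    position means 'no user', so the triple matches on host only."""
    lines = [
        f"dn: cn={hg.name},cn=ng,cn=alt,{base_dn}",  # container DN is an assumption
        "objectClass: top",
        "objectClass: nisNetgroup",
        f"cn: {hg.name}",
    ]
    for host in sorted(hg.hosts):
        lines.append(f"nisNetgroupTriple: ({host},-,{NIS_DOMAIN})")
    return "\n".join(lines) + "\n"


def host_in_netgroup(ldif: str, host: str) -> bool:
    """Mimic what sudo does for a '+netgroup' entry in a Host_List: the host
    matches if some triple names it (an empty host field is a wildcard) and the
    triple's domain is empty or equals the configured NIS domain."""
    for line in ldif.splitlines():
        if not line.startswith("nisNetgroupTriple: "):
            continue
        m = TRIPLE_RE.match(line.split(": ", 1)[1])
        if not m:
            continue
        host_ok = m.group("host") in ("", host)
        domain_ok = m.group("domain") in ("", NIS_DOMAIN)
        if host_ok and domain_ok:
            return True
    return False


def cmnd_alias_name(cg: CommandGroup) -> str:
    """Derive a valid sudoers Cmnd_Alias name from a command group name."""
    name = re.sub(r"[^A-Z0-9_]", "_", cg.name.upper())
    if not ALIAS_RE.match(name):
        raise ValueError(f"cannot derive a sudoers alias from {cg.name!r}")
    return name


def sudoers_for_rule(rule: SudoRule) -> str:
    """Translate one IPA-style rule into sudoers syntax:
    command group -> Cmnd_Alias, host group -> +shadow_netgroup, user group -> %group.
    Relative command names are rejected: sudo matches commands by absolute path,
    and a bare name would match whatever the caller's PATH resolves it to."""
    out = []
    for cg in rule.command_groups:
        for cmd in cg.commands:
            if not cmd.startswith("/"):
                raise ValueError(f"sudo command must be an absolute path: {cmd!r}")
        out.append(f"Cmnd_Alias {cmnd_alias_name(cg)} = {', '.join(cg.commands)}")
    users = ", ".join(f"%{g}" for g in rule.user_groups)
    hosts = ", ".join(f"+{hg.name}" for hg in rule.host_groups)
    cmds = ", ".join(cmnd_alias_name(cg) for cg in rule.command_groups)
    out.append(f"{users} {hosts} = ({rule.runas_user}) {cmds}")
    return "\n".join(out) + "\n"


# Constructed sample data.
WEB = HostGroup("webservers", ["web1.example.com", "web2.example.com"])
SERVICES = CommandGroup("services", ["/usr/bin/systemctl", "/usr/sbin/service"])
RULE = SudoRule("restart-services", ["webadmins"], [WEB], [SERVICES])

if __name__ == "__main__":
    print(shadow_netgroup_ldif(WEB, "dc=example,dc=com"))
    print(sudoers_for_rule(RULE))
```

The interesting part for a reviewer is the two checks: `host_in_netgroup` shows why no NIS server is involved (the match is done on triples read straight from LDAP), and the absolute-path check in `sudoers_for_rule` reflects the fact that a rule is only as tight as the commands it lists.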

13.1.3. Supported sudo Clients

Any system that is supported as a FreeIPA client can be configured as a sudo client in FreeIPA. FreeIPA client platforms are listed in Section 3.2, “Supported Platforms for FreeIPA Clients”.
