21.2. Setting up sudo Commands and Command Groups

Just as in a regular sudoers configuration, any command that is to be governed by sudo must be listed explicitly. Identity Management adds an extra control measure with sudo command groups, which allow a set of commands to be defined once and then applied to the sudo configuration as a single unit.
Adding a command or a command group only makes it available to IdM for use in a sudo rule; nothing is granted until a sudo rule references it, so simply adding a command does not by itself allow anyone to run it.

21.2.1. Adding sudo Commands

21.2.1.1. Adding sudo Commands with the Web UI

  1. Click the Policy tab.
  2. Click the Sudo subtab, and then select the Sudo Commands link.
  3. Click the Add link at the top of the list of commands.
  4. Enter the full system path and name of the command and, optionally, a description.
  5. Click the Add and Edit button to go immediately to the settings pages for the command.
  6. In the Sudo Command Groups tab, click the Add button to add the sudo command to a command group.
  7. Click the checkbox by the groups for the command to join, and click the right arrows button, >>, to move the group to the selection box.
  8. Click the Add button.

21.2.1.2. Adding sudo Commands with the Command Line

To add a single command, use the sudocmd-add command. This requires the full, local path to the command executable; a description of the command is optional but recommended:
$ ipa sudocmd-add --desc "description" /local/path/to/command
For example:
$ ipa sudocmd-add --desc 'For reading log files' '/usr/bin/less'
----------------------------------
Added sudo command "/usr/bin/less"
----------------------------------
  sudo Command: /usr/bin/less
  Description: For reading log files

21.2.2. Adding sudo Command Groups

21.2.2.1. Adding sudo Command Groups with the Web UI

  1. Click the Policy tab.
  2. Click the Sudo subtab, and then select the Sudo Command Groups link.
  3. Click the Add link at the top of the list of command groups.
  4. Enter the name and description for the new command group.
  5. Click the Add and Edit button to go immediately to the settings pages for the group.
  6. In the Sudo Commands tab, click the Add button to add a sudo command to the group.
  7. Click the checkbox by the names of the commands to add, and click the right arrows button, >>, to move the command to the selection box.
  8. Click the Add button.

21.2.2.2. Adding sudo Command Groups with the Command Line

Creating a command group requires two kinds of entries, one for the group itself and one for each command it contains, and then a membership link between them:
  1. Create the command group using the sudocmdgroup-add command:
    $ ipa sudocmdgroup-add --desc 'File editing commands' files
    -----------------------------------
    Added sudo command group "files"
    -----------------------------------
      sudo Command Group: files
      Description: File editing commands
  2. Create a command entry using the sudocmd-add command:
    $ ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim'
    ----------------------------------
    Added sudo command "/usr/bin/vim"
    ----------------------------------
      sudo Command: /usr/bin/vim
      Description: For editing files
  3. Add the command, using its full path as its name, to the command group using the sudocmdgroup-add-member command:
    $ ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files
      sudo Command Group: files
      Description: File editing commands
      Member sudo commands: /usr/bin/vim
    -------------------------
    Number of members added 1
    -------------------------
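The three command-line steps above are usually repeated for every command and group, and re-running them by hand fails once an entry already exists. The script below is an added example, not from the IdM guide, that wraps the same ipa sudocmd-add, sudocmdgroup-add and sudocmdgroup-add-member calls so they can be re-run safely: it refuses anything that is not a clean absolute path (sudo matches the command by the exact string stored in the entry, so a relative path or trailing slash never matches a real invocation), skips entries that already exist according to sudocmd-show and sudocmdgroup-show, and only adds a command to the group when it is not already listed. It assumes the ipa client is installed and the caller holds an admin Kerberos ticket (kinit admin). The IPA_CMD variable, the helper function names and the "path|description" argument format are hypothetical conveniences introduced here; the ipa subcommands and options are the ones shown in the guide.

```shell
#!/bin/sh
# Added example (not from the IdM guide): register sudo commands and a
# command group idempotently. Assumes the ipa client is installed and an
# admin Kerberos ticket is held (kinit admin). IPA_CMD is a hypothetical
# hook so the ipa binary can be replaced by a stub for offline testing.
set -u

IPA_CMD="${IPA_CMD:-ipa}"

# sudo matches a command by the exact string stored in the entry, so insist
# on an absolute path with no relative components, trailing slash or space.
validate_cmd_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        */|*/../*|*/./*|*/..|*/.|*" "*) return 1 ;;
    esac
    return 0
}

# Create the sudo command entry unless sudocmd-show says it already exists.
ensure_sudocmd() {
    cmd=$1 desc=$2
    if ! validate_cmd_path "$cmd"; then
        echo "refusing to register '$cmd': not a clean absolute path" >&2
        return 1
    fi
    "$IPA_CMD" sudocmd-show "$cmd" >/dev/null 2>&1 && return 0
    "$IPA_CMD" sudocmd-add --desc "$desc" "$cmd" >/dev/null
}

# Create the command group unless sudocmdgroup-show says it already exists.
ensure_sudocmdgroup() {
    grp=$1 desc=$2
    "$IPA_CMD" sudocmdgroup-show "$grp" >/dev/null 2>&1 && return 0
    "$IPA_CMD" sudocmdgroup-add --desc "$desc" "$grp" >/dev/null
}

# True when command $2 is already listed under "Member sudo commands:"
# in the sudocmdgroup-show output for group $1.
group_has_member() {
    "$IPA_CMD" sudocmdgroup-show "$1" 2>/dev/null \
        | sed -n 's/^ *Member sudo commands: //p' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF -- "$2"
}

# Add the command to the group only when it is not already a member, since
# add-member reports an error for a member that is already present.
ensure_group_member() {
    grp=$1 cmd=$2
    group_has_member "$grp" "$cmd" && return 0
    "$IPA_CMD" sudocmdgroup-add-member --sudocmds "$cmd" "$grp" >/dev/null
}

# Build the "files" group from the guide. Each argument is "path|description".
setup_file_editing_group() {
    ensure_sudocmdgroup files 'File editing commands' || return 1
    for spec in "$@"; do
        cmd=${spec%%|*} desc=${spec#*|}
        ensure_sudocmd "$cmd" "$desc" || return 1
        ensure_group_member files "$cmd" || return 1
    done
}

# Only act when invoked with --run; sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    setup_file_editing_group '/usr/bin/vim|For editing files' \
                             '/usr/bin/less|For reading log files'
fi
```

Run it as `sh setup-sudo-files.sh --run` after `kinit admin`; a second run makes no changes. Registering a command still grants nothing until a sudo rule references the group, and when choosing which commands to register, remember that interactive pagers and editors such as less and vim can spawn a shell, so a rule that grants them is in practice far broader than "read log files".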