Chapter 21. Policy: Using sudo
Identity Management provides a mechanism for predictably and consistently applying
sudopolicies across the IdM domain. The
sudopolicies apply to domain users and domain hosts.
21.1. About sudo and IPA
sudoutility allows a system administrator to delegate authority to specific users to run specific commands as root or another specified user. The utility provides an audit trail of the commands and their arguments, so access can be tracked.
sudo Configuration in Identity Management
sudoutility uses a local configuration file,
/etc/sudoers, which defines the commands and users with
sudoaccess. While this file can be shared among machines, there is no native way to distribute
sudoconfiguration files among machines.
Identity Management uses its centralized LDAP database to contain the
sudoconfiguration, which makes it globally available to all domain hosts. Identity Management also has a specialized LDAP schema for
sudoentries that allows a lot more flexible and simpler configuration. This schema adds two key features:
- The Identity Management schema supports host groups in addition to netgroups for
sudoonly supports netgroups.For every host group, Identity Management also creates a corresponding shadow netgroup. This allows IdM administrators to create
sudorules that reference host groups, while the local
sudocommand uses the corresponding netgroup.
- Identity Management introduces the concept of a sudo command group. The group contains multiple commands, and the command group can be referenced in the
sudodoes not support host groups and command groups, Identity Management translates the IdM
sudoconfiguration into native
sudoconfiguration when the
sudorules are created.
sudoinformation is not available anonymously over LDAP by default. Identity Management therefore defines a default
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/
sudoand Identity Management support user groups as part of the
sudoconfiguration. User groups can be either Unix or non-POSIX groups. Creating non-POSIX groups can result in some access issues because any users in the group inherit non-POSIX rights from the group. Having the choice between Unix and non-POSIX groups allows administrators the choice in group formatting and to avoid problems with inherited permissions or GID information.
21.1.2. sudo and Netgroups
As Section 21.1.1, “General
sudoConfiguration in Identity Management” mentions, the LDAP schema used for sudo entries in Identity Management supports host group-style groups in addition to netgroups. Really, Identity Management creates two groups, a visible host group and a shadow netgroup.
sudoitself only supports NIS-style netgroups for group formats.
One important thing to consider is that even though
sudouses NIS netgroups, it is not necessary to have a NIS server installed or a NIS client configured. When any group is created for
sudo, the NIS object is created in the Directory Server instance, and then the information is retrieved by NSS_LDAP or by SSSD. The client (in this case,
sudo) then extracts the required NIS information from the information provided by Identity Management's Directory Server. 
sudoconfiguration requires NIS-formatted netgroups. It does not require NIS.
However, in order for IdM
sudoto work with host groups, use the
nisdomainnamecommand to set the NIS domain name to be used with the
sudorules. See Section 21.4, “Configuring Hosts to Use IdM
sudoPolicies” for details on using
nisdomainnameas well as setting other configuration features.
21.1.3. Supported sudo Clients
Any system which is supported as an IdM client system can be configured as a
sudoclient in IdM.