30.4. Adding sudo Commands, Command Groups, and Rules

30.4.1. Adding sudo Commands

Adding sudo Commands in the Web UI

  1. Under the Policy tab, click Sudo → Sudo Commands.
  2. Click Add at the top of the list.
  3. Fill out the information about the command. Enter the full system path to the command executable.
    Figure 30.1. Adding a New sudo Command

  4. Click Add. Alternatively, click Add and Add Another to start adding another entry or Add and Edit to start editing the new entry.

Adding sudo Commands from the Command Line

To add a sudo command, use the ipa sudocmd-add command. Provide the full system path to the command executable. For example, to add the /usr/bin/less command and a description:
$ ipa sudocmd-add /usr/bin/less --desc="For reading log files"
----------------------------------
Added sudo command "/usr/bin/less"
----------------------------------
  sudo Command: /usr/bin/less
  Description: For reading log files

30.4.2. Adding sudo Command Groups

Adding sudo Command Groups in the Web UI

  1. Under the Policy tab, click Sudo → Sudo Command Groups.
  2. Click Add at the top of the list.
  3. Fill out the information about the command group.
    Figure 30.2. Adding a New sudo Command Group

  4. Click Add and Edit to start editing the command group.
  5. Under the Sudo Commands tab, click Add to add a sudo command to the group. Select the required commands and move them to the Prospective column using the > button.
    Figure 30.3. Adding Commands to a sudo Command Group

  6. Click Add.

Adding sudo Command Groups from the Command Line

  1. Create the command group using the ipa sudocmdgroup-add command. For example, to create the files command group and add its description:
    $ ipa sudocmdgroup-add files --desc="File editing commands"
    -----------------------------------
    Added sudo command group "files"
    -----------------------------------
      sudo Command Group: files
      Description: File editing commands
  2. Include a sudo command in the group using the ipa sudocmdgroup-add-member command. Note that you can only include commands that have already been added to IdM, as described in Section 30.4.1, “Adding sudo Commands”.
    $ ipa sudocmdgroup-add-member files --sudocmds "/usr/bin/vim"
      sudo Command Group: files
      Description: File editing commands
      Member sudo commands: /usr/bin/vim
    -------------------------
    Number of members added 1
    -------------------------
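The two steps above, combined with the command registration from Section 30.4.1, as an added shell example that is not part of the IdM documentation. The function names and the path check (absolute path, no "." or ".." components, no wildcards) are this example's own choices, and ipa sudocmd-show is used here to test whether a command is already in IdM.

```shell
#!/bin/sh
# Added example, not from the IdM documentation. Assumes an enrolled host and
# a valid admin Kerberos ticket (kinit admin) so that the ipa CLI can run.

# Succeed only for one exact executable path: absolute, no "." or ".."
# components, no empty components, no wildcards (this example's own policy).
is_full_command_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        */|*//*|*/./*|*/../*|*/.|*/..|*\**|*\?*|*\[*) return 1 ;;
    esac
    return 0
}

# Make sure the command is registered in IdM before it is used as a member;
# sudocmdgroup-add-member only accepts commands that already exist.
ensure_sudocmd() {
    ipa sudocmd-show "$1" >/dev/null 2>&1 && return 0
    ipa sudocmd-add "$1" >/dev/null
}

# Usage: add_sudocmd_group GROUP DESCRIPTION /full/path [/full/path ...]
add_sudocmd_group() {
    group=$1; desc=$2; shift 2
    # Validate every path first so one bad entry leaves IdM untouched.
    for cmd in "$@"; do
        if ! is_full_command_path "$cmd"; then
            echo "rejected, not a full command path: $cmd" >&2
            return 2
        fi
    done
    ipa sudocmdgroup-add "$group" --desc="$desc" >/dev/null || return 1
    for cmd in "$@"; do
        ensure_sudocmd "$cmd" || return 1
        ipa sudocmdgroup-add-member "$group" --sudocmds "$cmd" >/dev/null || return 1
    done
}

# Run only when arguments are given, for example:
#   ./add-sudocmd-group.sh files "File editing commands" /usr/bin/vim
if [ "$#" -ge 3 ]; then
    add_sudocmd_group "$@"
fi
```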

30.4.3. Adding sudo Rules

Adding sudo Rules in the Web UI

  1. Under the Policy tab, click Sudo → Sudo Rules.
  2. Click Add at the top of the list.
  3. Enter the name for the rule.
    Figure 30.4. Naming a New sudo Rule

  4. Click Add. Alternatively, click Add and Add Another to start adding another entry or Add and Edit to start editing the new entry.
For information on how to edit the new sudo rule, see Section 30.6, “Modifying sudo Rules”.

Adding sudo Rules from the Command Line

To add a new sudo rule, use the ipa sudorule-add command. For example, to add a rule named files-commands:
$ ipa sudorule-add files-commands
--------------------------------
Added Sudo Rule "files-commands"
--------------------------------
  Rule name: files-commands
  Enabled: TRUE
For more information on using ipa sudorule-add and the options it accepts, run the command with the --help option added.
For information on how to edit the new sudo rule, see Section 30.6, “Modifying sudo Rules”.
For a complete example of adding a new sudo rule and editing it from the command line, see Example 30.1, “Adding and Modifying a New sudo Rule from the Command Line”.