30.6. Modifying sudo Rules

Modifying sudo Rules in the Web UI

  1. Under the Policy tab, click Sudo, then Sudo Rules.
  2. Click the name of the rule to display its configuration page.
  3. Change the settings as required. On some configuration pages, the Save button is available at the top of the page. On these pages, click the button to confirm the changes.
The sudo rule configuration page includes several configuration areas:
The General area
In this area, you can modify the rule's description and sudo order. The sudo order field accepts integers and defines the order in which IdM evaluates the rules. The rule with the highest sudo order value is evaluated first.
The Options area
In this area, you can add sudoers options to the rule.
  1. Click Add above the options list.
    Figure 30.5. Adding a sudo Option

  2. Enter the sudoers option. For example, to specify that sudo will not prompt the user to authenticate, add the !authenticate option:
    Figure 30.6. Entering a sudoers Option

    For more information on sudoers options, see the sudoers(5) man page.
  3. Click Add.
The Who area
In this area, you can select the users or user groups to which the sudo rule will be applied. These users will be entitled to use sudo as defined in the rule.
To specify that all system users will be able to use sudo as defined in the rule, select Anyone.
To apply the rule to specific users or groups only, select Specified Users and Groups and then follow these steps:
  1. Click Add above the users or user groups list.
    Figure 30.7. Adding Users to a sudo Rule

  2. Select the users or user groups to add to the rule, and click the > arrow button to move them to the Prospective column. To add an external user, specify the user in the External field, and then click the > arrow button.
    Figure 30.8. Selecting Users for a sudo Rule

  3. Click Add.
The Access This Host area
In this area, you can select the hosts on which the sudo rule will be in effect. These are the hosts where the users will be granted sudo permissions.
To specify that the rule will be in effect on all hosts, select Anyone.
To apply the rule to specific hosts or host groups only, select Specified Hosts and Groups and then follow these steps:
  1. Click Add above the hosts list.
    Figure 30.9. Adding Hosts to a sudo Rule

  2. Select the hosts or host groups to include with the rule, and click the > arrow button to move them to the Prospective column. To add an external host, specify the host in the External field, and then click the > arrow button.
    Figure 30.10. Selecting Hosts for a sudo Rule

  3. Click Add.
The Run Commands area
In this area, you can select the commands to be included in the sudo rule. You can specify that users are either allowed or denied the use of specific commands.
To specify that users will be allowed to use any command with sudo, select Any Command.
To associate the rule with specific commands or command groups, select Specified Commands and Groups and then follow these steps:
  1. Click one of the Add buttons to add a command or a command group.
    To specify allowed commands or command groups, use the Allow area. To specify denied commands or command groups, use the Deny area.
    Figure 30.11. Adding Commands to a sudo Rule

  2. Select the commands or command groups to include with the rule, and click the > arrow button to move them to the Prospective column.
    Figure 30.12. Selecting Commands for a sudo Rule

  3. Click Add.
The As Whom area
In this area, you can configure the sudo rule to run the given commands as a specific, non-root user.
Note that if you add a group of RunAs users, UIDs of the members of the group will be used to run the command. If you add a RunAs group, the GID of the group will be used to run the command.
To specify that the rule will be run as any user on the system, select Anyone. To specify that the rule will be run as any group on the system, select Any Group.
  1. Click Add above the users list.
    Figure 30.13. Configuring sudo Rules to Execute Commands as a Specific User

  2. Select the required users or groups, and use the > arrow button to move them to the Prospective column. To add an external entity, specify it in the External field, and then click the > arrow button.
    Figure 30.14. Selecting Users for the Command

  3. Click Add.

Modifying sudo Rules from the Command Line

The IdM command-line utilities allow you to configure several sudo rule areas:
General sudo rules management
To change the general configuration for a sudo rule, use the ipa sudorule-mod command. The most common options accepted by the command are:
  • The --desc option to change the sudo rule description. For example:
    $ ipa sudorule-mod sudo_rule_name --desc="sudo_rule_description"
    
  • The --order option to define the order of the specified rule. For example:
    $ ipa sudorule-mod sudo_rule_name --order=3
  • Options to specify a category of entities: --usercat (user category), --hostcat (host category), --cmdcat (command category), --runasusercat (run-as user category), and --runasgroupcat (run-as group category). These options only accept the all value that associates the rule with all users, hosts, commands, run-as users, or run-as groups.
    For example, to specify that all users will be able to use sudo as defined in the sudo_rule rule:
    $ ipa sudorule-mod sudo_rule --usercat=all
    
    Note that if the rule is already associated with a specific entity, you must remove it before defining the corresponding all category. For example, if sudo_rule was previously associated with a specific user using the ipa sudorule-add-user command, you must first use the ipa sudorule-remove-user command to remove the user.
For more details and a complete list of options accepted by ipa sudorule-mod, run the command with the --help option added.
Managing sudo options
To add a sudoers option, use the ipa sudorule-add-option command.
For example, to specify that users using sudo based on the files-commands rule will not be required to authenticate, add the !authenticate option:
$ ipa sudorule-add-option files-commands
Sudo Option: !authenticate
---------------------------------------------------------
Added option "!authenticate" to Sudo Rule "files-commands"
---------------------------------------------------------
For more information on sudoers options, see the sudoers(5) man page.
To remove a sudoers option, use the ipa sudorule-remove-option command. For example:
$ ipa sudorule-remove-option files-commands
Sudo Option: authenticate
-------------------------------------------------------------
Removed option "authenticate" from Sudo Rule "files-commands"
-------------------------------------------------------------
Managing who is granted the permission to use sudo
To specify an individual user, add the --users option to the ipa sudorule-add-user command. To specify a user group, add the --groups option to ipa sudorule-add-user.
For example, to add user and user_group to the files-commands rule:
$ ipa sudorule-add-user files-commands --users=user --groups=user_group
...
-------------------------
Number of members added 2
-------------------------
To remove an individual user or group, use the ipa sudorule-remove-user command. For example, to remove a user:
$ ipa sudorule-remove-user files-commands
[member user]: user
[member group]:
...
---------------------------
Number of members removed 1
---------------------------
Managing where the users are granted the sudo permissions
To specify a host, add the --hosts option to the ipa sudorule-add-host command. To specify a host group, add the --hostgroups option to ipa sudorule-add-host.
For example, to add example.com and host_group to the files-commands rule:
$ ipa sudorule-add-host files-commands --hosts=example.com --hostgroups=host_group
...
-------------------------
Number of members added 2
-------------------------
To remove a host or host group, use the ipa sudorule-remove-host command. For example:
$ ipa sudorule-remove-host files-commands
[member host]: example.com
[member host group]:
...
---------------------------
Number of members removed 1
---------------------------
Managing what commands can be used with sudo
You can specify that users are either allowed or denied the use of specific commands.
To specify an allowed command or command group, add the --sudocmds or --sudocmdgroups option to the ipa sudorule-add-allow-command command. To specify a denied command or command group, add the --sudocmds or --sudocmdgroups option to the ipa sudorule-add-deny-command command.
For example, to add the /usr/bin/less command and the files command group as allowed to the files-commands rule:
$ ipa sudorule-add-allow-command files-commands --sudocmds=/usr/bin/less --sudocmdgroups=files
...
-------------------------
Number of members added 2
-------------------------
To remove a command or command group from a rule, use the ipa sudorule-remove-allow-command or ipa sudorule-remove-deny-command commands. For example:
$ ipa sudorule-remove-allow-command files-commands
[member sudo command]: /usr/bin/less
[member sudo command group]:
...
---------------------------
Number of members removed 1
---------------------------
Note that the --sudocmds option only accepts commands added to IdM, as described in Section 30.4.1, “Adding sudo Commands”.
Managing as whom the sudo commands are run
To use the UIDs of an individual user or users in a group as the identity under which the commands are run, use the --users or --groups options with the ipa sudorule-add-runasuser command.
To use the GID of a user group as the identity for the commands, use the ipa sudorule-add-runasgroup --groups command.
If you specify no user or group, sudo commands will be run as root.
For example, to specify that the identity of user will be used to execute the commands in the sudo rule:
$ ipa sudorule-add-runasuser files-commands --users=user
...
RunAs Users: user
...
For more information on the ipa sudorule-* commands, see the output of the ipa help sudorule command or run a particular command with the --help option added.
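The sections above show how a rule's user category, command category and sudoers options are set independently, so a rule that ends up with the !authenticate option together with the all command category or the all user category is easy to create without noticing. The following script is an added example, not part of the IdM documentation: it reads the "Key: value" output that ipa sudorule-show prints (the sample below is constructed in that layout, not captured from a real server) and reports every enabled rule that combines !authenticate with one of those all categories. Pipe the real output of ipa sudorule-show for each rule into audit_sudo_rules to run it against an actual server.

```shell
#!/bin/sh
# Added example (not from the IdM documentation): review "ipa sudorule-show"
# style output for enabled rules that combine the !authenticate option with
# the "all" command category or the "all" user category.

# Constructed sample in the "Key: value" layout that ipa sudorule-show prints,
# for four rules concatenated; it is not output captured from a real server.
SAMPLE_RULES='  Rule name: new_sudo_rule
  Description: Rule for user_group
  Enabled: TRUE
  Command category: all
  User Groups: user_group
  Host Groups: host_group
  Sudo Option: !authenticate
  Rule name: files-commands
  Description: file tools
  Enabled: TRUE
  Sudo Allow Commands: /usr/bin/less
  Sudo Option: !authenticate
  Rule name: old_rule
  Enabled: FALSE
  Command category: all
  User category: all
  Sudo Option: !authenticate
  Rule name: wide_open
  Enabled: TRUE
  Command category: all
  User category: all
  Sudo Option: !authenticate, env_reset'

# audit_sudo_rules: reads rule output on stdin and prints one line per enabled
# rule whose !authenticate option is combined with a broad category.
# Disabled rules and rules limited to specific commands are not reported.
audit_sudo_rules() {
    awk '
    function add(r) { reasons = (reasons == "" ? r : reasons "; " r) }
    function report() {
        if (name == "" || enabled != "TRUE") return
        reasons = ""
        if (noauth && cmdcat == "all") add("!authenticate with any command")
        if (noauth && usercat == "all") add("!authenticate for all users")
        if (reasons != "") print name ": " reasons
    }
    function reset() { name = ""; enabled = ""; cmdcat = ""; usercat = ""; noauth = 0 }
    # "Rule name:" starts a new rule, so report the previous one first.
    /^ *Rule name:/        { report(); reset(); sub(/^ *Rule name: */, ""); name = $0; next }
    /^ *Enabled:/          { sub(/^ *Enabled: */, ""); enabled = $0; next }
    /^ *Command category:/ { sub(/^ *Command category: */, ""); cmdcat = $0; next }
    /^ *User category:/    { sub(/^ *User category: */, ""); usercat = $0; next }
    # Several options may share one line, so match !authenticate anywhere in it.
    /^ *Sudo Option:/      { if ($0 ~ /!authenticate/) noauth = 1; next }
    END { report() }
    '
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_sudo_rules
```

On the sample, new_sudo_rule and wide_open are reported, files-commands is not (its !authenticate applies only to the listed commands), and old_rule is skipped because it is disabled.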

Example 30.1. Adding and Modifying a New sudo Rule from the Command Line

To allow a specific user group to use sudo with any command on selected servers:
  1. Obtain a Kerberos ticket for the admin user or any other user allowed to manage sudo rules.
    $ kinit admin
    Password for admin@EXAMPLE.COM:
    
  2. Add a new sudo rule to IdM.
    $ ipa sudorule-add new_sudo_rule --desc="Rule for user_group"
    ---------------------------------
    Added Sudo Rule "new_sudo_rule"
    ---------------------------------
      Rule name: new_sudo_rule
      Description: Rule for user_group
      Enabled: TRUE
    
  3. Define the who: specify the group of users who will be entitled to use the sudo rule.
    $ ipa sudorule-add-user new_sudo_rule --groups=user_group
      Rule name: new_sudo_rule
      Description: Rule for user_group
      Enabled: TRUE
      User Groups: user_group
    -------------------------
    Number of members added 1
    -------------------------
    
  4. Define the where: specify the group of hosts where the users will be granted the sudo permissions.
    $ ipa sudorule-add-host new_sudo_rule --hostgroups=host_group
      Rule name: new_sudo_rule
      Description: Rule for user_group
      Enabled: TRUE
      User Groups: user_group
      Host Groups: host_group
    -------------------------
    Number of members added 1
    -------------------------
    
  5. Define the what: to allow the users to run any sudo command, add the all command category to the rule.
    $ ipa sudorule-mod new_sudo_rule --cmdcat=all
    ------------------------------
    Modified Sudo Rule "new_sudo_rule"
    ------------------------------
      Rule name: new_sudo_rule
      Description: Rule for user_group
      Enabled: TRUE
      Command category: all
      User Groups: user_group
      Host Groups: host_group
    
  6. To let the sudo commands be executed as root, do not specify any run-as users or groups.
  7. Add the !authenticate sudoers option to specify that the users will not be required to authenticate when using the sudo command.
    $ ipa sudorule-add-option new_sudo_rule
    Sudo Option: !authenticate
    -----------------------------------------------------
    Added option "!authenticate" to Sudo Rule "new_sudo_rule"
    -----------------------------------------------------
      Rule name: new_sudo_rule
      Description: Rule for user_group
      Enabled: TRUE
      Command category: all
      User Groups: user_group
      Host Groups: host_group
      Sudo Option: !authenticate
    
  8. Display the new sudo rule configuration to verify it is correct.
    $ ipa sudorule-show new_sudo_rule
      Rule name: new_sudo_rule
      Description: Rule for user_group
      Enabled: TRUE
      Command category: all
      User Groups: user_group
      Host Groups: host_group
      Sudo Option: !authenticate
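Steps 2 to 8 of Example 30.1 can be run as one script, so that a failure in any step stops the sequence instead of leaving a half-configured rule. The script below is an added example, not part of the IdM documentation. It assumes the ipa client is installed and that a Kerberos ticket was obtained as in step 1; it passes the sudoers option with the --sudooption option of ipa sudorule-add-option, which the example above shows only as the interactive Sudo Option: prompt. The IPA variable is an assumption introduced here so that the script can be dry-run against a stub command that prints its arguments instead of contacting a server.

```shell
#!/bin/sh
# Added example (not from the IdM documentation): provision the rule from
# Example 30.1 in one run, aborting on the first failing ipa command.
# IPA defaults to the real client; set it to another command (for example a
# stub that prints its arguments) to dry-run without an IdM server.
IPA=${IPA:-ipa}

# provision_sudo_rule RULE USER_GROUP HOST_GROUP [SUDO_OPTION]
# Returns 1 as soon as one of the ipa commands fails.
provision_sudo_rule() {
    psr_rule=$1 psr_group=$2 psr_hostgroup=$3 psr_option=$4
    # Step 2: create the rule.
    "$IPA" sudorule-add "$psr_rule" --desc="Rule for $psr_group" || return 1
    # Step 3 (who): the user group entitled to use the rule.
    "$IPA" sudorule-add-user "$psr_rule" --groups="$psr_group" || return 1
    # Step 4 (where): the host group on which the rule is in effect.
    "$IPA" sudorule-add-host "$psr_rule" --hostgroups="$psr_hostgroup" || return 1
    # Step 5 (what): allow any command via the all command category.
    "$IPA" sudorule-mod "$psr_rule" --cmdcat=all || return 1
    # Step 6: no run-as user or group is added, so commands run as root.
    # Step 7: add a sudoers option such as !authenticate only when one is given.
    if [ -n "$psr_option" ]; then
        "$IPA" sudorule-add-option "$psr_rule" --sudooption="$psr_option" || return 1
    fi
    # Step 8: display the resulting rule so it can be checked.
    "$IPA" sudorule-show "$psr_rule"
}

# Stand-alone use: ./provision_rule.sh RULE USER_GROUP HOST_GROUP [SUDO_OPTION]
# A valid Kerberos ticket (kinit admin, step 1 of the example) is required.
if [ $# -ge 3 ]; then
    klist -s || { echo "no Kerberos ticket; run kinit first" >&2; exit 1; }
    provision_sudo_rule "$@"
fi
```

Running it as ./provision_rule.sh new_sudo_rule user_group host_group '!authenticate' reproduces the example; leaving the fourth argument out creates the same rule without the !authenticate option, so users are prompted for their password as usual.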