13.3. Defining sudo Rules

sudo rules are in a sense similar to access control rules: they define users who are granted access, the commands which are within the scope of the rule, and then the target hosts to which the rule applies. In IPA, additional information can be configured in the rule, such as sudoers options and run-as settings, but the basic elements always define who, what (services), and where (hosts).

13.3.1. Defining sudo Rules in the Web UI

Click the Policy tab.
Click the Sudo subtab, and then select the Sudo Rules link.
Click the Add link at the top of the list of sudo rules.
Enter the name for the rule.
Click the Add and Edit button to go immediately to set the configuration for the rule.
There are a number of configuration areas for the rule. The most basic elements are set in the Who, Access This Host, and Run Commands areas; the others are optional and are used to refine the rule.
Optional. In the Options area, add any sudoers options. The complete list of options is in the sudoers manpage and at http://www.gratisoft.us/sudo/sudoers.man.html#sudoers_options.
1. Click the + Add link at the right of the options list.
2. Enter the sudoers option.
3. Click Add.
In the Who area, select the users or user groups to which the sudo rule is applied.
1. Click the + Add link at the right of the users list.
2. Click the checkbox by the users to add to the rule, and click the right arrows button, >>, to move the users to the selection box.
3. Click Add.
In the Access This Host area, select the hosts on which the sudo rule is in effect.
1. Click the + Add link at the right of the hosts list.
2. Click the checkbox by the hosts to include with the rule, and click the right arrows button, >>, to move the hosts to the selection box.
3. Click Add.
In the Run Commands area, select the commands which are included in the sudo rule. The sudo rule can grant access or deny access to commands, and it can grant allow access to one command and also deny access to another.
1. In the Allow/Deny area, click the + Add link at the right of the commands list.
2. Click the checkbox by the commands or command groups to include with the rule, and click the right arrows button, >>, to move the commands to the selection box.
3. Click Add.
Optional. The sudo rule can be configured to run the given commands as a specific, non-root user.
1. In the As Whom area, click the + Add link at the right of the users list.
2. Click the checkbox by the users to run the command as, and click the right arrows button, >>, to move the users to the selection box.
3. Click Add.

13.3.2. Defining sudo Rules in the Command Line

Each element is added to the rule command using a different command (listed in Table 13.1, “sudo Commands”).

The basic outline of a sudo rule command is:

$ ipa sudorule-add* options ruleName

Example 13.1. Creating Basic sudo Rules

In the most basic case, the sudo configuration is going to grant the right to one user for one command on one host.

The first step is to add the initial rule entry.

$ ipa sudorule-add files-commands
-----------------------------------
Added sudo rule "files-commands"
-----------------------------------
  Rule name: files-commands
  Enabled: TRUE

Next, add the commands to grant access to. This can be a single command, using --sudocmd, or a group of commands, using --sudocmdgroups.

$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/vim" files-commands
  Rule name: files-commands
  Enabled: TRUE
  sudo Commands: /usr/bin/vim
-------------------------
Number of members added 1
-------------------------

Add a host or a host group to the rule.

$ ipa sudorule-add-host --host server.example.com files-commands
  Rule name: files-commands
  Enabled: TRUE
  Hosts: server.example.com
  sudo Commands: /usr/bin/vim
-------------------------
Number of members added 1
-------------------------

Last, add the user or group to the rule. This is the user who is allowed to use sudo as defined in the rule; if no "run-as" user is given, then this user will run the sudo commands as root.

$ ipa sudorule-add-user --user jsmith files-commands
  Rule name: files-commands
  Enabled: TRUE
  Users: jsmith
  Hosts: server.example.com
  sudo Commands: /usr/bin/vim"
-------------------------
Number of members added 1
-------------------------

Example 13.2. Allowing and Denying Commands

The sudo rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing:

$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/less" readfiles
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/tail" readfiles
$ ipa sudorule-add-deny-command --sudocmd "/usr/bin/vim" readfiles

Example 13.3. Using sudoers Options

The sudoers file has a lot of potential flags that can be set to control the behavior of sudo users, like requiring (or not requiring) passwords to offer a user to authenticate to sudo or using fully-qualified domain names in the sudoers file. The complete list of options is in the sudoers manpage and at http://www.gratisoft.us/sudo/sudoers.man.html#sudoers_options.

Any of these options can be set for the IPA sudo rule using the sudorule-add-option command. When the command is run, it prompts for the option to add:

$ ipa sudorule-add-option readfiles
Sudo Option: !authenticate
-----------------------------------------------------
Added option "!authenticate" to Sudo rule "readfiles"
-----------------------------------------------------

Example 13.4. Running as Other Users

The sudo rule also has the option of specifying a non-root user or group to run the commands as. The initial rule has the user or group specified using the --sudorule-add-runasuser or --sudorule-add-runasgroup command, respectively.

$ ipa sudorule-add-runasuser --users=jsmith readfiles
$ ipa sudorule-add-runasgroup --groups=ITadmins readfiles

When creating a rule, the sudorule-add-runasuser or sudorule-add-runasgroup command can only set specific users or groups. However, when editing a rule, it is possible to run sudo as all users or all groups by using the --runasusercat or --runasgroupcat option. For example:

$ ipa sudorule-mod --runasgroupcat=all ruleName

NOTE

The --sudorule-add-runasuser and --sudorule-add-runasgroup commands do not support an all option, only specific user or group names. Specifying all users or all groups can only be used with options with the sudorule-mod command.

Table 13.1. sudo Commands

Command	Description
sudorule-add	Adds a sudo rule entry.
sudorule-add-user	Adds a user or a user group to the sudo rule. This user (or every member of the group) is then entitled to sudo any of the commands in the rule.
sudorule-add-host	Adds a target host for the rule. These are the hosts where the users are granted sudo permissions.
sudorule-add-runasgroup	Sets a group to run the sudo commands as. This must be a specific user; to specify all users, modify the rule using `sudo-rule`.
sudorule-add-runasuser	Sets a user to run the sudo commands as. This must be a specific user; to specify all users, modify the rule using `sudo-rule`.
sudorule-add-allow-command	Adds a command that users in the rule have sudo permission to run.
sudorule-add-deny-command	Adds a command that users in the rule are explicitly denied sudo permission to run.
sudorule-add-option	Adds a sudoers flag to the sudo rule.