Chapter 13. Policy: Using sudo

13.1. About sudo and IPA
13.1.1. General sudo Configuration in Identity Management
13.1.2. sudo and Netgroups
13.1.3. Supported sudo Clients
13.2. Setting up sudo Commands and Command Groups
13.2.1. Adding sudo Commands
13.2.1.1. Adding sudo Commands with the Web UI
13.2.1.2. Adding sudo Commands with the Command Line
13.2.2. Adding sudo Command Groups
13.2.2.1. Adding sudo Command Groups with the Web UI
13.2.2.2. Adding sudo Command Groups with the Command Line
13.3. Defining sudo Rules
13.3.1. Defining sudo Rules in the Web UI
13.3.2. Defining sudo Rules in the Command Line
13.4. An Example of Configuring sudo
13.4.1. Server Configuration for sudo Rules
13.4.2. Client Configuration for sudo Rules
Identity Management provides a mechanism for predictably and consistently applying sudo policies across the IPA domain. The sudo policies apply to domain users and domain hosts.

13.1. About sudo and IPA

The sudo command allows a system administrator to delegate authority to specific users to run specific commands as root or as another specified user. sudo provides an audit trail of the commands and their arguments, so access can be tracked.

13.1.1. General sudo Configuration in Identity Management

sudo uses a local configuration file, /etc/sudoers, which defines the commands and users with sudo access. While this file can be shared among machines, there's no native way to distribute sudo configuration files among machines.
Identity Management uses its centralized LDAP database to contain the sudo configuration, which makes it globally available to all domain hosts. Identity Management also has a specialized LDAP schema for sudo entries that allows a much more flexible and simpler configuration. This schema adds two key features:
  • The Identity Management schema supports host groups in addition to netgroups for sudo, while sudo only supports netgroups.
    For every host group, Identity Management also creates a corresponding shadow netgroup. This allows IPA administrators to create sudo rules that reference host groups, while the local sudo command uses the corresponding netgroup.
  • Identity Management introduces the concept of a sudo command group. The group contains multiple commands, and then the command group can be referenced in the sudo configuration.
Because sudo does not support host groups and command groups, Identity Management translates the IPA sudo configuration into native sudo configuration when the sudo rules are created.
Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/nslcd.conf. (The /etc/nslcd.conf file is created by the nss-pam-ldapd package. However, if nss-pam-ldapd is not installed, then the /etc/nslcd.conf file can be created manually.)
Both sudo and Identity Management support user groups as part of the sudo configuration. User groups can be either Unix or non-POSIX groups. Creating non-POSIX groups can create some access issues because any users in the group inherit non-POSIX rights from the group. Having the choice between Unix and non-POSIX groups allows administrators the choice in group formatting and to avoid problems with inherited permissions or GID information.

13.1.2. sudo and Netgroups

As Section 13.1.1, “General sudo Configuration in Identity Management” mentions, the LDAP schema used for sudo entries in Identity Management supports host group-style groups in addition to netgroups. In fact, Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats.
One important thing to consider is that even though sudo uses NIS netgroups, it is not necessary to have a NIS server installed or a NIS client configured. When any group is created for sudo, the NIS object is created in the Directory Server instance, and then the information is retrieved by NSS_LDAP or by SSSD. The client (in this case, sudo) then extracts the required NIS information from the information provided by Identity Management's Directory Server.
In short, sudo configuration requires NIS-formatted netgroups. It does not require NIS.
The Identity Management Directory Server instance uses the standard LDAP schema for NIS objects, defined in RFC 2307.
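The following is an added example, not code from FreeIPA or from this guide. It models the two ideas from Section 13.1.1 and Section 13.1.2: an IPA-style rule that refers to a host group and a command group, and the native sudo representation that rule must be mapped to, where hosts can only be matched through a +netgroup and commands must be listed explicitly. It also builds the RFC 2307 nisNetgroupTriple values a shadow netgroup would carry for each host. The rule structure, the hostgroup_ naming of the shadow netgroup, and all directory contents are constructed for illustration and are not the project's actual schema.

```python
"""Model of how an IPA-style sudo rule (host groups, command groups) maps
onto native sudoers syntax, which only knows users, %groups, +netgroups
and explicit command lists.

Added example, not FreeIPA code. The rule fields, the netgroup naming and
the sample directory contents below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SudoRule:
    name: str
    users: list = field(default_factory=list)           # plain user names
    user_groups: list = field(default_factory=list)     # IPA user groups
    host_groups: list = field(default_factory=list)     # IPA host groups
    commands: list = field(default_factory=list)        # explicit command paths
    command_groups: list = field(default_factory=list)  # IPA command groups
    run_as: str = "root"


# Constructed sample data standing in for what the directory would hold.
COMMAND_GROUPS = {
    "service-control": ["/usr/bin/systemctl", "/usr/sbin/service"],
    "package-mgmt": ["/usr/bin/yum"],
}
HOST_GROUPS = {
    "webservers": ["web1.example.com", "web2.example.com"],
}


def shadow_netgroup_name(host_group: str) -> str:
    """Name of the netgroup that mirrors an IPA host group.
    The 'hostgroup_' prefix is an assumption made for this example."""
    return f"hostgroup_{host_group}"


def netgroup_triples(host_group: str) -> list:
    """RFC 2307 nisNetgroupTriple values for the shadow netgroup: (host,user,domain).
    '-' in the user field means 'no user matches'; an empty domain matches any."""
    return [f"({host},-,)" for host in HOST_GROUPS[host_group]]


def expand_commands(rule: SudoRule) -> list:
    """Flatten explicit commands and command-group members into one list,
    keeping order and dropping duplicates; every path must be absolute."""
    cmds = list(rule.commands)
    for group in rule.command_groups:
        for cmd in COMMAND_GROUPS[group]:
            if cmd not in cmds:
                cmds.append(cmd)
    for cmd in cmds:
        if not cmd.startswith("/"):
            raise ValueError(f"sudo command must be an absolute path: {cmd}")
    return cmds


def to_sudoers(rule: SudoRule) -> str:
    """Render the rule as one sudoers specification line:
    User_List Host_List = (Runas) Cmnd_List, using %group for user groups
    and +netgroup for the shadow netgroup of each host group."""
    user_list = rule.users + [f"%{g}" for g in rule.user_groups]
    host_list = [f"+{shadow_netgroup_name(h)}" for h in rule.host_groups] or ["ALL"]
    cmd_list = expand_commands(rule) or ["ALL"]
    return (f"{', '.join(user_list)} {', '.join(host_list)} = "
            f"({rule.run_as}) {', '.join(cmd_list)}")


# Constructed rule: one user plus one user group, one host group,
# one explicit command and one command group.
EXAMPLE_RULE = SudoRule(
    name="web-admins",
    users=["alice"],
    user_groups=["webadmins"],
    host_groups=["webservers"],
    commands=["/usr/bin/yum"],
    command_groups=["service-control"],
)

if __name__ == "__main__":
    for hg in EXAMPLE_RULE.host_groups:
        print(shadow_netgroup_name(hg), netgroup_triples(hg))
    print(to_sudoers(EXAMPLE_RULE))
```

Running the block prints the shadow netgroup with its two host triples and then the sudoers line `alice, %webadmins +hostgroup_webservers = (root) /usr/bin/yum, /usr/bin/systemctl, /usr/sbin/service`. Note that the netgroup is resolved on the client through NSS (nss_ldap or SSSD), so the host list works without any NIS server, which is the point Section 13.1.2 makes.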

13.1.3. Supported sudo Clients

Any system which is supported as an IPA client system can be configured as a sudo client in IPA. IPA client platforms are listed in Section 3.2, “Supported Platforms for IPA Clients”.