Red Hat Summit30.2. sudo Rules in Identity Management
Using
sudo rules, you can define who can do what, where, and as whom.
- Who are the users allowed to use
sudo. - What are the commands that can be used with
sudo. - Where are the target hosts on which the users are allowed to use
sudo. - As whom is the system or other user identity which the users assume to perform tasks.
30.2.1. External Users and Hosts in sudo Rules
Copy linkLink copied to clipboard!
IdM accepts external entities in
sudo rules. External entities are entities that are stored outside of the IdM domain, such as users or hosts that are not part of the IdM domain.
For example, you can use
sudo rules to grant root access to a member of the IT group in IdM, where the root user is not a user defined in the IdM domain. Or, for another example, administrators can block access to certain hosts that are on a network but are not part of the IdM domain.
30.2.2. User Group Support for sudo Rules
Copy linkLink copied to clipboard!
You can use
sudo to give access to whole user groups in IdM. IdM supports both Unix and non-POSIX groups. Note that creating non-POSIX groups can cause access problems because any users in a non-POSIX group inherit non-POSIX permissions from the group.
30.2.3. Support for sudoers Options
Copy linkLink copied to clipboard!
IdM supports
sudoers options. For a complete list of the available sudoers options, see the sudoers(5) man page.
Note that IdM does not allow white spaces or line breaks in
sudoers options. Therefore, instead of supplying multiple options in a comma-separated list, add them separately. For example, to add two sudoers options from the command line:
ipa sudorule-add-option sudo_rule_name ipa sudorule-add-option sudo_rule_name
$ ipa sudorule-add-option sudo_rule_name
Sudo Option: first_option
$ ipa sudorule-add-option sudo_rule_name
Sudo Option: second_option
Similarly, make sure to supply long options on one line. For example, from the command line:
ipa sudorule-add-option sudo_rule_name
$ ipa sudorule-add-option sudo_rule_name
Sudo Option: env_keep="COLORS DISPLAY EDITOR HOSTNAME HISTSIZE INPUTRC KDEDIR LESSSECURE LS_COLORS MAIL PATH PS1 PS2 XAUTHORITY"
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}