이 콘텐츠는 선택한 언어로 제공되지 않습니다.
21.2. Setting up sudo Commands and Command Groups
Just as in regular
sudo configuration, any command which will be governed by sudo access must be listed in the configuration. Identity Management adds an extra control measure with sudo command groups, which allow a group of commands to be defined and then applied to the sudo configuration as one.
Adding a command or a command group makes it available to IdM to be defined in a
sudo rule; simply adding a command does not automatically include it in a sudo rule.
21.2.1. Adding sudo Commands
21.2.1.1. Adding sudo Commands with the Web UI
- Click the Policy tab.
- Click the Sudo subtab, and then select the Sudo Commands link.
- Click the Add link at the top of the list of commands.
- Enter the full system path and name of the command and, optionally, a description.
- Click the Add and Edit button to go immediately to the settings pages for the command.
- In the Sudo Command Groups tab, click the Add button to add the sudo command to a command group.
- Click the checkbox by the groups for the command to join, and click the right arrows button, , to move the group to the selection box.
- Click the button.
21.2.1.2. Adding sudo Commands with the Command Line
To add a single command, use the
sudocmd-add command. This requires the full, local path to the command executable and a description of the command:
$ ipa sudocmd-add --desc "description" /local/path/to/command
For example:
$ ipa sudocmd-add --desc 'For reading log files' '/usr/bin/less' ---------------------------------- Added sudo command "/usr/bin/less" ---------------------------------- sudo Command: /usr/bin/less Description: For reading log files
21.2.2. Adding sudo Command Groups
21.2.2.1. Adding sudo Command Groups with the Web UI
- Click the Policy tab.
- Click the Sudo subtab, and then select the Sudo Command Groups link.
- Click the Add link at the top of the list of command groups.
- Enter the name and description for the new command group.
- Click the Add and Edit button to go immediately to the settings pages for the group.
- In the Sudo Commands tab, click the Add button to add a sudo command to the group.
- In the Sudo Commands tab, click the Add button to add a sudo command to the group.
- Click the checkbox by the names of the commands to add, and click the right arrows button, , to move the command to the selection box.
- Click the button.
21.2.2.2. Adding sudo Command Groups with the Command Line
Creating a command group requires creating two entries, one for the group and one for the command itself:
- Create the command group using the
sudocmdgroup-addcommand:$ ipa sudocmdgroup-add --desc 'File editing commands' files ----------------------------------- Added sudo command group "files" ----------------------------------- sudo Command Group: files Description: File editing commands
- Create a command entry using the
sudocmd-addcommand:$ ipa sudocmd-add --desc 'For editing files' '/usr/bin/vim' ---------------------------------- Added sudo command "/usr/bin/vim" ---------------------------------- sudo Command: /usr/bin/vim Description: For editing files
- Add the command, using its full directory location as its name, to the command group using the
sudocmdgroup-add-membercommand:$ ipa sudocmdgroup-add-member --sudocmds '/usr/bin/vim' files sudo Command Group: files Description: File editing commands Member sudo commands: /usr/bin/vim ------------------------- Number of members added 1 -------------------------
