freeipa/doc/api/sudorule_management.md
Antonio Torres a2667b249e API doc: add usage guides for groups, HBAC and sudo rules
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of the available commands related to these topics.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-08 14:20:38 -05:00

# Sudo rules management examples

Sudo rules provide the system administrator a way to delegate privileges to certain users in order to perform commands either as root or as another user.

## Creating a sudo rule

Create a sudo rule that will hold time change commands.

```python
api.Command.sudorule_add("timechange")
```

## Managing sudo commands

Sudo rules must be populated with sudo commands. Create one for the date command.

```python
api.Command.sudocmd_add("/usr/bin/date")
```

Then, attach the sudo command to the sudo rule.

```python
api.Command.sudorule_add_allow_command("timechange", sudocmd="/usr/bin/date")
```

Alternatively, groups of sudo commands can be created and attached to the rule in the same manner.

```python
api.Command.sudocmd_add("/usr/bin/date")
api.Command.sudocmd_add("/usr/bin/timedatectl")
api.Command.sudocmd_add("/usr/sbin/hwclock")
api.Command.sudocmdgroup_add("timecmds")
api.Command.sudocmdgroup_add_member("timecmds", sudocmd="/usr/bin/date")
api.Command.sudocmdgroup_add_member("timecmds", sudocmd="/usr/bin/timedatectl")
api.Command.sudocmdgroup_add_member("timecmds", sudocmd="/usr/sbin/hwclock")
api.Command.sudorule_add_allow_command("timechange", sudocmdgroup="timecmds")
```

Commands can be denied as well. Deny running the rm command through sudo.

```python
api.Command.sudocmd_add("/usr/bin/rm")
api.Command.sudorule_add_deny_command("timechange", sudocmd="/usr/bin/rm")
```

## Adding users and hosts to sudo rules

Add the user bob to the previously created rule.

```python
api.Command.sudorule_add_user("timechange", user="bob")
```

Restrict the rule so that it applies only to the client.ipa.test host.

```python
api.Command.sudorule_add_host("timechange", host="client.ipa.test")
```

## Setting "run as" for sudo rules

Sudo rules run commands as root by default, but a different "run as" identity can be configured, both for the user and for the group.

```python
api.Command.sudorule_add_runasuser("timechange", user="alice")
api.Command.sudorule_add_runasgroup("timechange", group="sysadmins")
```

## Managing sudo options

Set a sudo option for the timechange sudo rule.

```python
api.Command.sudorule_add_option("timechange", ipasudoopt="logfile='/var/log/timechange_log'")
```

## Enabling and disabling sudo rules

Enable a sudo rule.

```python
api.Command.sudorule_enable("timechange")
```

Disable a sudo rule.

```python
api.Command.sudorule_disable("timechange")
```
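The calls above build up one rule piece by piece, so it is worth checking what the finished policy actually grants before enabling it. The following is an added, stand-alone model of the `timechange` rule as assembled in this guide; it is not FreeIPA or SSSD code, and its matching order (disabled and denied commands refuse first, then user, host and "run as" must match) is a simplifying assumption that covers the run-as user only, not the run-as group or sudo options.

```python
from dataclasses import dataclass, field


@dataclass
class SudoRule:
    """In-memory stand-in for an IPA sudo rule (assumed model, not the IPA schema)."""
    name: str
    enabled: bool = True                               # sudorule_enable / sudorule_disable
    users: set = field(default_factory=set)            # sudorule_add_user
    hosts: set = field(default_factory=set)            # sudorule_add_host
    allow_cmds: set = field(default_factory=set)       # sudorule_add_allow_command sudocmd=
    allow_groups: set = field(default_factory=set)     # sudorule_add_allow_command sudocmdgroup=
    deny_cmds: set = field(default_factory=set)        # sudorule_add_deny_command
    runas_users: set = field(default_factory=set)      # sudorule_add_runasuser


# Constructed command group mirroring the sudocmdgroup_add_member calls above.
CMD_GROUPS = {
    "timecmds": {"/usr/bin/date", "/usr/bin/timedatectl", "/usr/sbin/hwclock"},
}


def allowed_commands(rule, groups=CMD_GROUPS):
    """Expand allowed command groups, then strip anything explicitly denied."""
    cmds = set(rule.allow_cmds)
    for group in rule.allow_groups:
        cmds |= groups.get(group, set())
    return cmds - rule.deny_cmds


def effective_runas(rule):
    """Assumption: with no run-as user configured the rule runs as root only."""
    return set(rule.runas_users) or {"root"}


def is_permitted(rule, user, host, cmd, runas="root", groups=CMD_GROUPS):
    """Would `user` on `host` be allowed to run `cmd` as `runas` under this rule?"""
    if not rule.enabled or cmd in rule.deny_cmds:      # deny wins over any allow
        return False
    if user not in rule.users or host not in rule.hosts:
        return False
    if runas not in effective_runas(rule):
        return False
    return cmd in allowed_commands(rule, groups)


# Constructed rule reproducing the sequence of API calls in this guide.
TIMECHANGE = SudoRule(
    name="timechange",
    users={"bob"},
    hosts={"client.ipa.test"},
    allow_groups={"timecmds"},
    deny_cmds={"/usr/bin/rm"},
    runas_users={"alice"},
)
```

Because a run-as user was configured, `is_permitted(TIMECHANGE, "bob", "client.ipa.test", "/usr/bin/date")` (run as root) returns `False` while the same call with `runas="alice"` returns `True`.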