
13.3. Defining sudo Rules

sudo rules are in a sense similar to access control rules: they define the users who are granted access, the commands which are within the scope of the rule, and the target hosts to which the rule applies. In FreeIPA, additional information can be configured in the rule, such as sudoers options and run-as settings, but the basic elements always define who, what (commands), and where (hosts).

13.3.1. About External Users and Hosts

sudo rules define four elements: who can do what, where, and as whom. The who is the regular user, and the as whom is the system or other user identity which the user uses to perform tasks. Those tasks are system commands that can be run (or specifically not run) on a target machine.
Three of those elements — who, as whom, and where — are identities. They are users and hosts. Most of the time, those identities are going to be entities within the FreeIPA domain, because there will be overlap between the system users and machines in the environment and the users and hosts belonging to the FreeIPA domain.
However, that is not necessarily the case with all identities that a sudo policy may realistically cover. For example, sudo rules could be used to grant root access to members of the IT group in FreeIPA, and that root user is not a user in FreeIPA. Or, for another example, administrators may want to block access to certain hosts that are on the network but are not part of the FreeIPA domain.
The sudo rules in FreeIPA support the concept of external users and hosts — meaning, hosts and users which are stored and exist outside of the FreeIPA configuration.
Figure 13.1. External Entities

When configuring a sudo rule, the user, run-as, and host settings all can point to an external identity to be included and evaluated in the sudo rule.

13.3.2. About sudo Options Format

The sudo rule can be configured to use any supported sudoers options. (The complete list of options is in the sudoers manpage and at http://www.gratisoft.us/sudo/sudoers.man.html#sudoers_options.)
However, the sudo rule configuration in FreeIPA does not allow the same formatting as the configuration in the /etc/sudoers file. Specifically, FreeIPA does not allow whitespaces in the options parameter, whether it is set in the UI or the CLI.
For example, in the /etc/sudoers file, it is permissible to list options in a comma-separated list with spaces between:
mail_badpass, mail_no_host, mail_no_perms, syslog = local2
However, in FreeIPA, that same line would be interpreted as a series of separate arguments — one for each whitespace-separated token, including the equals sign (=), since it has spaces around it.
Likewise, linebreaks that are ignored in the /etc/sudoers file are not allowed in the FreeIPA configuration:
env_keep = "COLORS DISPLAY EDITOR HOSTNAME HISTSIZE INPUTRC 
            KDEDIR LESSSECURE LS_COLORS MAIL PATH PS1 PS2 
            QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE 
            LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES 
            LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE 
            LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET 
            XAUTHORITY"
To use multiple sudoers options in FreeIPA, configure each one as a separate option setting, rather than all on one line, as is allowed in the /etc/sudoers file.

13.3.3. Defining sudo Rules in the Web UI

  1. Click the Policy tab.
  2. Click the Sudo subtab, and then select the Sudo Rules link.
  3. Click the Add link at the top of the list of sudo rules.
  4. Enter the name for the rule.
  5. Click the Add and Edit button to go immediately to set the configuration for the rule.
    There are a number of configuration areas for the rule. The most basic elements are set in the Who, Access This Host, and Run Commands areas; the others are optional and are used to refine the rule.
  6. Optional. In the Options area, add any sudoers options. The complete list of options is in the sudoers manpage and at http://www.gratisoft.us/sudo/sudoers.man.html#sudoers_options.

    NOTE

    As described in Section 13.3.2, “About sudo Options Format”, do not use options with whitespace in the values. Rather than adding a list of options in one line, add a single option setting for each desired option.
    1. Click the + Add link at the right of the options list.
    2. Enter the sudoers option.
    3. Click Add.
  7. In the Who area, select the users or user groups to which the sudo rule is applied.
    1. Click the + Add link at the right of the users list.
    2. Click the checkbox by the users to add to the rule, and click the right arrows button, >>, to move the users to the selection box.
    3. Click Add.
    It is possible to configure both FreeIPA users and external system users (Section 13.3.1, “About External Users and Hosts”).
  8. In the Access This Host area, select the hosts on which the sudo rule is in effect.
    1. Click the + Add link at the right of the hosts list.
    2. Click the checkbox by the hosts to include with the rule, and click the right arrows button, >>, to move the hosts to the selection box.
    3. Click Add.
    It is possible to configure both FreeIPA clients and external hosts (Section 13.3.1, “About External Users and Hosts”).
  9. In the Run Commands area, select the commands which are included in the sudo rule. The sudo rule can grant access or deny access to commands, and it can allow access to one command while denying access to another.
    1. In the Allow/Deny area, click the + Add link at the right of the commands list.
    2. Click the checkbox by the commands or command groups to include with the rule, and click the right arrows button, >>, to move the commands to the selection box.
    3. Click Add.
  10. Optional. The sudo rule can be configured to run the given commands as a specific, non-root user.
    1. In the As Whom area, click the + Add link at the right of the users list.
    2. Click the checkbox by the users to run the command as, and click the right arrows button, >>, to move the users to the selection box.
    3. Click Add.

13.3.4. Defining sudo Rules in the Command Line

Each element is added to the rule command using a different command (listed in Table 13.1, “sudo Commands”).
The basic outline of a sudo rule command is:
$ ipa sudorule-add* options ruleName
Example 13.1. Creating Basic sudo Rules
In the most basic case, the sudo configuration is going to grant the right to one user for one command on one host.
The first step is to add the initial rule entry.
$ ipa sudorule-add files-commands
-----------------------------------
Added sudo rule "files-commands"
-----------------------------------
  Rule name: files-commands
  Enabled: TRUE
Next, add the commands to grant access to. This can be a single command, using --sudocmd, or a group of commands, using --sudocmdgroups.
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/vim" files-commands
  Rule name: files-commands
  Enabled: TRUE
  sudo Commands: /usr/bin/vim
-------------------------
Number of members added 1
-------------------------
Add a host or a host group to the rule.
$ ipa sudorule-add-host --host server.example.com files-commands
  Rule name: files-commands
  Enabled: TRUE
  Hosts: server.example.com
  sudo Commands: /usr/bin/vim
-------------------------
Number of members added 1
-------------------------
Last, add the user or group to the rule. This is the user who is allowed to use sudo as defined in the rule; if no "run-as" user is given, then this user will run the sudo commands as root.
$ ipa sudorule-add-user --user jsmith files-commands
  Rule name: files-commands
  Enabled: TRUE
  Users: jsmith
  Hosts: server.example.com
  sudo Commands: /usr/bin/vim
-------------------------
Number of members added 1
-------------------------

Example 13.2. Allowing and Denying Commands
The sudo rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing:
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/less" readfiles
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/tail" readfiles
$ ipa sudorule-add-deny-command --sudocmd "/usr/bin/vim" readfiles

Example 13.3. Using sudoers Options
The sudoers file has a lot of potential flags that can be set to control the behavior of sudo users, such as requiring (or not requiring) a password when a user authenticates to sudo, or using fully-qualified domain names in the sudoers file. The complete list of options is in the sudoers manpage and at http://www.gratisoft.us/sudo/sudoers.man.html#sudoers_options.
Any of these options can be set for the FreeIPA sudo rule using the sudorule-add-option command. When the command is run, it prompts for the option to add:
$ ipa sudorule-add-option readfiles
Sudo Option: !authenticate
-----------------------------------------------------
Added option "!authenticate" to Sudo rule "readfiles"
-----------------------------------------------------

NOTE

As described in Section 13.3.2, “About sudo Options Format”, do not use options with whitespace in the values. Rather than adding a list of options in one line, add a single option setting for each desired option.
Example 13.4. Running as Other Users
The sudo rule also has the option of specifying a non-root user or group to run the commands as. The run-as user or group is added to the rule using the sudorule-add-runasuser or sudorule-add-runasgroup command, respectively.
$ ipa sudorule-add-runasuser --users=jsmith readfiles
$ ipa sudorule-add-runasgroup --groups=ITadmins readfiles
When creating a rule, the sudorule-add-runasuser or sudorule-add-runasgroup command can only set specific users or groups. However, when editing a rule, it is possible to run sudo as all users or all groups by using the --runasusercat or --runasgroupcat option. For example:
$ ipa sudorule-mod --runasgroupcat=all ruleName

NOTE

The sudorule-add-runasuser and sudorule-add-runasgroup commands do not support an all option, only specific user or group names. Specifying all users or all groups is possible only with the --runasusercat and --runasgroupcat options of the sudorule-mod command.
Example 13.5. Referencing External Users or Hosts
The "who" in a sudo rule can be a FreeIPA user, but there are many logical and useful rules where one of the referents is a system user. Similarly, a rule may need to grant or deny access to a host machine on the network which is not a FreeIPA client.
In those cases, the sudo policy can refer to an external user or host — an identity created and stored outside of FreeIPA (Section 13.3.1, “About External Users and Hosts”).
There are three options to add an external identity to a sudo rule:
  • --externaluser
  • --runasexternaluser
  • --externalhost
For example:
$ ipa sudorule-add-host --externalhost=external-server.example.com readfiles
$ ipa sudorule-add-user --externaluser=ITAdmin readfiles
$ ipa sudorule-add-runasuser --runasexternaluser=root readfiles
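The following script is an added example, not part of the FreeIPA project or of this guide. It ties together two points from this section: the one-option-per-setting, whitespace-free format that Section 13.3.2 requires for sudoers options, and the command sequence of Example 13.1 (rule entry, allowed commands, target host, user, optional run-as user). The normalizer takes a Defaults-style option list as it would appear in /etc/sudoers, strips the whitespace around =, += and -=, and refuses any option that still contains whitespace (such as a quoted env_keep list), so that it is split by hand into separate settings instead of being stored as garbage. By default every ipa command is only printed (IPA_CMD=echo); set IPA_CMD=ipa after kinit as an administrator to apply the rule for real. The --sudooption flag is the non-interactive form of the prompt shown in Example 13.3; the rule name, user, host and command paths are constructed sample values, and the example assumes each command path already exists as a sudo command entry in FreeIPA.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Builds a FreeIPA sudo rule the way
# Examples 13.1-13.5 do, and converts /etc/sudoers "Defaults" option lists into
# the one-option-per-setting, whitespace-free form required by Section 13.3.2.
# Commands are only previewed (IPA_CMD=echo) unless IPA_CMD=ipa is set after
# obtaining an administrator Kerberos ticket with kinit.
: "${IPA_CMD:=echo}"

# Strip leading/trailing whitespace and the whitespace around "=", "+=", "-=".
normalize_sudo_option() {
    printf '%s\n' "$1" | sed \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*\([+-]*=\)[[:space:]]*/\1/'
}

# Return 0 only when the option is non-empty and free of whitespace, which is
# the constraint FreeIPA enforces on the options parameter.
sudo_option_is_valid() {
    case "$1" in
        '' | *[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Split a comma-separated sudoers option list into one normalized option per
# output line. Options that still contain whitespace after normalization, such
# as a quoted env_keep list, cannot be stored as one FreeIPA option: they are
# reported on stderr and skipped, and the function returns 1 so the caller
# knows to split them into separate settings by hand.
split_sudoers_options() {
    _line=$1
    _rc=0
    _old_ifs=$IFS
    IFS=','
    set -f                        # no pathname expansion while word-splitting
    set -- $_line
    set +f
    IFS=$_old_ifs
    for _raw in "$@"; do
        _opt=$(normalize_sudo_option "$_raw")
        [ -n "$_opt" ] || continue            # ignore empty fields
        if sudo_option_is_valid "$_opt"; then
            printf '%s\n' "$_opt"
        else
            printf 'skipping option with embedded whitespace: %s\n' "$_opt" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Add every option from a sudoers-style list to RULE, one sudorule-add-option
# call per option (--sudooption is the non-interactive form of the prompt
# shown in Example 13.3). Returns 1 if any option was skipped or rejected.
add_sudoers_options_to_rule() {
    _rule=$1
    _status=0
    _opts=$(split_sudoers_options "$2") || _status=1
    while IFS= read -r _opt; do
        [ -n "$_opt" ] || continue
        "$IPA_CMD" sudorule-add-option "$_rule" --sudooption="$_opt" || _status=1
    done <<EOF
$_opts
EOF
    return $_status
}

# Create a rule granting USER the listed commands on HOST, in the order used
# by Example 13.1: rule entry, allowed commands, target host, then the user.
# COMMANDS is a comma-separated list of absolute paths that already exist as
# sudo command entries. Without a run-as user the commands run as root, so an
# optional fifth argument names a specific run-as user (Example 13.4).
create_basic_sudo_rule() {
    _rule=$1 _user=$2 _host=$3 _commands=$4 _runas=$5
    "$IPA_CMD" sudorule-add "$_rule" || return 1
    _old_ifs=$IFS
    IFS=','
    set -f
    set -- $_commands
    set +f
    IFS=$_old_ifs
    for _cmd in "$@"; do
        "$IPA_CMD" sudorule-add-allow-command --sudocmd "$_cmd" "$_rule" || return 1
    done
    "$IPA_CMD" sudorule-add-host --host "$_host" "$_rule" || return 1
    "$IPA_CMD" sudorule-add-user --user "$_user" "$_rule" || return 1
    [ -z "$_runas" ] || "$IPA_CMD" sudorule-add-runasuser --users="$_runas" "$_rule" || return 1
}
```

A typical preview run is `create_basic_sudo_rule files-commands jsmith server.example.com /usr/bin/vim` followed by `add_sudoers_options_to_rule files-commands 'mail_badpass, syslog = local2'`; the second call prints one sudorule-add-option line per option, which is exactly the per-option layout Section 13.3.2 asks for, and its non-zero exit status is the signal that part of the sudoers line could not be translated automatically.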

Table 13.1. sudo Commands

sudorule-add
    Adds a sudo rule entry.
sudorule-add-user
    Adds a user or a user group to the sudo rule. This user (or every member of the group) is then entitled to sudo any of the commands in the rule.
sudorule-add-host
    Adds a target host for the rule. These are the hosts where the users are granted sudo permissions.
sudorule-add-runasgroup
    Sets a group to run the sudo commands as. This must be a specific group; to specify all groups, modify the rule using sudorule-mod.
sudorule-add-runasuser
    Sets a user to run the sudo commands as. This must be a specific user; to specify all users, modify the rule using sudorule-mod.
sudorule-add-allow-command
    Adds a command that users in the rule have sudo permission to run.
sudorule-add-deny-command
    Adds a command that users in the rule are explicitly denied sudo permission to run.
sudorule-add-option
    Adds a sudoers flag to the sudo rule.