> On 22 Mar 2022, at 15:42, Rob Crittenden <[email protected]> wrote:
>
> Djerk Geurts via FreeIPA-users wrote:
>> This is a topic that I've spent way too much time on recently. The reason is
>> I'm trying to manage sudo rights for teams and the sudo ruleset is getting
>> out of hand as no globs I've tried are working, except for maybe an '*' in a
>> pathname. I'm trying to keep things secure; I'd like to allow members of a
>> certain group to manage the services they're responsible for. These are dev
>> guys, so there's a fair bit of management involved.
>>
>> Initially, I would create a rule for systemctl start, another for stop, etc.
>> for status, reload and restart. Then I have to add the journalctl rules for
>> seeing the current logs and the tail options for those.
>>
>> In trying to make things easier when adding rules, and knowing globs should be
>> supported, I was hoping to simplify things to:
>>
>> /usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
>> /usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])
>>
>> But alas, none of this is working. What does work is a long list of rules
>> specific to each separate instantiated service, which is getting really
>> tiresome and error-prone. Is there anything I can do to ease maintaining
>> these rules, or do I give up and look at using Ansible to automate FreeIPA
>> sudo rules?
>
> It may very well depend on the version of sudo you have on the client(s)
> whether regular expressions are supported or not.
>
> IPA is only a container for the rules. It just passes them along to
> sudo. I'd suggest checking with the sudo team as well.
>
> There may also be distribution-based idiosyncrasies.
>
> rob
Thank you, I’ll check there as well. It’s mostly Ubuntu 20.04 here with a few Debian 10 and CentOS 7 machines as well. So far I’ve seen no difference between them.

Djerk

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
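The patterns in the quoted message fail because sudoers matches command arguments with plain fnmatch(3)-style wildcards (`*`, `?`, `[...]`), not ksh extended globs such as `+([a-z])` or `@(-t)`, and it matches the wildcard against all of the user's arguments joined into one space-separated string, so a `*` silently crosses argument boundaries. The following added example (not from the thread, from FreeIPA or from the sudo project) is a small emulation of that matching logic, written so an administrator can check what a candidate rule would actually admit before pushing it into IPA. It also models the anchored `^...$` regular-expression form that sudo accepts from version 1.9.10 onward, which is what Rob's reply about sudo versions refers to; the `sudo_args_match`, `allowed_by` and `audit_rule` names and the sample command lines are constructed for this example, and the path part of the rule is compared exactly rather than with sudo's full path-globbing rules.

```python
import fnmatch
import re
from typing import Dict, Optional, Sequence

# CONSTRUCTED sample command lines a team member might type (argv form).
SAMPLE_COMMANDS = [
    ["/usr/bin/systemctl", "restart", "nodejs@api"],
    ["/usr/bin/systemctl", "restart", "nodejs@api", "--now"],
    ["/usr/bin/systemctl", "restart", "nodejs@api", "sshd"],
    ["/usr/bin/journalctl", "--unit", "nodejs@api", "-t"],
]


def sudo_args_match(rule_args: Optional[str], user_args: Sequence[str]) -> bool:
    """Emulate how sudoers compares the argument part of a command spec.

    rule_args None : the rule names no arguments, so any arguments match.
    rule_args ""   : the rule ends in "", so only an argument-less call matches.
    ^...$          : sudo 1.9.10+ regular expression, matched against the
                     whole argument string.
    otherwise      : exact string compare, then fnmatch() against the user's
                     arguments joined by single spaces, so '*' also matches
                     spaces and therefore extra arguments.
    """
    joined = " ".join(user_args)
    if rule_args is None:
        return True
    if rule_args == "":
        return joined == ""
    if rule_args.startswith("^") and rule_args.endswith("$"):
        return re.fullmatch(rule_args, joined) is not None
    return joined == rule_args or fnmatch.fnmatchcase(joined, rule_args)


def allowed_by(rule: str, cmdline: Sequence[str]) -> bool:
    """Would this sudoers command spec admit this argv? (path compared exactly)"""
    rule_path, sep, rule_args = rule.partition(" ")
    if rule_path != cmdline[0]:
        return False
    if not sep:
        args_spec: Optional[str] = None   # rule lists the command only
    elif rule_args == '""':
        args_spec = ""                    # rule forbids any arguments
    else:
        args_spec = rule_args
    return sudo_args_match(args_spec, cmdline[1:])


def audit_rule(rule: str, commands: Sequence[Sequence[str]]) -> Dict[str, bool]:
    """Map each sample command line to whether the rule would allow it."""
    return {" ".join(cmd): allowed_by(rule, cmd) for cmd in commands}


if __name__ == "__main__":
    candidates = [
        # extended glob from the thread: treated as literal '+', '(' and ')'
        "/usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)",
        # plain glob: matches the intended unit, and also extra arguments
        "/usr/bin/systemctl restart nodejs@*",
        # sudo 1.9.10+ anchored regex: one unit name, nothing appended
        "/usr/bin/systemctl ^restart nodejs@[a-z]+$",
    ]
    for rule in candidates:
        print(rule)
        for cmd, ok in audit_rule(rule, SAMPLE_COMMANDS).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {cmd}")
```

Running the audit shows the three outcomes side by side: the `+([a-zA-Z])` pattern admits nothing, `nodejs@*` admits `restart nodejs@api --now` and `restart nodejs@api sshd` along with the intended call, and the anchored regex admits only the single-unit restart. On clients older than sudo 1.9.10 (Ubuntu 20.04 ships 1.8.31) the regex form is unavailable, which is why the per-instance rule list, however tiresome, remains the tight option there.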
