On Tue, 22 Mar 2022, Djerk Geurts via FreeIPA-users wrote:

On 22 Mar 2022, at 15:42, Rob Crittenden <[email protected]> wrote:

Djerk Geurts via FreeIPA-users wrote:
This is a topic that I've spent way too much time on recently. The
reason is I'm trying to manage sudo rights for teams and the sudo
ruleset is getting out of hand as no globs I've tried are working
except for maybe an '*' in a pathname. I'm trying to keep things
secure, so I'd like to allow members of a certain group to manage the
services they're responsible for. These are dev guys so there's a
fair bit of management involved.

Initially, I would create a rule for systemctl start, another for
stop, etc for status, reload and restart. Then I have to add the
journalctl rules for seeing the current logs and the tail options
for those.

In trying to make things easier when adding rules, and knowing globs
should be supported, I was hoping to simplify things to:

/usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
/usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])

But alas, none of this is working, what does work is a long list of
rules specific to each separate instantiated service, which is
getting really tiresome and error-prone. Is there anything I can do
to ease maintaining these rules, or do I give up and look at using
Ansible to automate FreeIPA sudo rules?

It may very well depend on the version of sudo you have on the client(s)
whether regular expressions are supported or not.

IPA is only a container for the rules. It just passes them along to
sudo. I'd suggest checking with the sudo team as well.

There may also be distribution-based idiosyncrasies.

rob

Thank you, I’ll check there as well. It’s mostly Ubuntu 20.04 here
with a few Debian 10 and CentOS 7 machines as well. So far I’ve seen no
difference between them.

Just start with a normal sudoers on the system. Does this set of rules
work there if you put them into /etc/sudoers?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
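As an added illustration (not part of this thread, and not sudo's or FreeIPA's code): a small Python model of the matching that sudoers(5) applies to a rule's command path and argument string. sudo compares the whole argument string as one unit using fnmatch(3)-style wildcards (*, ?, [...]); the ksh-style +(), @() and (a|b) forms in the rules quoted above are not sudoers syntax, so their parentheses, pipes and plus signs are treated as literal characters and never match. The ^...$ branch models the regular-expression matching sudo added in sudoers in 1.9.10 (on an older client such a rule is just a literal pattern). The sample command lines are constructed for the example.

```python
"""Model of how sudoers(5) decides whether a rule covers a typed command.
Added example for this thread; it is not sudo's own code."""
import fnmatch
import re

# The two rules from the thread, written with bash/ksh extended globs.
THREAD_RULES = [
    "/usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)",
    "/usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])",
]

# A plain fnmatch glob: matches, but is broader than it looks (see below).
PLAIN_GLOB_RULE = "/usr/bin/systemctl restart nodejs@*"

# Assumption: sudo >= 1.9.10 treats a ^...$ argument pattern as a regex.
REGEX_RULE = "/usr/bin/systemctl ^(start|stop|status|reload|restart) nodejs@[a-zA-Z]+$"

# Constructed sample command lines (not from the thread).
SAMPLE_COMMANDS = [
    "/usr/bin/systemctl restart nodejs@app",
    "/usr/bin/systemctl restart nodejs@app other.service",  # extra argument
    "/usr/bin/systemctl enable nodejs@app",
]


def _split_rule(spec):
    """A sudoers command spec is a path plus an optional argument pattern.
    The arguments are matched as ONE string, not token by token, so the
    same split is applied to the command the user typed."""
    parts = spec.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)


def _match_part(pattern, text):
    """Match one part (path or argument string) of a rule."""
    # Assumption (sudo >= 1.9.10): ^...$ is a regular expression that must
    # match the whole string.
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern[1:-1], text) is not None
    # Otherwise fnmatch(3) wildcards only: * ? [..]. Any other character,
    # including ( | + ) from extended globs, is literal. Note that * also
    # matches spaces, so "nodejs@*" accepts further arguments after the unit.
    return fnmatch.fnmatchcase(text, pattern)


def sudoers_matches(rule, cmdline):
    """True if `rule` (sudoers command spec) covers `cmdline` (typed command).
    Paths are compared with fnmatch here; real sudo additionally stops * at
    '/' in the path part (FNM_PATHNAME), which this model omits."""
    rule_path, rule_args = _split_rule(rule)
    cmd_path, cmd_args = _split_rule(cmdline)
    if not _match_part(rule_path, cmd_path):
        return False
    if rule_args is None:        # no argument pattern: any arguments allowed
        return True
    if rule_args == '""':        # explicit "" in sudoers: no arguments allowed
        return cmd_args is None
    return _match_part(rule_args, cmd_args or "")


def evaluate(rules, commands):
    """Return {(rule, command): matched} for every rule/command pair."""
    return {(r, c): sudoers_matches(r, c) for r in rules for c in commands}


if __name__ == "__main__":
    for (rule, cmd), ok in evaluate(
        THREAD_RULES + [PLAIN_GLOB_RULE, REGEX_RULE], SAMPLE_COMMANDS
    ).items():
        print(f"{'MATCH' if ok else 'no   '}  {rule!r}  <-  {cmd!r}")
```

Running it shows the three behaviours worth knowing before putting such rules into FreeIPA: the extended-glob rules match nothing, the plain glob matches the intended command but also a command line with extra arguments appended after the unit name, and the anchored regex accepts exactly the listed verbs and one unit name. Whichever form a client's sudo supports, `visudo -c` and `sudo -l` on that client are the quick way to confirm the rule does what the pattern suggests.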
_______________________________________________
FreeIPA-users mailing list -- [email protected]
