On 08/04/2015 11:57 AM, Innes, Duncan wrote:
Hi folks,
Struggling with creating a sudo rule in IPA that will allow my
foreman-proxy to run specific commands.  When I put the following into
/etc/sudoers.d/foreman:
[root@puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root@puppet01 ~]#

[innesd@puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
!requiretty
User innesd may run the following commands on this host:
     (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
     (root) /bin/su
[innesd@puppet01 ~]$
Both my user and the foreman-proxy can run the relevant commands both on
the command line and remotely.
IT Security are not happy with local sudo rules being configured around
the network, so I'm trying to create the same configuration via IPA.
When I try to get the same rule into IPA, my user can run the command in
a tty, but the foreman-proxy user is refused.  This looks to be down to
the lack of !requiretty coming through for the users:
[root@ipa01 ~]# ipa sudorule-show foreman-proxy
   Rule name: foreman-proxy
   Enabled: TRUE
   User category: all
   Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
   Sudo Option: !authenticate, !requiretty
[root@ipa01 ~]#
and once I've removed the #includedir option from my local sudoers file,
I get the following as my user:
[innesd@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
     (root) /bin/su
     (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd@puppet01 ~]$
where the noticeable difference is that the !requiretty isn't listed
under any "Matching Defaults entries" for my user.  With the rule set up
like this, I can run the command in a tty, but the foreman-proxy user is
denied when the command is run without a tty.
How do I go about setting the Defaults for the foreman-proxy user?  Once
my testing is done, I'd like to move the rule to run only against the
foreman-proxy external user rather than all users.

Can you also provide sudo logs please?

And a small follow-up question: how long should I expect it to take for
a change to the sudo rule on my IPA server to become available on the
client?  I keep doing sss_cache -E to clear the cache, but it still
seems to take its own sweet time to be changed on the client.  It's not
a huge wait - just a bit of a pain when I'm testing these changes.

Please set entry_cache_sudo_timeout = 0 in your domain for testing purposes. You can also look at ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval, which say how often sssd searches for new/modified rules.

Thanks in advance,
Duncan Innes
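As an added example (mine, not part of the thread and not from either poster), the following Python parses the two `sudo -l` listings quoted above and reports, for a given command, whether it is listed, whether it is passwordless, and whether `!requiretty` appears among the matching Defaults entries, which is the difference the message points to. The two sample outputs are constructed copies of the listings in the message; the function names are this example's own.

```python
"""Parse `sudo -l` output and check what a user can run without a tty.

Added example, not from the thread. The two sample listings are constructed
copies of the `sudo -l` output quoted in the message; function names are
this example's own.
"""
import re

# Constructed: `sudo -l` with the local /etc/sudoers.d/foreman rule in place.
LOCAL_RULE_OUTPUT = """\
Matching Defaults entries for innesd on this host:
    !requiretty
User innesd may run the following commands on this host:
     (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
     (root) /bin/su
"""

# Constructed: `sudo -l` once only the IPA-provided rule applies.
IPA_RULE_OUTPUT = """\
User innesd may run the following commands on this host:
     (root) /bin/su
     (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
"""

_RUNAS = re.compile(r"\((?P<runas>[^)]*)\)\s*")


def _parse_privilege_line(line):
    """Split one privilege line into (runas, nopasswd, command) tuples.

    sudo prints several commands on one line separated by ", ". A "(runas)"
    prefix and a NOPASSWD:/PASSWD: tag may precede any of them; in sudoers
    grammar both carry over to later commands on the line until changed.
    """
    entries = []
    runas, nopasswd = None, False
    for chunk in line.split(", "):
        chunk = chunk.strip()
        match = _RUNAS.match(chunk)
        if match:
            runas = match.group("runas")
            chunk = chunk[match.end():]
        for tag, value in (("NOPASSWD:", True), ("PASSWD:", False)):
            if chunk.startswith(tag):
                nopasswd = value
                chunk = chunk[len(tag):].strip()
        entries.append((runas, nopasswd, chunk))
    return entries


def parse_sudo_l(text):
    """Return (defaults, commands) parsed from `sudo -l` output.

    defaults: option strings from the "Matching Defaults entries" block
    commands: (runas, nopasswd, command) tuples from the privilege block
    """
    defaults, commands = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if line.startswith("User ") and " may run " in line:
            section = "commands"
            continue
        if section == "defaults":
            defaults.extend(opt.strip() for opt in line.split(",") if opt.strip())
        elif section == "commands":
            commands.extend(_parse_privilege_line(line))
    return defaults, commands


def check_access(text, command):
    """Report whether `command` is listed, passwordless, and free of requiretty.

    requiretty_cleared only matters on hosts whose sudoers sets requiretty;
    there, a service account with no tty is refused unless !requiretty is
    among its matching Defaults, which is the symptom in the thread.
    """
    defaults, commands = parse_sudo_l(text)
    matches = [(runas, nopw) for runas, nopw, cmd in commands if cmd == command]
    return {
        "listed": bool(matches),
        "nopasswd": any(nopw for _, nopw in matches),
        "requiretty_cleared": "!requiretty" in defaults,
    }


if __name__ == "__main__":
    for label, output in (("local sudoers.d", LOCAL_RULE_OUTPUT), ("IPA rule", IPA_RULE_OUTPUT)):
        print(label, check_access(output, "/usr/bin/puppet kick *"))
```

Run against the output of `sudo -U foreman-proxy -l` on each client to see, without switching to the service account, whether the IPA rule delivers the `!requiretty` Default that the local sudoers.d file did.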
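On the caching follow-up, here is an added Python example (mine, not from the thread) that reads an sssd.conf-style text and reports, per domain, the three timers named in the reply, substituting the sssd defaults documented in sssd.conf(5) and sssd-ldap(5) where a key is absent: entry_cache_sudo_timeout inherits entry_cache_timeout (5400 s unless overridden), ldap_sudo_full_refresh_interval defaults to 21600 s and ldap_sudo_smart_refresh_interval to 900 s. The config fragment and the host name in it are constructed.

```python
"""Report the sssd timers that decide how quickly IPA sudo rule changes reach a client.

Added example, not from the thread. It reads an sssd.conf-style text with
configparser and, for each [domain/...] section, reports the three settings
named in the reply, filling in the sssd defaults documented in sssd.conf(5)
and sssd-ldap(5) where a key is not set. The config text is constructed.
"""
import configparser

# Documented sssd defaults, in seconds. entry_cache_sudo_timeout has no fixed
# default of its own: it inherits entry_cache_timeout (5400 s unless overridden).
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
DEFAULT_FULL_REFRESH = 21600   # ldap_sudo_full_refresh_interval, 6 hours
DEFAULT_SMART_REFRESH = 900    # ldap_sudo_smart_refresh_interval, 15 minutes

# Constructed sssd.conf fragment: a testing profile of the kind the reply suggests.
CONSTRUCTED_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
sudo_provider = ipa
ipa_server = ipa01.example.com
entry_cache_sudo_timeout = 0
ldap_sudo_smart_refresh_interval = 60
"""


def sudo_refresh_settings(conf_text):
    """Return {domain: {setting: value, ...}} for every [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    # Older sssd releases only answer sudo queries when "sudo" is listed in
    # services; newer ones can socket-activate the responder instead.
    services = [s.strip() for s in parser.get("sssd", "services", fallback="").split(",")]
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        sec = parser[section]
        entry_cache = sec.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        report[section[len("domain/"):]] = {
            "sudo_responder_enabled": "sudo" in services,
            "entry_cache_sudo_timeout": sec.getint("entry_cache_sudo_timeout", fallback=entry_cache),
            "ldap_sudo_full_refresh_interval": sec.getint(
                "ldap_sudo_full_refresh_interval", fallback=DEFAULT_FULL_REFRESH),
            "ldap_sudo_smart_refresh_interval": sec.getint(
                "ldap_sudo_smart_refresh_interval", fallback=DEFAULT_SMART_REFRESH),
        }
    return report


def is_testing_profile(domain_settings):
    """True when cached sudo rules are never served stale (timeout 0)."""
    return domain_settings["entry_cache_sudo_timeout"] == 0


if __name__ == "__main__":
    for domain, settings in sudo_refresh_settings(CONSTRUCTED_SSSD_CONF).items():
        print(domain, "testing profile" if is_testing_profile(settings) else "production timers", settings)
```

Point it at `/etc/sssd/sssd.conf` on a client to see which of the three values are still at their defaults; a change on the IPA server is only picked up at the next smart or full refresh, and the entry cache timeout then decides how long an already cached rule keeps being served.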

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project