On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first (group: files sss) but, would it work and
> > is it supported?
> What is it you expect or desire to happen in this case?

Sorry, I thought it was obvious. To create a wheel ipa group. Members of
this group are automatically 'root' in sudoers in plenty of distributions
(CentOS 7, just tested):

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

and in policykit I see this as well:

# cat 50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
// Default rules for polkit
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

So there is already an existing infrastructure for the wheel group that is
waiting to be used ;-)

Hopefully this makes it clear.


