Hi Angus,
I’ve seen the suggestion, but the issue with that would be having to train people on different commands, and me having to write custom scripts. I’m trying to avoid further customisation, instead training people how to use systems rather than run services under personal accounts or needlessly as root. It’s a tough call to then turn around and say that it’s okay to run my custom script because there’s no centralised way of managing things. See, these scripts would then also need to be deployed to these systems and maintained.
When I issue 'sudo -l' I see the rules parsed as configured in FreeIPA, which confirms Rob’s point of how the rules are read by sudo. I’m going to have a go at creating some local rules to see if I can use wildcards there.
Failing that it’ll be a CI/CD workflow to deploy a sudoers file to /etc/sudoers.d/ and then reference the Cmnd_Alias in a FreeIPA rule. All stuff that introduces more potential issues, but both alternatives are too extreme (my time, versus a complete lack of security).
Thanks,
Djerk
> On 22 Mar 2022, at 16:45, Angus Clarke <angus(a)charworth.com> wrote:
>
> Hi Djerk
>
> Alternatively, you could write/deploy wrapper scripts to run the commands you want.
>
> Regards
> Angus
>
> From: Djerk Geurts via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
>
> > On 22 Mar 2022, at 15:42, Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Djerk Geurts via FreeIPA-users wrote:
> >> This is a topic that I've spent way too much time on recently. The reason is I'm trying to manage sudo rights for teams and the sudo ruleset is getting out of hand as no globs I've tried are working except for maybe an '*' in a pathname. I'm trying to keep things secure; I'd like to allow members of a certain group to manage the services they're responsible for. These are dev guys so there's a fair bit of management involved.
> >>
> >> Initially, I would create a rule for systemctl start, another for stop, etc for status, reload and restart. Then I have to add the journalctl rules for seeing the current logs and the tail options for those.
> >>
> >> In trying to make things easier when adding rules, and knowing globs should be supported, I was hoping to simplify things to:
> >>
> >> /usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
> >> /usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])
> >>
> >> But alas, none of this is working; what does work is a long list of rules specific to each separate instantiated service, which is getting really tiresome and error-prone. Is there anything I can do to ease maintaining these rules, or do I give up and look at using Ansible to automate FreeIPA sudo rules?
> >
> > It may very well depend on the version of sudo you have on the client(s)
> > whether regular expressions are supported or not.
> >
> > IPA is only a container for the rules. It just passes them along to
> > sudo. I'd suggest checking with the sudo team as well.
> >
> > There may also be distribution-based idiosyncrasies.
> >
> > rob
>
> Thank you, I’ll check there as well. It’s mostly Ubuntu 20.04 here with a few Debian 10 and CentOS 7 machines as well. So far I’ve seen no difference between them.
>
> Djerk
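As an added example (not code from the thread, from FreeIPA or from sudo itself), the following Python models the argument matching that sudoers(5) documents: the user's arguments are matched as one space-joined string against the rule's argument pattern using fnmatch(3)-style globs (`*`, `?`, `[...]`), so shell extglob forms like `+(...)` and alternation `(a|b)` are taken literally, and a `*` matches across word boundaries. The verb and unit names (`nodejs@api`, `nodejs@worker`, alias `NODEJS_CTL`) are constructed for the example.

```python
from fnmatch import fnmatchcase

# Model of sudoers(5) argument matching (added example, not sudo's own code).
# sudo 1.9.10 and later also accept ^...$ regular expressions; the 1.8
# series only globs, which is what this model covers.

def sudoers_args_match(rule_args, argv):
    """rule_args: None = any arguments allowed (bare command in the rule),
    "" = no arguments allowed (the "" form in sudoers), otherwise a glob.
    sudoers joins the user's arguments into one string before matching,
    so a '*' in the pattern can also swallow further words."""
    joined = " ".join(argv)
    if rule_args is None:
        return True
    if rule_args == "":
        return joined == ""
    return fnmatchcase(joined, rule_args)

def permitted(rule_set, command, argv):
    """rule_set: list of (path, rule_args) pairs, the shape of a Cmnd_Alias."""
    return any(path == command and sudoers_args_match(args, argv)
               for path, args in rule_set)

def explicit_rules(verbs, units):
    """One fully spelled-out entry per verb/unit: what a generated
    /etc/sudoers.d/ fragment would contain (constructed sample values)."""
    return [("/usr/bin/systemctl", f"{verb} nodejs@{unit}")
            for verb in verbs for unit in units]

def render_cmnd_alias(name, rule_set):
    """Render a rule_set as a single Cmnd_Alias line."""
    return f"Cmnd_Alias {name} = " + ", ".join(
        f"{path} {args}".rstrip() for path, args in rule_set)

if __name__ == "__main__":
    glob_rule = "restart nodejs@[a-zA-Z]*"
    # Character classes match one character; '*' then matches anything,
    # including a space and a second unit name.
    for argv in (["restart", "nodejs@api"], ["restart", "nodejs@api", "sshd"]):
        print(argv, "->", sudoers_args_match(glob_rule, argv))
    rules = explicit_rules(["start", "stop", "restart"], ["api", "worker"])
    print(render_cmnd_alias("NODEJS_CTL", rules))
```

The run shows the glob form accepting `restart nodejs@api sshd` as well as the intended unit, while the enumerated Cmnd_Alias only accepts the exact verb/unit pairs it lists.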