Hi all,
I have a question regarding sudo command and rules in FreeIPA, is it possible to allow a user to only install packages and not remove? For example, the sudo command will look like: /usr/bin/dnf install *****
I tried to configure the sudo command as "/usr/bin/dnf install" and it didn't work. If I set the command to "/usr/bin/dnf" it works, but the user is also allowed to remove packages!
Any suggestions please?
Best regards,
On Tue, 2 Feb 2021 at 10:03, Mustapha Aissat via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi all,
I have a question regarding sudo command and rules in FreeIPA, is it possible to allow a user to only install packages and not remove? For example, the sudo command will look like: /usr/bin/dnf install *****
I tried to configure the sudo command as "/usr/bin/dnf install" and it didn't work. If I set the command to "/usr/bin/dnf" it works, but the user is also allowed to remove packages!
The sudo command only controls the commands that are allowed to be run and not arguments as that has a lot of places where such parsing can go wrong and leak out. Also many commands have some sort of built in shell mode which any parsing would be defeated by. Installing packages is by default a problematic issue because one could have an rpm which on installation removes other packages (or requires packages to be removed for it to be installed).
I would read some tutorials on what you are trying to do as I think this is actually outside of IPA and falls into normal system administration.
Any suggestions please?
Best regards,
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Tue, Feb 2, 2021 at 12:04 PM Mustapha Aissat via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi all,
I have a question regarding sudo command and rules in FreeIPA, is it
possible to allow a user to only install packages and not remove?
For example, the sudo command will look like: /usr/bin/dnf install *****
I tried to configure the sudo command as "/usr/bin/dnf install" and it didn't
work.
If I set the command to "/usr/bin/dnf" it works, but the user is also
allowed to remove packages!
Any suggestions please?
From `man sudoers(5)`, you will find that you can use the '!' operator (remember to read its limitations). For example, if you add the following in sudoers file:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove
User `admin` will be able to execute all dnf commands with sudo, but `sudo dnf remove` will fail. The problem is that `sudo dnf remove emacs` will succeed.
If you change the configuration to:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove *
Then you will have the effect you want, but `sudo dnf -y remove emacs` will remove emacs.
Changing to:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf *remove*
Will prevent `dnf remove` from being executed, but it will also prevent any dnf command that has "remove" anywhere in the command line.
Most of the suggestions I found, for similar issues, include creating a wrapper script and providing access to that script.
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
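The wrapper-script approach Rafael mentions, as an added example that is not from the thread or from the FreeIPA project. It assumes the script is installed root-owned as /usr/local/sbin/dnf-install-wrapper (a hypothetical path) and that the sudo rule, whether in FreeIPA or a local sudoers file, grants that path instead of /usr/bin/dnf. The subcommand is hard-coded, so neither `dnf remove` nor the `dnf shell` escape is reachable, and option-like arguments are refused so `--allowerasing` or a local .rpm path cannot be slipped in alongside package names:

```shell
#!/bin/sh
# dnf-install-wrapper (hypothetical path: /usr/local/sbin/dnf-install-wrapper)
# Grant sudo access to this script instead of /usr/bin/dnf, e.g. in sudoers:
#   admin ALL=/usr/local/sbin/dnf-install-wrapper
# The "install" subcommand is fixed below, so the user can never reach
# "dnf remove", "dnf shell" or any other subcommand through sudo.

# validate_pkg_args: return 0 if every argument looks like a plain package
# spec, 1 otherwise. Rejects empty args, anything starting with '-' (so no
# --allowerasing, -y, --enablerepo, ...), and any character outside a
# conservative package-name set: no '/', so local .rpm files and URLs are
# refused; no '<', '>' or '=', so version constraints are refused; no
# whitespace or shell metacharacters.
validate_pkg_args() {
  [ "$#" -ge 1 ] || return 1
  for arg in "$@"; do
    case "$arg" in
      ''|-*) return 1 ;;                    # empty or option-like
      *[!A-Za-z0-9._+@:-]*) return 1 ;;     # character outside the allowed set
      *) ;;
    esac
  done
  return 0
}

# main: validate, then hand the package list to "dnf install".
# No --allowerasing is passed, so a transaction that needs to remove a
# conflicting package fails instead of proceeding. Packages that "obsolete"
# an installed one are still replaced; that is the limit Stephen describes.
main() {
  if ! validate_pkg_args "$@"; then
    echo "usage: ${0##*/} <package> [package ...]" >&2
    echo "only plain package names are accepted; options, paths and subcommands are refused" >&2
    exit 2
  fi
  exec /usr/bin/dnf install "$@"
}

# Only act as the wrapper when invoked under its own name; sourcing the file
# (for tests) just defines the functions above.
case "${0##*/}" in
  dnf-install-wrapper) main "$@" ;;
esac
```

A word like `shell` or `remove` passes validation, but that is harmless here: it is handed to a hard-coded `dnf install`, which merely tries to install a package of that name. What the wrapper does not change is dnf's own behaviour on conflicts and obsoletes, so the audit trail still matters: sudo logs the wrapper invocation with its arguments, and the dnf transaction history records what was actually removed.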
Hi Rafael, Stephen,
Thank you for your replies. Really appreciate it. I know that it's a weird request! But I had a specific case.
Finally, I have implemented it by simply adding an asterisk at the end:
admin ALL=/usr/bin/dnf install*
Using the "!" operator has another limitation: the user can run "sudo dnf shell" and execute commands inside the dnf shell.
Thank you again for your valuable support.
Best regards, Mustapha AISSAT
On Tue, Feb 2, 2021 at 8:23 PM Rafael Jeffman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Tue, Feb 2, 2021 at 12:04 PM Mustapha Aissat via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi all,
I have a question regarding sudo command and rules in FreeIPA, is it
possible to allow a user to only install packages and not remove?
For example, the sudo command will look like: /usr/bin/dnf install *****
I tried to configure the sudo command as "/usr/bin/dnf install" and it
didn't work.
If I set the command to "/usr/bin/dnf" it works, but the user is
also allowed to remove packages!
Any suggestions please?
From `man sudoers(5)`, you will find that you can use the '!' operator (remember to read its limitations). For example, if you add the following in sudoers file:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove
User `admin` will be able to execute all dnf commands with sudo, but `sudo dnf remove` will fail. The problem is that `sudo dnf remove emacs` will succeed.
If you change the configuration to:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf remove *
Then you will have the effect you want, but `sudo dnf -y remove emacs` will remove emacs.
Changing to:
admin ALL=/usr/bin/dnf, !/usr/bin/dnf *remove*
Will prevent `dnf remove` from being executed, but it will also prevent any dnf command that has "remove" anywhere in the command line.
Most of the suggestions I found, for similar issues, include creating a wrapper script and providing access to that script.
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat