[Freeipa-devel] [PATCH] 113 Add missing attribute labels for sudorule

Rob Crittenden rcritten at redhat.com
Wed Aug 17 20:12:35 UTC 2011


Martin Kosek wrote:
> I had doubts how to name ipasudorunasgroup_group attribute, this is the
> result. Btw what is the difference between attributes
> ipasudorunasgroup_group and ipasudorunas_group?
>

ACK

This confused me as well so I double-checked with JR.

ipasudorunasgroup sets the gid to <group> when executing the command.

ipasudorunas group sets a group of allowed users to run a command as. 
JR's example was: sudo -u rcrit /bin/less

If rcrit is in either the ipasudorunas user or group then you can run 
the command as me.

I opened ticket 1657 to improve the documentation. I think connecting it 
to the sudo options and/or providing examples like this will help.

pushed to master and ipa-2-1

rob
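
The distinction described above, written as plain sudoers rules. This is an added illustration, not part of the original message or of FreeIPA's code; the user `alice` and the groups `rcrit_peers` and `operators` are constructed names, and the mapping of each attribute to sudoers syntax is this example's assumption.

```sudoers
# ipasudorunas (user): rcrit is listed directly as a permitted target user.
#   alice$ sudo -u rcrit /bin/less
alice ALL = (rcrit) /bin/less

# ipasudorunas (group): every member of rcrit_peers is a permitted target user.
# The same command succeeds as long as rcrit belongs to rcrit_peers.
#   alice$ sudo -u rcrit /bin/less
alice ALL = (%rcrit_peers) /bin/less

# ipasudorunasgroup: the command keeps alice's uid but runs with gid operators.
#   alice$ sudo -g operators /bin/less
alice ALL = (: operators) /bin/less
```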



