[Freeipa-users] FreeIPA and sudo Defaults
Jakub Hrozek
jhrozek at redhat.com
Tue Aug 4 12:34:58 UTC 2015
On Tue, Aug 04, 2015 at 10:57:34AM +0100, Innes, Duncan wrote:
> Hi folks,
>
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands. When I put the following into
> /etc/sudoers.d/foreman:
>
> [root at puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root at puppet01 ~]#
>
> [innesd at puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
> !requiretty
>
> User innesd may run the following commands on this host:
> (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
> (root) /bin/su
> [innesd at puppet01 ~]$
>
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
>
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused. This looks to be down to
> the lack of !requiretty coming through for the users:
>
> [root at ipa01 ~]# ipa sudorule-show foreman-proxy
> Rule name: foreman-proxy
> Enabled: TRUE
> User category: all
> Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
> Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Sudo Option: !authenticate, !requiretty
> [root at ipa01 ~]#
I'm adding Pavel Brezina who might have some hints.
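As an added example (not code from the thread or from FreeIPA), here is a small Python helper that parses the sudoers.d subset quoted above, emits the equivalent ipa sudorule-* CLI calls, and diffs the local per-user Defaults and command list against an "ipa sudorule-show" listing, so the local fragments can be audited before they are retired. The rule names "sudo-<user>" and the one-rule-per-user layout are assumptions; both sample inputs are constructed from the text of the thread.

```python
"""Audit helper for migrating /etc/sudoers.d fragments into IPA sudo rules.
Added example, not code from the thread: parses the sudoers subset quoted
above, emits the equivalent ipa CLI calls, and diffs per-user Defaults and
commands against an 'ipa sudorule-show' listing.  Rule names 'sudo-<user>'
are an assumed convention."""
import re
import shlex

# Constructed sample: the /etc/sudoers.d/foreman fragment from the thread.
SAMPLE_SUDOERS = """\
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
"""
# Constructed sample: 'ipa sudorule-show' output in the shape quoted above.
SAMPLE_SHOW = """\
Rule name: foreman-proxy
Enabled: TRUE
User category: all
Hosts: puppet01.example.com, puppet02.example.com
Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Sudo Option: !authenticate, !requiretty
"""

# 'user host = (runas) TAG: cmd, cmd'  (runas and tags optional)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# 'Defaults:user opt, opt'
DEFAULTS_RE = re.compile(r"^Defaults:(?P<user>\S+)\s+(?P<opts>.+)$")

def _csv(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse_sudoers(text):
    """Return ({user: rule}, {user: [option]}) for the supported subset."""
    rules, defaults = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            defaults.setdefault(m["user"], []).extend(_csv(m["opts"]))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        rules[m["user"]] = {"host": m["host"], "runas": m["runas"] or "root",
                            "nopasswd": "NOPASSWD" in tags,
                            "commands": _csv(m["cmds"])}
    return rules, defaults

def expected_options(user, rules, defaults):
    """Options the IPA rule must carry to match the local rule: the per-user
    Defaults plus '!authenticate', the IPA spelling of NOPASSWD."""
    opts = list(defaults.get(user, []))
    if rules[user]["nopasswd"] and "!authenticate" not in opts:
        opts.append("!authenticate")
    return opts

def to_ipa_commands(rules, defaults, hosts):
    """ipa CLI calls reproducing each local rule; sudoers 'ALL' hosts are
    replaced by the explicit host list passed in."""
    q, cmds = shlex.quote, []
    for user, rule in rules.items():
        name = "sudo-" + user          # assumed naming convention
        cmds.append("ipa sudorule-add %s" % q(name))
        cmds.append("ipa sudorule-add-user %s --users=%s" % (q(name), q(user)))
        for h in hosts:
            cmds.append("ipa sudorule-add-host %s --hosts=%s" % (q(name), q(h)))
        for c in rule["commands"]:
            cmds.append("ipa sudocmd-add %s" % q(c))
            cmds.append("ipa sudorule-add-allow-command %s --sudocmds=%s"
                        % (q(name), q(c)))
        for o in expected_options(user, rules, defaults):
            cmds.append("ipa sudorule-add-option %s --sudooption=%s"
                        % (q(name), q(o)))
    return cmds

def parse_sudorule_show(text):
    """'Key: value' lines from ipa sudorule-show as a dict; list-valued
    attributes are split on commas."""
    rule = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(": ")
        if sep:
            rule[key] = (_csv(val) if key in ("Hosts", "Sudo Allow Commands",
                                             "Sudo Option") else val)
    return rule

def missing_in_ipa(rules, defaults, ipa_rule):
    """Per user, the local options and commands the IPA rule does not carry."""
    have_opts = set(ipa_rule.get("Sudo Option", []))
    have_cmds = set(ipa_rule.get("Sudo Allow Commands", []))
    report = {}
    for user in rules:
        gaps = ([o for o in expected_options(user, rules, defaults)
                 if o not in have_opts]
                + [c for c in rules[user]["commands"] if c not in have_cmds])
        if gaps:
            report[user] = gaps
    return report

if __name__ == "__main__":
    r, d = parse_sudoers(SAMPLE_SUDOERS)
    print("\n".join(to_ipa_commands(r, d, ["puppet01.example.com"])))
    print("gaps:", missing_in_ipa(r, d, parse_sudorule_show(SAMPLE_SHOW)))
```

Run against the samples it prints the ipa calls for both users and an empty gap report, since the quoted IPA rule already carries both !authenticate and !requiretty; feeding it the real sudorule-show output for a host where a user is refused shows at a glance whether the option or the command is what failed to come through.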