[Freeipa-users] FreeIPA and sudo Defaults

Pavel Březina pbrezina at redhat.com
Wed Aug 5 09:10:10 UTC 2015


On 08/04/2015 11:57 AM, Innes, Duncan wrote:
> Hi folks,
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands.  When I put the following into
> /etc/sudoers.d/foreman:
> [root at puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root at puppet01 ~]#
>
> [innesd at puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
> !requiretty
> User innesd may run the following commands on this host:
>      (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
>      (root) /bin/su
> [innesd at puppet01 ~]$
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused.  This looks to be down to
> the lack of !requiretty coming through for the users:
> [root at ipa01 ~]# ipa sudorule-show foreman-proxy
>    Rule name: foreman-proxy
> Enabled: TRUE
>    User category: all
>    Hosts: puppet02.example.com, puppet01.example.com,
> puppet03.example.com, puppet04.example.com
>    Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
>    Sudo Option: !authenticate, !requiretty
> [root at ipa01 ~]#
> and once I've removed the #includedir option from my local sudoers file,
> I get the following as my user:
> [innesd at puppet01 ~]$ sudo -l
> User innesd may run the following commands on this host:
>      (root) /bin/su
>      (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> [innesd at puppet01 ~]$
> where the noticeable difference is that the !requiretty isn't listed
> under any "Matching Defaults entries" for my user.  With the rule set up
> like this, I can run the command in a tty, but the foreman-proxy user is
> denied when the command is run without a tty.
> How do I go about setting the Defaults for the foreman-proxy user?  Once
> my testing is done, I'd like to move the rule to run only against the
> foreman-proxy external user rather than all users.

Can you also provide sudo logs please?

> And a small follow-up question: how long should I expect it to take for
> a change to the sudo rule on my IPA server to become available on the
> client?  I keep doing sss_cache -E to clear the cache, but it still
> seems to take its own sweet time to be changed on the client.  It's not
> a huge wait - just a bit of a pain when I'm testing these changes.

Please set entry_cache_sudo_timeout = 0 in your domain for testing 
purposes. You can also look at ldap_sudo_full_refresh_interval and 
ldap_sudo_smart_refresh_interval, which say how often sssd searches for 
new/modified rules.

> Thanks in advance,
> Duncan Innes
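As an added example (my own script, not from the thread or from the FreeIPA/SSSD projects): it parses `sudo -l` listings like the two above, copied here as constructed sample input, and reports whether !requiretty is among the Matching Defaults and which commands run NOPASSWD, which is exactly the difference Duncan points out between the local and the IPA-served rule. The helper names are mine.

```python
import re
# Constructed sample: 'sudo -l' with the local /etc/sudoers.d rule in place.
LOCAL_SUDO_L = """\
Matching Defaults entries for innesd on this host:
    !requiretty
User innesd may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
    (root) /bin/su
"""
# Constructed sample: the same host once the rule is served by IPA only.
IPA_SUDO_L = """\
User innesd may run the following commands on this host:
    (root) /bin/su
    (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
"""

def _parse_command_line(line):
    """One command line -> [(runas, nopasswd, command)]. As in sudoers, a
    Runas_Spec and a NOPASSWD/PASSWD tag carry over within the list."""
    runas, nopasswd, out = None, False, []
    for item in (i.strip() for i in line.split(",")):
        m = re.match(r"\(([^)]*)\)\s*(.*)", item)
        if m:
            runas, item = m.group(1), m.group(2)
        while (m := re.match(r"([A-Z]+):\s*(.*)", item)):
            tag, item = m.group(1), m.group(2)
            if tag in ("NOPASSWD", "PASSWD"):
                nopasswd = tag == "NOPASSWD"
        out.append((runas, nopasswd, item))
    return out

def parse_sudo_l(text):
    """Return (matching_defaults, commands) parsed from 'sudo -l' output."""
    defaults, commands, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("User ") and " may run " in line:
            section = "commands"
        elif line.strip() and section == "defaults":
            defaults += [d.strip() for d in line.split(",") if d.strip()]
        elif line.strip() and section == "commands":
            commands += _parse_command_line(line)
    return defaults, commands

def diagnose(text):
    """Is requiretty disabled for this user, and what runs NOPASSWD?"""
    defaults, commands = parse_sudo_l(text)
    return {"requiretty_disabled": "!requiretty" in defaults,
            "nopasswd_commands": [c for _, np, c in commands if np]}
```

Feed it the output of `sudo -l` for the foreman-proxy user on each host to see at a glance whether the IPA rule's !requiretty option is actually reaching the client.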
