主页 / server / 问题 / 499452
Accepted
dawud
Asked: 2013-04-16 02:33:43 +0800 CST

如何在 freeIPA 中为内置的 sudoedit 创建一个 sudorule

  • 772

目前,当我想授予某些用户组编辑文件的权限时,我会按如下方式进行:


ipa sudocmd-add --desc=Vi IMproved default-mode, no-exec, no-suspend mode' '/usr/bin/rvim'
ipa sudocmdgroup-add edition --desc='commands for restricted edition'
ipa sudocmdgroup-add-member edition --sudocmds=/usr/bin/rvim
ipa sudorule-add edition-4-operators --desc='Operator access to restricted edition commands'
ipa sudorule-add-allow-command edition-4-operators --sudocmdgroups=edition

然后是与 HBAC、SELinux 等相关的其余选项。

我想用我的freeIPA服务器的所有 sudorules 中/usr/bin/rvim的内置替换。sudoedit(8)

我需要像往常一样申报sudoeditsudocmd?我可以直接添加sudoeditsudocmdgroup而不声明它sudocmd之前吗?

linux

1 个回答

  1. Best Answer

    这是这样做的方法(实际上,一个实际的例子):

    
#  ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables'
--------------------------------------------------------------
Added Sudo Command "sudoedit /etc/sysconfig/iptables"
--------------------------------------------------------------
  Sudo Command: sudoedit /etc/sysconfig/iptables
  Description: sudoedit configuration file of IPv4 packet filtering and NAT

#  ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables'
  Sudo Command Group: networking
  Description: commands for network configuration and troubleshooting
  Member Sudo commands: sudoedit /etc/sysconfig/iptables
-------------------------
Number of members added 1
-------------------------

    作为 sudoedit 内置的 sudo

    # ls -lrt /usr/bin/sudoedit
lrwxrwxrwx. 1 root root 4 Apr  8 09:00 /usr/bin/sudoedit -> sudo*

    尝试使用添加 sudorule/usr/bin/sudoedit将失败并出现此错误:

    $ sudo -e /etc/sysconfig/iptables
Sorry, user joe is not allowed to execute 'sudoedit /etc/sysconfig/iptables' as root on host.domain.com.

    sudo -e对和都能正常工作sudoedit

    • 0

相关问题