As FreeIPA admin, I want to administer local machines enrolled into an IPA domain.
Members of the IPA admins group are considered "global admins", but by default they are not allowed to run sudo commands. This is somewhat of an "unbreak my configuration" step, since members of admins can give this privilege to themselves. So it should just be done by default, to simplify installation and documentation.
First, run ipa-client-install on a fresh machine, and enroll into the realm. Then log in as admin@machine:
```
$ id
uid=953000000(admin) gid=953000000(admins) groups=953000000(admins) context=[...]
$ sudo whoami
[sudo] password for admin:
admin is not allowed to run sudo on x0.  This incident will be reported.
```
But admin can allow it to themselves:
```
$ ipa sudorule-add --hostcat=all --cmdcat=all All
$ ipa sudorule-add-user --groups=admins All
```
Now wait a bit for the caches to expire, or reboot the computer, or log into a different machine in the same realm.
```
$ sudo whoami
[sudo] password for admin:
root
```
So adding such a rule by default does not change any security properties of the system, just makes the setup more convenient.
freeipa-server-4.6.90.pre1-6.1.fc28.x86_64
If it isn't desirable to do this by default for some reason, it could also become an ipa advise hint. (Thanks to @abbra for pointing this out)
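The procedure in the report, turned into a re-runnable script with a verification step. This is an added example, not code from the ticket or from the FreeIPA project. The rule name All and the admins group are the ticket's; everything else is an assumption to check against your version: that `ipa sudorule-show` prints the `Enabled`, `Host category`, `Command category` and `User Groups` labels as parsed below, that `sss_cache -R` drops SSSD's cached sudo rules (so you need not wait for expiry or reboot), and that the client uses the sssd sudo provider that ipa-client-install configures by default.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): grant the IPA "admins" group sudo
# on every enrolled host, idempotently, verify the server-side rule, and flush
# the client-side caches instead of waiting or rebooting.
# Assumptions: field labels of `ipa sudorule-show`, `sss_cache -R`, sssd sudo
# provider on the client. Rule name and group come from the ticket.
set -eu

RULE_NAME="${RULE_NAME:-All}"
ADMIN_GROUP="${ADMIN_GROUP:-admins}"

# Read `ipa sudorule-show` output on stdin; succeed only if the rule is enabled,
# covers all hosts and all commands, and lists $1 among its member groups.
# Group names are compared whole, so "admins" does not match "admins-ro".
sudorule_grants_group() {
    awk -v grp="$1" '
        /^ *Enabled: TRUE$/         { enabled = 1 }
        /^ *Host category: all$/    { hostcat = 1 }
        /^ *Command category: all$/ { cmdcat = 1 }
        /^ *User Groups: / {
            sub(/^ *User Groups: /, "")
            n = split($0, g, /, */)
            for (i = 1; i <= n; i++) if (g[i] == grp) member = 1
        }
        END { exit !(enabled && hostcat && cmdcat && member) }
    '
}

# Server side: create the rule and the group membership only when missing, so
# re-running is harmless. Needs a valid admin Kerberos ticket (kinit admin).
ensure_admins_sudorule() {
    if ! ipa sudorule-show "$RULE_NAME" >/dev/null 2>&1; then
        ipa sudorule-add "$RULE_NAME" --hostcat=all --cmdcat=all
    fi
    if ! ipa sudorule-show "$RULE_NAME" |
            grep -Eq "^ *User Groups: (.*, )?$ADMIN_GROUP(,|\$)"; then
        ipa sudorule-add-user "$RULE_NAME" --groups="$ADMIN_GROUP"
    fi
    # Fail loudly if the stored rule still does not say what we expect
    # (for example because someone disabled it).
    ipa sudorule-show "$RULE_NAME" | sudorule_grants_group "$ADMIN_GROUP"
}

# Client side, run as local root (the whole point is that admin cannot sudo
# yet): drop SSSD's cached sudo rules and sudo's own credential cache, then
# list what the given user may now run.
refresh_client_sudo() {
    sss_cache -R          # assumed: invalidates all cached sudo rules
    sudo -k               # forget sudo's cached credentials
    sudo -U "$1" -l       # root may list another user's sudo privileges
}

case "${1:-}" in
    server) ensure_admins_sudorule ;;
    client) refresh_client_sudo "${2:-admin}" ;;
    *)      : ;;          # no arguments: only define the functions
esac
```

Run `sh script.sh server` on a host with an admin ticket, then `sh script.sh client admin` as root on an enrolled client; `sudo -U admin -l` should now list `(ALL) ALL` for the rule, which corresponds to the `sudo whoami` returning `root` in the report.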
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1609873
Issue linked to Bugzilla: Bug 1609873
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/2349
master:
ipa-4-7:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Note that the RFE was to provide these sudo rules by default. We implemented this as an ipa-advise script instead, keeping the default still conservative.
The argument for adding by default was that an admin could add these rules themselves, so there was no protection by the existing default, but the argument against that was that this represents a big change from the previous default.