How to create a sudorule for the built-in sudoedit in freeIPA

Currently, when I want to grant a group of users permission to edit a file, I proceed as follows:


ipa sudocmd-add --desc='Vi IMproved default-mode, no-exec, no-suspend mode' '/usr/bin/rvim'
ipa sudocmdgroup-add edition --desc='commands for restricted edition'
ipa sudocmdgroup-add-member edition --sudocmds=/usr/bin/rvim
ipa sudorule-add edition-4-operators --desc='Operator access to restricted edition commands'
ipa sudorule-add-allow-command edition-4-operators --sudocmdgroups=edition

Then the remaining options related to HBAC, SELinux and so on.

I would like to replace /usr/bin/rvim with the sudoedit(8) built-in in all my sudorules on the freeIPA server.

Do I need to declare sudoedit as a sudocmd as usual? Can I add sudoedit directly to a sudocmdgroup without first declaring it as a sudocmd?

Answer 1

Here is how to do it (a real example, in fact):


#  ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables'
--------------------------------------------------------------
Added Sudo Command "sudoedit /etc/sysconfig/iptables"
--------------------------------------------------------------
  Sudo Command: sudoedit /etc/sysconfig/iptables
  Description: sudoedit configuration file of IPv4 packet filtering and NAT

#  ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables'
  Sudo Command Group: networking
  Description: commands for network configuration and troubleshooting
  Member Sudo commands: sudoedit /etc/sysconfig/iptables
-------------------------
Number of members added 1
-------------------------

Using sudoedit as a sudo built-in command

# ls -lrt /usr/bin/sudoedit
lrwxrwxrwx. 1 root root 4 Apr  8 09:00 /usr/bin/sudoedit -> sudo*

Trying to add a sudorule using /usr/bin/sudoedit will fail with the following error:

$ sudo -e /etc/sysconfig/iptables
Sorry, user joe is not allowed to execute 'sudoedit /etc/sysconfig/iptables' as root on host.domain.com.

Both sudo -e and sudoedit work correctly.
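The answer above registers the literal string "sudoedit /etc/sysconfig/iptables" as the sudocmd, rather than the /usr/bin/sudoedit path. The following helper, added here as an illustration and not part of the original answer, builds that sudocmd string for any file, refuses paths that would make the rule wider or unmatched (relative paths, whitespace, shell wildcards), and prints the two ipa commands that register it. The functions ipa_sudoedit_cmd and ipa_sudoedit_plan are assumptions of this example; it only prints the ipa commands so it can be checked without an IPA server, and the sudocmdgroup is assumed to exist already, as "networking" does in the answer's transcript.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds the exact "sudoedit <file>" sudocmd string that the answer registers
# in freeIPA and prints the ipa commands needed; nothing is run against IPA.

# Return the canonical sudocmd string for one file, or fail if the path is unsafe.
# sudoedit rules must name an absolute path: a relative path never matches, and
# whitespace or a wildcard would either break the rule or let it cover more
# than the single file that was intended.
ipa_sudoedit_cmd() {
    path="$1"
    case "$path" in
        /*) ;;                                                    # absolute: fine
        *)  echo "error: '$path' is not an absolute path" >&2; return 1 ;;
    esac
    case "$path" in
        *[[:space:]]*) echo "error: '$path' contains whitespace" >&2; return 1 ;;
        *\**|*\?*|*\[*) echo "error: '$path' contains a wildcard" >&2; return 1 ;;
    esac
    printf 'sudoedit %s\n' "$path"
}

# Print the ipa commands that register "sudoedit <file>" as a sudocmd and add it
# to an existing sudocmdgroup. Arguments: group name, description, file path.
ipa_sudoedit_plan() {
    group="$1"; desc="$2"; path="$3"
    cmd=$(ipa_sudoedit_cmd "$path") || return 1
    printf "ipa sudocmd-add --desc='%s' '%s'\n" "$desc" "$cmd"
    printf "ipa sudocmdgroup-add-member %s --sudocmds='%s'\n" "$group" "$cmd"
}

# Usage with the values from the answer (group "networking" assumed to exist):
ipa_sudoedit_plan networking \
    'sudoedit configuration file of IPv4 packet filtering and NAT' \
    /etc/sysconfig/iptables
```

The printed lines are the same two commands the answer ran by hand; once a file passes the checks they can be executed as-is with an admin Kerberos ticket. Restricting the sudocmd to one absolute, wildcard-free file is what keeps the resulting sudorule limited to editing exactly that file.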
