Traditional sudoers files allow specifying ALL for granting complete command access, but FreeIPA's RBAC model implements this differently through sudo command groups. Here's the technical reality:
# Traditional sudoers entry
username ALL=(ALL) ALL
# FreeIPA equivalent requires different implementation
FreeIPA actually supports wildcards through POSIX regex patterns. For full access:
ipa sudocmd-add --desc='Full administrative access' '/.*'
ipa sudocmdgroup-add --desc='All commands' all_commands
ipa sudocmdgroup-add-member --sudocmds='/.*' all_commands
Here's the complete workflow to create an equivalent to ALL:
- First create the wildcard command:
ipa sudocmd-add --desc='Match all commands' '/.*'
- Create the command group:
ipa sudocmdgroup-add --desc='All commands' all_cmds
- Add the wildcard to the group:
ipa sudocmdgroup-add-member --sudocmds='/.*' all_cmds
- Create the sudo rule:
ipa sudorule-add --hostcat=all --runasusercat=all full_access
- Connect the command group:
ipa sudorule-add-allow-command --sudocmdgroups=all_cmds full_access
After implementation, verify with:
ipa sudorule-show full_access
# Should show:
# Member Sudo Command Groups: all_cmds
# ...
# Enabled: TRUE
While this provides ALL-equivalent access, consider these security best practices:
- Use host-based restrictions (--hostcat parameter)
- Implement time-based restrictions
- Combine with other FreeIPA features like HBAC rules
If the wildcard doesn't work:
- Check IPA server version (requires 4.0+)
- Verify client SSSD configuration includes:
sudo_provider = ipa
ipa_server = _srv_
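A server-side check for the verification step in the answer above, written as an added example (it is not code from the answer or from the FreeIPA project). It parses the "Label: value" lines that ipa sudorule-show prints and applies the answer's own recommendations as checks: the rule must be enabled and attached to the expected command group, and a rule that applies to every host or runs as any user is reported so a host-based restriction can be considered. The sample output, the label names it assumes, and the function names check_rule() and parse_show() are this example's own.

```python
"""Check the state of a FreeIPA sudo rule from `ipa sudorule-show` output.

Added example, not code from the answer above or from FreeIPA. Pipe live
output into it (`ipa sudorule-show full_access | python3 check_rule.py`)
or run it with no input to evaluate the constructed sample.
"""
import sys

# Constructed sample modelled on the "Should show" comment in the answer.
# The label names are assumptions, not a real capture.
SAMPLE_SHOW = """\
  Rule name: full_access
  Enabled: TRUE
  Host category: all
  RunAs User category: all
  Member Sudo Command Groups: all_cmds
"""


def parse_show(text):
    """Turn `ipa sudorule-show` output into {label: [values]}.

    Multi-valued attributes are printed comma-separated on one line, so each
    value is split out; labels are lower-cased to make lookups forgiving.
    """
    attrs = {}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        label, value = raw.split(":", 1)
        attrs[label.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def check_rule(text, expected_groups=("all_cmds",)):
    """Return (ok, findings); ok is False only for hard failures."""
    attrs = parse_show(text)
    findings = []
    ok = True

    if attrs.get("enabled") != ["TRUE"]:
        findings.append("FAIL: rule is not enabled")
        ok = False

    # Older and newer ipa releases label the group attribute differently
    # (assumption); accept either spelling.
    groups = set(attrs.get("member sudo command groups", []))
    groups |= set(attrs.get("sudo allow command groups", []))
    missing = [g for g in expected_groups if g not in groups]
    if missing:
        findings.append("FAIL: expected command group(s) not attached: " + ", ".join(missing))
        ok = False

    # Category 'all' is the broad setting the answer's best practices warn about.
    if attrs.get("host category") == ["all"]:
        findings.append("WARN: applies to every host; prefer explicit hosts or host groups over --hostcat=all")
    if attrs.get("runas user category") == ["all"]:
        findings.append("WARN: may run commands as any user, including root")

    return ok, findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW
    rule_ok, rule_findings = check_rule(data)
    for finding in rule_findings:
        print(finding)
    sys.exit(0 if rule_ok else 1)
```

The exit status makes it usable as a post-deployment gate: hard failures (disabled rule, wrong command group) return non-zero, while the two category warnings only print, since the answer's workflow sets both categories to all deliberately.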
FreeIPA implements a more granular approach to sudo command management compared to traditional /etc/sudoers files. While this provides better security control, it requires understanding how to achieve equivalent functionality to the common ALL wildcard.
FreeIPA doesn't directly support the ALL wildcard like in sudoers files. You can't simply specify * or ALL in command definitions. The system requires explicit command paths or well-designed command groups.
Here are three methods to achieve ALL command access:
1. Comprehensive Command Group
Create a group containing all essential commands:
# Create command group
ipa sudocmdgroup-add --desc 'Full administrative access' all_commands
# Add common command paths
ipa sudocmd-add '/bin/*'
ipa sudocmd-add '/sbin/*'
ipa sudocmd-add '/usr/bin/*'
ipa sudocmd-add '/usr/sbin/*'
# Add them to the group
ipa sudocmdgroup-add-member --sudocmds '/bin/*' all_commands
ipa sudocmdgroup-add-member --sudocmds '/sbin/*' all_commands
ipa sudocmdgroup-add-member --sudocmds '/usr/bin/*' all_commands
ipa sudocmdgroup-add-member --sudocmds '/usr/sbin/*' all_commands
2. Using Directory Wildcards
FreeIPA does support limited wildcards in command paths:
# Single command with wildcard
ipa sudocmd-add '/bin/*'
ipa sudocmd-add '/usr/bin/*'
# Then create sudo rule using these
ipa sudorule-add --hostcat=all full_access
ipa sudorule-add-allow-command --sudocmds '/bin/*' full_access
ipa sudorule-add-allow-command --sudocmds '/usr/bin/*' full_access
3. Combining with RunAs Specifications
For comprehensive access, combine with RunAs settings:
# Create rule with wildcard commands
ipa sudorule-add --hostcat=all full_admin_access
ipa sudorule-add-allow-command --sudocmds '/bin/*' full_admin_access
ipa sudorule-add-allow-command --sudocmds '/usr/bin/*' full_admin_access
ipa sudorule-add-runasuser --users root full_admin_access
While these methods provide ALL-like access, they have security implications:
- Directory wildcards might be too permissive
- Consider creating separate rules for different privilege levels
- Regularly audit sudo command usage through FreeIPA reports
Check the effective sudo rules on a client:
sudo -l
# Or for specific user:
sudo -l -U username
For FreeIPA server-side verification:
ipa sudorule-show full_access
ipa sudocmdgroup-show all_commands
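An audit helper for the client-side verification step above, added here as an example (it is not code from the answer, from FreeIPA or from sudo). It parses the "may run the following commands" section of sudo -l output and flags entries that grant ALL-equivalent, directory-wide, or passwordless access, which is the "directory wildcards might be too permissive" point made above. It also models sudoers' path-matching rule that a * in a path never matches a / so a reviewer can see which binaries a spec like /bin/* admits. The sudo -l text is a constructed sample, and audit(), parse_sudo_l() and sudoers_path_matches() are names chosen for this example.

```python
"""Audit the effective sudo privileges reported by `sudo -l -U <user>`.

Added example, not code from the answer above, FreeIPA or sudo. Run it
against the constructed sample below, or feed it real `sudo -l` output.
"""
import re

# Constructed sample of `sudo -l -U alice` output (not a real capture).
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host1:
    !visiblepw, env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host1:
    (ALL) ALL
    (root) /bin/*, /usr/bin/*
    (root) NOPASSWD: /usr/bin/systemctl restart httpd
    (ALL : ALL) /usr/sbin/ipa-client-install
"""

# One privilege line: (runas[ : rungroup]) [TAG: ...] command[, command...]
ENTRY_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.*)$")


def parse_sudo_l(text):
    """Return one {'runas', 'tags', 'command'} dict per command in the privileges section."""
    entries, in_cmds = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_cmds = True
            continue
        match = ENTRY_RE.match(line) if in_cmds and line else None
        if not match:
            continue
        runas, tags, cmds = match.groups()
        entry_tags = set(re.findall(r"([A-Z]+):", tags))
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({"runas": runas.split(":")[0].strip(),
                                "tags": entry_tags, "command": cmd})
    return entries


def sudoers_path_matches(pattern, path):
    """Model sudoers path matching: a shell-style glob where '*' and '?' do not cross '/'."""
    regex = ""
    for ch in pattern:
        if ch == "*":
            regex += "[^/]*"
        elif ch == "?":
            regex += "[^/]"
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, path) is not None


def audit(text):
    """Return (runas, command, issue) triples for entries worth a second look."""
    findings = []
    for entry in parse_sudo_l(text):
        command, runas = entry["command"], entry["runas"]
        path = command.split()[0]  # sudo matches the pattern against the path; args are separate
        if command == "ALL":
            findings.append((runas, command, "full command access (ALL)"))
        elif path.endswith("/*"):
            findings.append((runas, command, "every binary in a directory"))
        elif any(c in path for c in "*?["):
            findings.append((runas, command, "wildcard in path"))
        if "NOPASSWD" in entry["tags"]:
            findings.append((runas, command, "no password required"))
    return findings


if __name__ == "__main__":
    for runas, cmd, issue in audit(SAMPLE_SUDO_L):
        print(f"({runas}) {cmd}: {issue}")
    print(sudoers_path_matches("/bin/*", "/bin/bash"))      # /bin/* admits any file directly in /bin
    print(sudoers_path_matches("/bin/*", "/bin/sub/tool"))  # but not a path in a subdirectory
```

Running the audit on every host a rule applies to, rather than on the FreeIPA server alone, is what shows the privileges as sudo actually evaluates them after SSSD has delivered the rule; the ALL and directory-wildcard findings are the ones to compare against the privilege levels the answer suggests splitting into separate rules.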