Currently, when I want to grant certain user groups permission to edit files, I do it as follows:
ipa sudocmd-add --desc='Vi IMproved default-mode, no-exec, no-suspend mode' '/usr/bin/rvim'
ipa sudocmdgroup-add edition --desc='commands for restricted edition'
ipa sudocmdgroup-add-member edition --sudocmds=/usr/bin/rvim
ipa sudorule-add edition-4-operators --desc='Operator access to restricted edition commands'
ipa sudorule-add-allow-command edition-4-operators --sudocmdgroups=edition
Then come other options related to HBAC, SELinux, and so on.
I would like to replace /usr/bin/rvim with the built-in sudoedit(8) in all the modules of my freeIPA server.
Do I need to declare sudoedit as a sudocmd as usual? Can I add sudoedit directly to a sudocmdgroup without first declaring it as a sudocmd?
Posted on 2013-04-16 12:25:12
This is the way to do it (in fact, a practical example):
# ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables'
--------------------------------------------------------------
Added Sudo Command "sudoedit /etc/sysconfig/iptables"
--------------------------------------------------------------
Sudo Command: sudoedit /etc/sysconfig/iptables
Description: sudoedit configuration file of IPv4 packet filtering and NAT
# ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables'
Sudo Command Group: networking
Description: commands for network configuration and troubleshooting
Member Sudo commands: sudoedit /etc/sysconfig/iptables
-------------------------
Number of members added 1
-------------------------
sudoedit is a sudo built-in:
# ls -lrt /usr/bin/sudoedit
lrwxrwxrwx. 1 root root 4 Apr 8 09:00 /usr/bin/sudoedit -> sudo*
If you try to add the sudo command using /usr/bin/sudoedit, it will fail with the following error:
$ sudo -e /etc/sysconfig/iptables
Sorry, user joe is not allowed to execute 'sudoedit /etc/sysconfig/iptables' as root on host.domain.com.
Works correctly for both sudo -e and sudoedit.
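The difference the answer describes between `sudoedit <file>` and `/usr/bin/sudoedit <file>` can be checked across existing entries. The following is an added example, not part of the original post: a shell lint over `Sudo Command:` lines in the format shown in the output above (for instance from `ipa sudocmd-find`). The verdict names, the editor list and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FreeIPA sudo command entries for sudoedit usage.

# Print a verdict for one sudo command string.
classify_sudocmd() {
    prog=${1%% *}                  # first word is the command name
    case $prog in
        */sudoedit) echo PATH_FORM; return ;;  # leading path: the form the answer saw denied
        sudoedit)   ;;                         # built-in name: check its arguments below
        */vi|*/vim|*/rvim|*/nano|*/emacs)
                    echo EDITOR; return ;;     # editor run as root instead of sudoedit
        *)          echo OTHER; return ;;
    esac
    case $1 in
        sudoedit)       echo ANY_FILE ;;   # no file argument: sudoers matches any file
        *\**|*\?*|*\[*) echo WILDCARD ;;   # glob may match more files than intended
        "sudoedit /"*)  echo OK ;;         # built-in name plus an absolute path
        *)              echo RELATIVE ;;   # file argument is not an absolute path
    esac
}

# Read `ipa sudocmd-find`-style text on stdin, print "VERDICT<TAB>command".
audit_sudocmds() {
    while IFS= read -r line; do
        case $line in
            *"Sudo Command: "*)
                cmd=${line#*"Sudo Command: "}
                printf '%s\t%s\n' "$(classify_sudocmd "$cmd")" "$cmd" ;;
        esac
    done
}

# Constructed sample in the "Sudo Command:" format shown in the answer's output.
sample_entries() {
    cat <<'EOF'
  Sudo Command: sudoedit /etc/sysconfig/iptables
  Description: constructed sample
  Sudo Command: /usr/bin/sudoedit /etc/sysconfig/iptables
  Sudo Command: sudoedit
  Sudo Command: sudoedit /etc/sysconfig/*
  Sudo Command: /usr/bin/rvim
EOF
}

sample_entries | audit_sudocmds
```

Entries reported as anything other than OK or OTHER are the ones to review before relying on a rule.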
https://serverfault.com/questions/499452