Sudo Commands
Manage individual sudo commands for use in sudo rules. Commands represent specific executables with full paths that can be permitted or denied via sudo policies. Features include command creation with descriptions, command grouping, and integration with sudo rules for fine-grained privilege escalation control.
Overview
Sudo commands represent individual executable programs with full filesystem paths that can be permitted or restricted through sudo policies in IPA. These command entries serve as building blocks for constructing fine-grained sudo rules, enabling administrators to grant specific privilege escalation capabilities while maintaining least-privilege security principles.
Each sudo command entry in IPA defines a single executable path (e.g., /usr/bin/systemctl, /bin/mount, /usr/sbin/iptables) that can be referenced in sudo rules. Commands can be grouped into sudo command groups for easier management, and both individual commands and command groups can be assigned to sudo rules controlling who can execute them, on which hosts, and as which users.
Command Path Specification
Sudo commands must specify the complete absolute path to the executable. This prevents path-based attacks where attackers place malicious programs earlier in the PATH to hijack command execution.
Correct: /usr/bin/systemctl (absolute path)
Incorrect: systemctl (relative, unsafe)
The full path ensures sudo only permits the specific executable at the specified location, not any program named “systemctl” anywhere in the filesystem.
Command Arguments and Wildcards
While IPA stores the base command path, sudo rules can specify allowed arguments. Command entries themselves don’t include arguments—those are configured in the sudo rule that references the command.
However, command paths can include wildcards for directory traversal scenarios:
/usr/bin/*permits any command in/usr/bin//home/*/bin/script.shpermitsscript.shfrom any user’s bin directory
Use wildcards sparingly, as they significantly broaden the scope of granted privileges.
Integration with Sudo Rules
Sudo commands don’t grant any privileges by themselves. They must be referenced by sudo rules to become effective:
- Create command: Define executable path in IPA
- Create/join command group (optional): Organize related commands
- Create sudo rule: Reference command(s) and specify users, hosts, and runas targets
- Activate rule: Enable the sudo rule for enforcement
Commands can be shared across multiple sudo rules, enabling reuse and consistent command definitions.
Command Descriptions
Each command should include a description explaining its purpose and why it’s defined. Good descriptions help administrators understand command intent months or years after creation:
Good: “systemctl command for service management by DevOps team” Poor: “systemctl”
Commands used as building blocks for sudo
EXAMPLES
Create a new command
ipa sudocmd-add --desc='For reading log files' /usr/bin/lessRemove a command
ipa sudocmd-del /usr/bin/less
Use Cases
Defining Safe Log Viewing Commands
Allow help desk to view log files without granting dangerous text editor capabilities.
# Create safe log viewing commands
ipa sudocmd-add /usr/bin/less --desc="Page through log files safely"
ipa sudocmd-add /usr/bin/tail --desc="View end of log files"
ipa sudocmd-add /usr/bin/grep --desc="Search log file content"
ipa sudocmd-add /usr/bin/cat --desc="Display log file content"
# Create command group for log viewing
ipa sudocmdgroup-add log-viewing --desc="Safe log file viewing commands"
ipa sudocmdgroup-add-member log-viewing \
--sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/grep,/usr/bin/cat
# Create sudo rule allowing helpdesk to view logs
ipa sudorule-add helpdesk-logs --desc="Helpdesk log viewing"
ipa sudorule-add-allow-command helpdesk-logs --sudocmdgroups=log-viewing
ipa sudorule-add-user helpdesk-logs --groups=helpdesk-team
ipa sudorule-mod helpdesk-logs --hostcat=all
# Helpdesk can now: sudo less /var/log/messages
# Cannot: sudo vi /var/log/messages (editor not in allowed commands)
Service Management for DevOps
Grant DevOps teams service restart capability without full root access.
# Define systemctl command for service management
ipa sudocmd-add /usr/bin/systemctl \
--desc="SystemD service manager for application restarts"
# Create sudo rule for application service management
ipa sudorule-add devops-services --desc="DevOps service management"
ipa sudorule-add-allow-command devops-services --sudocmds=/usr/bin/systemctl
ipa sudorule-add-user devops-services --groups=devops-team
ipa sudorule-add-host devops-services --hostgroups=app-servers
# DevOps team can restart services
# Example: sudo systemctl restart nginx
# Sudo rule can further restrict arguments to specific services
Network Diagnostics for NOC Team
Enable Network Operations Center staff to run diagnostic commands without full access.
# Create network diagnostic commands
ipa sudocmd-add /usr/bin/ping --desc="ICMP connectivity test"
ipa sudocmd-add /usr/bin/traceroute --desc="Network path tracing"
ipa sudocmd-add /usr/bin/mtr --desc="Combined ping and traceroute"
ipa sudocmd-add /usr/sbin/tcpdump --desc="Packet capture for diagnostics"
ipa sudocmd-add /usr/sbin/ip --desc="Network interface and routing management"
# Group network diagnostics
ipa sudocmdgroup-add network-diag --desc="Network diagnostic tools"
ipa sudocmdgroup-add-member network-diag \
--sudocmds=/usr/bin/ping,/usr/bin/traceroute,/usr/bin/mtr,/usr/sbin/tcpdump,/usr/sbin/ip
# Create sudo rule
ipa sudorule-add noc-diagnostics --desc="NOC network diagnostics"
ipa sudorule-add-allow-command noc-diagnostics --sudocmdgroups=network-diag
ipa sudorule-add-user noc-diagnostics --groups=noc-team
ipa sudorule-mod noc-diagnostics --hostcat=all
Database Administration Commands
Allow DBA team to manage database services and backups.
# Database service management
ipa sudocmd-add /usr/bin/pg_dump --desc="PostgreSQL database backup"
ipa sudocmd-add /usr/bin/pg_restore --desc="PostgreSQL database restore"
ipa sudocmd-add /usr/bin/psql --desc="PostgreSQL interactive client"
ipa sudocmd-add /usr/bin/systemctl --desc="Service management for database"
# Create DBA command group
ipa sudocmdgroup-add dba-tools --desc="Database administration tools"
ipa sudocmdgroup-add-member dba-tools \
--sudocmds=/usr/bin/pg_dump,/usr/bin/pg_restore,/usr/bin/psql,/usr/bin/systemctl
# Sudo rule for DBA team
ipa sudorule-add dba-operations --desc="DBA database management"
ipa sudorule-add-allow-command dba-operations --sudocmdgroups=dba-tools
ipa sudorule-add-user dba-operations --groups=dba-team
ipa sudorule-add-host dba-operations --hostgroups=database-servers
Package Management for System Administrators
Grant junior admins package installation rights without full root.
# Package management commands
ipa sudocmd-add /usr/bin/dnf --desc="DNF package manager"
ipa sudocmd-add /usr/bin/rpm --desc="RPM package manager"
ipa sudocmd-add /usr/bin/yum --desc="YUM package manager (legacy)"
# Create package management group
ipa sudocmdgroup-add package-mgmt --desc="Package installation and updates"
ipa sudocmdgroup-add-member package-mgmt \
--sudocmds=/usr/bin/dnf,/usr/bin/rpm,/usr/bin/yum
# Sudo rule for junior admins
ipa sudorule-add junior-pkg-mgmt --desc="Junior admin package management"
ipa sudorule-add-allow-command junior-pkg-mgmt --sudocmdgroups=package-mgmt
ipa sudorule-add-user junior-pkg-mgmt --groups=junior-admins
ipa sudorule-mod junior-pkg-mgmt --hostcat=all
Removing Deprecated Commands
Clean up sudo command entries that are no longer used or have been superseded.
# Find all sudo commands
ipa sudocmd-find
# Identify deprecated command
ipa sudocmd-show /usr/bin/oldtool --all
Member of Sudo command groups: legacy-tools
# Command still in use by command group
# Remove from command group first
ipa sudocmdgroup-remove-member legacy-tools --sudocmds=/usr/bin/oldtool
# Verify not used in any sudo rules
ipa sudorule-find --sudocmds=/usr/bin/oldtool
# Should return no results
# Delete deprecated command
ipa sudocmd-del /usr/bin/oldtool
Wildcard Commands for Script Directories
Allow execution of any script in a specific directory without defining each script individually.
# Create wildcard command for application scripts directory
ipa sudocmd-add "/opt/app/scripts/*" \
--desc="Any script in application scripts directory"
# Create sudo rule for app operators
ipa sudorule-add app-scripts --desc="Application script execution"
ipa sudorule-add-allow-command app-scripts --sudocmds="/opt/app/scripts/*"
ipa sudorule-add-user app-scripts --groups=app-operators
ipa sudorule-add-host app-scripts --hostgroups=app-servers
# App operators can run: sudo /opt/app/scripts/deploy.sh
# And: sudo /opt/app/scripts/backup.sh
# Without defining each script separately
# Warning: Wildcard grants broad access - ensure scripts directory is secured
Audit Sudo Command Usage
Document all defined sudo commands for compliance and security review.
# List all sudo commands
ipa sudocmd-find --all > /tmp/all-sudocmds.txt
# Show details for each command including membership
for cmd in $(ipa sudocmd-find --pkey-only | grep "Sudo command:" | awk '{print $3}'); do
echo "=== $cmd ==="
ipa sudocmd-show "$cmd" --all
echo ""
done > sudo-command-audit-report.txt
# Review report for:
# - Overly broad wildcards
# - Dangerous commands (chmod, chown, rm with wildcards)
# - Deprecated commands no longer needed
# - Commands missing from command groups
Command Argument Restrictions
Define commands with specific argument restrictions documented in descriptions.
# Create systemctl command with intended argument restrictions
ipa sudocmd-add /usr/bin/systemctl \
--desc="SystemD service control - sudo rule restricts to restart of nginx only"
# Note: Argument restrictions are enforced in sudo rule, not command definition
# Command description documents intended restriction for administrators
# Create sudo rule with argument restriction
ipa sudorule-add nginx-restart --desc="Restart nginx service only"
ipa sudorule-add-allow-command nginx-restart --sudocmds=/usr/bin/systemctl
# Sudo rule would then be configured on hosts with:
# alice ALL = /usr/bin/systemctl restart nginx
# (Argument restriction configured in sudoers file via sudo rule)
Emergency Access Commands
Define high-risk commands for break-glass emergency scenarios.
# Emergency recovery commands (high risk)
ipa sudocmd-add /usr/sbin/reboot --desc="EMERGENCY: System reboot"
ipa sudocmd-add /usr/sbin/shutdown --desc="EMERGENCY: System shutdown"
ipa sudocmd-add /usr/sbin/init --desc="EMERGENCY: Change runlevel"
# Create emergency command group
ipa sudocmdgroup-add emergency-power --desc="EMERGENCY: System power management"
ipa sudocmdgroup-add-member emergency-power \
--sudocmds=/usr/sbin/reboot,/usr/sbin/shutdown,/usr/sbin/init
# Create highly restricted sudo rule (normally disabled)
ipa sudorule-add emergency-reboot \
--desc="EMERGENCY ONLY: System reboot capability"
ipa sudorule-add-allow-command emergency-reboot --sudocmdgroups=emergency-power
ipa sudorule-add-user emergency-reboot --users=emergency-admin
ipa sudorule-disable emergency-reboot
# Enable only during actual emergencies
# ipa sudorule-enable emergency-reboot
Security Considerations
Wildcard commands grant excessive privileges: Commands with wildcards (e.g., /usr/bin/*, /opt/scripts/*) grant access to all executables in that path. Attackers can exploit this by placing malicious scripts in the wildcard directory. Use wildcards only when necessary and secure the target directory strictly.
Relative paths enable hijacking attacks: If sudo commands use relative paths instead of absolute paths (though IPA enforces absolute paths), attackers can manipulate PATH to execute malicious programs. Always use absolute paths like /usr/bin/systemctl, never systemctl.
Dangerous commands require extreme caution: Commands like /bin/sh, /usr/bin/vi, /usr/bin/sudo are shell-escaping or privilege-escalation vectors. Granting sudo access to these commands is equivalent to granting root. Avoid shell-accessible commands in sudo rules.
Symlink attacks bypass command restrictions: If a sudo command is a symlink, attackers might replace the symlink target with a malicious executable. Ensure command paths reference actual binaries, not symlinks, or secure symlink targets.
Argument restrictions not enforced by command definition: IPA sudo command entries only define the executable path. Argument restrictions must be enforced in the sudo rule configuration on hosts. Don’t assume command definitions limit arguments—verify sudo rule implementation.
Command deletion doesn’t revoke active rules: Deleting a sudo command from IPA doesn’t immediately prevent usage if local sudoers files already cached the rule. Sudo rule updates and command deletions may take time to propagate. Force sudo configuration refresh on hosts after command deletion.
Overly broad command groups multiply risk: Large command groups containing many commands simplify management but grant excessive privileges if assigned to rules. A command group with 50 commands grants 50 potential attack vectors. Keep command groups focused on related, similar-risk commands.
Editors and interpreters grant shell access: Commands like /usr/bin/vi, /usr/bin/vim, /usr/bin/emacs, /usr/bin/python, /usr/bin/perl provide shell escape mechanisms. Users can execute arbitrary commands from within these programs. Never grant sudo access to text editors or interpreters.
File manipulation commands enable privilege escalation: Commands like /bin/chmod, /bin/chown, /usr/bin/setfacl can modify file permissions and ownership. With sudo access, users can grant themselves read/write access to sensitive files, enabling privilege escalation.
Package managers can execute arbitrary code: Commands like /usr/bin/dnf, /usr/bin/rpm can install packages containing arbitrary scripts that run as root during installation. Granting sudo access to package managers enables code execution as root.
Network tools can exfiltrate data: Commands like /usr/bin/curl, /usr/bin/wget, /usr/sbin/tcpdump can be used to exfiltrate sensitive data from the system. Even “read-only” network diagnostic tools can leak information if granted sudo access.
Lack of command auditing: IPA tracks sudo command definitions but doesn’t log when users actually execute commands via sudo. Actual command execution logging happens on individual hosts via sudo’s own logging. Centralize sudo execution logs for security monitoring.
Troubleshooting
Cannot Add Command with Relative Path
Symptom: ipa sudocmd-add systemctl fails with error about invalid command format.
Diagnosis: IPA requires absolute paths for sudo commands.
Resolution: Use full absolute path:
# Wrong: relative path
ipa sudocmd-add systemctl
ipa: ERROR: invalid 'sudocmd': must be full path to a file
# Correct: absolute path
ipa sudocmd-add /usr/bin/systemctl \
--desc="SystemD service manager"
# Find correct path if unknown
which systemctl
/usr/bin/systemctl
Command Already Exists Error
Symptom: ipa sudocmd-add /usr/bin/less fails with “command already exists”.
Diagnosis: Command was previously added to IPA.
Resolution: Modify existing command or delete and recreate:
# Verify command exists
ipa sudocmd-show /usr/bin/less
# Option 1: Modify existing command
ipa sudocmd-mod /usr/bin/less --desc="Updated description"
# Option 2: Delete and recreate
ipa sudocmd-del /usr/bin/less
ipa sudocmd-add /usr/bin/less --desc="New description"
Cannot Delete Command Still in Use
Symptom: ipa sudocmd-del /usr/bin/systemctl fails with error about command being in use.
Diagnosis: Command is referenced by sudo command groups or sudo rules.
Resolution: Remove command from groups/rules before deletion:
# Find which groups contain the command
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
Member of Sudo command groups: service-management
# Remove from command group
ipa sudocmdgroup-remove-member service-management \
--sudocmds=/usr/bin/systemctl
# Check if directly referenced in any sudo rules
ipa sudorule-find --sudocmds=/usr/bin/systemctl
# If found, remove from those rules too
# Now delete command
ipa sudocmd-del /usr/bin/systemctl
Wildcard Command Not Matching Expected Executables
Symptom: Created wildcard command /usr/local/bin/* but sudo doesn’t allow expected scripts.
Diagnosis: Sudo configuration on hosts may not interpret wildcards as expected, or IPA-to-sudoers conversion has limitations.
Resolution: Test wildcard behavior and consider specific commands instead:
# Verify wildcard command in IPA
ipa sudocmd-show "/usr/local/bin/*"
# Test on host with sudo
sudo -l
# Check if wildcard appears in allowed commands
# If wildcard not working, define specific commands instead
ipa sudocmd-add /usr/local/bin/script1.sh
ipa sudocmd-add /usr/local/bin/script2.sh
ipa sudocmd-add /usr/local/bin/script3.sh
# Add to command group for easier management
ipa sudocmdgroup-add local-scripts
ipa sudocmdgroup-add-member local-scripts \
--sudocmds=/usr/local/bin/script1.sh,/usr/local/bin/script2.sh,/usr/local/bin/script3.sh
Command Description Not Updating
Symptom: Modified command description but sudocmd-show displays old description.
Diagnosis: Caching issue or modification didn’t apply.
Resolution: Verify modification and clear cache:
# Modify description
ipa sudocmd-mod /usr/bin/less --desc="Updated description for log viewing"
# Verify update (use --all to see all attributes)
ipa sudocmd-show /usr/bin/less --all
Description: Updated description for log viewing
# If still shows old description, clear cache
rm -rf ~/.cache/ipa/
ipa sudocmd-show /usr/bin/less
Cannot Find Command by Search
Symptom: ipa sudocmd-find systemctl returns no results even though command exists.
Diagnosis: Search searches descriptions, not command paths by default.
Resolution: Search in command path specifically:
# Search by description (default)
ipa sudocmd-find "service manager"
# Returns commands with "service manager" in description
# Search by exact command path
ipa sudocmd-show /usr/bin/systemctl
# Use exact path for direct lookup
# List all commands and grep
ipa sudocmd-find --pkey-only | grep systemctl
Sudo command: /usr/bin/systemctl
Sudo Rule Not Working Despite Command Defined
Symptom: Defined sudo command and created sudo rule, but users cannot execute command via sudo.
Diagnosis: Sudo rule may not be enabled, host not included, or user not member of rule.
Resolution: Verify complete sudo rule configuration:
# Verify command exists
ipa sudocmd-show /usr/bin/systemctl
# Verify sudo rule exists and is enabled
ipa sudorule-show devops-services
Enabled: TRUE
# Verify user is member of rule
ipa sudorule-show devops-services | grep -i user
Users: alice, bob
User Groups: devops-team
# Verify host is included in rule
ipa sudorule-show devops-services | grep -i host
Hosts: app-server01.example.com
Host Groups: app-servers
# Verify command is in rule
ipa sudorule-show devops-services | grep -i command
Sudo Allow Commands: /usr/bin/systemctl
# Force SSSD cache refresh on client
ssh client.example.com
sss_cache -E
Command Path Wrong After OS Upgrade
Symptom: After OS upgrade, commands moved locations (e.g., /bin/systemctl → /usr/bin/systemctl).
Diagnosis: Operating system reorganized filesystem, command paths changed.
Resolution: Update command definitions to new paths:
# Add command at new location
ipa sudocmd-add /usr/bin/systemctl --desc="SystemD service manager"
# Add to same command groups as old command
ipa sudocmd-show /bin/systemctl --all | grep "Member of"
Member of Sudo command groups: service-management
ipa sudocmdgroup-add-member service-management \
--sudocmds=/usr/bin/systemctl
# Remove old command from groups
ipa sudocmdgroup-remove-member service-management \
--sudocmds=/bin/systemctl
# Delete old command
ipa sudocmd-del /bin/systemctl
Duplicate Commands in Different Groups
Symptom: Same command appears in multiple command groups, creating confusion about usage.
Diagnosis: Command can be member of multiple groups; this may be intentional or oversight.
Resolution: Review group membership and consolidate if needed:
# Show all group memberships for command
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
Member of Sudo command groups: service-mgmt, devops-tools, admin-commands
# Decide which groups should contain the command
# Remove from unnecessary groups
ipa sudocmdgroup-remove-member admin-commands \
--sudocmds=/usr/bin/systemctl
# Keep in appropriate groups only
# service-mgmt and devops-tools might both be valid
Permission Denied When Deleting Command
Symptom: ipa sudocmd-del fails with “Insufficient access” error.
Diagnosis: User lacks sudo administrator privileges.
Resolution: Use admin account or grant appropriate role:
# Check current user's roles
ipa user-show $(whoami) | grep -i role
# Need "Sudo Administrator" role for sudo command management
# As admin, grant role:
kinit admin
ipa role-add-member "Sudo Administrator" --users=targetuser
# Or use admin account directly
kinit admin
ipa sudocmd-del /usr/bin/oldcommand
Command Not Appearing in sudoers on Host
Symptom: Command and rule defined in IPA but not appearing in effective sudoers on host.
Diagnosis: SSSD not pulling sudo rules, sudo rule disabled, or cache stale.
Resolution: Verify SSSD configuration and force refresh:
# On host, verify SSSD sudo provider enabled
grep sudo_provider /etc/sssd/sssd.conf
sudo_provider = ipa
# Restart SSSD
systemctl restart sssd
# Clear sudo cache
sss_cache -E
# Test sudo rule retrieval
sudo -l -U alice
# Should show allowed commands from IPA sudo rules
# Check SSSD logs for errors
tail -f /var/log/sssd/sssd_sudo.log
Cannot Modify Command Path
Symptom: Want to change command path from /bin/systemctl to /usr/bin/systemctl but no modify option for path.
Diagnosis: Command path is the primary key and cannot be modified.
Resolution: Delete and recreate with new path:
# Cannot modify path:
ipa sudocmd-mod /bin/systemctl --command=/usr/bin/systemctl
# No such option
# Must delete and recreate:
# First, save description
DESC=$(ipa sudocmd-show /bin/systemctl | grep Description | cut -d: -f2-)
# Delete old command
ipa sudocmd-del /bin/systemctl
# Create with new path and same description
ipa sudocmd-add /usr/bin/systemctl --desc="$DESC"
# Re-add to command groups
ipa sudocmdgroup-add-member service-mgmt --sudocmds=/usr/bin/systemctl
Commands
sudocmd-add
Usage: ipa [global-options] sudocmd-add COMMAND [options]
Create new Sudo Command.
Arguments
| Argument | Required | Description |
|---|---|---|
COMMAND | yes | Sudo Command |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this command |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
sudocmd-del
Usage: ipa [global-options] sudocmd-del COMMAND [options]
Delete Sudo Command.
Arguments
| Argument | Required | Description |
|---|---|---|
COMMAND | yes | Sudo Command |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
sudocmd-find
Usage: ipa [global-options] sudocmd-find [CRITERIA] [options]
Search for Sudo Commands.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--command COMMAND | Sudo Command |
--desc DESC | A description of this command |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“command”) |
sudocmd-mod
Usage: ipa [global-options] sudocmd-mod COMMAND [options]
Modify Sudo Command.
Arguments
| Argument | Required | Description |
|---|---|---|
COMMAND | yes | Sudo Command |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this command |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
sudocmd-show
Usage: ipa [global-options] sudocmd-show COMMAND [options]
Display Sudo Command.
Arguments
| Argument | Required | Description |
|---|---|---|
COMMAND | yes | Sudo Command |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |