policy

Sudo Commands

Manage individual sudo commands for use in sudo rules. Commands represent specific executables with full paths that can be permitted or denied via sudo policies. Features include command creation with descriptions, command grouping, and integration with sudo rules for fine-grained privilege escalation control.

5 commands
policy

Overview

Sudo commands represent individual executable programs with full filesystem paths that can be permitted or restricted through sudo policies in IPA. These command entries serve as building blocks for constructing fine-grained sudo rules, enabling administrators to grant specific privilege escalation capabilities while maintaining least-privilege security principles.

Each sudo command entry in IPA defines a single executable path (e.g., /usr/bin/systemctl, /bin/mount, /usr/sbin/iptables) that can be referenced in sudo rules. Commands can be grouped into sudo command groups for easier management, and both individual commands and command groups can be assigned to sudo rules controlling who can execute them, on which hosts, and as which users.

Command Path Specification

Sudo commands must specify the complete absolute path to the executable. This prevents path-based attacks where attackers place malicious programs earlier in the PATH to hijack command execution.

Correct: /usr/bin/systemctl (absolute path) Incorrect: systemctl (relative, unsafe)

The full path ensures sudo only permits the specific executable at the specified location, not any program named “systemctl” anywhere in the filesystem.

Command Arguments and Wildcards

While IPA stores the base command path, sudo rules can specify allowed arguments. Command entries themselves don’t include arguments—those are configured in the sudo rule that references the command.

However, command paths can include wildcards for directory traversal scenarios:

  • /usr/bin/* permits any command in /usr/bin/
  • /home/*/bin/script.sh permits script.sh from any user’s bin directory

Use wildcards sparingly, as they significantly broaden the scope of granted privileges.

Integration with Sudo Rules

Sudo commands don’t grant any privileges by themselves. They must be referenced by sudo rules to become effective:

  1. Create command: Define executable path in IPA
  2. Create/join command group (optional): Organize related commands
  3. Create sudo rule: Reference command(s) and specify users, hosts, and runas targets
  4. Activate rule: Enable the sudo rule for enforcement

Commands can be shared across multiple sudo rules, enabling reuse and consistent command definitions.

Command Descriptions

Each command should include a description explaining its purpose and why it’s defined. Good descriptions help administrators understand command intent months or years after creation:

Good: “systemctl command for service management by DevOps team” Poor: “systemctl”

Commands used as building blocks for sudo

EXAMPLES

Create a new command

ipa sudocmd-add --desc='For reading log files' /usr/bin/less

Remove a command

ipa sudocmd-del /usr/bin/less

Use Cases

Defining Safe Log Viewing Commands

Allow help desk to view log files without granting dangerous text editor capabilities.

# Create safe log viewing commands
ipa sudocmd-add /usr/bin/less --desc="Page through log files safely"
ipa sudocmd-add /usr/bin/tail --desc="View end of log files"
ipa sudocmd-add /usr/bin/grep --desc="Search log file content"
ipa sudocmd-add /usr/bin/cat --desc="Display log file content"

# Create command group for log viewing
ipa sudocmdgroup-add log-viewing --desc="Safe log file viewing commands"
ipa sudocmdgroup-add-member log-viewing \
  --sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/grep,/usr/bin/cat

# Create sudo rule allowing helpdesk to view logs
ipa sudorule-add helpdesk-logs --desc="Helpdesk log viewing"
ipa sudorule-add-allow-command helpdesk-logs --sudocmdgroups=log-viewing
ipa sudorule-add-user helpdesk-logs --groups=helpdesk-team
ipa sudorule-mod helpdesk-logs --hostcat=all

# Helpdesk can now: sudo less /var/log/messages
# Cannot: sudo vi /var/log/messages (editor not in allowed commands)

Service Management for DevOps

Grant DevOps teams service restart capability without full root access.

# Define systemctl command for service management
ipa sudocmd-add /usr/bin/systemctl \
  --desc="SystemD service manager for application restarts"

# Create sudo rule for application service management
ipa sudorule-add devops-services --desc="DevOps service management"
ipa sudorule-add-allow-command devops-services --sudocmds=/usr/bin/systemctl
ipa sudorule-add-user devops-services --groups=devops-team
ipa sudorule-add-host devops-services --hostgroups=app-servers

# DevOps team can restart services
# Example: sudo systemctl restart nginx
# Sudo rule can further restrict arguments to specific services

Network Diagnostics for NOC Team

Enable Network Operations Center staff to run diagnostic commands without full access.

# Create network diagnostic commands
ipa sudocmd-add /usr/bin/ping --desc="ICMP connectivity test"
ipa sudocmd-add /usr/bin/traceroute --desc="Network path tracing"
ipa sudocmd-add /usr/bin/mtr --desc="Combined ping and traceroute"
ipa sudocmd-add /usr/sbin/tcpdump --desc="Packet capture for diagnostics"
ipa sudocmd-add /usr/sbin/ip --desc="Network interface and routing management"

# Group network diagnostics
ipa sudocmdgroup-add network-diag --desc="Network diagnostic tools"
ipa sudocmdgroup-add-member network-diag \
  --sudocmds=/usr/bin/ping,/usr/bin/traceroute,/usr/bin/mtr,/usr/sbin/tcpdump,/usr/sbin/ip

# Create sudo rule
ipa sudorule-add noc-diagnostics --desc="NOC network diagnostics"
ipa sudorule-add-allow-command noc-diagnostics --sudocmdgroups=network-diag
ipa sudorule-add-user noc-diagnostics --groups=noc-team
ipa sudorule-mod noc-diagnostics --hostcat=all

Database Administration Commands

Allow DBA team to manage database services and backups.

# Database service management
ipa sudocmd-add /usr/bin/pg_dump --desc="PostgreSQL database backup"
ipa sudocmd-add /usr/bin/pg_restore --desc="PostgreSQL database restore"
ipa sudocmd-add /usr/bin/psql --desc="PostgreSQL interactive client"
ipa sudocmd-add /usr/bin/systemctl --desc="Service management for database"

# Create DBA command group
ipa sudocmdgroup-add dba-tools --desc="Database administration tools"
ipa sudocmdgroup-add-member dba-tools \
  --sudocmds=/usr/bin/pg_dump,/usr/bin/pg_restore,/usr/bin/psql,/usr/bin/systemctl

# Sudo rule for DBA team
ipa sudorule-add dba-operations --desc="DBA database management"
ipa sudorule-add-allow-command dba-operations --sudocmdgroups=dba-tools
ipa sudorule-add-user dba-operations --groups=dba-team
ipa sudorule-add-host dba-operations --hostgroups=database-servers

Package Management for System Administrators

Grant junior admins package installation rights without full root.

# Package management commands
ipa sudocmd-add /usr/bin/dnf --desc="DNF package manager"
ipa sudocmd-add /usr/bin/rpm --desc="RPM package manager"
ipa sudocmd-add /usr/bin/yum --desc="YUM package manager (legacy)"

# Create package management group
ipa sudocmdgroup-add package-mgmt --desc="Package installation and updates"
ipa sudocmdgroup-add-member package-mgmt \
  --sudocmds=/usr/bin/dnf,/usr/bin/rpm,/usr/bin/yum

# Sudo rule for junior admins
ipa sudorule-add junior-pkg-mgmt --desc="Junior admin package management"
ipa sudorule-add-allow-command junior-pkg-mgmt --sudocmdgroups=package-mgmt
ipa sudorule-add-user junior-pkg-mgmt --groups=junior-admins
ipa sudorule-mod junior-pkg-mgmt --hostcat=all

Removing Deprecated Commands

Clean up sudo command entries that are no longer used or have been superseded.

# Find all sudo commands
ipa sudocmd-find

# Identify deprecated command
ipa sudocmd-show /usr/bin/oldtool --all
  Member of Sudo command groups: legacy-tools
  # Command still in use by command group

# Remove from command group first
ipa sudocmdgroup-remove-member legacy-tools --sudocmds=/usr/bin/oldtool

# Verify not used in any sudo rules
ipa sudorule-find --sudocmds=/usr/bin/oldtool
  # Should return no results

# Delete deprecated command
ipa sudocmd-del /usr/bin/oldtool

Wildcard Commands for Script Directories

Allow execution of any script in a specific directory without defining each script individually.

# Create wildcard command for application scripts directory
ipa sudocmd-add "/opt/app/scripts/*" \
  --desc="Any script in application scripts directory"

# Create sudo rule for app operators
ipa sudorule-add app-scripts --desc="Application script execution"
ipa sudorule-add-allow-command app-scripts --sudocmds="/opt/app/scripts/*"
ipa sudorule-add-user app-scripts --groups=app-operators
ipa sudorule-add-host app-scripts --hostgroups=app-servers

# App operators can run: sudo /opt/app/scripts/deploy.sh
# And: sudo /opt/app/scripts/backup.sh
# Without defining each script separately

# Warning: Wildcard grants broad access - ensure scripts directory is secured

Audit Sudo Command Usage

Document all defined sudo commands for compliance and security review.

# List all sudo commands
ipa sudocmd-find --all > /tmp/all-sudocmds.txt

# Show details for each command including membership
for cmd in $(ipa sudocmd-find --pkey-only | grep "Sudo command:" | awk '{print $3}'); do
  echo "=== $cmd ==="
  ipa sudocmd-show "$cmd" --all
  echo ""
done > sudo-command-audit-report.txt

# Review report for:
# - Overly broad wildcards
# - Dangerous commands (chmod, chown, rm with wildcards)
# - Deprecated commands no longer needed
# - Commands missing from command groups

Command Argument Restrictions

Define commands with specific argument restrictions documented in descriptions.

# Create systemctl command with intended argument restrictions
ipa sudocmd-add /usr/bin/systemctl \
  --desc="SystemD service control - sudo rule restricts to restart of nginx only"

# Note: Argument restrictions are enforced in sudo rule, not command definition
# Command description documents intended restriction for administrators

# Create sudo rule with argument restriction
ipa sudorule-add nginx-restart --desc="Restart nginx service only"
ipa sudorule-add-allow-command nginx-restart --sudocmds=/usr/bin/systemctl
# Sudo rule would then be configured on hosts with:
# alice ALL = /usr/bin/systemctl restart nginx
# (Argument restriction configured in sudoers file via sudo rule)

Emergency Access Commands

Define high-risk commands for break-glass emergency scenarios.

# Emergency recovery commands (high risk)
ipa sudocmd-add /usr/sbin/reboot --desc="EMERGENCY: System reboot"
ipa sudocmd-add /usr/sbin/shutdown --desc="EMERGENCY: System shutdown"
ipa sudocmd-add /usr/sbin/init --desc="EMERGENCY: Change runlevel"

# Create emergency command group
ipa sudocmdgroup-add emergency-power --desc="EMERGENCY: System power management"
ipa sudocmdgroup-add-member emergency-power \
  --sudocmds=/usr/sbin/reboot,/usr/sbin/shutdown,/usr/sbin/init

# Create highly restricted sudo rule (normally disabled)
ipa sudorule-add emergency-reboot \
  --desc="EMERGENCY ONLY: System reboot capability"
ipa sudorule-add-allow-command emergency-reboot --sudocmdgroups=emergency-power
ipa sudorule-add-user emergency-reboot --users=emergency-admin
ipa sudorule-disable emergency-reboot

# Enable only during actual emergencies
# ipa sudorule-enable emergency-reboot

Security Considerations

Wildcard commands grant excessive privileges: Commands with wildcards (e.g., /usr/bin/*, /opt/scripts/*) grant access to all executables in that path. Attackers can exploit this by placing malicious scripts in the wildcard directory. Use wildcards only when necessary and secure the target directory strictly.

Relative paths enable hijacking attacks: If sudo commands use relative paths instead of absolute paths (though IPA enforces absolute paths), attackers can manipulate PATH to execute malicious programs. Always use absolute paths like /usr/bin/systemctl, never systemctl.

Dangerous commands require extreme caution: Commands like /bin/sh, /usr/bin/vi, /usr/bin/sudo are shell-escaping or privilege-escalation vectors. Granting sudo access to these commands is equivalent to granting root. Avoid shell-accessible commands in sudo rules.

Symlink attacks bypass command restrictions: If a sudo command is a symlink, attackers might replace the symlink target with a malicious executable. Ensure command paths reference actual binaries, not symlinks, or secure symlink targets.

Argument restrictions not enforced by command definition: IPA sudo command entries only define the executable path. Argument restrictions must be enforced in the sudo rule configuration on hosts. Don’t assume command definitions limit arguments—verify sudo rule implementation.

Command deletion doesn’t revoke active rules: Deleting a sudo command from IPA doesn’t immediately prevent usage if local sudoers files already cached the rule. Sudo rule updates and command deletions may take time to propagate. Force sudo configuration refresh on hosts after command deletion.

Overly broad command groups multiply risk: Large command groups containing many commands simplify management but grant excessive privileges if assigned to rules. A command group with 50 commands grants 50 potential attack vectors. Keep command groups focused on related, similar-risk commands.

Editors and interpreters grant shell access: Commands like /usr/bin/vi, /usr/bin/vim, /usr/bin/emacs, /usr/bin/python, /usr/bin/perl provide shell escape mechanisms. Users can execute arbitrary commands from within these programs. Never grant sudo access to text editors or interpreters.

File manipulation commands enable privilege escalation: Commands like /bin/chmod, /bin/chown, /usr/bin/setfacl can modify file permissions and ownership. With sudo access, users can grant themselves read/write access to sensitive files, enabling privilege escalation.

Package managers can execute arbitrary code: Commands like /usr/bin/dnf, /usr/bin/rpm can install packages containing arbitrary scripts that run as root during installation. Granting sudo access to package managers enables code execution as root.

Network tools can exfiltrate data: Commands like /usr/bin/curl, /usr/bin/wget, /usr/sbin/tcpdump can be used to exfiltrate sensitive data from the system. Even “read-only” network diagnostic tools can leak information if granted sudo access.

Lack of command auditing: IPA tracks sudo command definitions but doesn’t log when users actually execute commands via sudo. Actual command execution logging happens on individual hosts via sudo’s own logging. Centralize sudo execution logs for security monitoring.

Troubleshooting

Cannot Add Command with Relative Path

Symptom: ipa sudocmd-add systemctl fails with error about invalid command format.

Diagnosis: IPA requires absolute paths for sudo commands.

Resolution: Use full absolute path:

# Wrong: relative path
ipa sudocmd-add systemctl
  ipa: ERROR: invalid 'sudocmd': must be full path to a file

# Correct: absolute path
ipa sudocmd-add /usr/bin/systemctl \
  --desc="SystemD service manager"

# Find correct path if unknown
which systemctl
  /usr/bin/systemctl

Command Already Exists Error

Symptom: ipa sudocmd-add /usr/bin/less fails with “command already exists”.

Diagnosis: Command was previously added to IPA.

Resolution: Modify existing command or delete and recreate:

# Verify command exists
ipa sudocmd-show /usr/bin/less

# Option 1: Modify existing command
ipa sudocmd-mod /usr/bin/less --desc="Updated description"

# Option 2: Delete and recreate
ipa sudocmd-del /usr/bin/less
ipa sudocmd-add /usr/bin/less --desc="New description"

Cannot Delete Command Still in Use

Symptom: ipa sudocmd-del /usr/bin/systemctl fails with error about command being in use.

Diagnosis: Command is referenced by sudo command groups or sudo rules.

Resolution: Remove command from groups/rules before deletion:

# Find which groups contain the command
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
  Member of Sudo command groups: service-management

# Remove from command group
ipa sudocmdgroup-remove-member service-management \
  --sudocmds=/usr/bin/systemctl

# Check if directly referenced in any sudo rules
ipa sudorule-find --sudocmds=/usr/bin/systemctl
  # If found, remove from those rules too

# Now delete command
ipa sudocmd-del /usr/bin/systemctl

Wildcard Command Not Matching Expected Executables

Symptom: Created wildcard command /usr/local/bin/* but sudo doesn’t allow expected scripts.

Diagnosis: Sudo configuration on hosts may not interpret wildcards as expected, or IPA-to-sudoers conversion has limitations.

Resolution: Test wildcard behavior and consider specific commands instead:

# Verify wildcard command in IPA
ipa sudocmd-show "/usr/local/bin/*"

# Test on host with sudo
sudo -l
  # Check if wildcard appears in allowed commands

# If wildcard not working, define specific commands instead
ipa sudocmd-add /usr/local/bin/script1.sh
ipa sudocmd-add /usr/local/bin/script2.sh
ipa sudocmd-add /usr/local/bin/script3.sh

# Add to command group for easier management
ipa sudocmdgroup-add local-scripts
ipa sudocmdgroup-add-member local-scripts \
  --sudocmds=/usr/local/bin/script1.sh,/usr/local/bin/script2.sh,/usr/local/bin/script3.sh

Command Description Not Updating

Symptom: Modified command description but sudocmd-show displays old description.

Diagnosis: Caching issue or modification didn’t apply.

Resolution: Verify modification and clear cache:

# Modify description
ipa sudocmd-mod /usr/bin/less --desc="Updated description for log viewing"

# Verify update (use --all to see all attributes)
ipa sudocmd-show /usr/bin/less --all
  Description: Updated description for log viewing

# If still shows old description, clear cache
rm -rf ~/.cache/ipa/
ipa sudocmd-show /usr/bin/less

Symptom: ipa sudocmd-find systemctl returns no results even though command exists.

Diagnosis: Search searches descriptions, not command paths by default.

Resolution: Search in command path specifically:

# Search by description (default)
ipa sudocmd-find "service manager"
  # Returns commands with "service manager" in description

# Search by exact command path
ipa sudocmd-show /usr/bin/systemctl
  # Use exact path for direct lookup

# List all commands and grep
ipa sudocmd-find --pkey-only | grep systemctl
  Sudo command: /usr/bin/systemctl

Sudo Rule Not Working Despite Command Defined

Symptom: Defined sudo command and created sudo rule, but users cannot execute command via sudo.

Diagnosis: Sudo rule may not be enabled, host not included, or user not member of rule.

Resolution: Verify complete sudo rule configuration:

# Verify command exists
ipa sudocmd-show /usr/bin/systemctl

# Verify sudo rule exists and is enabled
ipa sudorule-show devops-services
  Enabled: TRUE

# Verify user is member of rule
ipa sudorule-show devops-services | grep -i user
  Users: alice, bob
  User Groups: devops-team

# Verify host is included in rule
ipa sudorule-show devops-services | grep -i host
  Hosts: app-server01.example.com
  Host Groups: app-servers

# Verify command is in rule
ipa sudorule-show devops-services | grep -i command
  Sudo Allow Commands: /usr/bin/systemctl

# Force SSSD cache refresh on client
ssh client.example.com
sss_cache -E

Command Path Wrong After OS Upgrade

Symptom: After OS upgrade, commands moved locations (e.g., /bin/systemctl/usr/bin/systemctl).

Diagnosis: Operating system reorganized filesystem, command paths changed.

Resolution: Update command definitions to new paths:

# Add command at new location
ipa sudocmd-add /usr/bin/systemctl --desc="SystemD service manager"

# Add to same command groups as old command
ipa sudocmd-show /bin/systemctl --all | grep "Member of"
  Member of Sudo command groups: service-management

ipa sudocmdgroup-add-member service-management \
  --sudocmds=/usr/bin/systemctl

# Remove old command from groups
ipa sudocmdgroup-remove-member service-management \
  --sudocmds=/bin/systemctl

# Delete old command
ipa sudocmd-del /bin/systemctl

Duplicate Commands in Different Groups

Symptom: Same command appears in multiple command groups, creating confusion about usage.

Diagnosis: Command can be member of multiple groups; this may be intentional or oversight.

Resolution: Review group membership and consolidate if needed:

# Show all group memberships for command
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
  Member of Sudo command groups: service-mgmt, devops-tools, admin-commands

# Decide which groups should contain the command
# Remove from unnecessary groups
ipa sudocmdgroup-remove-member admin-commands \
  --sudocmds=/usr/bin/systemctl

# Keep in appropriate groups only
# service-mgmt and devops-tools might both be valid

Permission Denied When Deleting Command

Symptom: ipa sudocmd-del fails with “Insufficient access” error.

Diagnosis: User lacks sudo administrator privileges.

Resolution: Use admin account or grant appropriate role:

# Check current user's roles
ipa user-show $(whoami) | grep -i role

# Need "Sudo Administrator" role for sudo command management
# As admin, grant role:
kinit admin
ipa role-add-member "Sudo Administrator" --users=targetuser

# Or use admin account directly
kinit admin
ipa sudocmd-del /usr/bin/oldcommand

Command Not Appearing in sudoers on Host

Symptom: Command and rule defined in IPA but not appearing in effective sudoers on host.

Diagnosis: SSSD not pulling sudo rules, sudo rule disabled, or cache stale.

Resolution: Verify SSSD configuration and force refresh:

# On host, verify SSSD sudo provider enabled
grep sudo_provider /etc/sssd/sssd.conf
  sudo_provider = ipa

# Restart SSSD
systemctl restart sssd

# Clear sudo cache
sss_cache -E

# Test sudo rule retrieval
sudo -l -U alice
  # Should show allowed commands from IPA sudo rules

# Check SSSD logs for errors
tail -f /var/log/sssd/sssd_sudo.log

Cannot Modify Command Path

Symptom: Want to change command path from /bin/systemctl to /usr/bin/systemctl but no modify option for path.

Diagnosis: Command path is the primary key and cannot be modified.

Resolution: Delete and recreate with new path:

# Cannot modify path:
ipa sudocmd-mod /bin/systemctl --command=/usr/bin/systemctl
  # No such option

# Must delete and recreate:
# First, save description
DESC=$(ipa sudocmd-show /bin/systemctl | grep Description | cut -d: -f2-)

# Delete old command
ipa sudocmd-del /bin/systemctl

# Create with new path and same description
ipa sudocmd-add /usr/bin/systemctl --desc="$DESC"

# Re-add to command groups
ipa sudocmdgroup-add-member service-mgmt --sudocmds=/usr/bin/systemctl

Commands

sudocmd-add

Usage: ipa [global-options] sudocmd-add COMMAND [options]

Create new Sudo Command.

Arguments

ArgumentRequiredDescription
COMMANDyesSudo Command

Options

OptionDescription
--desc DESCA description of this command
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sudocmd-del

Usage: ipa [global-options] sudocmd-del COMMAND [options]

Delete Sudo Command.

Arguments

ArgumentRequiredDescription
COMMANDyesSudo Command

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

sudocmd-find

Usage: ipa [global-options] sudocmd-find [CRITERIA] [options]

Search for Sudo Commands.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--command COMMANDSudo Command
--desc DESCA description of this command
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“command”)

sudocmd-mod

Usage: ipa [global-options] sudocmd-mod COMMAND [options]

Modify Sudo Command.

Arguments

ArgumentRequiredDescription
COMMANDyesSudo Command

Options

OptionDescription
--desc DESCA description of this command
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sudocmd-show

Usage: ipa [global-options] sudocmd-show COMMAND [options]

Display Sudo Command.

Arguments

ArgumentRequiredDescription
COMMANDyesSudo Command

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.