policy

Sudo Command Groups

Manage groups of sudo commands for simplified sudo policy management. Command groups enable collective assignment of multiple commands to sudo rules, reducing administrative overhead. Features include command addition and removal, nested command group membership, and centralized management of related command access policies.

7 commands
policy

Overview

Sudo command groups aggregate multiple sudo commands into named collections for simplified sudo policy management. Instead of adding dozens of individual commands to sudo rules, administrators create command groups organizing related commands by function (service management, log viewing, package installation), then assign entire groups to sudo rules in a single operation.

Command groups provide several management advantages:

Centralized command management: Update command access by modifying the group membership, not individual sudo rules. Adding a new diagnostic command to the “network-tools” group immediately grants that command to all sudo rules referencing the group.

Consistent policy application: Ensure users with similar job functions receive identical command access by using shared command groups. All helpdesk staff get the “helpdesk-tools” group, ensuring consistent capabilities.

Reduced administrative overhead: Managing 5 command groups is easier than managing 50 individual command-to-rule assignments. Command groups scale better as infrastructure grows.

Logical command organization: Group commands by functional area (database-admin, service-management, security-tools) rather than managing unstructured command lists.

Command Group Membership

Command groups contain sudo commands (individual executables) as members. A group can contain any number of commands:

network-tools group:
  - /usr/bin/ping
  - /usr/bin/traceroute
  - /usr/bin/mtr
  - /usr/sbin/tcpdump
  - /usr/sbin/ip

Commands can belong to multiple groups simultaneously. The /usr/bin/systemctl command might be a member of both “service-management” and “application-admin” groups if both use cases exist.

Integration with Sudo Rules

Sudo rules reference command groups to grant access:

  1. Create command group: Define the group and add member commands
  2. Create sudo rule: Create rule specifying users, hosts, and run-as users
  3. Add command group to rule: Assign the entire command group to the sudo rule
  4. Activate rule: Enable the sudo rule for enforcement

When a sudo rule includes a command group, users covered by the rule can execute all commands in the group (subject to argument restrictions configured in the sudo rule itself).

Command vs Command Group in Rules

Sudo rules can reference both individual commands and command groups:

  • Individual commands: Direct command assignment for one-off cases
  • Command groups: Group assignment for collections of related commands

Most policies use command groups for maintainability, reserving individual command assignments for exceptions.

Manage groups of Sudo Commands.

EXAMPLES

Add a new Sudo Command Group:

ipa sudocmdgroup-add --desc='administrators commands' admincmds

Remove a Sudo Command Group:

ipa sudocmdgroup-del admincmds

Manage Sudo Command Group membership, commands:

ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds

Manage Sudo Command Group membership, commands:

ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds

Show a Sudo Command Group:

ipa sudocmdgroup-show admincmds

Use Cases

Creating Log Viewing Command Group

Helpdesk teams need safe log viewing capabilities without dangerous editor access. Group safe log commands together.

# Create log viewing command group
ipa sudocmdgroup-add log-viewers \
  --desc="Safe log file viewing commands"

# Add safe viewing commands
ipa sudocmdgroup-add-member log-viewers \
  --sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/head,/usr/bin/grep,/usr/bin/cat

# Verify group membership
ipa sudocmdgroup-show log-viewers
  Sudo Command Group: log-viewers
  Description: Safe log file viewing commands
  Member commands: /usr/bin/less, /usr/bin/tail, /usr/bin/head,
                   /usr/bin/grep, /usr/bin/cat

# Create sudo rule using command group
ipa sudorule-add helpdesk-logs --desc="Helpdesk log viewing access"
ipa sudorule-add-allow-command helpdesk-logs --sudocmdgroups=log-viewers
ipa sudorule-add-user helpdesk-logs --groups=helpdesk-team
ipa sudorule-mod helpdesk-logs --hostcat=all

Service Management Command Group

DevOps teams need service restart capabilities. Create command group for systemctl operations.

# Create service management command group
ipa sudocmdgroup-add service-management \
  --desc="Service start, stop, restart, and status operations"

# Add systemctl and legacy service commands
ipa sudocmdgroup-add-member service-management \
  --sudocmds=/usr/bin/systemctl,/usr/sbin/service

# Add to DevOps sudo rule
ipa sudorule-add devops-services --desc="DevOps service management"
ipa sudorule-add-allow-command devops-services \
  --sudocmdgroups=service-management
ipa sudorule-add-user devops-services --groups=devops-team
ipa sudorule-add-host devops-services --hostgroups=application-servers

# DevOps can restart services
# Example: sudo systemctl restart nginx

Network Diagnostics Command Group

Network operations center needs comprehensive diagnostic tools. Group all network commands together.

# Create network diagnostics group
ipa sudocmdgroup-add network-diagnostics \
  --desc="Network troubleshooting and diagnostic tools"

# Add network diagnostic commands
ipa sudocmdgroup-add-member network-diagnostics \
  --sudocmds=/usr/bin/ping \
  --sudocmds=/usr/bin/traceroute \
  --sudocmds=/usr/bin/mtr \
  --sudocmds=/usr/sbin/tcpdump \
  --sudocmds=/usr/sbin/ip \
  --sudocmds=/usr/bin/netstat \
  --sudocmds=/usr/bin/ss

# Create NOC sudo rule
ipa sudorule-add noc-diagnostics --desc="NOC network diagnostics"
ipa sudorule-add-allow-command noc-diagnostics \
  --sudocmdgroups=network-diagnostics
ipa sudorule-add-user noc-diagnostics --groups=noc-team
ipa sudorule-mod noc-diagnostics --hostcat=all

Package Management Command Group

System administrators need package installation capabilities. Group package manager commands.

# Create package management group
ipa sudocmdgroup-add package-management \
  --desc="Package installation, update, and removal"

# Add package manager commands
ipa sudocmdgroup-add-member package-management \
  --sudocmds=/usr/bin/dnf,/usr/bin/rpm,/usr/bin/yum

# Create admin sudo rule
ipa sudorule-add admin-packages --desc="Administrator package management"
ipa sudorule-add-allow-command admin-packages \
  --sudocmdgroups=package-management
ipa sudorule-add-user admin-packages --groups=sysadmin-team
ipa sudorule-mod admin-packages --hostcat=all

Removing Command from Group

Update command group membership when commands are deprecated or access should be restricted.

# Show current group membership
ipa sudocmdgroup-show admin-tools
  Member commands: /usr/bin/vim, /usr/bin/nano, /usr/bin/less

# Remove text editor (security concern - shell escape)
ipa sudocmdgroup-remove-member admin-tools --sudocmds=/usr/bin/vim

# Verify removal
ipa sudocmdgroup-show admin-tools
  Member commands: /usr/bin/nano, /usr/bin/less

# vim no longer accessible via rules using admin-tools group
# Must revoke from all rules at once by group modification

Database Administration Command Group

DBA team needs database-specific tools. Group database commands separately from general admin tools.

# Create database admin command group
ipa sudocmdgroup-add database-admin \
  --desc="Database administration and backup tools"

# Add database commands
ipa sudocmdgroup-add-member database-admin \
  --sudocmds=/usr/bin/pg_dump \
  --sudocmds=/usr/bin/pg_restore \
  --sudocmds=/usr/bin/psql \
  --sudocmds=/usr/bin/mysql \
  --sudocmds=/usr/bin/mysqldump

# Create DBA sudo rule
ipa sudorule-add dba-operations --desc="DBA database management"
ipa sudorule-add-allow-command dba-operations \
  --sudocmdgroups=database-admin
ipa sudorule-add-user dba-operations --groups=dba-team
ipa sudorule-add-host dba-operations --hostgroups=database-servers

Auditing Command Group Usage

Identify which sudo rules use specific command groups for impact analysis before changes.

# Show command group details
ipa sudocmdgroup-show service-management --all
  Member commands: /usr/bin/systemctl, /usr/sbin/service
  Member of Sudo rules: devops-services, admin-full-access

# Modifying service-management group affects both rules
# Impact: devops-services and admin-full-access users

# List all command groups for inventory
ipa sudocmdgroup-find --all
  # Review all defined command groups

# Generate audit report
for group in $(ipa sudocmdgroup-find --pkey-only | grep "Sudo Command Group" | awk '{print $4}'); do
  echo "=== $group ==="
  ipa sudocmdgroup-show "$group" --all
  echo ""
done > command-group-audit.txt

Hierarchical Command Groups by Risk Level

Organize commands by risk level for tiered access control.

# Low-risk read-only commands
ipa sudocmdgroup-add low-risk-commands \
  --desc="Read-only, low-risk diagnostic commands"
ipa sudocmdgroup-add-member low-risk-commands \
  --sudocmds=/usr/bin/cat,/usr/bin/less,/usr/bin/grep,/usr/bin/tail

# Medium-risk service control
ipa sudocmdgroup-add medium-risk-commands \
  --desc="Service management and configuration viewing"
ipa sudocmdgroup-add-member medium-risk-commands \
  --sudocmds=/usr/bin/systemctl,/usr/sbin/service

# High-risk system modification
ipa sudocmdgroup-add high-risk-commands \
  --desc="System-level modifications and dangerous operations"
ipa sudocmdgroup-add-member high-risk-commands \
  --sudocmds=/usr/bin/dnf,/usr/sbin/shutdown,/usr/sbin/reboot

# Assign to different user groups based on trust level
ipa sudorule-add tier1-access
ipa sudorule-add-allow-command tier1-access --sudocmdgroups=low-risk-commands
ipa sudorule-add-user tier1-access --groups=tier1-staff

ipa sudorule-add tier2-access
ipa sudorule-add-allow-command tier2-access \
  --sudocmdgroups=low-risk-commands,medium-risk-commands
ipa sudorule-add-user tier2-access --groups=tier2-staff

ipa sudorule-add tier3-access
ipa sudorule-add-allow-command tier3-access \
  --sudocmdgroups=low-risk-commands,medium-risk-commands,high-risk-commands
ipa sudorule-add-user tier3-access --groups=tier3-staff

Migrating Individual Commands to Command Groups

Convert existing sudo rules using individual commands to use command groups for better management.

# Existing sudo rule uses individual commands
ipa sudorule-show old-rule
  Sudo Allow Commands: /usr/bin/less, /usr/bin/tail, /usr/bin/grep

# Create equivalent command group
ipa sudocmdgroup-add log-tools
ipa sudocmdgroup-add-member log-tools \
  --sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/grep

# Add command group to rule
ipa sudorule-add-allow-command old-rule --sudocmdgroups=log-tools

# Remove individual command assignments
ipa sudorule-remove-allow-command old-rule \
  --sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/grep

# Now managed via command group for easier future updates

Temporary Command Addition for Emergency Access

Add emergency commands to existing group during incidents, then remove after resolution.

# During incident, need to grant reboot capability
ipa sudocmdgroup-add-member emergency-tools \
  --sudocmds=/usr/sbin/reboot

# Emergency responders can now reboot systems
# Incident resolved

# Remove emergency command from group
ipa sudocmdgroup-remove-member emergency-tools \
  --sudocmds=/usr/sbin/reboot

# Reboot capability revoked from all rules using emergency-tools group

Security Considerations

Command groups amplify security impact: Adding a dangerous command to a group immediately grants that command to all sudo rules referencing the group. A single command addition to a widely-used group can inadvertently grant excessive privileges to many users.

Group membership changes lack approval workflow: Unlike adding commands directly to sudo rules (which might have review processes), command group modifications often bypass approvals. This creates risk of unauthorized privilege grants through backdoor command additions.

Shared command groups reduce isolation: Multiple teams using the same command group means privilege changes affect all teams simultaneously. Adding a risky command for Team A also grants it to Teams B and C if they share a group. Use team-specific groups for better isolation.

Command group deletion doesn’t revoke rule permissions immediately: Deleting a command group doesn’t necessarily revoke commands from sudo rules until sudo configuration refreshes on clients. There’s a window where deleted groups’ commands remain accessible.

Overly broad “admin” groups grant excessive privileges: Generic command groups like “admin-tools” or “all-commands” often accumulate dangerous commands over time, granting far more access than needed. Create focused, purpose-specific command groups instead.

No command group nesting: Command groups cannot contain other command groups (flat hierarchy only). This prevents building hierarchical privilege structures and requires duplicating commands across groups, increasing management complexity and error risk.

Wildcard commands in groups multiply risk: Adding wildcard commands (e.g., /usr/bin/*) to command groups grants extremely broad access to all rules using that group. A single wildcard can transform a focused command group into an unrestricted privilege grant.

Group name changes break sudo rules: Renaming command groups breaks sudo rule references to the old group name until rules are updated. During transition, users lose access unexpectedly. Command group names should be treated as immutable.

Command group member enumeration aids attack planning: Attackers with read access can enumerate command group membership to understand available privilege escalation paths. Knowing “admin-tools” contains /usr/bin/vim guides attackers toward editor-based shell escapes.

No audit trail for command group modifications: While sudo rule changes may be audited, command group membership modifications (adding/removing commands) often lack detailed audit trails. Unauthorized additions may go undetected until exploitation occurs.

Troubleshooting

Cannot Delete Command Group: In Use by Sudo Rules

Symptom: ipa sudocmdgroup-del fails with error indicating group is used by sudo rules.

Diagnosis: Command group is referenced by one or more active sudo rules.

Resolution: Remove group from sudo rules before deletion:

# Find which rules use the group
ipa sudorule-find --sudocmdgroups=old-group
  Sudo Rule name: devops-services
  Sudo Rule name: admin-access

# Remove group from each rule
ipa sudorule-remove-allow-command devops-services \
  --sudocmdgroups=old-group
ipa sudorule-remove-allow-command admin-access \
  --sudocmdgroups=old-group

# Now delete the group
ipa sudocmdgroup-del old-group

Command Group Membership Not Updating in Sudo

Symptom: Added command to command group but users cannot execute it via sudo.

Diagnosis: SSSD sudo cache not refreshed on clients.

Resolution: Force SSSD cache refresh on affected systems:

# Add command to group
ipa sudocmdgroup-add-member admin-tools --sudocmds=/usr/bin/newcommand

# On client systems, clear sudo cache
sss_cache -E

# Restart SSSD if cache clear insufficient
systemctl restart sssd

# Test sudo access
sudo -l -U alice
  # Should now show newcommand

Cannot Add Command: Command Does Not Exist

Symptom: ipa sudocmdgroup-add-member fails with “command not found” error.

Diagnosis: Command must be defined in IPA before adding to group.

Resolution: Create sudo command first, then add to group:

# Attempt to add undefined command fails
ipa sudocmdgroup-add-member tools --sudocmds=/usr/bin/newcmd
  ipa: ERROR: /usr/bin/newcmd: command not found

# Create command first
ipa sudocmd-add /usr/bin/newcmd --desc="New command for tools group"

# Now add to group
ipa sudocmdgroup-add-member tools --sudocmds=/usr/bin/newcmd
  # Success

Command Shows in Group But Not in Sudo Rule

Symptom: Command appears in command group membership but users cannot execute it.

Diagnosis: Sudo rule may not be enabled, user not in rule, or host not included.

Resolution: Verify complete sudo rule configuration:

# Verify command in group
ipa sudocmdgroup-show tools
  Member commands: /usr/bin/testcmd

# Verify group in sudo rule
ipa sudorule-show admin-rule
  Sudo Allow Command Groups: tools

# Verify rule is enabled
ipa sudorule-show admin-rule | grep Enabled
  Enabled: TRUE

# Verify user in rule
ipa sudorule-show admin-rule | grep -i user
  Users: alice

# Verify host in rule
ipa sudorule-show admin-rule | grep -i host
  Hosts: server01.example.com

# If all correct, force client sudo cache refresh
ssh server01.example.com
sss_cache -E

Duplicate Commands in Multiple Groups

Symptom: Same command appears in multiple command groups, creating confusion about which group grants access.

Diagnosis: Commands can belong to multiple groups; this may be intentional or oversight.

Resolution: Review and consolidate if needed:

# Find all groups containing a command
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
  Member of Sudo Command Groups: service-mgmt, admin-tools, devops-commands

# Decide which groups should contain the command
# Remove from unnecessary groups
ipa sudocmdgroup-remove-member admin-tools --sudocmds=/usr/bin/systemctl

# Verify cleanup
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
  Member of Sudo Command Groups: service-mgmt, devops-commands

Command Group Modification Not Affecting Expected Rules

Symptom: Modified command group but sudo rules using it don’t reflect changes.

Diagnosis: May be looking at wrong command group, or rules reference group by old name.

Resolution: Verify which groups rules actually reference:

# Show sudo rule command groups
ipa sudorule-show admin-rule
  Sudo Allow Command Groups: admin-commands

# Verify this matches modified group
ipa sudocmdgroup-show admin-commands
  # Confirm this is the group you modified

# If rule references different group, add correct group
ipa sudorule-add-allow-command admin-rule --sudocmdgroups=correct-group

Cannot Remove All Commands from Group

Symptom: Want to empty command group but removal fails.

Diagnosis: Command group membership can be empty; check if removal syntax correct.

Resolution: Remove commands one by one or in batch:

# Show current members
ipa sudocmdgroup-show temp-group
  Member commands: /usr/bin/cmd1, /usr/bin/cmd2, /usr/bin/cmd3

# Remove all members
ipa sudocmdgroup-remove-member temp-group \
  --sudocmds=/usr/bin/cmd1,/usr/bin/cmd2,/usr/bin/cmd3

# Verify empty
ipa sudocmdgroup-show temp-group
  Member commands:
  # Group exists but has no members

Command Group Name Collision

Symptom: Cannot create command group because name already exists.

Diagnosis: Command group with that name already defined.

Resolution: Use different name or modify existing group:

# Attempt to create fails
ipa sudocmdgroup-add admin-tools
  ipa: ERROR: admin-tools: command group already exists

# Check existing group
ipa sudocmdgroup-show admin-tools
  # Review existing group

# Option 1: Use different name
ipa sudocmdgroup-add admin-tools-v2

# Option 2: Modify existing group
ipa sudocmdgroup-mod admin-tools --desc="Updated description"
ipa sudocmdgroup-add-member admin-tools --sudocmds=/usr/bin/newcmd

Sudo Rule Shows No Command Groups

Symptom: Added command group to sudo rule but rule shows no command groups.

Diagnosis: Wrong command type added (might have added individual command instead of group).

Resolution: Verify command group vs individual command assignment:

# Show rule
ipa sudorule-show myrule
  Sudo Allow Commands: /usr/bin/less
  # Individual command, not command group

# Add command group
ipa sudorule-add-allow-command myrule --sudocmdgroups=log-tools

# Verify
ipa sudorule-show myrule
  Sudo Allow Commands: /usr/bin/less
  Sudo Allow Command Groups: log-tools
  # Now shows both

Command Group Description Not Helpful

Symptom: Command group descriptions are unclear or missing, making management difficult.

Diagnosis: Descriptions not set or poorly written.

Resolution: Update descriptions to be clear and purposeful:

# Check current description
ipa sudocmdgroup-show tools
  Description: tools
  # Unhelpful

# Update with meaningful description
ipa sudocmdgroup-mod tools \
  --desc="System administration tools for junior admins - service management and log viewing only"

# Verify
ipa sudocmdgroup-show tools
  Description: System administration tools for junior admins -
               service management and log viewing only
  # Now clear what this group is for

Cannot Find Command Group in List

Symptom: Know command group exists but sudocmdgroup-find doesn’t return it.

Diagnosis: Search criteria may not match group name or description.

Resolution: List all groups or use exact name:

# Search by partial name
ipa sudocmdgroup-find admin
  # Returns groups with "admin" in name or description

# List all groups
ipa sudocmdgroup-find --all

# Show specific group by exact name
ipa sudocmdgroup-show admin-tools
  # Works if exact name known

Commands

sudocmdgroup-add

Usage: ipa [global-options] sudocmdgroup-add SUDOCMDGROUP-NAME [options]

Create new Sudo Command Group.

Arguments

ArgumentRequiredDescription
SUDOCMDGROUP-NAMEyesSudo Command Group

Options

OptionDescription
--desc DESCGroup description
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sudocmdgroup-add-member

Usage: ipa [global-options] sudocmdgroup-add-member SUDOCMDGROUP-NAME [options]

Add members to Sudo Command Group.

Arguments

ArgumentRequiredDescription
SUDOCMDGROUP-NAMEyesSudo Command Group

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--sudocmds SUDOCMDSsudo commands to add

sudocmdgroup-del

Usage: ipa [global-options] sudocmdgroup-del SUDOCMDGROUP-NAME [options]

Delete Sudo Command Group.

Arguments

ArgumentRequiredDescription
SUDOCMDGROUP-NAMEyesSudo Command Group

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

sudocmdgroup-find

Usage: ipa [global-options] sudocmdgroup-find [CRITERIA] [options]

Search for Sudo Command Groups.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--sudocmdgroup-name SUDOCMDGROUP-NAMESudo Command Group
--desc DESCGroup description
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“sudocmdgroup-name”)

sudocmdgroup-mod

Usage: ipa [global-options] sudocmdgroup-mod SUDOCMDGROUP-NAME [options]

Modify Sudo Command Group.

Arguments

ArgumentRequiredDescription
SUDOCMDGROUP-NAMEyesSudo Command Group

Options

OptionDescription
--desc DESCGroup description
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sudocmdgroup-remove-member

Usage: ipa [global-options] sudocmdgroup-remove-member SUDOCMDGROUP-NAME [options]

Remove members from Sudo Command Group.

Arguments

ArgumentRequiredDescription
SUDOCMDGROUP-NAMEyesSudo Command Group

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--sudocmds SUDOCMDSsudo commands to remove

sudocmdgroup-show

Usage: ipa [global-options] sudocmdgroup-show SUDOCMDGROUP-NAME [options]

Display Sudo Command Group.

Arguments

ArgumentRequiredDescription
SUDOCMDGROUP-NAMEyesSudo Command Group

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

Related Topics