Sudo Command Groups
Manage groups of sudo commands for simplified sudo policy management. Command groups enable collective assignment of multiple commands to sudo rules, reducing administrative overhead. Features include command addition and removal, nested command group membership, and centralized management of related command access policies.
Overview
Sudo command groups aggregate multiple sudo commands into named collections for simplified sudo policy management. Instead of adding dozens of individual commands to sudo rules, administrators create command groups organizing related commands by function (service management, log viewing, package installation), then assign entire groups to sudo rules in a single operation.
Command groups provide several management advantages:
Centralized command management: Update command access by modifying the group membership, not individual sudo rules. Adding a new diagnostic command to the “network-tools” group immediately grants that command to all sudo rules referencing the group.
Consistent policy application: Ensure users with similar job functions receive identical command access by using shared command groups. All helpdesk staff get the “helpdesk-tools” group, ensuring consistent capabilities.
Reduced administrative overhead: Managing 5 command groups is easier than managing 50 individual command-to-rule assignments. Command groups scale better as infrastructure grows.
Logical command organization: Group commands by functional area (database-admin, service-management, security-tools) rather than managing unstructured command lists.
Command Group Membership
Command groups contain sudo commands (individual executables) as members. A group can contain any number of commands:
network-tools group:
- /usr/bin/ping
- /usr/bin/traceroute
- /usr/bin/mtr
- /usr/sbin/tcpdump
- /usr/sbin/ip
Commands can belong to multiple groups simultaneously. The /usr/bin/systemctl command might be a member of both “service-management” and “application-admin” groups if both use cases exist.
Integration with Sudo Rules
Sudo rules reference command groups to grant access:
- Create command group: Define the group and add member commands
- Create sudo rule: Create rule specifying users, hosts, and run-as users
- Add command group to rule: Assign the entire command group to the sudo rule
- Activate rule: Enable the sudo rule for enforcement
When a sudo rule includes a command group, users covered by the rule can execute all commands in the group (subject to argument restrictions configured in the sudo rule itself).
Command vs Command Group in Rules
Sudo rules can reference both individual commands and command groups:
- Individual commands: Direct command assignment for one-off cases
- Command groups: Group assignment for collections of related commands
Most policies use command groups for maintainability, reserving individual command assignments for exceptions.
Manage groups of Sudo Commands.
EXAMPLES
Add a new Sudo Command Group:
ipa sudocmdgroup-add --desc='administrators commands' admincmdsRemove a Sudo Command Group:
ipa sudocmdgroup-del admincmdsManage Sudo Command Group membership, commands:
ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmdsManage Sudo Command Group membership, commands:
ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmdsShow a Sudo Command Group:
ipa sudocmdgroup-show admincmds
Use Cases
Creating Log Viewing Command Group
Helpdesk teams need safe log viewing capabilities without dangerous editor access. Group safe log commands together.
# Create log viewing command group
ipa sudocmdgroup-add log-viewers \
--desc="Safe log file viewing commands"
# Add safe viewing commands
ipa sudocmdgroup-add-member log-viewers \
--sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/head,/usr/bin/grep,/usr/bin/cat
# Verify group membership
ipa sudocmdgroup-show log-viewers
Sudo Command Group: log-viewers
Description: Safe log file viewing commands
Member commands: /usr/bin/less, /usr/bin/tail, /usr/bin/head,
/usr/bin/grep, /usr/bin/cat
# Create sudo rule using command group
ipa sudorule-add helpdesk-logs --desc="Helpdesk log viewing access"
ipa sudorule-add-allow-command helpdesk-logs --sudocmdgroups=log-viewers
ipa sudorule-add-user helpdesk-logs --groups=helpdesk-team
ipa sudorule-mod helpdesk-logs --hostcat=all
Service Management Command Group
DevOps teams need service restart capabilities. Create command group for systemctl operations.
# Create service management command group
ipa sudocmdgroup-add service-management \
--desc="Service start, stop, restart, and status operations"
# Add systemctl and legacy service commands
ipa sudocmdgroup-add-member service-management \
--sudocmds=/usr/bin/systemctl,/usr/sbin/service
# Add to DevOps sudo rule
ipa sudorule-add devops-services --desc="DevOps service management"
ipa sudorule-add-allow-command devops-services \
--sudocmdgroups=service-management
ipa sudorule-add-user devops-services --groups=devops-team
ipa sudorule-add-host devops-services --hostgroups=application-servers
# DevOps can restart services
# Example: sudo systemctl restart nginx
Network Diagnostics Command Group
Network operations center needs comprehensive diagnostic tools. Group all network commands together.
# Create network diagnostics group
ipa sudocmdgroup-add network-diagnostics \
--desc="Network troubleshooting and diagnostic tools"
# Add network diagnostic commands
ipa sudocmdgroup-add-member network-diagnostics \
--sudocmds=/usr/bin/ping \
--sudocmds=/usr/bin/traceroute \
--sudocmds=/usr/bin/mtr \
--sudocmds=/usr/sbin/tcpdump \
--sudocmds=/usr/sbin/ip \
--sudocmds=/usr/bin/netstat \
--sudocmds=/usr/bin/ss
# Create NOC sudo rule
ipa sudorule-add noc-diagnostics --desc="NOC network diagnostics"
ipa sudorule-add-allow-command noc-diagnostics \
--sudocmdgroups=network-diagnostics
ipa sudorule-add-user noc-diagnostics --groups=noc-team
ipa sudorule-mod noc-diagnostics --hostcat=all
Package Management Command Group
System administrators need package installation capabilities. Group package manager commands.
# Create package management group
ipa sudocmdgroup-add package-management \
--desc="Package installation, update, and removal"
# Add package manager commands
ipa sudocmdgroup-add-member package-management \
--sudocmds=/usr/bin/dnf,/usr/bin/rpm,/usr/bin/yum
# Create admin sudo rule
ipa sudorule-add admin-packages --desc="Administrator package management"
ipa sudorule-add-allow-command admin-packages \
--sudocmdgroups=package-management
ipa sudorule-add-user admin-packages --groups=sysadmin-team
ipa sudorule-mod admin-packages --hostcat=all
Removing Command from Group
Update command group membership when commands are deprecated or access should be restricted.
# Show current group membership
ipa sudocmdgroup-show admin-tools
Member commands: /usr/bin/vim, /usr/bin/nano, /usr/bin/less
# Remove text editor (security concern - shell escape)
ipa sudocmdgroup-remove-member admin-tools --sudocmds=/usr/bin/vim
# Verify removal
ipa sudocmdgroup-show admin-tools
Member commands: /usr/bin/nano, /usr/bin/less
# vim no longer accessible via rules using admin-tools group
# Must revoke from all rules at once by group modification
Database Administration Command Group
DBA team needs database-specific tools. Group database commands separately from general admin tools.
# Create database admin command group
ipa sudocmdgroup-add database-admin \
--desc="Database administration and backup tools"
# Add database commands
ipa sudocmdgroup-add-member database-admin \
--sudocmds=/usr/bin/pg_dump \
--sudocmds=/usr/bin/pg_restore \
--sudocmds=/usr/bin/psql \
--sudocmds=/usr/bin/mysql \
--sudocmds=/usr/bin/mysqldump
# Create DBA sudo rule
ipa sudorule-add dba-operations --desc="DBA database management"
ipa sudorule-add-allow-command dba-operations \
--sudocmdgroups=database-admin
ipa sudorule-add-user dba-operations --groups=dba-team
ipa sudorule-add-host dba-operations --hostgroups=database-servers
Auditing Command Group Usage
Identify which sudo rules use specific command groups for impact analysis before changes.
# Show command group details
ipa sudocmdgroup-show service-management --all
Member commands: /usr/bin/systemctl, /usr/sbin/service
Member of Sudo rules: devops-services, admin-full-access
# Modifying service-management group affects both rules
# Impact: devops-services and admin-full-access users
# List all command groups for inventory
ipa sudocmdgroup-find --all
# Review all defined command groups
# Generate audit report
for group in $(ipa sudocmdgroup-find --pkey-only | grep "Sudo Command Group" | awk '{print $4}'); do
echo "=== $group ==="
ipa sudocmdgroup-show "$group" --all
echo ""
done > command-group-audit.txt
Hierarchical Command Groups by Risk Level
Organize commands by risk level for tiered access control.
# Low-risk read-only commands
ipa sudocmdgroup-add low-risk-commands \
--desc="Read-only, low-risk diagnostic commands"
ipa sudocmdgroup-add-member low-risk-commands \
--sudocmds=/usr/bin/cat,/usr/bin/less,/usr/bin/grep,/usr/bin/tail
# Medium-risk service control
ipa sudocmdgroup-add medium-risk-commands \
--desc="Service management and configuration viewing"
ipa sudocmdgroup-add-member medium-risk-commands \
--sudocmds=/usr/bin/systemctl,/usr/sbin/service
# High-risk system modification
ipa sudocmdgroup-add high-risk-commands \
--desc="System-level modifications and dangerous operations"
ipa sudocmdgroup-add-member high-risk-commands \
--sudocmds=/usr/bin/dnf,/usr/sbin/shutdown,/usr/sbin/reboot
# Assign to different user groups based on trust level
ipa sudorule-add tier1-access
ipa sudorule-add-allow-command tier1-access --sudocmdgroups=low-risk-commands
ipa sudorule-add-user tier1-access --groups=tier1-staff
ipa sudorule-add tier2-access
ipa sudorule-add-allow-command tier2-access \
--sudocmdgroups=low-risk-commands,medium-risk-commands
ipa sudorule-add-user tier2-access --groups=tier2-staff
ipa sudorule-add tier3-access
ipa sudorule-add-allow-command tier3-access \
--sudocmdgroups=low-risk-commands,medium-risk-commands,high-risk-commands
ipa sudorule-add-user tier3-access --groups=tier3-staff
Migrating Individual Commands to Command Groups
Convert existing sudo rules using individual commands to use command groups for better management.
# Existing sudo rule uses individual commands
ipa sudorule-show old-rule
Sudo Allow Commands: /usr/bin/less, /usr/bin/tail, /usr/bin/grep
# Create equivalent command group
ipa sudocmdgroup-add log-tools
ipa sudocmdgroup-add-member log-tools \
--sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/grep
# Add command group to rule
ipa sudorule-add-allow-command old-rule --sudocmdgroups=log-tools
# Remove individual command assignments
ipa sudorule-remove-allow-command old-rule \
--sudocmds=/usr/bin/less,/usr/bin/tail,/usr/bin/grep
# Now managed via command group for easier future updates
Temporary Command Addition for Emergency Access
Add emergency commands to existing group during incidents, then remove after resolution.
# During incident, need to grant reboot capability
ipa sudocmdgroup-add-member emergency-tools \
--sudocmds=/usr/sbin/reboot
# Emergency responders can now reboot systems
# Incident resolved
# Remove emergency command from group
ipa sudocmdgroup-remove-member emergency-tools \
--sudocmds=/usr/sbin/reboot
# Reboot capability revoked from all rules using emergency-tools group
Security Considerations
Command groups amplify security impact: Adding a dangerous command to a group immediately grants that command to all sudo rules referencing the group. A single command addition to a widely-used group can inadvertently grant excessive privileges to many users.
Group membership changes lack approval workflow: Unlike adding commands directly to sudo rules (which might have review processes), command group modifications often bypass approvals. This creates risk of unauthorized privilege grants through backdoor command additions.
Shared command groups reduce isolation: Multiple teams using the same command group means privilege changes affect all teams simultaneously. Adding a risky command for Team A also grants it to Teams B and C if they share a group. Use team-specific groups for better isolation.
Command group deletion doesn’t revoke rule permissions immediately: Deleting a command group doesn’t necessarily revoke commands from sudo rules until sudo configuration refreshes on clients. There’s a window where deleted groups’ commands remain accessible.
Overly broad “admin” groups grant excessive privileges: Generic command groups like “admin-tools” or “all-commands” often accumulate dangerous commands over time, granting far more access than needed. Create focused, purpose-specific command groups instead.
No command group nesting: Command groups cannot contain other command groups (flat hierarchy only). This prevents building hierarchical privilege structures and requires duplicating commands across groups, increasing management complexity and error risk.
Wildcard commands in groups multiply risk: Adding wildcard commands (e.g., /usr/bin/*) to command groups grants extremely broad access to all rules using that group. A single wildcard can transform a focused command group into an unrestricted privilege grant.
Group name changes break sudo rules: Renaming command groups breaks sudo rule references to the old group name until rules are updated. During transition, users lose access unexpectedly. Command group names should be treated as immutable.
Command group member enumeration aids attack planning: Attackers with read access can enumerate command group membership to understand available privilege escalation paths. Knowing “admin-tools” contains /usr/bin/vim guides attackers toward editor-based shell escapes.
No audit trail for command group modifications: While sudo rule changes may be audited, command group membership modifications (adding/removing commands) often lack detailed audit trails. Unauthorized additions may go undetected until exploitation occurs.
Troubleshooting
Cannot Delete Command Group: In Use by Sudo Rules
Symptom: ipa sudocmdgroup-del fails with error indicating group is used by sudo rules.
Diagnosis: Command group is referenced by one or more active sudo rules.
Resolution: Remove group from sudo rules before deletion:
# Find which rules use the group
ipa sudorule-find --sudocmdgroups=old-group
Sudo Rule name: devops-services
Sudo Rule name: admin-access
# Remove group from each rule
ipa sudorule-remove-allow-command devops-services \
--sudocmdgroups=old-group
ipa sudorule-remove-allow-command admin-access \
--sudocmdgroups=old-group
# Now delete the group
ipa sudocmdgroup-del old-group
Command Group Membership Not Updating in Sudo
Symptom: Added command to command group but users cannot execute it via sudo.
Diagnosis: SSSD sudo cache not refreshed on clients.
Resolution: Force SSSD cache refresh on affected systems:
# Add command to group
ipa sudocmdgroup-add-member admin-tools --sudocmds=/usr/bin/newcommand
# On client systems, clear sudo cache
sss_cache -E
# Restart SSSD if cache clear insufficient
systemctl restart sssd
# Test sudo access
sudo -l -U alice
# Should now show newcommand
Cannot Add Command: Command Does Not Exist
Symptom: ipa sudocmdgroup-add-member fails with “command not found” error.
Diagnosis: Command must be defined in IPA before adding to group.
Resolution: Create sudo command first, then add to group:
# Attempt to add undefined command fails
ipa sudocmdgroup-add-member tools --sudocmds=/usr/bin/newcmd
ipa: ERROR: /usr/bin/newcmd: command not found
# Create command first
ipa sudocmd-add /usr/bin/newcmd --desc="New command for tools group"
# Now add to group
ipa sudocmdgroup-add-member tools --sudocmds=/usr/bin/newcmd
# Success
Command Shows in Group But Not in Sudo Rule
Symptom: Command appears in command group membership but users cannot execute it.
Diagnosis: Sudo rule may not be enabled, user not in rule, or host not included.
Resolution: Verify complete sudo rule configuration:
# Verify command in group
ipa sudocmdgroup-show tools
Member commands: /usr/bin/testcmd
# Verify group in sudo rule
ipa sudorule-show admin-rule
Sudo Allow Command Groups: tools
# Verify rule is enabled
ipa sudorule-show admin-rule | grep Enabled
Enabled: TRUE
# Verify user in rule
ipa sudorule-show admin-rule | grep -i user
Users: alice
# Verify host in rule
ipa sudorule-show admin-rule | grep -i host
Hosts: server01.example.com
# If all correct, force client sudo cache refresh
ssh server01.example.com
sss_cache -E
Duplicate Commands in Multiple Groups
Symptom: Same command appears in multiple command groups, creating confusion about which group grants access.
Diagnosis: Commands can belong to multiple groups; this may be intentional or oversight.
Resolution: Review and consolidate if needed:
# Find all groups containing a command
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
Member of Sudo Command Groups: service-mgmt, admin-tools, devops-commands
# Decide which groups should contain the command
# Remove from unnecessary groups
ipa sudocmdgroup-remove-member admin-tools --sudocmds=/usr/bin/systemctl
# Verify cleanup
ipa sudocmd-show /usr/bin/systemctl --all | grep "Member of"
Member of Sudo Command Groups: service-mgmt, devops-commands
Command Group Modification Not Affecting Expected Rules
Symptom: Modified command group but sudo rules using it don’t reflect changes.
Diagnosis: May be looking at wrong command group, or rules reference group by old name.
Resolution: Verify which groups rules actually reference:
# Show sudo rule command groups
ipa sudorule-show admin-rule
Sudo Allow Command Groups: admin-commands
# Verify this matches modified group
ipa sudocmdgroup-show admin-commands
# Confirm this is the group you modified
# If rule references different group, add correct group
ipa sudorule-add-allow-command admin-rule --sudocmdgroups=correct-group
Cannot Remove All Commands from Group
Symptom: Want to empty command group but removal fails.
Diagnosis: Command group membership can be empty; check if removal syntax correct.
Resolution: Remove commands one by one or in batch:
# Show current members
ipa sudocmdgroup-show temp-group
Member commands: /usr/bin/cmd1, /usr/bin/cmd2, /usr/bin/cmd3
# Remove all members
ipa sudocmdgroup-remove-member temp-group \
--sudocmds=/usr/bin/cmd1,/usr/bin/cmd2,/usr/bin/cmd3
# Verify empty
ipa sudocmdgroup-show temp-group
Member commands:
# Group exists but has no members
Command Group Name Collision
Symptom: Cannot create command group because name already exists.
Diagnosis: Command group with that name already defined.
Resolution: Use different name or modify existing group:
# Attempt to create fails
ipa sudocmdgroup-add admin-tools
ipa: ERROR: admin-tools: command group already exists
# Check existing group
ipa sudocmdgroup-show admin-tools
# Review existing group
# Option 1: Use different name
ipa sudocmdgroup-add admin-tools-v2
# Option 2: Modify existing group
ipa sudocmdgroup-mod admin-tools --desc="Updated description"
ipa sudocmdgroup-add-member admin-tools --sudocmds=/usr/bin/newcmd
Sudo Rule Shows No Command Groups
Symptom: Added command group to sudo rule but rule shows no command groups.
Diagnosis: Wrong command type added (might have added individual command instead of group).
Resolution: Verify command group vs individual command assignment:
# Show rule
ipa sudorule-show myrule
Sudo Allow Commands: /usr/bin/less
# Individual command, not command group
# Add command group
ipa sudorule-add-allow-command myrule --sudocmdgroups=log-tools
# Verify
ipa sudorule-show myrule
Sudo Allow Commands: /usr/bin/less
Sudo Allow Command Groups: log-tools
# Now shows both
Command Group Description Not Helpful
Symptom: Command group descriptions are unclear or missing, making management difficult.
Diagnosis: Descriptions not set or poorly written.
Resolution: Update descriptions to be clear and purposeful:
# Check current description
ipa sudocmdgroup-show tools
Description: tools
# Unhelpful
# Update with meaningful description
ipa sudocmdgroup-mod tools \
--desc="System administration tools for junior admins - service management and log viewing only"
# Verify
ipa sudocmdgroup-show tools
Description: System administration tools for junior admins -
service management and log viewing only
# Now clear what this group is for
Cannot Find Command Group in List
Symptom: Know command group exists but sudocmdgroup-find doesn’t return it.
Diagnosis: Search criteria may not match group name or description.
Resolution: List all groups or use exact name:
# Search by partial name
ipa sudocmdgroup-find admin
# Returns groups with "admin" in name or description
# List all groups
ipa sudocmdgroup-find --all
# Show specific group by exact name
ipa sudocmdgroup-show admin-tools
# Works if exact name known
Commands
sudocmdgroup-add
Usage:
ipa [global-options] sudocmdgroup-add SUDOCMDGROUP-NAME [options]
Create new Sudo Command Group.
Arguments
| Argument | Required | Description |
|---|---|---|
SUDOCMDGROUP-NAME | yes | Sudo Command Group |
Options
| Option | Description |
|---|---|
--desc DESC | Group description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
sudocmdgroup-add-member
Usage:
ipa [global-options] sudocmdgroup-add-member SUDOCMDGROUP-NAME [options]
Add members to Sudo Command Group.
Arguments
| Argument | Required | Description |
|---|---|---|
SUDOCMDGROUP-NAME | yes | Sudo Command Group |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--sudocmds SUDOCMDS | sudo commands to add |
sudocmdgroup-del
Usage:
ipa [global-options] sudocmdgroup-del SUDOCMDGROUP-NAME [options]
Delete Sudo Command Group.
Arguments
| Argument | Required | Description |
|---|---|---|
SUDOCMDGROUP-NAME | yes | Sudo Command Group |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
sudocmdgroup-find
Usage: ipa [global-options] sudocmdgroup-find [CRITERIA] [options]
Search for Sudo Command Groups.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--sudocmdgroup-name SUDOCMDGROUP-NAME | Sudo Command Group |
--desc DESC | Group description |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“sudocmdgroup-name”) |
sudocmdgroup-mod
Usage:
ipa [global-options] sudocmdgroup-mod SUDOCMDGROUP-NAME [options]
Modify Sudo Command Group.
Arguments
| Argument | Required | Description |
|---|---|---|
SUDOCMDGROUP-NAME | yes | Sudo Command Group |
Options
| Option | Description |
|---|---|
--desc DESC | Group description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
sudocmdgroup-remove-member
Usage:
ipa [global-options] sudocmdgroup-remove-member SUDOCMDGROUP-NAME [options]
Remove members from Sudo Command Group.
Arguments
| Argument | Required | Description |
|---|---|---|
SUDOCMDGROUP-NAME | yes | Sudo Command Group |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--sudocmds SUDOCMDS | sudo commands to remove |
sudocmdgroup-show
Usage:
ipa [global-options] sudocmdgroup-show SUDOCMDGROUP-NAME [options]
Display Sudo Command Group.
Arguments
| Argument | Required | Description |
|---|---|---|
SUDOCMDGROUP-NAME | yes | Sudo Command Group |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |