目前,当我想授予某组用户访问权限以编辑文件时,我按照以下步骤进行操作:
ipa sudocmd-add --desc=Vi IMproved default-mode, no-exec, no-suspend mode' '/usr/bin/rvim' ipa sudocmdgroup-add edition --desc='commands for restricted edition' ipa sudocmdgroup-add-member edition --sudocmds=/usr/bin/rvim ipa sudorule-add edition-4-operators --desc='Operator access to restricted edition commands' ipa sudorule-add-allow-command edition-4-operators --sudocmdgroups=edition 然后是与HBAC,SELinux等相关的其他选项
我想在我的freeIPA服务器的所有sudorule中用内置的sudoedit(8)replace/usr/bin/rvim 。
我需要像往常一样将sudoedit声明为sudocmd吗? 我可以直接将sudoedit添加到sudocmdgroup而sudocmd先前将其声明为sudocmd ?
这是做到这一点的方法(实际上是一个实际的例子):
# ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables' -------------------------------------------------------------- Added Sudo Command "sudoedit /etc/sysconfig/iptables" -------------------------------------------------------------- Sudo Command: sudoedit /etc/sysconfig/iptables Description: sudoedit configuration file of IPv4 packet filtering and NAT # ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables' Sudo Command Group: networking Description: commands for network configuration and troubleshooting Member Sudo commands: sudoedit /etc/sysconfig/iptables ------------------------- Number of members added 1 -------------------------
被sudoedit sudo builtin
# ls -lrt /usr/bin/sudoedit lrwxrwxrwx. 1 root root 4 Apr 8 09:00 /usr/bin/sudoedit -> sudo*
尝试使用/usr/bin/sudoedit添加sudorule将会失败,并显示以下错误:
$ sudo -e /etc/sysconfig/iptables Sorry, user joe is not allowed to execute 'sudoedit /etc/sysconfig/iptables' as root on host.domain.com.
适用于sudo -e和sudoedit 。