This is a topic that I've spent way too much time on recently. The reason is 
I'm trying to manage sudo rights for teams and the sudo ruleset is getting out 
of hand as no globs I've tried are working except for maybe an '*' in a 
pathname. I'm trying to keep things secure. I'd like to allow members of a 
certain group to manage the services they're responsible for. These are dev 
guys so there's a fair bit of management involved.

Initially, I would create a rule for systemctl start, another for stop, etc. for 
status, reload and restart. Then I have to add the journalctl rules for seeing 
the current logs and the tail options for those.

In trying to make things easier when adding rules, and knowing glob should be 
supported, I was hoping to simplify things to:

/usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
/usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])

But alas, none of this is working. What does work is a long list of rules 
specific to each separate instantiated service, which is getting really 
tiresome and error-prone. Is there anything I can do to ease maintaining these 
rules, or do I give up and look at using Ansible to automate FreeIPA sudo rules?
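
Added example, not part of the original post: sudo's wildcards are the shell-style set handled by fnmatch(3)/glob(3) (`*`, `?`, `[...]`), so the extglob `+(...)`/`@(...)` and `(a|b)` forms above are compared as literal characters. The Python sketch below expands the verb and instance list into explicit command strings and checks them with an approximate matcher; the matcher (Python's `fnmatch`, arguments treated as one string), the instance names `api` and `worker`, and `other.service` are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

SYSTEMCTL = "/usr/bin/systemctl"
JOURNALCTL = "/usr/bin/journalctl"
VERBS = ("start", "stop", "status", "reload", "restart")


def expand_rules(instances, template="nodejs@{}"):
    """Return one literal sudo command string per verb and instance."""
    rules = []
    for inst in instances:
        # Same character set the post aimed for with [a-zA-Z]; anything else
        # (spaces, wildcards, other unit names) is refused, not escaped.
        if not (inst.isascii() and inst.isalpha()):
            raise ValueError(f"refusing instance name {inst!r}")
        unit = template.format(inst)
        rules.extend(f"{SYSTEMCTL} {verb} {unit}" for verb in VERBS)
        rules.append(f"{JOURNALCTL} --unit {unit}")
    return rules


def sudo_like_match(rule, command):
    """Approximation of sudo matching (assumption, not sudo's own code):
    literal path compare, then the arguments as ONE string through fnmatch."""
    rule_path, has_args, rule_args = rule.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if rule_path != cmd_path:
        return False
    # A rule without arguments permits any arguments.
    return True if not has_args else fnmatchcase(cmd_args, rule_args)


def allowed(command, rules):
    """True if any rule in the list matches the full command string."""
    return any(sudo_like_match(rule, command) for rule in rules)


if __name__ == "__main__":
    wanted = f"{SYSTEMCTL} start nodejs@api"
    extra = f"{SYSTEMCTL} start nodejs@api other.service"  # constructed
    candidates = {
        "extglob from the post": [f"{SYSTEMCTL} start nodejs@+([a-zA-Z])"],
        "plain wildcard": [f"{SYSTEMCTL} start nodejs@*"],
        "expanded list": expand_rules(["api", "worker"]),  # constructed names
    }
    for name, rules in candidates.items():
        print(f"{name:22} wanted={allowed(wanted, rules)} extra={allowed(extra, rules)}")
```

The plain `*` rule also accepts the command with a second unit appended, because the wildcard matches across the space between arguments; the expanded list accepts only the exact commands it contains.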