Djerk Geurts via FreeIPA-users wrote:
> This is a topic that I've spent way too much time on recently. The reason is
> I'm trying to manage sudo rights for teams and the sudo ruleset is getting
> out of hand as no globs I've tried are working except for maybe an '*' in a
> pathname. I'm trying to keep things secure; I'd like to allow members of a
> certain group to manage the services they're responsible for. These are dev
> guys so there's a fair bit of management involved.
>
> Initially, I would create a rule for systemctl start, another for stop, etc.
> for status, reload and restart. Then I have to add the journalctl rules for
> seeing the current logs and the tail options for those.
>
> In trying to make things easier when adding rules, and knowing glob should be
> supported, I was hoping to simplify things to:
>
> /usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
> /usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])
>
> But alas, none of this is working. What does work is a long list of rules
> specific to each separate instantiated service, which is getting really
> tiresome and error-prone. Is there anything I can do to ease maintaining
> these rules, or do I give up and look at using Ansible to automate FreeIPA
> sudo rules?
It may very well depend on the version of sudo you have on the client(s) whether regular expressions are supported or not. IPA is only a container for the rules. It just passes them along to sudo. I'd suggest checking with the sudo team as well. There may also be distribution-based idiosyncrasies.

rob
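A small added emulation (not code from either poster or from FreeIPA/sudo) of how sudoers matches command arguments, so a rule can be checked before it is pushed into IPA: sudo joins the user's arguments with single spaces and, if the rule's argument string contains a wildcard, runs fnmatch(3) over the whole string, which is why the ksh-style `+(...)`, `@(...)` and `(a|b)` forms in the question never match; since sudo 1.9.10 an argument pattern wrapped in `^...$` is instead a POSIX extended regex. The rule strings and invocations below are constructed, and Python's `fnmatch`/`re` stand in for the C library calls, so corner cases may differ from a given client's sudo.

```python
import fnmatch
import re

def sudo_args_match(rule_args, actual_args):
    """Emulate sudoers argument matching for one rule against one invocation.
    rule_args: the argument part of a sudo rule, e.g. "start nodejs@[a-z]*".
    actual_args: the argv[1:] the user actually typed (list of strings)."""
    actual = " ".join(actual_args)          # sudo matches args as one string
    if rule_args.startswith("^") and rule_args.endswith("$"):
        # sudo >= 1.9.10 regex form (Python re used in place of POSIX ERE)
        return re.fullmatch(rule_args[1:-1], actual) is not None
    if any(c in rule_args for c in "*?["):
        # glob form: note that '*' and '?' also match spaces
        return fnmatch.fnmatchcase(actual, rule_args)
    return rule_args == actual               # no wildcard: exact match only

# Constructed candidate rules: the extglob form from the thread, a POSIX-glob
# rewrite, and an anchored regex (the last assumes sudo >= 1.9.10 on clients).
RULES = {
    "extglob": "start nodejs@+([a-zA-Z])",
    "glob":    "start nodejs@[a-zA-Z]*",
    "regex":   "^start nodejs@[a-zA-Z]+$",
}

# Constructed invocations: the intended one, and one that appends a second
# unit name after the permitted one.
INVOCATIONS = {
    "intended": ["start", "nodejs@api"],
    "extra":    ["start", "nodejs@api", "other@unit"],
}

def evaluate():
    """Return {rule_name: {invocation_name: matched}} for review."""
    return {name: {inv: sudo_args_match(pat, argv)
                   for inv, argv in INVOCATIONS.items()}
            for name, pat in RULES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:8s} {RULES[name]!r}: {result}")
```

The "glob" row shows the trade-off the sudoers manual warns about: a trailing `*` in the argument pattern also matches everything after the unit name, so the anchored regex (or one concrete rule per unit) is the least-privilege choice.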
