Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Freeipa sudorule all users mount -av

This rule demonstrates the user category "all", which, somewhat unintuitively, is set with the sudorule-mod command rather than with sudorule-add-user.

I want my users to be able to get to /mnt/public, and some systems (on wireless networks) wait for the user session to start before mounting /mnt/public. Sometimes the autofs daemon is misbehaving too, so /net/public (which mounts the same NFS export) isn't always available. Sometimes I just want to run sudo mount -av. If something shouldn't be mounted that way, use the noauto flag in /etc/fstab; I have decided that anything in /etc/fstab is allowed to be mounted by all users.

# create the rule and apply it to every enrolled host
ipa sudorule-add "all-users-mount-av"
ipa sudorule-add-host "all-users-mount-av" --hostcat="all"
# user category "all" is a sudorule-mod option, not sudorule-add-user
ipa sudorule-mod "all-users-mount-av" --usercat="all"
ipa sudorule-add-runasuser "all-users-mount-av" --users 'root'
# register the exact command line, then allow it in the rule
ipa sudocmd-add --desc="mount -av" "/usr/bin/mount -av"
ipa sudorule-add-allow-command "all-users-mount-av" --sudocmds "/usr/bin/mount -av"
# '!authenticate' shows up as NOPASSWD in sudo -l
ipa sudorule-add-option "all-users-mount-av" --sudooption '!authenticate'
ipa sudorule-mod "all-users-mount-av" --desc="all users may run mount -av on any system"

And now a random user can run the command I've been needing for months!

$ sudo -l -U user1
Matching Defaults entries for public on server8:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty,
    env_keep+="ftp_proxy http_proxy https_proxy no_proxy", env_keep+="FTP_PROXY HTTP_PROXY HTTPS_PROXY NO_PROXY",
    env_keep+="DEBUG DEBUG_LEVEL DRYRUN VERBOSE", env_keep+="DRYRUN VERBOSE", env_keep+="DRYRUN VERBOSE MYA_PREFIX
    DEBUG AUTOMOUNT_USER"

User user1 may run the following commands on server8:
(root) NOPASSWD: /usr/bin/mount -av

Hm, maybe I should clean up the duplicate DRYRUN, VERBOSE flags. Ah well, different problem for a different day.
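As an added example (not part of the original post), here is a small audit script that reads the sudo -l output shown above and reports two things: which commands the new rule lets a user run as root without a password (the effect of the '!authenticate' option), and which env_keep variables are listed more than once. The SAMPLE text is a constructed copy of the output quoted on this page; the function names are my own.

```python
import re
from collections import Counter
# Constructed sample: the "sudo -l -U user1" output quoted on this page.
SAMPLE = r"""Matching Defaults entries for public on server8:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty,
    env_keep+="ftp_proxy http_proxy https_proxy no_proxy", env_keep+="FTP_PROXY HTTP_PROXY HTTPS_PROXY NO_PROXY",
    env_keep+="DEBUG DEBUG_LEVEL DRYRUN VERBOSE", env_keep+="DRYRUN VERBOSE", env_keep+="DRYRUN VERBOSE MYA_PREFIX
    DEBUG AUTOMOUNT_USER"

User user1 may run the following commands on server8:
    (root) NOPASSWD: /usr/bin/mount -av
"""

# "(runas) TAG: TAG: command" is the form sudo -l prints for each rule.
CMD_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(text):
    """Split sudo -l output into one Defaults string (wrapped lines re-joined) and the command lines."""
    defaults, commands, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults"):
            section = "defaults"
        elif re.match(r"User \S+ may run", line):
            section = "commands"
        elif line.strip():
            (defaults if section == "defaults" else commands).append(line.strip())
    return " ".join(defaults), commands

def duplicate_env_keep(defaults_blob):
    """Variables listed more than once across env_keep+= clauses (the cleanup the post mentions)."""
    names = [v for grp in re.findall(r'env_keep\+="([^"]*)"', defaults_blob) for v in grp.split()]
    return sorted(v for v, n in Counter(names).items() if n > 1)

def nopasswd_root_commands(command_lines):
    """Commands runnable as root without a password: what the '!authenticate' sudo option grants."""
    found = []
    for line in command_lines:
        m = CMD_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()  # "(root)" or "(root : root)"
        tags = m.group("tags").replace(":", " ").split()
        if runas_user in ("root", "ALL") and "NOPASSWD" in tags:
            found.append(m.group("cmd").strip())
    return found

def audit(text):
    defaults_blob, command_lines = parse_sudo_l(text)
    return {"nopasswd_root": nopasswd_root_commands(command_lines), "duplicate_env_keep": duplicate_env_keep(defaults_blob)}
```

Running audit(SAMPLE) lists /usr/bin/mount -av as the one passwordless root command and reports DEBUG as well as DRYRUN and VERBOSE as duplicated env_keep entries.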
