
Listing All Sudo Rules for a FreeIPA User

Tags: freeipa, how-to, rocky linux, security, sssd, sudo

Ahmer M.
Customer Support Engineer

Apr 14, 2025

Introduction

When a host is enrolled in FreeIPA and configured to source sudo rules through the System Security Services Daemon (SSSD), a user's effective sudo privileges can come from several places at once: rules applied directly to the user, and rules inherited from one or more group memberships. This article shows how to list every sudo rule that applies to a given user from a single command, instead of cross-referencing the FreeIPA web UI by hand.

Problem

Sudo rules can be applied directly to a user or through one or more group memberships in FreeIPA. There is no single ipa command that lists the complete, effective set of sudo rules for a user. Verifying a user's privileges through the FreeIPA web UI therefore requires a lot of clicking, cross-checking each group the user belongs to, and manual effort that is easy to get wrong.

Resolution

Use the sudo command's own listing mode, which queries SSSD (and therefore FreeIPA) for the effective rules. Run the following as root, or prefixed with sudo, because querying another user's privileges requires elevated access:

sudo -ll -U <username>
  • -l (lowercase L) lists allowed (and forbidden) commands.
  • A second -l (-ll) prints the rules in the longer, more readable format, including where each rule comes from.
  • -U <username> selects the target user to report on, rather than the user running the command.

For each matching rule, the output shows the source as an LDAP Role, confirming the rule was delivered from FreeIPA through SSSD:

LDAP Role: sudo_rule
    RunAsUsers: ALL
    RunAsGroups: ALL
    Options: !authenticate
    Commands:
        /bin/su
        /usr/bin/top
        /usr/bin/du
        /usr/bin/df

Each LDAP Role block is one FreeIPA sudo rule that applies to the user, whether it was assigned directly or inherited through a group. This gives you the complete, effective picture in one place.
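As an added example that is not part of the original article, the following POSIX shell script reduces the long-format output above to one line per rule and prints the names of rules worth reviewing first (password-less, unrestricted, or granting a shell through su). The sample output embedded in it is constructed for the demo; the user, host, rule names and commands are assumptions, not values from a real FreeIPA host.

```shell
#!/bin/sh
# Constructed sample of `sudo -ll -U alice` output; user, host, rule names
# and commands are made up for the demo, not captured from a real FreeIPA host.
SAMPLE='Matching Defaults entries for alice on host1:
    !visiblepw, env_reset

User alice may run the following commands on host1:

LDAP Role: sudo_rule
    RunAsUsers: ALL
    RunAsGroups: ALL
    Options: !authenticate
    Commands:
        /bin/su
        /usr/bin/top

LDAP Role: log_readers
    RunAsUsers: root
    Options: authenticate
    Commands:
        /usr/bin/journalctl'
# Reduce long-format sudo output (stdin) to one TSV line per rule:
# rule<TAB>RunAsUsers<TAB>Options<TAB>comma-separated commands.
summarize_rules() {
    awk '
        function flush() { if (rule != "") printf "%s\t%s\t%s\t%s\n", rule, runas, opts, cmds }
        /^(LDAP Role|Sudoers entry):/ {          # start of a new rule block
            flush(); rule = $0; sub(/^[^:]*: */, "", rule)
            runas = "-"; opts = "-"; cmds = ""; incmd = 0; next }
        /^[ \t]+RunAsUsers:/ { runas = $2; next }
        /^[ \t]+Options:/    { opts = $0; sub(/^[ \t]+Options: */, "", opts); next }
        /^[ \t]+Commands:/   { incmd = 1; next }
        incmd && /^[ \t]+[^ \t]/ { c = $0; sub(/^[ \t]+/, "", c)
                                   cmds = (cmds == "" ? c : (cmds "," c)); next }
        /^[^ \t]/ || /^$/    { incmd = 0 }      # unindented or blank line ends the list
        END { flush() }
    '
}
# Print the names of rules a reviewer should look at first: password-less
# (!authenticate), unrestricted (ALL) or granting a root shell via su.
flag_risky() {
    summarize_rules | awk -F'\t' '
        $3 ~ /!authenticate/ || $4 == "ALL" || $4 ~ /(^|,)\/bin\/su(,|$)/ { print $1 }'
}
# On a real host:  sudo -ll -U alice | summarize_rules
printf '%s\n' "$SAMPLE" | summarize_rules
printf '%s\n' "$SAMPLE" | flag_risky
```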

Root Cause

FreeIPA has no dedicated ipa subcommand that resolves and lists every sudo rule applied to a user, including rules inherited through group membership. The sudo -ll -U command fills this gap because it evaluates the rules exactly as they are enforced on the host.

Notes

  • The host must be enrolled in FreeIPA with SSSD configured to provide sudo rules (the sudo service enabled in SSSD and sudoers: sss present in /etc/nsswitch.conf). If sudo rules are not sourced from SSSD, only local /etc/sudoers rules appear.
  • SSSD caches sudo rules. If a rule was changed recently in FreeIPA and is not yet reflected, refresh the cache with sudo sss_cache -E (or restart sssd) and run the command again.