From 372ccffe5bd1a9f44e18ae796b6f10b9ba5e95c8 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Fri, 14 Oct 2022 17:54:43 +0000
Subject: T4533: Allow basic permissions to unprivileged RADIUS users

Unprivileged RADIUS users cannot do simple diagnostics like ping
or traceroute. Allow them such tools.
This gives them the ability to execute op-mode commands.
It is not a new 'operator mode' feature, but it allows RADIUS users
to execute op-mode commands.
---
 src/etc/sudoers.d/vyos | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/etc')

diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index f760b417f..e0fd8cb0b 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
@@ -40,10 +40,13 @@ Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
 Cmnd_Alias HWINFO   = /usr/bin/lspci
 Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
                            /usr/share/heartbeat/hb_standby
+Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
+                         /bin/ip vrf exec * /bin/traceroute *, \
+                         /usr/libexec/vyos/op_mode/*
 %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
 			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                         DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
-                        FORCE_CLUSTER
+                        FORCE_CLUSTER, DIAGNOSTICS
 
 # Allow any user to run files in sudo-users
 %users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
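Review bot: The two `/bin/ip vrf exec * /bin/ping *` and `/bin/ip vrf exec * /bin/traceroute *` entries in `DIAGNOSTICS` do not pin the program that runs as root, because sudoers matches command-line arguments as one concatenated string and `*` matches across word boundaries (the sudoers manual warns about this), so the first `*` is not limited to a VRF name. The third entry, `/usr/libexec/vyos/op_mode/*`, grants every script in that directory with any arguments, which is presumably broader than the "ping or traceroute" the description mentions; the directory's contents are not visible in this hunk. I would drop the argument wildcards, route ping/traceroute through a wrapper that validates the VRF name and target itself, and list the permitted op-mode scripts one by one, e.g. `Cmnd_Alias DIAGNOSTICS = /usr/libexec/vyos/op_mode/<SCRIPT_1>, /usr/libexec/vyos/op_mode/<SCRIPT_2>` (placeholders for the scripts operators actually need). A comment above the alias such as `# sudoers '*' in arguments spans spaces; do not use argument wildcards here` would keep later edits from reintroducing the pattern.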
-- 
cgit v1.2.3