1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
#
# VyOS modifications to sudo configuration
#
Defaults syslog_goodpri=info
Defaults env_keep+=VYATTA_*
#
# Command groups allowed for operator users
#
Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
/sbin/iptables -L -vn,\
/sbin/iptables -L * -vn,\
/sbin/iptables -t * -L *, \
/sbin/iptables -Z *,\
/sbin/iptables -Z -t nat, \
/sbin/iptables -t * -Z *
Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
/sbin/ip6tables -t * -L *
Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
/usr/sbin/conntrack -G *, \
/usr/sbin/conntrack -E *
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
/sbin/ip route flush cache *,\
/sbin/ip neigh flush to *, \
/sbin/ip neigh flush dev *, \
/sbin/ip -f inet6 route flush cache, \
/sbin/ip -f inet6 route flush cache *,\
/sbin/ip -f inet6 neigh flush to *, \
/sbin/ip -f inet6 neigh flush dev *
Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
/sbin/ethtool -S *, \
/sbin/ethtool -a *, \
/sbin/ethtool -c *, \
/sbin/ethtool -i *
Cmnd_Alias DMIDECODE = /usr/sbin/dmidecode
Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
Cmnd_Alias HWINFO = /usr/bin/lspci
Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
/usr/share/heartbeat/hb_standby
Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *, \
/bin/ip vrf exec * /bin/traceroute *, \
/bin/ip vrf exec * /usr/bin/mtr *, \
/usr/libexec/vyos/op_mode/*
Cmnd_Alias KEA_IP6_ROUTES = /sbin/ip -6 route replace *,\
/sbin/ip -6 route del *
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
DMIDECODE, DISK, CONNTRACK, IP6TABLES, \
FORCE_CLUSTER, DIAGNOSTICS
# Allow any user to run files in sudo-users
%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
# Allow members of group sudo to execute any command
%sudo ALL=NOPASSWD: ALL
_kea ALL=NOPASSWD: KEA_IP6_ROUTES
|