path: root/src/etc/sudoers.d/vyos
blob: 67d7babc44de9db95936f901511ec8c8f0b8c2ad (plain)
#
# VyOS modifications to sudo configuration
#
# Log successful sudo invocations to syslog at priority "info".
Defaults syslog_goodpri=info
# Keep every caller-supplied environment variable matching VYATTA_* when a
# command is run through sudo. The values reach the privileged process
# unsanitised, so programs started via sudo must treat VYATTA_* as untrusted
# input (never as a path, command or file name without validation).
Defaults env_keep+=VYATTA_*

#
# Command groups allowed for operator users
#
# NOTE(review): sudoers matches command-line arguments as one concatenated
# string and "*" also matches spaces. A pattern such as "-t * -L *" therefore
# accepts extra options around the fixed words; it does not limit the caller
# to a single table or chain name. Read these aliases as broader than they
# look, and prefer fixed argument lists or a validating wrapper where the
# intent is "list only".
#
# IPv4 packet filter: list rules (-L / --list) and zero counters (-Z).
Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
		      /sbin/iptables -L -vn,\
                      /sbin/iptables -L * -vn,\
		      /sbin/iptables -t * -L *, \
                      /sbin/iptables -Z *,\
		      /sbin/iptables -Z -t nat, \
                      /sbin/iptables -t * -Z *
# IPv6 packet filter: zero counters and list rules, per table.
Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
                       /sbin/ip6tables -t * -L *
# Connection tracking: list (-L), get (-G) and event monitoring (-E).
Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
                       /usr/sbin/conntrack -G *, \
		       /usr/sbin/conntrack -E *
# Flush the route cache and neighbour entries, for IPv4 and IPv6.
# The trailing "*" leaves the remaining arguments unconstrained.
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
		     /sbin/ip route flush cache *,\
		     /sbin/ip neigh flush to *, \
		     /sbin/ip neigh flush dev *, \
                     /sbin/ip -f inet6 route flush cache, \
		     /sbin/ip -f inet6 route flush cache *,\
		     /sbin/ip -f inet6 neigh flush to *, \
		     /sbin/ip -f inet6 neigh flush dev *
# Interface queries via ethtool: -p identify, -S statistics, -a pause
# parameters, -c coalescing, -i driver information.
Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
                     /sbin/ethtool -S *, \
                     /sbin/ethtool -a *, \
                     /sbin/ethtool -c *, \
                     /sbin/ethtool -i *
# The aliases below (except the fdisk/sfdisk entries) name a binary with no
# argument list. In sudoers that means the command may be run with ANY
# arguments, not only its default invocation.
# NOTE(review): several of these programs accept options that read or write
# files chosen by the caller or start helper programs (notably the packet
# capture and PPP tools), and DATE allows setting the system clock, which
# affects log timestamps and certificate validation. Unless arguments are
# pinned, a group granted these aliases should be regarded as root-equivalent.
Cmnd_Alias DMIDECODE = /usr/sbin/dmidecode
Cmnd_Alias DISK    = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
Cmnd_Alias DATE    = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
Cmnd_Alias HWINFO   = /usr/bin/lspci
# Heartbeat cluster takeover / standby helpers.
Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
                           /usr/share/heartbeat/hb_standby
# Diagnostics: ping, traceroute and mtr run inside a VRF, plus every file
# directly under /usr/libexec/vyos/op_mode/ with any arguments (a wildcard in
# the path does not match "/", so subdirectories are not covered).
# NOTE(review): the "*" standing for the VRF name matches spaces as well, so
# these patterns do not by themselves pin which program "ip vrf exec" ends up
# starting; a wrapper that validates the VRF name would close that gap.
# The op_mode directory and its contents must be writable by root only,
# because each file there is runnable as root by anyone granted this alias.
Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
                         /bin/ip vrf exec * /bin/traceroute *, \
                         /bin/ip vrf exec * /usr/bin/mtr *, \
                         /usr/libexec/vyos/op_mode/*
# IPv6 route replace / delete with unconstrained route arguments.
Cmnd_Alias KEA_IP6_ROUTES = /sbin/ip -6 route replace *,\
                           /sbin/ip -6 route del *
# Members of group "operator" may run the listed aliases, plus
# /usr/sbin/wanpipemon with any arguments, on any host and without a password.
# No Runas list is given, so the commands run as the default target user
# (root unless runas_default is changed elsewhere).
# NOTE(review): NOPASSWD removes the re-authentication step, so anything that
# can act inside an operator session can use these commands directly.
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                        DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
                        FORCE_CLUSTER, DIAGNOSTICS

# Allow members of group "users" to run, without a password, any file located
# directly in /opt/vyatta/bin/sudo-users/ (a path ending in "/" means every
# file in that directory, not its subdirectories), with any arguments.
# NOTE(review): every program in that directory is a privilege boundary for
# the whole "users" group. The directory and its files must be writable by
# root only, and each program has to validate its arguments and the VYATTA_*
# environment variables that env_keep passes through.
%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/

# Allow members of group sudo to execute any command without a password.
# NOTE(review): with NOPASSWD there is no re-authentication, so control of a
# sudo-group session is immediately full root. Keep membership minimal and
# rely on the sudo syslog records for accountability.
%sudo ALL=NOPASSWD: ALL

# Allow querying Machine Owner Key status with mokutil.
# NOTE(review): this rule is scoped to group "sudo", not to every user, and
# that group already holds ALL through the rule above, so as written it grants
# nothing extra. If a wider group was intended, the principal needs changing
# and the arguments should be pinned to the status query, since a bare path
# permits every mokutil option - confirm the intent.
%sudo ALL=NOPASSWD: /usr/bin/mokutil

# Let the _kea account run the KEA_IP6_ROUTES commands (ip -6 route replace /
# del) without a password. Presumably this is the Kea DHCP service account
# installing routes for delegated prefixes - TODO confirm.
# NOTE(review): the alias ends in "*", so the route arguments are not
# constrained; a compromise of the service account could alter any IPv6 route.
_kea ALL=NOPASSWD: KEA_IP6_ROUTES