-rw-r--r--Makefile.in10
-rw-r--r--eval.c222
-rw-r--r--general.c101
-rw-r--r--general.h16
-rw-r--r--vyatta-restricted.c345
-rw-r--r--vyatta-restricted.h44
6 files changed, 399 insertions, 339 deletions
diff --git a/Makefile.in b/Makefile.in
index a98b3ab..d4dbc00 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -399,7 +399,7 @@ CSOURCES = shell.c eval.c parse.y general.c make_cmd.c print_cmd.c y.tab.c \
input.c bashhist.c array.c arrayfunc.c sig.c pathexp.c \
unwind_prot.c siglist.c bashline.c bracecomp.c error.c \
list.c stringlib.c locale.c findcmd.c redir.c \
- pcomplete.c pcomplib.c syntax.c xmalloc.c
+ pcomplete.c pcomplib.c syntax.c xmalloc.c vyatta-restricted.c
HSOURCES = shell.h flags.h trap.h hashcmd.h hashlib.h jobs.h builtins.h \
general.h variables.h config.h $(ALLOC_HEADERS) alias.h \
@@ -408,6 +408,7 @@ HSOURCES = shell.h flags.h trap.h hashcmd.h hashlib.h jobs.h builtins.h \
subst.h externs.h siglist.h bashhist.h bashline.h bashtypes.h \
array.h arrayfunc.h sig.h mailcheck.h bashintl.h bashjmp.h \
execute_cmd.h parser.h pathexp.h pathnames.h pcomplete.h \
+ vyatta-restricted.h \
$(BASHINCFILES)
SOURCES = $(CSOURCES) $(HSOURCES) $(BUILTIN_DEFS)
@@ -426,7 +427,7 @@ OBJECTS = shell.o eval.o y.tab.o general.o make_cmd.o print_cmd.o $(GLOBO) \
trap.o input.o unwind_prot.o pathexp.o sig.o test.o version.o \
alias.o array.o arrayfunc.o braces.o bracecomp.o bashhist.o \
bashline.o $(SIGLIST_O) list.o stringlib.o locale.o findcmd.o redir.o \
- pcomplete.o pcomplib.o syntax.o xmalloc.o
+ pcomplete.o pcomplib.o syntax.o xmalloc.o vyatta-restricted.o
# Where the source code of the shell builtins resides.
BUILTIN_SRCDIR=$(srcdir)/builtins
@@ -834,6 +835,7 @@ eval.o: general.h xmalloc.h bashtypes.h variables.h arrayfunc.h conftypes.h arra
eval.o: quit.h ${BASHINCDIR}/maxpath.h unwind_prot.h dispose_cmd.h
eval.o: make_cmd.h subst.h sig.h pathnames.h externs.h
eval.o: input.h execute_cmd.h
+eval.o: vyatta-restricted.h
execute_cmd.o: config.h bashtypes.h ${BASHINCDIR}/filecntl.h ${BASHINCDIR}/posixstat.h bashansi.h ${BASHINCDIR}/ansi_stdlib.h
execute_cmd.o: shell.h syntax.h config.h bashjmp.h ${BASHINCDIR}/posixjmp.h command.h ${BASHINCDIR}/stdc.h error.h
execute_cmd.o: general.h xmalloc.h bashtypes.h variables.h arrayfunc.h conftypes.h array.h hashlib.h
@@ -934,6 +936,7 @@ shell.o: make_cmd.h subst.h sig.h pathnames.h externs.h
shell.o: flags.h trap.h mailcheck.h builtins.h $(DEFSRC)/common.h
shell.o: jobs.h siglist.h input.h execute_cmd.h findcmd.h bashhist.h
shell.o: ${GLOB_LIBSRC}/strmatch.h ${BASHINCDIR}/posixtime.h
+shell.o: vyatta-restricted.h
sig.o: config.h bashtypes.h
sig.o: shell.h syntax.h config.h bashjmp.h ${BASHINCDIR}/posixjmp.h command.h ${BASHINCDIR}/stdc.h error.h
sig.o: general.h xmalloc.h bashtypes.h variables.h arrayfunc.h conftypes.h array.h hashlib.h
@@ -983,6 +986,7 @@ variables.o: pcomplete.h ${BASHINCDIR}/chartypes.h
variables.o: ${BASHINCDIR}/posixtime.h
version.o: conftypes.h patchlevel.h version.h
xmalloc.o: config.h bashtypes.h ${BASHINCDIR}/ansi_stdlib.h error.h
+vyatta-restricted.o: shell.h command.h vyatta-restricted.h
# job control
@@ -1036,6 +1040,7 @@ pcomplete.o: ${BASHINCDIR}/stdc.h hashlib.h pcomplete.h shell.h syntax.h
pcomplete.o: bashjmp.h command.h general.h xmalloc.h error.h variables.h arrayfunc.h conftypes.h quit.h
pcomplete.o: unwind_prot.h dispose_cmd.h make_cmd.h subst.h sig.h pathnames.h
pcomplete.o: externs.h ${BASHINCDIR}/maxpath.h execute_cmd.h
+pcomplete.o: vyatta-restricted.h
# library support files
@@ -1055,6 +1060,7 @@ bashline.o: make_cmd.h subst.h sig.h pathnames.h externs.h
bashline.o: builtins.h bashhist.h bashline.h execute_cmd.h findcmd.h pathexp.h
bashline.o: $(DEFSRC)/common.h $(GLOB_LIBSRC)/glob.h alias.h
bashline.o: pcomplete.h ${BASHINCDIR}/chartypes.h input.h
+bashline.o: vyatta-restricted.h
bracecomp.o: config.h bashansi.h ${BASHINCDIR}/ansi_stdlib.h
bracecomp.o: shell.h syntax.h config.h bashjmp.h ${BASHINCDIR}/posixjmp.h command.h ${BASHINCDIR}/stdc.h error.h
bracecomp.o: general.h xmalloc.h bashtypes.h variables.h arrayfunc.h conftypes.h array.h hashlib.h
diff --git a/eval.c b/eval.c
index 2e12ab4..6c9508b 100644
--- a/eval.c
+++ b/eval.c
@@ -29,7 +29,6 @@
#include "bashansi.h"
#include <stdio.h>
-#include <dirent.h>
#include "bashintl.h"
@@ -198,227 +197,6 @@ send_pwd_to_eterm ()
fprintf (stderr, "\032/%s\n", pwd);
}
-static int
-is_in_command_list(const char *cmd, char *cmds[])
-{
- int idx = 0;
- for (idx = 0; cmds[idx]; idx++) {
- if (strcmp(cmd, cmds[idx]) == 0) {
- return 1;
- }
- }
- return 0;
-}
-
-static int
-is_vyatta_restricted_pipe_command(WORD_LIST *words)
-{
- char *allowed_commands[] = { "more", NULL };
- if (words) {
- if (!words->next) {
- /* only 1 word */
- if (is_in_command_list(words->word->word, allowed_commands)) {
- /* allowed */
- return 1;
- }
- }
- }
- /* not allowed */
- return 0;
-}
-
-static void
-make_restricted_word(WORD_DESC *word)
-{
- char *c, *ns, *n;
- int sq_count = 0;
- char *uqs = string_quote_removal(word->word, 0);
-
- for (c = uqs; *c; c++) {
- if (*c == '\'') {
- sq_count++;
- }
- }
-
- /* strlen + start/end quotes + \0 + extra "'\''" */
- ns = (char *) xmalloc(strlen(uqs) + 2 + 1 + (3 * sq_count));
- n = ns;
- *n = '\'';
- n++;
- for (c = uqs; *c; c++) {
- if (*c == '\'') {
- *n = '\'';
- *(n + 1) = '\\';
- *(n + 2) = '\'';
- *(n + 3) = '\'';
- n += 4;
- } else {
- *n = *c;
- n++;
- }
- }
- *n = '\'';
- *(n + 1) = '\0';
-
- free(word->word);
- free(uqs);
- word->word = ns;
- word->flags = W_QUOTED;
-}
-
-static void
-make_restricted_wordlist(WORD_LIST *words)
-{
- WORD_LIST *l = words->next; /* skip the first word */
- for (; l; l = l->next) {
- make_restricted_word(l->word);
- }
-}
-
-static int
-is_vyatta_restricted_command(COMMAND *cmd)
-{
- struct simple_com *cS;
- struct connection *cC;
-
- if (!cmd) {
- return 1;
- }
-
- switch (cmd->type) {
- case cm_simple:
- cS = cmd->value.Simple;
- if (!(cS->redirects)) {
- /* simple command, no redirects */
- /* make sure the words are allowed */
- make_restricted_wordlist(cS->words);
- return 1;
- }
- break;
- case cm_connection:
- cC = cmd->value.Connection;
- if (cC->connector == '|') {
- if ((cC->first->type == cm_simple) && (cC->second->type == cm_simple)) {
- struct simple_com *cS1 = cC->first->value.Simple;
- struct simple_com *cS2 = cC->second->value.Simple;
- if (!(cS1->redirects) && !(cS2->redirects)) {
- /* both are simple and no redirects */
- /* make sure the words are allowed */
- make_restricted_wordlist(cS1->words);
- make_restricted_wordlist(cS2->words);
- if (is_vyatta_restricted_pipe_command(cS2->words)) {
- /* pipe command is allowed => allowed */
- return 1;
- }
- }
- }
- }
- break;
- default:
- break;
- }
- /* not allowed */
- return 0;
-}
-
-static int
-is_vyatta_cfg_command(const char *cmd)
-{
- char *valid_commands[] = { "set", "delete", "commit", "save", "load",
- "show", "exit", "edit", "run", NULL };
- return is_in_command_list(cmd, valid_commands);
-}
-
-static int
-is_vyatta_op_command(const char *cmd)
-{
- char *dir = getenv("vyatta_op_templates");
- DIR *dp = NULL;
- struct dirent *dent = NULL;
- char *restrict_exclude_commands[]
- = { "clear", "configure", "init-floppy", "install-system", "no",
- "reboot", "set", "telnet", NULL };
- char *other_commands[] = { "exit", NULL };
- int ret = 0;
-
- if (dir == NULL || (dp = opendir(dir)) == NULL) {
- return 0;
- }
-
- /* FIXME this assumes FULL == "users" */
- if (in_vyatta_restricted_mode(FULL)
- && is_in_command_list(cmd, restrict_exclude_commands)) {
- /* command not allowed in "full" restricted mode */
- return 0;
- }
-
- while (dent = readdir(dp)) {
- if (strncmp(dent->d_name, ".", 1) == 0) {
- continue;
- }
- if (strcmp(dent->d_name, cmd) == 0) {
- ret = 1;
- break;
- }
- }
- closedir(dp);
- return (ret) ? 1 : is_in_command_list(cmd, other_commands);
-}
-
-static char *prev_cmdline = NULL;
-
-static int
-is_vyatta_command(char *cmdline, COMMAND *cmd)
-{
- char *cfg = getenv("_OFR_CONFIGURE");
- int in_cfg = (cfg) ? (strcmp(cfg, "ok") == 0) : 0;
- char *start = cmdline;
- char *end = NULL;
- char save = 0;
- int ret = 0;
-
- if (!prev_cmdline) {
- prev_cmdline = strdup("");
- }
- if (strcmp(cmdline, prev_cmdline) == 0) {
- /* still at the same line. not checking. */
- return 1;
- }
- if (!is_vyatta_restricted_command(cmd)) {
- return 0;
- }
-
- while (*start && (whitespace(*start) || *start == '\n')) {
- start++;
- }
- if (*start == 0) {
- /* empty command line is valid */
- free(prev_cmdline);
- prev_cmdline = strdup(cmdline);
- return 1;
- }
- end = start;
- while (*end && (!whitespace(*end) && *end != '\n')) {
- end++;
- }
- save = *end;
- *end = 0;
-
- if (in_cfg) {
- ret = is_vyatta_cfg_command(start);
- } else {
- ret = is_vyatta_op_command(start);
- }
- *end = save;
-
- if (ret) {
- /* valid command */
- free(prev_cmdline);
- prev_cmdline = strdup(cmdline);
- }
- return ret;
-}
-
/* Call the YACC-generated parser and return the status of the parse.
Input is read from the current input stream (bash_input). yyparse
leaves the parsed command in the global variable GLOBAL_COMMAND.
diff --git a/general.c b/general.c
index d027ad6..3384e84 100644
--- a/general.c
+++ b/general.c
@@ -1023,104 +1023,3 @@ get_group_array (ngp)
*ngp = ngroups;
return group_iarray;
}
-
-static int
-vyatta_user_in_group(uid_t ruid, char *grp_name)
-{
- int ret = 0;
- struct passwd pw;
- struct passwd *pwp = NULL;
- struct group grp;
- struct group *grpp = NULL;
- char *pbuf = NULL, *gbuf = NULL;
- long psize = 0, gsize = 0;
-
- if (!grp_name) {
- return 0;
- }
-
- do {
- psize = sysconf(_SC_GETPW_R_SIZE_MAX);
- pbuf = (char *) xmalloc(psize);
- if (!pbuf) {
- break;
- }
-
- gsize = sysconf(_SC_GETGR_R_SIZE_MAX);
- gbuf = (char *) xmalloc(gsize);
- if (!gbuf) {
- break;
- }
-
- ret = getpwuid_r(ruid, &pw, pbuf, psize, &pwp);
- if (!pwp) {
- break;
- }
-
- ret = getgrnam_r(grp_name, &grp, gbuf, gsize, &grpp);
- if (!grpp) {
- break;
- }
-
- {
- int i = 0;
- for (i = 0; grp.gr_mem[i]; i++) {
- if (strcmp(pw.pw_name, grp.gr_mem[i]) == 0) {
- ret = 1;
- break;
- }
- }
- }
- } while (0);
-
- if (pbuf) {
- free(pbuf);
- }
- if (gbuf) {
- free(gbuf);
- }
- return ret;
-}
-
-static int vyatta_default_output_restricted = 0;
-static int vyatta_default_full_restricted = 0;
-
-#define VYATTA_OUTPUT_RESTRICTED_GROUP "vyattacfg"
-
-void
-set_vyatta_restricted_mode()
-{
- uid_t ruid = getuid();
- if (vyatta_user_in_group(ruid, VYATTA_OUTPUT_RESTRICTED_GROUP)) {
- vyatta_default_output_restricted = 1;
- vyatta_default_full_restricted = 0;
- } else {
- /* if not in the output restricted group, default to full */
- vyatta_default_output_restricted = 0;
- vyatta_default_full_restricted = 1;
- }
-}
-
-int
-in_vyatta_restricted_mode(enum vyatta_restricted_type type)
-{
- char *rval = getenv("VYATTA_RESTRICTED_MODE");
- int output = vyatta_default_output_restricted;
- int full = vyatta_default_full_restricted;
-
- /* environment var overrides default */
- if (rval) {
- output = (strcmp(rval, "output") == 0);
- full = (strcmp(rval, "full") == 0);
- }
-
- if (type == OUTPUT && (output || full)) {
- return 1;
- }
- if (type == FULL && full) {
- return 1;
- }
-
- return 0;
-}
-
diff --git a/general.h b/general.h
index 397264f..dcb775c 100644
--- a/general.h
+++ b/general.h
@@ -43,18 +43,10 @@
# include <limits.h>
#endif
-#if defined(HAVE_UNISTD_H)
-# include <unistd.h>
-#endif
-
-#include <pwd.h>
-
-#if defined(HAVE_GRP_H)
-# include <grp.h>
-#endif
-
#include "xmalloc.h"
+#include "vyatta-restricted.h"
+
/* NULL pointer type. */
#if !defined (NULL)
# if defined (__STDC__)
@@ -327,8 +319,4 @@ extern int group_member __P((gid_t));
extern char **get_group_list __P((int *));
extern int *get_group_array __P((int *));
-extern void set_vyatta_restricted_mode __P((void));
-enum vyatta_restricted_type { OUTPUT, FULL };
-extern int in_vyatta_restricted_mode __P((enum vyatta_restricted_type));
-
#endif /* _GENERAL_H_ */
diff --git a/vyatta-restricted.c b/vyatta-restricted.c
new file mode 100644
index 0000000..fc9ea6d
--- /dev/null
+++ b/vyatta-restricted.c
@@ -0,0 +1,345 @@
+/* vyatta-restricted.c -- Vyatta restricted mode functionality */
+
+/* This file is part of GNU Bash, the Bourne Again SHell.
+
+ Bash is free software; you can redistribute it and/or modify it under
+ the terms of the GNU General Public License as published by the Free
+ Software Foundation; either version 2, or (at your option) any later
+ version.
+
+ Bash is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with Bash; see the file COPYING. If not, write to the Free Software
+ Foundation, 59 Temple Place, Suite 330, Boston, MA 02111 USA.
+
+ This code was originally developed by Vyatta, Inc.
+ Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. */
+
+#include "shell.h"
+#include "vyatta-restricted.h"
+
+static int
+is_in_command_list(const char *cmd, char *cmds[])
+{
+ int idx = 0;
+ for (idx = 0; cmds[idx]; idx++) {
+ if (strcmp(cmd, cmds[idx]) == 0) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static int
+is_vyatta_restricted_pipe_command(WORD_LIST *words)
+{
+ char *allowed_commands[] = { "more", NULL };
+ if (words) {
+ if (!words->next) {
+ /* only 1 word */
+ if (is_in_command_list(words->word->word, allowed_commands)) {
+ /* allowed */
+ return 1;
+ }
+ }
+ }
+ /* not allowed */
+ return 0;
+}
+
+static void
+make_restricted_word(WORD_DESC *word)
+{
+ char *c, *ns, *n;
+ int sq_count = 0;
+ char *uqs = string_quote_removal(word->word, 0);
+
+ for (c = uqs; *c; c++) {
+ if (*c == '\'') {
+ sq_count++;
+ }
+ }
+
+ /* strlen + start/end quotes + \0 + extra "'\''" */
+ ns = (char *) xmalloc(strlen(uqs) + 2 + 1 + (3 * sq_count));
+ n = ns;
+ *n = '\'';
+ n++;
+ for (c = uqs; *c; c++) {
+ if (*c == '\'') {
+ *n = '\'';
+ *(n + 1) = '\\';
+ *(n + 2) = '\'';
+ *(n + 3) = '\'';
+ n += 4;
+ } else {
+ *n = *c;
+ n++;
+ }
+ }
+ *n = '\'';
+ *(n + 1) = '\0';
+
+ free(word->word);
+ free(uqs);
+ word->word = ns;
+ word->flags = W_QUOTED;
+}
+
+static void
+make_restricted_wordlist(WORD_LIST *words)
+{
+ WORD_LIST *l = words->next; /* skip the first word */
+ for (; l; l = l->next) {
+ make_restricted_word(l->word);
+ }
+}
+
+static int
+is_vyatta_restricted_command(COMMAND *cmd)
+{
+ struct simple_com *cS;
+ struct connection *cC;
+
+ if (!cmd) {
+ return 1;
+ }
+
+ switch (cmd->type) {
+ case cm_simple:
+ cS = cmd->value.Simple;
+ if (!(cS->redirects)) {
+ /* simple command, no redirects */
+ /* make sure the words are allowed */
+ make_restricted_wordlist(cS->words);
+ return 1;
+ }
+ break;
+ case cm_connection:
+ cC = cmd->value.Connection;
+ if (cC->connector == '|') {
+ if ((cC->first->type == cm_simple) && (cC->second->type == cm_simple)) {
+ struct simple_com *cS1 = cC->first->value.Simple;
+ struct simple_com *cS2 = cC->second->value.Simple;
+ if (!(cS1->redirects) && !(cS2->redirects)) {
+ /* both are simple and no redirects */
+ /* make sure the words are allowed */
+ make_restricted_wordlist(cS1->words);
+ make_restricted_wordlist(cS2->words);
+ if (is_vyatta_restricted_pipe_command(cS2->words)) {
+ /* pipe command is allowed => allowed */
+ return 1;
+ }
+ }
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ /* not allowed */
+ return 0;
+}
+
+static int
+is_vyatta_cfg_command(const char *cmd)
+{
+ char *valid_commands[] = { "set", "delete", "commit", "save", "load",
+ "show", "exit", "edit", "run", NULL };
+ return is_in_command_list(cmd, valid_commands);
+}
+
+static int
+is_vyatta_op_command(const char *cmd)
+{
+ char *dir = getenv("vyatta_op_templates");
+ DIR *dp = NULL;
+ struct dirent *dent = NULL;
+ char *restrict_exclude_commands[]
+ = { "clear", "configure", "init-floppy", "install-system", "no",
+ "reboot", "set", "telnet", NULL };
+ char *other_commands[] = { "exit", NULL };
+ int ret = 0;
+
+ if (dir == NULL || (dp = opendir(dir)) == NULL) {
+ return 0;
+ }
+
+ /* FIXME this assumes FULL == "users" */
+ if (in_vyatta_restricted_mode(FULL)
+ && is_in_command_list(cmd, restrict_exclude_commands)) {
+ /* command not allowed in "full" restricted mode */
+ return 0;
+ }
+
+ while (dent = readdir(dp)) {
+ if (strncmp(dent->d_name, ".", 1) == 0) {
+ continue;
+ }
+ if (strcmp(dent->d_name, cmd) == 0) {
+ ret = 1;
+ break;
+ }
+ }
+ closedir(dp);
+ return (ret) ? 1 : is_in_command_list(cmd, other_commands);
+}
+
+static char *prev_cmdline = NULL;
+
+int
+is_vyatta_command(char *cmdline, COMMAND *cmd)
+{
+ char *cfg = getenv("_OFR_CONFIGURE");
+ int in_cfg = (cfg) ? (strcmp(cfg, "ok") == 0) : 0;
+ char *start = cmdline;
+ char *end = NULL;
+ char save = 0;
+ int ret = 0;
+
+ if (!prev_cmdline) {
+ prev_cmdline = strdup("");
+ }
+ if (strcmp(cmdline, prev_cmdline) == 0) {
+ /* still at the same line. not checking. */
+ return 1;
+ }
+ if (!is_vyatta_restricted_command(cmd)) {
+ return 0;
+ }
+
+ while (*start && (whitespace(*start) || *start == '\n')) {
+ start++;
+ }
+ if (*start == 0) {
+ /* empty command line is valid */
+ free(prev_cmdline);
+ prev_cmdline = strdup(cmdline);
+ return 1;
+ }
+ end = start;
+ while (*end && (!whitespace(*end) && *end != '\n')) {
+ end++;
+ }
+ save = *end;
+ *end = 0;
+
+ if (in_cfg) {
+ ret = is_vyatta_cfg_command(start);
+ } else {
+ ret = is_vyatta_op_command(start);
+ }
+ *end = save;
+
+ if (ret) {
+ /* valid command */
+ free(prev_cmdline);
+ prev_cmdline = strdup(cmdline);
+ }
+ return ret;
+}
+
+static int
+vyatta_user_in_group(uid_t ruid, char *grp_name)
+{
+ int ret = 0;
+ struct passwd pw;
+ struct passwd *pwp = NULL;
+ struct group grp;
+ struct group *grpp = NULL;
+ char *pbuf = NULL, *gbuf = NULL;
+ long psize = 0, gsize = 0;
+
+ if (!grp_name) {
+ return 0;
+ }
+
+ do {
+ psize = sysconf(_SC_GETPW_R_SIZE_MAX);
+ pbuf = (char *) xmalloc(psize);
+ if (!pbuf) {
+ break;
+ }
+
+ gsize = sysconf(_SC_GETGR_R_SIZE_MAX);
+ gbuf = (char *) xmalloc(gsize);
+ if (!gbuf) {
+ break;
+ }
+
+ ret = getpwuid_r(ruid, &pw, pbuf, psize, &pwp);
+ if (!pwp) {
+ break;
+ }
+
+ ret = getgrnam_r(grp_name, &grp, gbuf, gsize, &grpp);
+ if (!grpp) {
+ break;
+ }
+
+ {
+ int i = 0;
+ for (i = 0; grp.gr_mem[i]; i++) {
+ if (strcmp(pw.pw_name, grp.gr_mem[i]) == 0) {
+ ret = 1;
+ break;
+ }
+ }
+ }
+ } while (0);
+
+ if (pbuf) {
+ free(pbuf);
+ }
+ if (gbuf) {
+ free(gbuf);
+ }
+ return ret;
+}
+
+static int vyatta_default_output_restricted = 0;
+static int vyatta_default_full_restricted = 0;
+
+#define VYATTA_OUTPUT_RESTRICTED_GROUP "vyattacfg"
+
+void
+set_vyatta_restricted_mode()
+{
+ uid_t ruid = getuid();
+ if (vyatta_user_in_group(ruid, VYATTA_OUTPUT_RESTRICTED_GROUP)) {
+ vyatta_default_output_restricted = 1;
+ vyatta_default_full_restricted = 0;
+ } else {
+ /* if not in the output restricted group, default to full */
+ vyatta_default_output_restricted = 0;
+ vyatta_default_full_restricted = 1;
+ }
+}
+
+int
+in_vyatta_restricted_mode(enum vyatta_restricted_type type)
+{
+ char *rval = getenv("VYATTA_RESTRICTED_MODE");
+ int output = vyatta_default_output_restricted;
+ int full = vyatta_default_full_restricted;
+
+ /* environment var overrides default */
+ if (rval) {
+ output = (strcmp(rval, "output") == 0);
+ full = (strcmp(rval, "full") == 0);
+ }
+
+ if (type == OUTPUT && (output || full)) {
+ return 1;
+ }
+ if (type == FULL && full) {
+ return 1;
+ }
+
+ return 0;
+}
+
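Review bot: vyatta_user_in_group fails open on a lookup error: `ret = getpwuid_r(...)` and `ret = getgrnam_r(...)` store the library's return code, so when the lookup fails (non-zero return with pwp/grpp left NULL) the following `break` returns that non-zero code, set_vyatta_restricted_mode reads it as "user is in vyattacfg" and selects the output-restricted mode instead of the stricter full-restricted default. Keep ret at 0 until the membership loop decides: `if (getpwuid_r(ruid, &pw, pbuf, psize, &pwp) != 0 || !pwp) break;` and `if (getgrnam_r(grp_name, &grp, gbuf, gsize, &grpp) != 0 || !grpp) break;`. In the same file, is_vyatta_op_command returns from the restrict_exclude_commands branch after opendir has succeeded, leaking `dp`; change that branch to `closedir(dp); return 0;` or move the exclusion check above the opendir call. Also note that `sysconf(_SC_GETPW_R_SIZE_MAX)`/`_SC_GETGR_R_SIZE_MAX` may return -1, which is handed to xmalloc unchecked; how xmalloc treats that is outside this diff, so a fallback size when sysconf returns a negative value would be the defensive choice. The `if (!pbuf)`/`if (!gbuf)` checks presumably never fire if xmalloc aborts on failure, so they are dead code rather than protection.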
diff --git a/vyatta-restricted.h b/vyatta-restricted.h
new file mode 100644
index 0000000..beda140
--- /dev/null
+++ b/vyatta-restricted.h
@@ -0,0 +1,44 @@
+/* vyatta-restricted.h -- header for Vyatta restricted mode functionality */
+
+/* This file is part of GNU Bash, the Bourne Again SHell.
+
+ Bash is free software; you can redistribute it and/or modify it under
+ the terms of the GNU General Public License as published by the Free
+ Software Foundation; either version 2, or (at your option) any later
+ version.
+
+ Bash is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with Bash; see the file COPYING. If not, write to the Free Software
+ Foundation, 59 Temple Place, Suite 330, Boston, MA 02111 USA.
+
+ This code was originally developed by Vyatta, Inc.
+ Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. */
+
+#include "command.h"
+
+#if !defined(_VYATTA_RESTRICTED_H_)
+#define _VYATTA_RESTRICTED_H_
+
+#if defined(HAVE_UNISTD_H)
+# include <unistd.h>
+#endif
+
+#include <pwd.h>
+#include <dirent.h>
+
+#if defined(HAVE_GRP_H)
+# include <grp.h>
+#endif
+
+extern void set_vyatta_restricted_mode __P((void));
+enum vyatta_restricted_type { OUTPUT, FULL };
+extern int in_vyatta_restricted_mode __P((enum vyatta_restricted_type));
+extern int is_vyatta_command __P((char *, COMMAND *));
+
+#endif /* _VYATTA_RESTRICTED_H_ */
+
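Review bot: `#include "command.h"` sits above the `_VYATTA_RESTRICTED_H_` guard, so it is re-read on every inclusion and the guard only covers the declarations below it; move it under `#define _VYATTA_RESTRICTED_H_` next to the other includes. The `__P` macro used by the three prototypes is not defined in this header, so it relies on command.h (presumably via stdc.h) having been processed first; a brief comment such as `/* __P and COMMAND come from command.h */` above the prototypes would make that dependency explicit. Since general.h now includes this header, confirm that command.h does not in turn pull general.h back in, which would create an include cycle.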