From e27aa82a4e6a7be0898bef504901dbb1d32e3dbf Mon Sep 17 00:00:00 2001
From: An-Cheng Huang
Date: Wed, 5 Dec 2007 13:42:35 -0800
Subject: restrict allowed operational commands in "full" mode.
---
 eval.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'eval.c')
diff --git a/eval.c b/eval.c
index 4f090c6..2e12ab4 100644
--- a/eval.c
+++ b/eval.c
@@ -335,12 +335,23 @@ is_vyatta_op_command(const char *cmd)
 char *dir = getenv("vyatta_op_templates");
 DIR *dp = NULL;
 struct dirent *dent = NULL;
+ char *restrict_exclude_commands[]
+ = { "clear", "configure", "init-floppy", "install-system", "no",
+ "reboot", "set", "telnet", NULL };
 char *other_commands[] = { "exit", NULL };
 int ret = 0;
 if (dir == NULL || (dp = opendir(dir)) == NULL) {
 return 0;
 }
+
+ /* FIXME this assumes FULL == "users" */
+ if (in_vyatta_restricted_mode(FULL)
+ && is_in_command_list(cmd, restrict_exclude_commands)) {
+ /* command not allowed in "full" restricted mode */
+ return 0;
+ }
+
 while (dent = readdir(dp)) {
 if (strncmp(dent->d_name, ".", 1) == 0) {
 continue;
--
cgit v1.2.3
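Review bot: The new early `return 0;` in the restricted-mode branch runs after `opendir(dir)` has already succeeded, so `dp` is never closed and every rejected command leaks a directory handle in the shell process; either add `closedir(dp);` before that return or move the whole `in_vyatta_restricted_mode(FULL)` check above the `opendir` test. The restriction is also a deny-list (`restrict_exclude_commands`), so any template later added under `vyatta_op_templates` is allowed for restricted users by default, whereas an allow-list would fail closed. Returning 0 here only reports "not an op command", so it is worth confirming that the caller does not then hand the same word to ordinary shell execution; that path is not visible in this hunk. The body of `is_vyatta_op_command` starts and ends outside the hunk.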