diff options
| author | Stephen Hemminger <shemminger@vyatta.com> | 2011-11-23 08:52:53 -0800 |
|---|---|---|
| committer | Stephen Hemminger <shemminger@vyatta.com> | 2011-11-23 08:52:53 -0800 |
| commit | cabdd9d768ec110f0e92076e3a4bcbbcb6552a21 (patch) | |
| tree | 12cab98ddc47aaec480078e8ad369e120ac568b0 /debian/vyatta-cfg-system.postinst.in | |
| parent | dcff7e2c90f21cc7eb7e08ca054c8779dc0b22fd (diff) | |
| download | vyatta-cfg-quagga-cabdd9d768ec110f0e92076e3a4bcbbcb6552a21.tar.gz vyatta-cfg-quagga-cabdd9d768ec110f0e92076e3a4bcbbcb6552a21.zip | |
Move vyatta changes to sudoers to separate file
Bug 6916
Rather than editing /etc/sudoers which can lead to package conflicts,
put Vyatta specific changes into a separate file.
Diffstat (limited to 'debian/vyatta-cfg-system.postinst.in')
| -rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 55 |
1 files changed, 4 insertions, 51 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index a95b7bcc..ee71c2f5 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -62,12 +62,6 @@ if [ "$sysconfdir" != "/etc" ]; then sed -i '/^UseDNS/d' /etc/ssh/sshd_config echo 'UseDNS yes' >>/etc/ssh/sshd_config - # for "admin" level - sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers - if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then - echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers - fi - # cleanup any old entries from previous versions sed -i /etc/sudoers \ -e '/### BEGIN VYATTA/,/### END VYATTA/d' \ @@ -75,52 +69,11 @@ if [ "$sysconfdir" != "/etc" ]; then -e '/sudo-users/d' \ -e '/env_keep+=VYATTA/d' || true + # Turn off Debian default for %sudo (replaced by value in /etc/sudoers.d/vyatta) + sed -i -e '/^%sudo/d' /etc/sudoers || true + # Add Vyatta entries - cat <<"EOF" >>/etc/sudoers -### BEGIN VYATTA -Defaults syslog_goodpri=info -Defaults env_keep+=VYATTA_* - -Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ - /sbin/iptables -L -vn,\ - /sbin/iptables -L * -vn,\ - /sbin/iptables -t * -L *, \ - /sbin/iptables -Z *,\ - /sbin/iptables -Z -t nat, \ - /sbin/iptables -t * -Z * -Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ - /sbin/ip6tables -t * -L * -Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ - /usr/sbin/conntrack -G *, \ - /usr/sbin/conntrack -E * -Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ - /sbin/ip route flush cache *,\ - /sbin/ip neigh flush to *, \ - /sbin/ip neigh flush dev *, \ - /sbin/ip -f inet6 route flush cache, \ - /sbin/ip -f inet6 route flush cache *,\ - /sbin/ip -f inet6 neigh flush to *, \ - /sbin/ip -f inet6 neigh flush dev * -Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ - /sbin/ethtool -S *, \ - /sbin/ethtool -a *, \ - /sbin/ethtool -c *, \ - /sbin/ethtool -i * -Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * -Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate -Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats -Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump -Cmnd_Alias HWINFO = /usr/bin/lspci -Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \ - /usr/share/heartbeat/hb_standby -%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ - PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ - DISK, CONNTRACK, IP6TABLES, FORCE_CLUSTER -EOF - cat <<EOF >>/etc/sudoers -%users ALL=NOPASSWD: ${bindir}/sudo-users/ -### END VYATTA -EOF + cp $sysconfdir/sudoers /etc/sudoers.d/vyatta # set up blacklists for f in blacklist.DSA-1024 blacklist.RSA-2048; do |