From f4ad511f3f2c946568e84adfd75b087e4180ad05 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 30 Jun 2008 16:37:53 -0700 Subject: Change syslogging of authorization related commands For successful sudo, just log it at info level. Capture any security failures/changes into /var/log/auth.log but skip normal CLI commands Turn off the builtin sync after each write to /var/log/messages by putting - before file name; the sync causes a disk write each time and therefore can be a performance hit during boot. --- debian/vyatta-cfg-system.postinst.in | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 0852319e..8e8b6015 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -57,6 +57,13 @@ EOF echo -e "\n%users ALL=NOPASSWD: ${bindir}/sudo-users/" >> /etc/sudoers fi + # Reduce logging level of good commands + if ! grep -q "^Defaults syslog_goodpri" /etc/sudoers; then + echo "\nDefaults syslog_goodpri=info" >>/etc/sudoers + fi + + fi + # keep env vars if ! grep -q 'env_keep+=VYATTA_*' /etc/sudoers ; then echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers -- cgit v1.2.3 From fcc66216f9bb362643a3193a76a5762c09b540d4 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 1 Jul 2008 10:04:12 -0700 Subject: get rid of extra fi from last commit mismatch --- debian/vyatta-cfg-system.postinst.in | 2 -- 1 file changed, 2 deletions(-) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 8e8b6015..25dbe94f 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -62,8 +62,6 @@ EOF echo "\nDefaults syslog_goodpri=info" >>/etc/sudoers fi - fi - # keep env vars if ! grep -q 'env_keep+=VYATTA_*' /etc/sudoers ; then echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers -- cgit v1.2.3 
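Review bot: The appended `echo "\nDefaults syslog_goodpri=info"` relies on the shell's echo to turn `\n` into a newline, which bash's builtin does not do without `-e` (the neighbouring `%users` line in the hunk uses `echo -e`), so the entry can land in sudoers as a literal `\nDefaults …` and make the whole file unparsable; `printf '\nDefaults syslog_goodpri=info\n' >>/etc/sudoers` sidesteps the echo portability trap in every shell. Because a malformed /etc/sudoers disables sudo for every account, the script should verify the result before returning, e.g. `visudo -c -q -f /etc/sudoers || exit 1` after the last append, assuming visudo is available in postinst. The second `+ fi` in the hunk does not pair with any `if` opened inside it; the enclosing `if [ "$sysconfdir" != "/etc" ]` block starts and ends outside the hunk, so this needs checking against the full file.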
From b9ce1592c0689d3358c9f507c037c0af9a763436 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 1 Jul 2008 16:27:42 -0700 Subject: Missing -e causes sudoers problem Missing -e on echo causes unparsable sudoers --- debian/vyatta-cfg-system.postinst.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 25dbe94f..d6497529 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -59,7 +59,7 @@ EOF # Reduce logging level of good commands if ! grep -q "^Defaults syslog_goodpri" /etc/sudoers; then - echo "\nDefaults syslog_goodpri=info" >>/etc/sudoers + echo -e "\nDefaults syslog_goodpri=info" >>/etc/sudoers fi # keep env vars -- cgit v1.2.3 From 28b7618bf24ea745d5d7e5a287de1aa728111d08 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 4 Jul 2008 13:06:19 -0700 Subject: Modify upgrade procedure for /etc/sudoers 0) make backup of file 1) remove old glendale entries 2) put all vyatta entries in one block 3) remove vyatta entries on package removal --- debian/vyatta-cfg-system.postinst.in | 45 ++++++++++++++++++------------------ debian/vyatta-cfg-system.postrm | 3 +++ 2 files changed, 25 insertions(+), 23 deletions(-) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index d6497529..735b28e7 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
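Review bot: `echo -e` fixes the bash case but is still interpreter-dependent: dash (Debian's `/bin/sh`) interprets `\n` without `-e` and would instead write a line containing a literal `-e` into sudoers, so this line is only correct if the script runs under bash. `printf '\nDefaults syslog_goodpri=info\n' >>/etc/sudoers` behaves identically in every POSIX shell and removes the dependency; the same applies to the other `echo -e … >> /etc/sudoers` appends in this file. The shebang is outside the hunk, so the interpreter cannot be confirmed from here.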
@@ -23,16 +23,27 @@ esac ln -sf ../vyatta-net.rules /etc/udev/rules.d/$vyatta_net_rules if [ "$sysconfdir" != "/etc" ]; then - # for "admin" level (FIXME) + cp -p /etc/sudoers /etc/sudoers.bak + + # for "admin" level sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers fi - # Allow operator to do a limited number of commands without password - if ! grep -q '^%operator ALL=NOPASSWD:' /etc/sudoers; then - cat <<"EOF" >>/etc/sudoers -### BEGIN VYATTA OPERATOR COMMANDS + # cleanup any old entries + ed - /etc/sudoers <>/etc/sudoers +### BEGIN VYATTA +Defaults syslog_goodpri=info +Defaults env_keep+=VYATTA_* + Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ /sbin/iptables -L -vn,\ /sbin/iptables -L * -vn,\ @@ -46,26 +57,14 @@ Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ Cmnd_Alias ETHTOOLP = /usr/sbin/ethtool -p * Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff +Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump %operator ALL=NOPASSWD: /sbin/reboot, DATE, IPTABLES, ETHTOOLP, IPFLUSH, \ - PPPOE_CMDS, /usr/bin/tshark, /usr/sbin/wanpipemon -### END VYATTA OPERATOR COMMANDS + PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon +EOF + cat <>/etc/sudoers +%users ALL=NOPASSWD: ${bindir}/sudo-users/ +### END VYATTA EOF - fi - - # for "users" level (FIXME) - if ! grep -q "^%users ALL=NOPASSWD: ${bindir}/sudo-users/" /etc/sudoers; then - echo -e "\n%users ALL=NOPASSWD: ${bindir}/sudo-users/" >> /etc/sudoers - fi - - # Reduce logging level of good commands - if ! grep -q "^Defaults syslog_goodpri" /etc/sudoers; then - echo -e "\nDefaults syslog_goodpri=info" >>/etc/sudoers - fi - - # keep env vars - if ! grep -q 'env_keep+=VYATTA_*' /etc/sudoers ; then - echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers - fi fi # update crontab for logrotate 
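Review bot: `Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump` grants the operator group both tools as root with no argument restriction, and both accept `-w` to write a file to any path (tcpdump additionally runs a command via `-z`), so the NOPASSWD entry for `%operator` is effectively equivalent to `ALL` unless something outside the hunk constrains the arguments. Narrowing the alias with sudoers wildcards is not sufficient either (`*` in a Cmnd_Alias matches spaces, so `/usr/bin/tcpdump -i *` still admits `-w`); the safer pattern already used for `%users` is a wrapper under `${bindir}/sudo-users/` that fixes the interface and output location, with the alias pointing at the wrapper. Separately, the block is spliced into /etc/sudoers with `ed` and `cat >>` but never validated, so a failed edit leaves no working sudo on the box; `visudo -c -q -f /etc/sudoers || { cp -p /etc/sudoers.bak /etc/sudoers; exit 1; }` after the final `EOF` would also give the new `.bak` a purpose. The `ed` script's here-document body has not survived in this rendering (`ed - /etc/sudoers <>/etc/sudoers`), so the cleanup it performs cannot be reviewed here.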
diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm index d668f55d..46ec1aaa 100644 --- a/debian/vyatta-cfg-system.postrm +++ b/debian/vyatta-cfg-system.postrm @@ -2,6 +2,9 @@ if [ "$1" = "purge" ]; then rm -f /etc/udev/rules.d/*vyatta-net.rules + + sed -i '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers + fi # Local Variables: -- cgit v1.2.3 From 4e213e1a8148d755bb3921cae3caee847901b54e Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 7 Jul 2008 17:12:44 -0700 Subject: purge any old entries from sudoers Make sure to cleanup any leftover vyatta entries --- debian/vyatta-cfg-system.postinst.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 735b28e7..b21437a5 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -31,8 +31,9 @@ if [ "$sysconfdir" != "/etc" ]; then echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers fi - # cleanup any old entries + # cleanup any old entries from previous versions ed - /etc/sudoers <
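Review bot: The `/### BEGIN VYATTA/,/### END VYATTA/d` range is open-ended: if the closing marker is missing (an interrupted earlier postinst, or an administrator who edited the block), sed deletes from the BEGIN line to end of file and silently drops every unrelated entry after it, so the deletion should be guarded, e.g. `grep -q '^### END VYATTA' /etc/sudoers && sed -i '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers`, and ideally followed by `visudo -c -q -f /etc/sudoers`. Purge also leaves in place the `%sudo ALL=NOPASSWD: ALL` line that postinst enables outside the markers, so the admin group keeps passwordless root after the package is gone; if that is intentional it deserves a comment here, otherwise it should be reverted in the same branch.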