diff options
author | Stephen Hemminger <shemminger@vyatta.com> | 2011-11-23 08:52:53 -0800 |
---|---|---|
committer | Stephen Hemminger <shemminger@vyatta.com> | 2011-11-23 08:52:53 -0800 |
commit | cabdd9d768ec110f0e92076e3a4bcbbcb6552a21 (patch) | |
tree | 12cab98ddc47aaec480078e8ad369e120ac568b0 | |
parent | dcff7e2c90f21cc7eb7e08ca054c8779dc0b22fd (diff) | |
download | vyatta-cfg-system-cabdd9d768ec110f0e92076e3a4bcbbcb6552a21.tar.gz vyatta-cfg-system-cabdd9d768ec110f0e92076e3a4bcbbcb6552a21.zip |
Move vyatta changes to sudoers to separate file
Bug 6916
Rather than editing /etc/sudoers which can lead to package conflicts,
put Vyatta specific changes into a separate file.
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 55 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postrm | 1 | ||||
-rw-r--r-- | sysconf/sudoers | 51 |
4 files changed, 56 insertions, 52 deletions
diff --git a/Makefile.am b/Makefile.am index 0bfd2c4f..7a7559f7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -107,6 +107,7 @@ sysconf_DATA += sysconf/pam_radius.cfg sysconf_DATA += sysconf/filecaps sysconf_DATA += sysconf/capability.conf sysconf_DATA += sysconf/cpufrequtils +sysconf_DATA += sysconf/sudoers libudevdir = /lib/udev udevrulesdir = /lib/udev/rules.d diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index a95b7bcc..ee71c2f5 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -62,12 +62,6 @@ if [ "$sysconfdir" != "/etc" ]; then sed -i '/^UseDNS/d' /etc/ssh/sshd_config echo 'UseDNS yes' >>/etc/ssh/sshd_config - # for "admin" level - sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers - if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then - echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers - fi - # cleanup any old entries from previous versions sed -i /etc/sudoers \ -e '/### BEGIN VYATTA/,/### END VYATTA/d' \ @@ -75,52 +69,11 @@ if [ "$sysconfdir" != "/etc" ]; then -e '/sudo-users/d' \ -e '/env_keep+=VYATTA/d' || true + # Turn off Debian default for %sudo (replaced by value in /etc/sudoers.d/vyatta) + sed -i -e '/^%sudo/d' /etc/sudoers || true + # Add Vyatta entries - cat <<"EOF" >>/etc/sudoers -### BEGIN VYATTA -Defaults syslog_goodpri=info -Defaults env_keep+=VYATTA_* - -Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ - /sbin/iptables -L -vn,\ - /sbin/iptables -L * -vn,\ - /sbin/iptables -t * -L *, \ - /sbin/iptables -Z *,\ - /sbin/iptables -Z -t nat, \ - /sbin/iptables -t * -Z * -Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ - /sbin/ip6tables -t * -L * -Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ - /usr/sbin/conntrack -G *, \ - /usr/sbin/conntrack -E * -Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ - /sbin/ip route flush cache *,\ - /sbin/ip neigh flush to *, \ - /sbin/ip neigh flush dev *, \ - /sbin/ip -f inet6 route flush cache, \ - /sbin/ip -f inet6 route flush cache *,\ - /sbin/ip -f inet6 neigh flush to *, \ - /sbin/ip -f inet6 neigh flush dev * -Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ - /sbin/ethtool -S *, \ - /sbin/ethtool -a *, \ - /sbin/ethtool -c *, \ - /sbin/ethtool -i * -Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * -Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate -Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats -Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump -Cmnd_Alias HWINFO = /usr/bin/lspci -Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \ - /usr/share/heartbeat/hb_standby -%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ - PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ - DISK, CONNTRACK, IP6TABLES, FORCE_CLUSTER -EOF - cat <<EOF >>/etc/sudoers -%users ALL=NOPASSWD: ${bindir}/sudo-users/ -### END VYATTA -EOF + cp $sysconfdir/sudoers /etc/sudoers.d/vyatta # set up blacklists for f in blacklist.DSA-1024 blacklist.RSA-2048; do diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm index 413780b5..752265e2 100644 --- a/debian/vyatta-cfg-system.postrm +++ b/debian/vyatta-cfg-system.postrm @@ -1,7 +1,6 @@ #!/bin/bash if [ "$1" = "purge" ]; then - sed -i -e '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers sed -i -e 'g/^password/d' /etc/pam.d/password update-rc.d vyatta-config-reboot-params remove fi diff --git a/sysconf/sudoers b/sysconf/sudoers new file mode 100644 index 00000000..8152be2b --- /dev/null +++ b/sysconf/sudoers @@ -0,0 +1,51 @@ +# +# Vyatta modifications to sudo configuration +# +Defaults syslog_goodpri=info +Defaults env_keep+=VYATTA_* + +# +# Command groups allowed for operator users +# +Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ + /sbin/iptables -L -vn,\ + /sbin/iptables -L * -vn,\ + /sbin/iptables -t * -L *, \ + /sbin/iptables -Z *,\ + /sbin/iptables -Z -t nat, \ + /sbin/iptables -t * -Z * +Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ + /sbin/ip6tables -t * -L * +Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ + /usr/sbin/conntrack -G *, \ + /usr/sbin/conntrack -E * +Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ + /sbin/ip route flush cache *,\ + /sbin/ip neigh flush to *, \ + /sbin/ip neigh flush dev *, \ + /sbin/ip -f inet6 route flush cache, \ + /sbin/ip -f inet6 route flush cache *,\ + /sbin/ip -f inet6 neigh flush to *, \ + /sbin/ip -f inet6 neigh flush dev * +Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ + /sbin/ethtool -S *, \ + /sbin/ethtool -a *, \ + /sbin/ethtool -c *, \ + /sbin/ethtool -i * +Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * +Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate +Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats +Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump +Cmnd_Alias HWINFO = /usr/bin/lspci +Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \ + /usr/share/heartbeat/hb_standby +%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ + PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ + DISK, CONNTRACK, IP6TABLES, FORCE_CLUSTER + +# Allow any user to run files in sudo-users +%users ALL=NOPASSWD: ${bindir}/sudo-users/ + +# Allow members of group sudo to execute any command +%sudo ALL=NOPASSWD: ALL + |