author | Daniil Baturin <daniil@baturin.org> | 2015-02-25 17:17:09 +0100 |
---|---|---|
committer | Daniil Baturin <daniil@baturin.org> | 2015-02-25 17:17:09 +0100 |
commit | c0b5836808739bcce1e5f854bd7edaa53a0d2afd (patch) | |
tree | 33456d6a7f8d2ed29ec869c41dc36da186dec923 | |
parent | ca069d41f32a7825682c3fd56f164e0a3ad64f43 (diff) | |
download | vyatta-cfg-system-c0b5836808739bcce1e5f854bd7edaa53a0d2afd.tar.gz vyatta-cfg-system-c0b5836808739bcce1e5f854bd7edaa53a0d2afd.zip |
Bug #498: dirty hack to disallow remote command execution for operator level users.
-rw-r--r-- | Makefile.am | 1 | ||||
-rwxr-xr-x | lib/Vyatta/Login/User.pm | 11 | ||||
-rwxr-xr-x | scripts/restricted-shell | 11 |
3 files changed, 22 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 283f59c2..86f8bb02 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -30,6 +30,7 @@ netplugdown_SCRIPTS = scripts/netplug/linkdown/dhclient
 bin_SCRIPTS += scripts/progress-indicator
 bin_SCRIPTS += scripts/vyatta-functions
+bin_SCRIPTS += scripts/restricted-shell
 sbin_SCRIPTS += scripts/check_file_in_config_dir
 sbin_SCRIPTS += scripts/rl-system.init
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 411aed6c..d3e9b8bd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -152,19 +152,28 @@ sub _update_user {
 # Read existing settings
 my $uid = getpwnam($user);
+ my $shell;
+ if ($level eq "operator") {
+ $shell = "/opt/vyatta/bin/restricted-shell";
+ }
+ else {
+ $shell = "/bin/vbash";
+ }
+
 # not found in existing passwd, must be new
 my $cmd;
 unless ( defined($uid) ) {
 # make new user using vyatta shell
 # and make home directory (-m)
 # and with default group of 100 (users)
- $cmd = 'useradd -s /bin/vbash -m -N';
+ $cmd = "useradd -s $shell -m -N";
 }
 else {
 # update existing account
 $cmd = "usermod";
 }
 $cmd .= " -p '$pwd'";
+ $cmd .= " -s $shell";
 $cmd .= " -c \"$fname\"" if ( defined $fname );
 $cmd .= " -d \"$home\"" if ( defined $home );
 $cmd .= ' -G ' . join( ',', @groups );
diff --git a/scripts/restricted-shell b/scripts/restricted-shell
new file mode 100755
index 00000000..ffcbb53b
--- /dev/null
+++ b/scripts/restricted-shell
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ $# != 0 ]; then
+ echo "Remote command execution is not allowed for operator level users"
+ args=($@)
+ args_str=$(IFS=" " ; echo "${args[*]}")
+ logger "Operator level user $USER attempted remote command execution: $args_str"
+ exit 1
+fi
+
+exec vbash
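Review bot: The shell selection in the new `if ($level eq "operator")` block fails open: every `$level` other than the exact string `operator`, including an undefined one, is handed `/bin/vbash`, so a missing or unexpected level ends up with the unrestricted shell (plus an uninitialized-value warning when `$level` is undef). Start from the restricted shell and only widen for the level the file treats as administrative: `my $shell = '/opt/vyatta/bin/restricted-shell';` followed by `$shell = '/bin/vbash' if defined $level && $level eq '<ADMIN-LEVEL-NAME>';` (placeholder — the admin level string this module uses is not visible in the hunk). Separately, the useradd branch now passes `-s` twice, once in `"useradd -s $shell -m -N"` and again via the later `$cmd .= " -s $shell"`; drop it from the useradd string so the single appended `-s` covers both branches. If anything on the system validates login shells against `/etc/shells` (pam_shells, chsh), the new path presumably needs to be listed there as well, which this commit does not do. `_update_user` begins before the hunk.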
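Review bot: `args=($@)` and the `IFS` subshell on the following line expand the rejected command's words unquoted, so a `*` or `?` among them is glob-expanded against the shell's working directory before it reaches `logger`, and the audit line no longer reflects what was actually passed; `args_str="$*"` yields the same space-joined string without word-splitting or globbing and replaces both lines. The closing `exec vbash` resolves vbash through `PATH` and discards the leading-dash argv[0] that sshd uses to mark a login shell, so vbash presumably will not read the login profile; `exec -l /bin/vbash` keeps the absolute path the Perl side uses and restores login-shell behaviour, assuming vbash honours it like bash. The refusal message on the `echo` line is written to stdout; send it to stderr with `>&2` so a remote client cannot mistake it for command output.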