diff options
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 45 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postrm | 3 |
2 files changed, 25 insertions, 23 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index d6497529..735b28e7 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -23,16 +23,27 @@ esac ln -sf ../vyatta-net.rules /etc/udev/rules.d/$vyatta_net_rules if [ "$sysconfdir" != "/etc" ]; then - # for "admin" level (FIXME) + cp -p /etc/sudoers /etc/sudoers.bak + + # for "admin" level sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers fi - # Allow operator to do a limited number of commands without password - if ! grep -q '^%operator ALL=NOPASSWD:' /etc/sudoers; then - cat <<"EOF" >>/etc/sudoers -### BEGIN VYATTA OPERATOR COMMANDS + # cleanup any old entries + ed - /etc/sudoers <<EOF +/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d +g/sudo-users/d +g/env_keep+=VYATTA/d +wq +EOF + # Add Vyatta entries + cat <<"EOF" >>/etc/sudoers +### BEGIN VYATTA +Defaults syslog_goodpri=info +Defaults env_keep+=VYATTA_* + Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ /sbin/iptables -L -vn,\ /sbin/iptables -L * -vn,\ @@ -46,26 +57,14 @@ Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ Cmnd_Alias ETHTOOLP = /usr/sbin/ethtool -p * Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff +Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump %operator ALL=NOPASSWD: /sbin/reboot, DATE, IPTABLES, ETHTOOLP, IPFLUSH, \ - PPPOE_CMDS, /usr/bin/tshark, /usr/sbin/wanpipemon -### END VYATTA OPERATOR COMMANDS + PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon +EOF + cat <<EOF >>/etc/sudoers +%users ALL=NOPASSWD: ${bindir}/sudo-users/ +### END VYATTA EOF - fi - - # for "users" level (FIXME) - if ! grep -q "^%users ALL=NOPASSWD: ${bindir}/sudo-users/" /etc/sudoers; then - echo -e "\n%users ALL=NOPASSWD: ${bindir}/sudo-users/" >> /etc/sudoers - fi - - # Reduce logging level of good commands - if ! grep -q "^Defaults syslog_goodpri" /etc/sudoers; then - echo -e "\nDefaults syslog_goodpri=info" >>/etc/sudoers - fi - - # keep env vars - if ! grep -q 'env_keep+=VYATTA_*' /etc/sudoers ; then - echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers - fi fi # update crontab for logrotate diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm index d668f55d..46ec1aaa 100644 --- a/debian/vyatta-cfg-system.postrm +++ b/debian/vyatta-cfg-system.postrm @@ -2,6 +2,9 @@ if [ "$1" = "purge" ]; then rm -f /etc/udev/rules.d/*vyatta-net.rules + + sed -i '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers + fi # Local Variables: |