author | An-Cheng Huang <ancheng@vyatta.com> | 2007-12-07 18:19:48 -0800 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2007-12-07 18:19:48 -0800 |
commit | 04a54264cfc1041eb9ae238ccafab7f0e4be4a75 (patch) | |
tree | f3227b986435f2d88ade3255f406c658beb9a878 /etc/default/vyatta-cfg | |
parent | fd32d4dfaafe45c9a7fd4099423de36dd6600ef1 (diff) | |
add policy mechanism for user management: per-level policies control
default restricted mode and allowed op/cfg/pipe commands.
Diffstat (limited to 'etc/default/vyatta-cfg')
-rw-r--r-- | etc/default/vyatta-cfg | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/etc/default/vyatta-cfg b/etc/default/vyatta-cfg
new file mode 100644
index 0000000..d369e0f
--- /dev/null
+++ b/etc/default/vyatta-cfg
@@ -0,0 +1,40 @@
+# Vyatta shell environment variables for config mode
+# should be sourced from /etc/default/vyatta
+
+export VYATTA_ACTIVE_CONFIGURATION_DIR=${vyatta_configdir}/active
+export VYATTA_CHANGES_ONLY_DIR=${vyatta_configdir}/tmp/changes_only_$$
+export VYATTA_TEMP_CONFIG_DIR=${vyatta_configdir}/tmp/new_config_$$
+export VYATTA_CONFIG_TMP=${vyatta_configdir}/tmp/tmp_$$
+export VYATTA_CONFIG_TEMPLATE=$vyatta_cfg_templates
+export VYATTA_EDIT_LEVEL=/
+export VYATTA_TEMPLATE_LEVEL=/
+export VYATTA_TAG_NAME=node.tag
+export VYATTA_MOD_NAME=.modified
+
+# don't set level if already set
+if [ -n "$VYATTA_USER_LEVEL_DIR" ]; then
+ return
+fi
+{
+is_admin=0
+is_users=0
+VYATTA_LEVEL_GROUP_ADMIN=vyattacfg
+VYATTA_LEVEL_GROUP_USERS=quaggavty
+local -a groups=( $(id -Gn) )
+for g in "${groups[@]}"; do
+ if [ "$g" == "$VYATTA_LEVEL_GROUP_ADMIN" ]; then
+ is_admin=1
+ fi
+ if [ "$g" == "$VYATTA_LEVEL_GROUP_USERS" ]; then
+ is_users=1
+ fi
+done
+# check level from high to low
+if [ $is_admin == 1 ]; then
+ declare -x -r VYATTA_USER_LEVEL_DIR=${vyatta_sysconfdir}/shell/level/admin
+else
+ # no need to check is_users since there are only 2 levels for now
+ declare -x -r VYATTA_USER_LEVEL_DIR=${vyatta_sysconfdir}/shell/level/users
+fi
+} 2>/dev/null || :
+
|
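Review bot: The `if [ -n "$VYATTA_USER_LEVEL_DIR" ]; then return; fi` guard accepts whatever value the shell inherited, so whenever the variable arrives pre-set the policy directory is chosen by the environment rather than by the `id -Gn` group test; `declare -x -r` makes it read-only only in the current shell, not in a child that inherits the export. If the level is meant to act as a restriction, compute it from group membership on every source and treat an inherited value as untrusted, for example by assigning the computed path to a local name and finishing with `[ "$VYATTA_USER_LEVEL_DIR" = "$lvl" ] || declare -x -r VYATTA_USER_LEVEL_DIR=$lvl`. Separately, `local -a groups=( $(id -Gn) )` is an error outside a function, and because the block is wrapped in `} 2>/dev/null || :` that failure would be silent and leave every account at the `users` level. Whether this file is sourced from inside a function is not visible in the hunk, so a plain `groups=( $(id -Gn) )` with the error reported rather than discarded would make the outcome independent of the caller.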