authorAn-Cheng Huang <ancheng@vyatta.com>2007-12-07 18:19:48 -0800
committerAn-Cheng Huang <ancheng@vyatta.com>2007-12-07 18:19:48 -0800
commit04a54264cfc1041eb9ae238ccafab7f0e4be4a75 (patch)
treef3227b986435f2d88ade3255f406c658beb9a878 /etc
parentfd32d4dfaafe45c9a7fd4099423de36dd6600ef1 (diff)
add policy mechanism for user management: per-level policies control
default restricted mode and allowed op/cfg/pipe commands.
Diffstat (limited to 'etc')
-rw-r--r--etc/default/vyatta-cfg40
-rw-r--r--etc/shell/level/admin/restricted-mode1
-rw-r--r--etc/shell/level/users/allowed-cfg0
-rw-r--r--etc/shell/level/users/allowed-op3
-rw-r--r--etc/shell/level/users/allowed-pipe10
-rw-r--r--etc/shell/level/users/restricted-mode1
6 files changed, 55 insertions, 0 deletions
diff --git a/etc/default/vyatta-cfg b/etc/default/vyatta-cfg
new file mode 100644
index 0000000..d369e0f
--- /dev/null
+++ b/etc/default/vyatta-cfg
@@ -0,0 +1,40 @@
+# Vyatta shell environment variables for config mode
+# should be sourced from /etc/default/vyatta
+
+export VYATTA_ACTIVE_CONFIGURATION_DIR=${vyatta_configdir}/active
+export VYATTA_CHANGES_ONLY_DIR=${vyatta_configdir}/tmp/changes_only_$$
+export VYATTA_TEMP_CONFIG_DIR=${vyatta_configdir}/tmp/new_config_$$
+export VYATTA_CONFIG_TMP=${vyatta_configdir}/tmp/tmp_$$
+export VYATTA_CONFIG_TEMPLATE=$vyatta_cfg_templates
+export VYATTA_EDIT_LEVEL=/
+export VYATTA_TEMPLATE_LEVEL=/
+export VYATTA_TAG_NAME=node.tag
+export VYATTA_MOD_NAME=.modified
+
+# don't set level if already set
+if [ -n "$VYATTA_USER_LEVEL_DIR" ]; then
+ return
+fi
+{
+is_admin=0
+is_users=0
+VYATTA_LEVEL_GROUP_ADMIN=vyattacfg
+VYATTA_LEVEL_GROUP_USERS=quaggavty
+local -a groups=( $(id -Gn) )
+for g in "${groups[@]}"; do
+ if [ "$g" == "$VYATTA_LEVEL_GROUP_ADMIN" ]; then
+ is_admin=1
+ fi
+ if [ "$g" == "$VYATTA_LEVEL_GROUP_USERS" ]; then
+ is_users=1
+ fi
+done
+# check level from high to low
+if [ $is_admin == 1 ]; then
+ declare -x -r VYATTA_USER_LEVEL_DIR=${vyatta_sysconfdir}/shell/level/admin
+else
+ # no need to check is_users since there are only 2 levels for now
+ declare -x -r VYATTA_USER_LEVEL_DIR=${vyatta_sysconfdir}/shell/level/users
+fi
+} 2>/dev/null || :
+
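Review bot: The early return at `if [ -n "$VYATTA_USER_LEVEL_DIR" ]` honors any pre-existing value, including one inherited from the process environment, and that value is exactly what selects the policy directory in the two `declare -x -r` lines below it; if a restricted user can get `VYATTA_USER_LEVEL_DIR=.../shell/level/admin` into the environment before this file is sourced, the group lookup is skipped entirely (whether that is reachable depends on how the login shell is launched, which this diff does not show). Only a value set by this file carries the readonly attribute — the attribute is not inherited with the environment — so the guard can require it instead of trusting any non-empty string: `if [ -n "$VYATTA_USER_LEVEL_DIR" ] && ! ( VYATTA_USER_LEVEL_DIR=x ) 2>/dev/null; then return; fi`. Separately, `local -a groups=( $(id -Gn) )` is only valid inside a function; if this file is sourced at top level the "can only be used in a function" error is swallowed by the `} 2>/dev/null || :` wrapper, `groups` stays empty and every user silently lands in the users level, so `declare -a groups=( $(id -Gn) )` is the safer spelling. The blanket `2>/dev/null || :` also hides an `id` failure, which is worth a comment stating that falling through to the users level on error is intended.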
diff --git a/etc/shell/level/admin/restricted-mode b/etc/shell/level/admin/restricted-mode
new file mode 100644
index 0000000..53752db
--- /dev/null
+++ b/etc/shell/level/admin/restricted-mode
@@ -0,0 +1 @@
+output
diff --git a/etc/shell/level/users/allowed-cfg b/etc/shell/level/users/allowed-cfg
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/etc/shell/level/users/allowed-cfg
diff --git a/etc/shell/level/users/allowed-op b/etc/shell/level/users/allowed-op
new file mode 100644
index 0000000..a2ad52d
--- /dev/null
+++ b/etc/shell/level/users/allowed-op
@@ -0,0 +1,3 @@
+show
+terminal
+exit
diff --git a/etc/shell/level/users/allowed-pipe b/etc/shell/level/users/allowed-pipe
new file mode 100644
index 0000000..3204ef3
--- /dev/null
+++ b/etc/shell/level/users/allowed-pipe
@@ -0,0 +1,10 @@
+more
+1
+no-more
+1
+count
+1
+match
+2
+no-match
+2
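Review bot: The format of this file — a pipe command name followed on the next line by a bare number — is documented nowhere in this commit, and the meaning of the number is a guess a maintainer has to confirm against the loader, which is not in this diff (it looks like an argument count, since `match`/`no-match` take a pattern and `more`/`no-more`/`count` take none, but that is inferred). Whether the loader tolerates comment lines is also not visible here, so the safest place for the description is a short `etc/shell/level/README` stating one entry per two lines, `<pipe-name>` then `<number>`, and what the number means; the same file could note that `allowed-op`/`allowed-cfg` are one command name per line and that an empty file allows nothing.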
diff --git a/etc/shell/level/users/restricted-mode b/etc/shell/level/users/restricted-mode
new file mode 100644
index 0000000..2877147
--- /dev/null
+++ b/etc/shell/level/users/restricted-mode
@@ -0,0 +1 @@
+full
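Review bot: The vocabulary of `restricted-mode` values is not documented: this file says `full` for the users level and the admin file says `output`, but nothing in the commit states what each word permits or whether any other values are accepted by the consumer, which is outside this diff. Because these single words are the effective policy for each level, a one-line note next to the files (for example in a `etc/shell/level/README`: `restricted-mode: "full" restricts the whole session to the allowed-* lists; "output" restricts only ...`, with the second half filled in from the loader) would keep a future edit from loosening the users level by mistake. If the loader rejects unknown values, that is also worth stating, since a typo here would otherwise be a silent policy change.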