author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-04 16:35:23 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-04 16:48:57 -0800 |
commit | 78be5135b674d8a321b5ff2f9497652831c88157 (patch) | |
tree | 649b62e6f55dca5ca8f5d0dd35bd95777173dc17 | |
parent | fda8e26509b6b4ddf1b0103b6f9af65d306da360 (diff) | |
download | vyatta-op-78be5135b674d8a321b5ff2f9497652831c88157.tar.gz vyatta-op-78be5135b674d8a321b5ff2f9497652831c88157.zip |
Don't allow operator to run show system login users
Bug 5147
This is a generic way of solving the sudo problem (for now).
-rw-r--r-- | Makefile.am | 1 | ||||
-rwxr-xr-x | scripts/vyatta-sudo | 21 | ||||
-rw-r--r-- | templates/show/system/login/users/locked/node.def | 2 | ||||
-rw-r--r-- | templates/show/system/login/users/node.def | 2 | ||||
-rw-r--r-- | templates/show/system/login/users/other/node.def | 2 |
5 files changed, 25 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index a9deebe..3629785 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ bin_SCRIPTS += scripts/yesno
 bin_SCRIPTS += scripts/vyatta-gettime.pl
 bin_SCRIPTS += scripts/show-users.pl
 bin_SCRIPTS += scripts/vyatta-boot-image.pl
+bin_SCRIPTS += scripts/vyatta-sudo
 bin_sudo_users_SCRIPTS = scripts/vyatta-identify-interface.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-delete-log-file.sh
diff --git a/scripts/vyatta-sudo b/scripts/vyatta-sudo
new file mode 100755
index 0000000..bb95ae5
--- /dev/null
+++ b/scripts/vyatta-sudo
@@ -0,0 +1,21 @@
+#! /usr/bin/perl
+#
+
+# Look if user is in sudo group
+use strict;
+use warnings;
+
+sub isadmin {
+ my $gid = getgrnam("sudo");
+ return unless $gid;
+
+ # is $gid in list of current groups
+ return grep { $_ eq $gid } split / /, $(;
+}
+
+die "Missing command arguement\n" unless @ARGV;
+
+exec ('sudo', @ARGV ) if (isadmin());
+
+print "This account is not authorized to run this command\n";
+exit 1;
diff --git a/templates/show/system/login/users/locked/node.def b/templates/show/system/login/users/locked/node.def
index ebd84a0..354c204 100644
--- a/templates/show/system/login/users/locked/node.def
+++ b/templates/show/system/login/users/locked/node.def
@@ -1,2 +1,2 @@
 help: Show information about locked accounts
-run: sudo /opt/vyatta/bin/show-users.pl locked
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl locked
diff --git a/templates/show/system/login/users/node.def b/templates/show/system/login/users/node.def
index 7f3101a..5943122 100644
--- a/templates/show/system/login/users/node.def
+++ b/templates/show/system/login/users/node.def
@@ -1,2 +1,2 @@
 help: Show user account information
-run: sudo /opt/vyatta/bin/show-users.pl
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl
diff --git a/templates/show/system/login/users/other/node.def b/templates/show/system/login/users/other/node.def
index 4c99637..77c4683 100644
--- a/templates/show/system/login/users/other/node.def
+++ b/templates/show/system/login/users/other/node.def
@@ -1,2 +1,2 @@
 help: Show information about non-Vyatta accounts
-run: sudo /opt/vyatta/bin/show-users.pl other
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl other
|
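Review bot: In the new scripts/vyatta-sudo, `exec ('sudo', @ARGV ) if (isadmin());` falls through when exec itself fails (sudo not found on PATH or not executable), so a legitimate admin then gets the misleading "This account is not authorized to run this command" and exit 1; make that failure explicit and stop resolving the one privilege-escalating binary through the caller's PATH, e.g. `exec('/usr/bin/sudo', @ARGV) or die "exec sudo: $!\n" if isadmin();` (Debian's default location; adjust if the build targets another path). The group check is only a front-end gate for the `run:` lines changed in the three node.def hunks: a user who can call sudo directly is still bounded only by the sudoers policy, which this commit does not touch, so a comment above isadmin such as `# Advisory check only: sudoers remains the enforcement point for who may run the wrapped command` would record the "for now" intent from the commit message for later maintainers. The die message also misspells "argument" as "arguement".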