authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-04 16:35:23 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-04 16:48:57 -0800
commit78be5135b674d8a321b5ff2f9497652831c88157 (patch)
tree649b62e6f55dca5ca8f5d0dd35bd95777173dc17
parentfda8e26509b6b4ddf1b0103b6f9af65d306da360 (diff)
Don't allow operator to run show system login users
Bug 5147: This is a generic way of solving the sudo problem (for now).
-rw-r--r--Makefile.am1
-rwxr-xr-xscripts/vyatta-sudo21
-rw-r--r--templates/show/system/login/users/locked/node.def2
-rw-r--r--templates/show/system/login/users/node.def2
-rw-r--r--templates/show/system/login/users/other/node.def2
5 files changed, 25 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index a9deebe..3629785 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ bin_SCRIPTS += scripts/yesno
bin_SCRIPTS += scripts/vyatta-gettime.pl
bin_SCRIPTS += scripts/show-users.pl
bin_SCRIPTS += scripts/vyatta-boot-image.pl
+bin_SCRIPTS += scripts/vyatta-sudo
bin_sudo_users_SCRIPTS = scripts/vyatta-identify-interface.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-delete-log-file.sh
diff --git a/scripts/vyatta-sudo b/scripts/vyatta-sudo
new file mode 100755
index 0000000..bb95ae5
--- /dev/null
+++ b/scripts/vyatta-sudo
@@ -0,0 +1,21 @@
+#! /usr/bin/perl
+#
+
+# Look if user is in sudo group
+use strict;
+use warnings;
+
+sub isadmin {
+ my $gid = getgrnam("sudo");
+ return unless $gid;
+
+ # is $gid in list of current groups
+ return grep { $_ eq $gid } split / /, $(;
+}
+
+die "Missing command arguement\n" unless @ARGV;
+
+exec ('sudo', @ARGV ) if (isadmin());
+
+print "This account is not authorized to run this command\n";
+exit 1;
diff --git a/templates/show/system/login/users/locked/node.def b/templates/show/system/login/users/locked/node.def
index ebd84a0..354c204 100644
--- a/templates/show/system/login/users/locked/node.def
+++ b/templates/show/system/login/users/locked/node.def
@@ -1,2 +1,2 @@
help: Show information about locked accounts
-run: sudo /opt/vyatta/bin/show-users.pl locked
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl locked
diff --git a/templates/show/system/login/users/node.def b/templates/show/system/login/users/node.def
index 7f3101a..5943122 100644
--- a/templates/show/system/login/users/node.def
+++ b/templates/show/system/login/users/node.def
@@ -1,2 +1,2 @@
help: Show user account information
-run: sudo /opt/vyatta/bin/show-users.pl
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl
diff --git a/templates/show/system/login/users/other/node.def b/templates/show/system/login/users/other/node.def
index 4c99637..77c4683 100644
--- a/templates/show/system/login/users/other/node.def
+++ b/templates/show/system/login/users/other/node.def
@@ -1,2 +1,2 @@
help: Show information about non-Vyatta accounts
-run: sudo /opt/vyatta/bin/show-users.pl other
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl other