authorAn-Cheng Huang <ancheng@vyatta.com>2007-12-04 18:53:56 -0800
committerAn-Cheng Huang <ancheng@vyatta.com>2007-12-04 18:53:56 -0800
commit4dbba52a5b7e97d55ea7c4f957f594204350b9b2 (patch)
tree43bf92447f731628b831902f8b2253022b75a11a
parent478334deb755f9b31fccffdde92971516863dbff (diff)
downloadvyatta-op-4dbba52a5b7e97d55ea7c4f957f594204350b9b2.tar.gz
vyatta-op-4dbba52a5b7e97d55ea7c4f957f594204350b9b2.zip
* restrict "users" level sudo permissions to the "sudo-users" directory.
* add wrappers for show commands requiring sudo and put them in "sudo-users" directory.
-rw-r--r--Makefile.am7
-rwxr-xr-xscripts/vyatta-ethtool-wrapper4
-rwxr-xr-xscripts/vyatta-show-log4
-rwxr-xr-xscripts/vyatta-show-log-file8
-rw-r--r--templates/show/interfaces/ethernet/node.tag/physical/node.def2
-rw-r--r--templates/show/interfaces/ethernet/node.tag/vif/node.tag/physical/node.def2
-rw-r--r--templates/show/log/all/node.def2
-rw-r--r--templates/show/log/file/node.tag/node.def6
-rw-r--r--templates/show/log/node.def2
9 files changed, 27 insertions, 10 deletions
diff --git a/Makefile.am b/Makefile.am
index 69d449e..656d279 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,6 +3,7 @@ default_DATA = etc/default/vyatta
completiondir = /etc/bash_completion.d
completion_DATA = etc/bash_completion.d/10vyatta-op
opdir = $(datadir)/vyatta-op/templates
+bin_sudo_usersdir = $(bindir)/sudo-users
funcdir = $(datadir)/vyatta-op/functions
func_DATA = functions/tech-support
@@ -12,9 +13,13 @@ allowed_DATA = functions/allowed/hosts
bin_SCRIPTS = scripts/vyatta-show-interfaces
bin_SCRIPTS += scripts/vyatta-show-dmesg-all
-bin_SCRIPTS += scripts/vyatta-show-log-all
bin_SCRIPTS += scripts/vyatta-show-version
+bin_sudo_users_SCRIPTS = scripts/vyatta-show-log
+bin_sudo_users_SCRIPTS += scripts/vyatta-show-log-all
+bin_sudo_users_SCRIPTS += scripts/vyatta-show-log-file
+bin_sudo_users_SCRIPTS += scripts/vyatta-ethtool-wrapper
+
cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
cpio -0pd
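Review bot: The new `bin_sudo_users_SCRIPTS` list carries no comment saying that everything installed into `$(bindir)/sudo-users` becomes runnable through sudo by "users"-level accounts, which is what the commit message describes. I would add above the first assignment: `# Scripts listed here run as root via sudo for "users"-level accounts: fixed behaviour only, validate every argument.` The sudoers rule is not part of this diff, so presumably it matches the whole directory. If so, any script added to this list later widens privilege with no other change to review.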
diff --git a/scripts/vyatta-ethtool-wrapper b/scripts/vyatta-ethtool-wrapper
new file mode 100755
index 0000000..8753bd6
--- /dev/null
+++ b/scripts/vyatta-ethtool-wrapper
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+ethtool "$@"
+
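Review bot: `ethtool "$@"` forwards every argument unchanged, so routing sudo through this wrapper narrows nothing compared with the old `sudo ethtool`. A "users"-level account that invokes the wrapper directly (presumably permitted, since the sudo rule is per directory) can still reach ethtool's configuration-changing options as root. The two templates only ever pass one interface name, so the wrapper should accept exactly that: `[[ $# -eq 1 && $1 =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || exit 1` followed by `exec ethtool "$1"`. Calling ethtool here, and `cat` in scripts/vyatta-show-log, by absolute path would also remove the dependence on how sudo sets PATH.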
diff --git a/scripts/vyatta-show-log b/scripts/vyatta-show-log
new file mode 100755
index 0000000..10e46e5
--- /dev/null
+++ b/scripts/vyatta-show-log
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cat /var/log/messages
+
diff --git a/scripts/vyatta-show-log-file b/scripts/vyatta-show-log-file
new file mode 100755
index 0000000..1f8a0ef
--- /dev/null
+++ b/scripts/vyatta-show-log-file
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ -f /var/log/user/$1 ]; then
+ cat /var/log/user/$1
+else
+ echo "No such log file"
+fi
+
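Review bot: `$1` is used unquoted and unchecked in `/var/log/user/$1`, and this script now runs as root via sudo, so a name containing `/` or `..` resolves outside /var/log/user and the file is read with root privileges. The old template ran the same test as the calling user, so the missing check was harmless there. The script should reject an empty name, `.`, `..` and anything containing a slash, quote the path, and refuse symlinks, because `-f` follows them and it is not visible here who can write to /var/log/user. The template's `$4` in templates/show/log/file/node.tag/node.def is passed unquoted as well.

```shell
name=$1
case "$name" in
    ""|.|..|*/*) echo "No such log file"; exit 1 ;;
esac
log="/var/log/user/$name"
if [ -f "$log" ] && [ ! -L "$log" ]; then
    cat "$log"
else
    echo "No such log file"
fi
```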
diff --git a/templates/show/interfaces/ethernet/node.tag/physical/node.def b/templates/show/interfaces/ethernet/node.tag/physical/node.def
index 0d4dcf1..3e4e2bc 100644
--- a/templates/show/interfaces/ethernet/node.tag/physical/node.def
+++ b/templates/show/interfaces/ethernet/node.tag/physical/node.def
@@ -1,3 +1,3 @@
help: Show physical device information of given ethernet interface
allowed: ""
-run: sudo ethtool $4
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-ethtool-wrapper $4
diff --git a/templates/show/interfaces/ethernet/node.tag/vif/node.tag/physical/node.def b/templates/show/interfaces/ethernet/node.tag/vif/node.tag/physical/node.def
index 96cd2a5..d2e8593 100644
--- a/templates/show/interfaces/ethernet/node.tag/vif/node.tag/physical/node.def
+++ b/templates/show/interfaces/ethernet/node.tag/vif/node.tag/physical/node.def
@@ -1,2 +1,2 @@
help: Show given virtual network interface pseudo-physical information
-run: sudo ethtool $4.$6
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-ethtool-wrapper $4.$6
diff --git a/templates/show/log/all/node.def b/templates/show/log/all/node.def
index 87e959b..26f97a3 100644
--- a/templates/show/log/all/node.def
+++ b/templates/show/log/all/node.def
@@ -1,2 +1,2 @@
help: Show contents of all master log files
-run: ${vyatta_bindir}/vyatta-show-log-all
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-log-all
diff --git a/templates/show/log/file/node.tag/node.def b/templates/show/log/file/node.tag/node.def
index 443458a..65700df 100644
--- a/templates/show/log/file/node.tag/node.def
+++ b/templates/show/log/file/node.tag/node.def
@@ -2,8 +2,4 @@ help: Show contents of user-defined log file
allowed: local -a array ;
array=( /var/log/user/* ) ;
echo -n ${array[@]##*/}
-run: if [ -f /var/log/user/$4 ]; then
- cat /var/log/user/$4;
- else
- echo "no such file";
- fi
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-log-file $4
diff --git a/templates/show/log/node.def b/templates/show/log/node.def
index 898a7ed..2362962 100644
--- a/templates/show/log/node.def
+++ b/templates/show/log/node.def
@@ -1,2 +1,2 @@
help: Show contents of current master log file
-run: cat /var/log/messages
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-log