author | John Southworth <john.southworth@vyatta.com> | 2011-08-03 11:59:21 -0500 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2011-08-03 11:59:21 -0500 |
commit | f6e3d3d687bdc82e4fa885864b35d9d7aa9ed5ca (patch) | |
tree | f15084d2df351671952e98b5da2bb7d4df74fcb8 | |
parent | 5881df96b478d388813557d7280e55e788b5e175 (diff) | |
download | vyatta-op-f6e3d3d687bdc82e4fa885864b35d9d7aa9ed5ca.tar.gz vyatta-op-f6e3d3d687bdc82e4fa885864b35d9d7aa9ed5ca.zip |
Generate unprivileged allowed-op at compile time. Add script to allow admin user to regenerate it if needed. Fix ambiguous command message.
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.am | 9 | ||||
-rw-r--r-- | etc/shell/level/users/allowed-op.in | 20 | ||||
-rw-r--r-- | functions/interpreter/vyatta-unpriv | 1 | ||||
-rwxr-xr-x | gen-unpriv-commands.sh | 32 | ||||
-rw-r--r-- | scripts/vyatta-regen-unpriv-commands.sh | 3 |
6 files changed, 66 insertions, 0 deletions
@@ -23,6 +23,7 @@ libtool
/INSTALL
/Makefile.in
/Makefile
+/etc/shell/level/users/allowed-op
/src/render_xml
diff --git a/Makefile.am b/Makefile.am
index 0cc0758..d1f98ff 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,6 +4,7 @@ completiondir = /etc/bash_completion.d
completion_DATA = etc/bash_completion.d/vyatta-op
opdir = $(datadir)/vyatta-op/templates
bin_sudo_usersdir = $(bindir)/sudo-users
+etc_shell_leveldir = $(sysconfdir)/shell/level
funcdir = $(datadir)/vyatta-op/functions
func_DATA = functions/tech-support
@@ -11,9 +12,11 @@ func_DATA += functions/tech-support-brief
interpdir = $(datadir)/vyatta-op/functions/interpreter
interp_DATA = functions/interpreter/vyatta-op-run
+interp_DATA += functions/interpreter/vyatta-unpriv
interp_DATA += functions/interpreter/vyatta-common
interp_DATA += functions/interpreter/vyatta-image-complete
+
bin_SCRIPTS = scripts/vyatta-show-interfaces
bin_SCRIPTS += scripts/vyatta-show-interfaces.pl
bin_SCRIPTS += scripts/vyatta-show-version
@@ -39,6 +42,7 @@ bin_SCRIPTS += scripts/vyatta-op-cmd-wrapper
sbin_SCRIPTS = scripts/dhcpv6-client-show-leases.pl
sbin_SCRIPTS += scripts/vyatta-image-tools.pl
+sbin_SCRIPTS += scripts/vyatta-regen-unpriv-commands.sh
bin_sudo_users_SCRIPTS = scripts/vyatta-identify-interface.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-delete-log-file.sh
@@ -47,9 +51,14 @@ bin_sudo_users_SCRIPTS += scripts/vyatta-op-dns-forwarding.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-op-dynamic-dns.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-clear-conntrack
+all-local:
+ ./gen-unpriv-commands.sh
+
cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
cpio -0pd
install-exec-hook:
mkdir -p $(DESTDIR)$(opdir)
cd templates; $(cpiop) $(DESTDIR)$(opdir)
+ mkdir -p $(DESTDIR)$(etc_shell_leveldir)
+ cd etc/shell/level; $(cpiop) $(DESTDIR)$(etc_shell_leveldir)
diff --git a/etc/shell/level/users/allowed-op.in b/etc/shell/level/users/allowed-op.in
new file mode 100644
index 0000000..a45a92f
--- /dev/null
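Review bot: The generated `etc/shell/level/users/allowed-op` is never a make target: `all-local:` runs `./gen-unpriv-commands.sh` on every build, nothing records that it depends on `allowed-op.in` and the generator script, and `make clean` leaves it behind even though `.gitignore` now hides it. Declaring it as a real rule with prerequisites and listing it in `CLEANFILES` gives make the dependency edge (use `CLEANFILES +=` if Makefile.am already sets that variable outside the hunk). The new `install-exec-hook` lines copy everything under `etc/shell/level`, so the `allowed-op.in` template is installed next to the generated list; if only the generated file is meant to ship, exclude `*.in` in `cpiop` or install the file explicitly. The generator resolves `./functions/...`, `./templates/` and its output path relative to the current directory, so this rule presumably only works for in-tree builds, which deserves a comment.
```make
all-local: etc/shell/level/users/allowed-op

# Regenerate the unprivileged command list only when its inputs change.
etc/shell/level/users/allowed-op: etc/shell/level/users/allowed-op.in gen-unpriv-commands.sh
	./gen-unpriv-commands.sh

CLEANFILES = etc/shell/level/users/allowed-op
# … unchanged: cpiop and install-exec-hook …
```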
+++ b/etc/shell/level/users/allowed-op.in
@@ -0,0 +1,20 @@
+clear
+connect
+debug
+delete
+disconnect
+exit
+force
+no
+ping
+ping6
+release
+renew
+set
+show
+telnet
+terminal
+traceroute
+traceroute6
+undebug
+update
diff --git a/functions/interpreter/vyatta-unpriv b/functions/interpreter/vyatta-unpriv
index 0b07317..ea1e952 100644
--- a/functions/interpreter/vyatta-unpriv
+++ b/functions/interpreter/vyatta-unpriv
@@ -13,6 +13,7 @@ vyatta_unpriv_ambiguous ()
get_prefix_filtered_list $1 op_allowed filtered_cmds
_vyatta_op_node_path=${vyatta_op_templates}
comps=$(_vyatta_op_help $1 ${filtered_cmds[@]})
+ echo -ne "\n Ambiguous command: [$1]\n"
echo -e "$comps\n" | sed -e 's/^P/ P/'
}
diff --git a/gen-unpriv-commands.sh b/gen-unpriv-commands.sh
new file mode 100755
index 0000000..cce36a1
--- /dev/null
+++ b/gen-unpriv-commands.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+source ./functions/interpreter/vyatta-common
+
+declare -a op_allowed
+declare -a toplevel
+
+op_allowed=( $(cat ./etc/shell/level/users/allowed-op.in) )
+toplevel=( $(ls ./templates/) )
+
+vyatta_unpriv_gen_allowed () {
+ local -a allowed_cmds=()
+ rm -f ./etc/shell/level/users/allowed-op
+ for cmd in "${op_allowed[@]}"; do
+ if is_elem_of ${cmd} toplevel; then
+ for pos in $(seq 1 ${#cmd}); do
+ case ${cmd:0:$pos} in
+ for|do|done|if|fi|case|while|tr )
+ continue ;;
+ *) ;;
+ esac
+ if ! is_elem_of ${cmd:0:$pos} allowed_cmds; then
+ allowed_cmds+=( ${cmd:0:$pos} )
+ echo ${cmd:0:$pos} >> ./etc/shell/level/users/allowed-op
+ fi
+ done
+ else
+ echo ${cmd} >> ./etc/shell/level/users/allowed-op
+ fi
+ done
+}
+
+vyatta_unpriv_gen_allowed
diff --git a/scripts/vyatta-regen-unpriv-commands.sh b/scripts/vyatta-regen-unpriv-commands.sh
new file mode 100644
index 0000000..e6f7e2f
--- /dev/null
+++ b/scripts/vyatta-regen-unpriv-commands.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+source /opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-unpriv
+vyatta_unpriv_gen_allowed |
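Review bot: The added `echo -ne "\n Ambiguous command: [$1]\n"` lets `-e` interpret any backslash sequences contained in `$1`, which is the prefix typed by the restricted user, so the message can be reshaped by the input; `printf '\n  Ambiguous command: [%s]\n' "$1"` prints it verbatim. The enclosing `vyatta_unpriv_ambiguous` function starts before the hunk.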
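Review bot: The `case` exclusion list `for|do|done|if|fi|case|while|tr )` is the only thing keeping a generated prefix from coinciding with a shell keyword or a real executable, and it misses `sh`, which the inner loop emits as a prefix of `show`; if `allowed-op` gates what the unprivileged shell may run, as excluding `tr` suggests, `sh` belongs on that list (`for|do|done|if|fi|case|while|tr|sh )`), and a `type -P` check on strict prefixes would catch such collisions without maintaining the list by hand. The output is also produced by `rm -f` followed by one `>>` append per word with no `set -e`, so a failure part-way leaves a truncated `allowed-op` that the `all-local` caller still reports as a successful build; write to a temporary file next to the output and `mv -f` it into place at the end. `op_allowed=( $(cat ./etc/shell/level/users/allowed-op.in) )` reads the template unfiltered, so a header comment should state that `allowed-op.in` must contain bare command words only (a `#` line would become an allowed token) and that this script must be run from the source root, since every path in it is relative.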
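Review bot: `vyatta_unpriv_gen_allowed` is, as far as this commit shows, defined only in `gen-unpriv-commands.sh`, while this script sources the installed `vyatta-unpriv`, whose hunk above adds only the ambiguous-command message; unless `vyatta-unpriv` already defines that function outside the hunk shown, the installed `sbin` script fails with a command-not-found error. Even if it does exist there, the build-time version works on `./etc/...` and `./templates/` relative paths, so the two definitions need to agree on the installed locations. A one-line header comment naming the file this regenerates and stating that it is meant to be run by an administrator would help whoever maintains it.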