From 78be5135b674d8a321b5ff2f9497652831c88157 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 4 Jan 2010 16:35:23 -0800
Subject: Don't allow operator to run show system login users

Bug 5147
This is a generic way of solving the sudo problem (for now).
---
 Makefile.am | 1 +
 scripts/vyatta-sudo | 21 +++++++++++++++++++++
 templates/show/system/login/users/locked/node.def | 2 +-
 templates/show/system/login/users/node.def | 2 +-
 templates/show/system/login/users/other/node.def | 2 +-
 5 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100755 scripts/vyatta-sudo

diff --git a/Makefile.am b/Makefile.am
index a9deebe..3629785 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ bin_SCRIPTS += scripts/yesno
 bin_SCRIPTS += scripts/vyatta-gettime.pl
 bin_SCRIPTS += scripts/show-users.pl
 bin_SCRIPTS += scripts/vyatta-boot-image.pl
+bin_SCRIPTS += scripts/vyatta-sudo
 
 bin_sudo_users_SCRIPTS = scripts/vyatta-identify-interface.pl
 bin_sudo_users_SCRIPTS += scripts/vyatta-delete-log-file.sh
diff --git a/scripts/vyatta-sudo b/scripts/vyatta-sudo
new file mode 100755
index 0000000..bb95ae5
--- /dev/null
+++ b/scripts/vyatta-sudo
@@ -0,0 +1,21 @@
+#! /usr/bin/perl
+#
+
+# Look if user is in sudo group
+use strict;
+use warnings;
+
+sub isadmin {
+ my $gid = getgrnam("sudo");
+ return unless $gid;
+
+ # is $gid in list of current groups
+ return grep { $_ eq $gid } split / /, $(;
+}
+
+die "Missing command arguement\n" unless @ARGV;
+
+exec ('sudo', @ARGV ) if (isadmin());
+
+print "This account is not authorized to run this command\n";
+exit 1;
diff --git a/templates/show/system/login/users/locked/node.def b/templates/show/system/login/users/locked/node.def
index ebd84a0..354c204 100644
--- a/templates/show/system/login/users/locked/node.def
+++ b/templates/show/system/login/users/locked/node.def
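Review bot: If the `exec` in scripts/vyatta-sudo fails (sudo not found on the caller's PATH, or not executable), control falls through to the "not authorized" message and `exit 1`, so an environment error is reported as a policy denial; check the result, e.g. `exec('sudo', @ARGV) or die "exec sudo: $!\n" if isadmin();`, and consider an absolute path for sudo so the script does not depend on the invoking user's PATH. isadmin() runs as the invoking user and only filters the call, it is not a security boundary — an operator who runs sudo directly is judged by the sudoers policy alone — so the restriction must stay in sudoers and the header comment should say so, e.g. `# Convenience gate only: authorization is enforced by sudoers, not here`. `return unless $gid` would also treat a group with gid 0 as absent; `return unless defined $gid` is the intended test. Minor: the denial message goes to STDOUT rather than STDERR, and the die message misspells "argument" (`die "Missing command argument\n" unless @ARGV;`).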
@@ -1,2 +1,2 @@
 help: Show information about locked accounts
-run: sudo /opt/vyatta/bin/show-users.pl locked
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl locked
diff --git a/templates/show/system/login/users/node.def b/templates/show/system/login/users/node.def
index 7f3101a..5943122 100644
--- a/templates/show/system/login/users/node.def
+++ b/templates/show/system/login/users/node.def
@@ -1,2 +1,2 @@
 help: Show user account information
-run: sudo /opt/vyatta/bin/show-users.pl
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl
diff --git a/templates/show/system/login/users/other/node.def b/templates/show/system/login/users/other/node.def
index 4c99637..77c4683 100644
--- a/templates/show/system/login/users/other/node.def
+++ b/templates/show/system/login/users/other/node.def
@@ -1,2 +1,2 @@
 help: Show information about non-Vyatta accounts
-run: sudo /opt/vyatta/bin/show-users.pl other
+run: ${vyatta_bindir}/vyatta-sudo /opt/vyatta/bin/show-users.pl other
-- 
cgit v1.2.3
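Review bot: The new `run:` lines mix `${vyatta_bindir}/vyatta-sudo` with the hard-coded `/opt/vyatta/bin/show-users.pl` on the same line, here and in the users/node.def and users/other/node.def hunks; using `${vyatta_bindir}/show-users.pl` for both keeps the three templates consistent and avoids a stale path if the install prefix changes. The old lines did not depend on `vyatta_bindir` being exported, so if it is unset the template expands to `/vyatta-sudo` and the command fails — presumably the op-mode shell always sets it, but that is worth confirming since this is the first use in these templates.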