authorViacheslav Hletenko <v.gletenko@vyos.io>2022-10-14 17:54:43 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2022-10-14 17:54:43 +0000
commit372ccffe5bd1a9f44e18ae796b6f10b9ba5e95c8 (patch)
tree110f6a9f99ec7b8ca0f72394a4a3e6a35e76ff45
parent427ea592ae8d92d29aca245683832b5bd75b643d (diff)
downloadvyos-1x-372ccffe5bd1a9f44e18ae796b6f10b9ba5e95c8.tar.gz
vyos-1x-372ccffe5bd1a9f44e18ae796b6f10b9ba5e95c8.zip
T4533: Allow basic permissions to unprivileged RADIUS users
Unprivileged RADIUS users cannot do simple diagnostics like ping or traceroute. Allow them such tools, and give them the ability to execute op-mode commands. This is not a new 'operator mode' feature, but it allows RADIUS users to execute op-mode commands.
-rw-r--r--src/etc/sudoers.d/vyos5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index f760b417f..e0fd8cb0b 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
@@ -40,10 +40,13 @@ Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
Cmnd_Alias HWINFO = /usr/bin/lspci
Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
/usr/share/heartbeat/hb_standby
+Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *, \
+ /bin/ip vrf exec * /bin/traceroute *, \
+ /usr/libexec/vyos/op_mode/*
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
DMIDECODE, DISK, CONNTRACK, IP6TABLES, \
- FORCE_CLUSTER
+ FORCE_CLUSTER, DIAGNOSTICS
# Allow any user to run files in sudo-users
%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
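Review bot: The `/bin/ip vrf exec * /bin/ping *` and `/bin/ip vrf exec * /bin/traceroute *` entries in the new `DIAGNOSTICS` alias grant more than they appear to, because sudoers matches command-line arguments as one concatenated string and `*` matches across spaces. The first `*` is therefore not limited to a single VRF name, and `%operator` may run as root, without a password, any `ip vrf exec` invocation whose argument string merely contains ` /bin/ping ` or ` /bin/traceroute `. A tighter rule would grant only a wrapper that validates the VRF name and target before calling the tool, e.g. `Cmnd_Alias DIAGNOSTICS = <PLACEHOLDER-validating-wrapper-path>`, and drop the two raw `ip vrf exec` lines. `/usr/libexec/vyos/op_mode/*` also lets the group run every script in that directory as root with arbitrary arguments. Whether those scripts validate their arguments is not visible in this hunk, so a comment above the alias such as `# op_mode scripts are run as root by %operator and must validate all arguments` would record that assumption.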