-rw-r--r--debian/vyos-1x.install1
-rw-r--r--debian/vyos-1x.postinst3
-rw-r--r--src/etc/sudoers.d/vyos53
3 files changed, 57 insertions, 0 deletions
diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index 32a2c4b7c..07827650b 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -4,6 +4,7 @@ etc/ipsec.d
etc/netplug
etc/opennhrp
etc/rsyslog.d
+etc/sudoers.d
etc/systemd
etc/sysctl.d
etc/udev
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 136d025d4..2401f730a 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -9,6 +9,9 @@ if [ -x "/etc/init.d/salt-minion" ]; then
update-rc.d -f salt-minion remove >/dev/null
fi
+# Turn off Debian default for %sudo
+sed -i -e '/^%sudo/d' /etc/sudoers || true
+
# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
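Review bot: The `sed -i -e '/^%sudo/d' /etc/sudoers || true` line rewrites the system sudoers file unvalidated and then discards any failure, so a partial write or a missing file goes unnoticed while the new drop-in still grants `%sudo ALL=NOPASSWD: ALL`. It also deletes every line beginning with `%sudo`, not only the Debian default, which will silently remove any rule a local administrator added for that group. I would at least validate the result and make the failure visible: `sed -i -e '/^%sudo/d' /etc/sudoers && visudo -c -q -f /etc/sudoers || echo "warning: could not adjust /etc/sudoers" >&2`, and add a comment noting that the drop-in in /etc/sudoers.d/vyos is only read if /etc/sudoers keeps its `#includedir /etc/sudoers.d` line. The postinst script continues outside this hunk, so I cannot see whether something later rechecks the file.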
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
new file mode 100644
index 000000000..f760b417f
--- /dev/null
+++ b/src/etc/sudoers.d/vyos
@@ -0,0 +1,53 @@
+#
+# VyOS modifications to sudo configuration
+#
+Defaults syslog_goodpri=info
+Defaults env_keep+=VYATTA_*
+
+#
+# Command groups allowed for operator users
+#
+Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
+ /sbin/iptables -L -vn,\
+ /sbin/iptables -L * -vn,\
+ /sbin/iptables -t * -L *, \
+ /sbin/iptables -Z *,\
+ /sbin/iptables -Z -t nat, \
+ /sbin/iptables -t * -Z *
+Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
+ /sbin/ip6tables -t * -L *
+Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
+ /usr/sbin/conntrack -G *, \
+ /usr/sbin/conntrack -E *
+Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
+ /sbin/ip route flush cache *,\
+ /sbin/ip neigh flush to *, \
+ /sbin/ip neigh flush dev *, \
+ /sbin/ip -f inet6 route flush cache, \
+ /sbin/ip -f inet6 route flush cache *,\
+ /sbin/ip -f inet6 neigh flush to *, \
+ /sbin/ip -f inet6 neigh flush dev *
+Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
+ /sbin/ethtool -S *, \
+ /sbin/ethtool -a *, \
+ /sbin/ethtool -c *, \
+ /sbin/ethtool -i *
+Cmnd_Alias DMIDECODE = /usr/sbin/dmidecode
+Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
+Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
+Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
+Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
+Cmnd_Alias HWINFO = /usr/bin/lspci
+Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
+ /usr/share/heartbeat/hb_standby
+%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
+ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
+ DMIDECODE, DISK, CONNTRACK, IP6TABLES, \
+ FORCE_CLUSTER
+
+# Allow any user to run files in sudo-users
+%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
+
+# Allow members of group sudo to execute any command
+%sudo ALL=NOPASSWD: ALL
+
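Review bot: `Cmnd_Alias PCAPTURE = /usr/bin/tcpdump` with no argument restriction, granted NOPASSWD to `%operator`, lets any operator run an arbitrary program as root via tcpdump's `-z postrotate-command` option (and write to any path with `-w`), which defeats the intent of the restricted command aliases above it. The unrestricted `/bin/date` and `/usr/sbin/dmidecode` entries have similar problems (`date -f FILE` echoes lines of an unreadable file in its error output; `dmidecode --dump-bin PATH` writes as root), and because sudo's `*` also matches spaces, patterns such as `/sbin/iptables -t * -L *` accept extra trailing options. If operators are not meant to be root-equivalent, I would route tcpdump through a root-owned wrapper that filters `-z`/`-w`, or at minimum add `Defaults!PCAPTURE noexec` next to the alias and pin `DATE` to the explicit forms the operator UI actually invokes. The `%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/` directory rule deserves a comment stating that the directory and every file in it must be root-owned and not group/world-writable, since sudo does not check that itself.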