From 120b866bf28fb8f6a82404a1254f8e3ad491e0ac Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 26 Jun 2021 22:10:59 +0200
Subject: Import sudoers configuration from vyatta-cfg-system

---
 debian/vyos-1x.install | 1 +
 debian/vyos-1x.postinst | 3 +++
 src/etc/sudoers.d/vyos | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 src/etc/sudoers.d/vyos

diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index 32a2c4b7c..07827650b 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -4,6 +4,7 @@ etc/ipsec.d
 etc/netplug
 etc/opennhrp
 etc/rsyslog.d
+etc/sudoers.d
 etc/systemd
 etc/sysctl.d
 etc/udev
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 136d025d4..2401f730a 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -9,6 +9,9 @@ if [ -x "/etc/init.d/salt-minion" ]; then
 update-rc.d -f salt-minion remove >/dev/null
 fi
 
+# Turn off Debian default for %sudo
+sed -i -e '/^%sudo/d' /etc/sudoers || true
+
 # Add minion user for salt-minion
 if ! grep -q '^minion' /etc/passwd; then
 adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
new file mode 100644
index 000000000..f760b417f
--- /dev/null
+++ b/src/etc/sudoers.d/vyos
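Review bot: The `sed -i` on `/etc/sudoers` in the postinst hunk is neither validated nor allowed to fail visibly — `|| true` swallows any error and nothing checks that the rewritten file still parses, and a sudoers file that does not parse makes every `sudo` invocation on the box fail. I would replace that line with `sed -i -e '/^%sudo/d' /etc/sudoers && visudo -c -q -f /etc/sudoers || echo "vyos-1x: failed to adjust /etc/sudoers" >&2` so a broken file is at least reported rather than hidden. `/etc/sudoers` is also the sudo package's conffile, so editing it here will make dpkg prompt on the next sudo upgrade; since the new drop-in already carries `%sudo ALL=NOPASSWD: ALL` and `sudoers.d` is normally included after the distro `%sudo` line, the deletion may be redundant if sudo's last-matching-rule behaviour applies as I expect — worth confirming before keeping it. The surrounding script continues outside the hunk.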
@@ -0,0 +1,53 @@
+#
+# VyOS modifications to sudo configuration
+#
+Defaults syslog_goodpri=info
+Defaults env_keep+=VYATTA_*
+
+#
+# Command groups allowed for operator users
+#
+Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
+ /sbin/iptables -L -vn,\
+ /sbin/iptables -L * -vn,\
+ /sbin/iptables -t * -L *, \
+ /sbin/iptables -Z *,\
+ /sbin/iptables -Z -t nat, \
+ /sbin/iptables -t * -Z *
+Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
+ /sbin/ip6tables -t * -L *
+Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
+ /usr/sbin/conntrack -G *, \
+ /usr/sbin/conntrack -E *
+Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
+ /sbin/ip route flush cache *,\
+ /sbin/ip neigh flush to *, \
+ /sbin/ip neigh flush dev *, \
+ /sbin/ip -f inet6 route flush cache, \
+ /sbin/ip -f inet6 route flush cache *,\
+ /sbin/ip -f inet6 neigh flush to *, \
+ /sbin/ip -f inet6 neigh flush dev *
+Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
+ /sbin/ethtool -S *, \
+ /sbin/ethtool -a *, \
+ /sbin/ethtool -c *, \
+ /sbin/ethtool -i *
+Cmnd_Alias DMIDECODE = /usr/sbin/dmidecode
+Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
+Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
+Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
+Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
+Cmnd_Alias HWINFO = /usr/bin/lspci
+Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
+ /usr/share/heartbeat/hb_standby
+%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
+ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
+ DMIDECODE, DISK, CONNTRACK, IP6TABLES, \
+ FORCE_CLUSTER
+
+# Allow any user to run files in sudo-users
+%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
+
+# Allow members of group sudo to execute any command
+%sudo ALL=NOPASSWD: ALL
+
-- cgit v1.2.3
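Review bot: `Cmnd_Alias PCAPTURE = /usr/bin/tcpdump` grants members of `%operator` tcpdump with unrestricted arguments, and tcpdump's `-w` (root-owned file written anywhere) and `-z`/`-Z` (post-rotate command, optionally kept as root) turn a "view-only" alias into a root escalation; `/bin/date` (`-f` reads any file), `/usr/bin/lsof` and, as far as I can tell, `/sbin/pppd` with its privileged `plugin` option are in the same position. If operators only need live captures, pin the arguments, e.g. `Cmnd_Alias PCAPTURE = /usr/bin/tcpdump -i *, /usr/bin/tcpdump -n -i *`, and give `DATE`/`DISK`/`PPPOE_CMDS` the same treatment rather than the bare binary. Note also that a `*` in a sudoers argument list matches across whitespace, so entries like `/sbin/ethtool -p *` and `/sbin/iptables -t * -L *` accept any trailing arguments and should be read with that in mind. Finally, the hunk does not show how the installed file's mode is set; sudo complains about, and depending on version refuses, drop-ins that are not 0440 root:root, so the packaging should pin that mode explicitly.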