*: Remove ability to install frr_sudoers

If the user were to uncomment last line and allow VTYSH_SHOW to be used as a non-root account, this would allow arbitrary command completion inside of vtysh via multiple -c ... -c .... lines Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
2025-08-13 03:40:48 +00:00 · 2017-05-09 16:18:04 -04:00 · 2017-05-09 16:18:04 -04:00 · e08dde01c5
commit e08dde01c5
parent 8b3366bae4
2 changed files with 0 additions and 16 deletions
--- a/cumulus/etc/sudoers.d/frr_sudoers
+++ b/cumulus/etc/sudoers.d/frr_sudoers
@ -1,15 +0,0 @@
-Defaults env_keep += VTYSH_PAGER
-
-# Allow user in  group frr to run vtysh show commands
-# without a password by uncommenting the "%frr" line below.
-
-# Subshell commands need to be disallowed, including
-# preventing the user passing command line args like 'start-shell'
-# Since vtysh allows minimum non-conflicting prefix'es, that means
-# anything beginning with the string "st" in any arg.  That's a bit
-# restrictive.
-# Instead, use NOEXEC, to prevent any exec'ed commands.
-
-Cmnd_Alias  VTY_SHOW   = /usr/bin/vtysh -c show *
-# %frr ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW
-
--- a/debian/frr.postinst
+++ b/debian/frr.postinst
@ -15,7 +15,6 @@ frrvtygid=`egrep "^frrvty:" $GROUPFILE | awk -F ":" '{ print $3 }'`
 chown -R ${frruid}:${frrgid} /etc/frr
 touch /etc/frr/vtysh.conf
 chgrp ${frrvtygid} /etc/frr/vtysh*
-chmod 440 /etc/sudoers.d/frr_sudoers
 chmod 644 /etc/frr/*

 ENVIRONMENTFILE=/etc/environment