*: Remove ability to install frr_sudoers
If the user were to uncomment the last line and allow VTYSH_SHOW to be used by a non-root account, this would allow arbitrary command completion inside of vtysh via multiple -c ... -c .... lines.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
parent
8b3366bae4
commit
e08dde01c5
@ -1,15 +0,0 @@
|
||||
Defaults env_keep += VTYSH_PAGER
|
||||
|
||||
# Allow user in group frr to run vtysh show commands
|
||||
# without a password by uncommenting the "%frr" line below.
|
||||
|
||||
# Subshell commands need to be disallowed, including
|
||||
# preventing the user passing command line args like 'start-shell'
|
||||
# Since vtysh allows minimum non-conflicting prefix'es, that means
|
||||
# anything beginning with the string "st" in any arg. That's a bit
|
||||
# restrictive.
|
||||
# Instead, use NOEXEC, to prevent any exec'ed commands.
|
||||
|
||||
Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show *
|
||||
# %frr ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW
|
||||
|
1
debian/frr.postinst
vendored
@ -15,7 +15,6 @@ frrvtygid=`egrep "^frrvty:" $GROUPFILE | awk -F ":" '{ print $3 }'`
|
||||
chown -R ${frruid}:${frrgid} /etc/frr
|
||||
touch /etc/frr/vtysh.conf
|
||||
chgrp ${frrvtygid} /etc/frr/vtysh*
|
||||
chmod 440 /etc/sudoers.d/frr_sudoers
|
||||
chmod 644 /etc/frr/*
|
||||
|
||||
ENVIRONMENTFILE=/etc/environment
|
||||
|