proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-06 12:21:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

*: Remove ability to install frr_sudoers

Browse Source 
If the user were to uncomment last line
and allow VTYSH_SHOW to be used as a non-root
account, this would allow arbitrary command completion
inside of vtysh via multiple -c ... -c .... lines

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
This commit is contained in:
Donald Sharp 2017-05-09 16:18:04 -04:00
parent 8b3366bae4
commit e08dde01c5
2 changed files with 0 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
cumulus/etc/sudoers.d/frr_sudoers
View File

@ -1,15 +0,0 @@
Defaults env_keep += VTYSH_PAGER
# Allow user in group frr to run vtysh show commands
# without a password by uncommenting the "%frr" line below.
# Subshell commands need to be disallowed, including
# preventing the user passing command line args like 'start-shell'
# Since vtysh allows minimum non-conflicting prefix'es, that means
# anything beginning with the string "st" in any arg. That's a bit
# restrictive.
# Instead, use NOEXEC, to prevent any exec'ed commands.
Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show *
# %frr ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW

1
debian/frr.postinst vendored
View File

@ -15,7 +15,6 @@ frrvtygid=`egrep "^frrvty:" $GROUPFILE | awk -F ":" '{ print $3 }'`
chown -R ${frruid}:${frrgid} /etc/frr chown -R ${frruid}:${frrgid} /etc/frr
touch /etc/frr/vtysh.conf touch /etc/frr/vtysh.conf
chgrp ${frrvtygid} /etc/frr/vtysh* chgrp ${frrvtygid} /etc/frr/vtysh*
chmod 440 /etc/sudoers.d/frr_sudoers
chmod 644 /etc/frr/* chmod 644 /etc/frr/*
ENVIRONMENTFILE=/etc/environment ENVIRONMENTFILE=/etc/environment