* Support readonly vtysh for sudoers (#7383) Why I did it Support a readonly version of the command vtysh How I did it Check that the command starts with "show", and verify in the script that it contains only a single command. * Fix the type issue in rvtysh
This commit is contained in:
parent
cdca8da7dd
commit
78f90ac7a9
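--- a/dockers/docker-fpm-frr/base_image_files/rvtysh
+++ b/dockers/docker-fpm-frr/base_image_files/rvtysh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# The command rvtysh can be run as root priviledge by any user without password, only allow to execute readonly commands.
+
+# The options in the show command cannot contains any charactors to run multiple sub-commands potentially, such as "\n", "\r", "|", "&", "$" and ";".
+if printf -- "$*" | grep -qPz '[\n\r|&$;]'; then
+echo "Not allow to run the command, please use the comand 'sudo vtysh' instead." 1>&2
+exit 1
+fi
+
+# The sub commands must start with "show"
+LAST_PARAM=
+for param in "$@"
+do
+if [ "$LAST_PARAM" == "-c" ] && [[ "$param" != show* ]]; then
+echo "Not allow to run the command '$param', please use the comand 'sudo vtysh' instead." 1>&2
+exit 1
+fi
+LAST_PARAM=$param
+done
+
+vtysh "$@"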
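Review bot: An empty argument list, and any vtysh option other than a literal `-c` token, pass the loop untouched and reach `vtysh "$@"`, so `rvtysh` run with no arguments opens an interactive vtysh as root, and forms such as `--command=…`, an attached `-c<cmd>`, or `-f <file>` are never compared against `show*`. The filter should allow-list rather than deny-list: require at least one argument, accept only `-c` followed by a word starting with `show`, and refuse every other token, including a trailing `-c`. Separately, `printf -- "$*"` uses the caller's arguments as the printf format string; `printf '%s' "$*"` passes them as data so a stray `%` cannot disturb the check.
```shell
#!/bin/bash
# … unchanged: header comments and metacharacter check …

# Only "-c <show ...>" pairs are accepted; any other option, a trailing "-c"
# or an empty argument list would otherwise reach vtysh unchecked.
if [ "$#" -eq 0 ]; then
    echo "Not allow to run the command, please use the command 'sudo vtysh' instead." 1>&2
    exit 1
fi
EXPECT_CMD=0
for param in "$@"
do
    if [ "$EXPECT_CMD" -eq 1 ]; then
        if [[ "$param" != show* ]]; then
            echo "Not allow to run the command '$param', please use the command 'sudo vtysh' instead." 1>&2
            exit 1
        fi
        EXPECT_CMD=0
    elif [ "$param" == "-c" ]; then
        EXPECT_CMD=1
    else
        echo "Not allow to run the option '$param', please use the command 'sudo vtysh' instead." 1>&2
        exit 1
    fi
done
if [ "$EXPECT_CMD" -eq 1 ]; then
    echo "Not allow to run the command, please use the command 'sudo vtysh' instead." 1>&2
    exit 1
fi

vtysh "$@"
```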
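--- a/dockers/docker-fpm-quagga/base_image_files/rvtysh
+++ b/dockers/docker-fpm-quagga/base_image_files/rvtysh
@@ -0,0 +1 @@
+../../docker-fpm-frr/base_image_files/rvtysh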
@ -32,6 +32,7 @@ Cmnd_Alias READ_ONLY_CMDS = /sbin/brctl show, \
|
|||||||
/usr/bin/sensors, \
|
/usr/bin/sensors, \
|
||||||
/usr/bin/sfputil show *, \
|
/usr/bin/sfputil show *, \
|
||||||
/usr/bin/teamshow, \
|
/usr/bin/teamshow, \
|
||||||
|
/usr/bin/rvtysh *, \
|
||||||
/usr/bin/vtysh -c show *, \
|
/usr/bin/vtysh -c show *, \
|
||||||
/bin/cat /var/log/syslog*, \
|
/bin/cat /var/log/syslog*, \
|
||||||
/usr/bin/tail -F /var/log/syslog
|
/usr/bin/tail -F /var/log/syslog
|
||||||
|
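Review bot: `/usr/bin/rvtysh *` lets sudo pass any argument list to the wrapper, because a sudoers `*` also matches whitespace, so the read-only guarantee now rests entirely on the argument filtering inside the rvtysh script. Mirroring the adjacent vtysh entry with `/usr/bin/rvtysh -c show *, \` would keep sudo as a second check that the first command is a show command, at no cost to the intended use. The enclosing Cmnd_Alias list starts before this hunk.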
@ -24,4 +24,5 @@ $(DOCKER_FPM_FRR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
|
|||||||
$(DOCKER_FPM_FRR)_RUN_OPT += -v /etc/sonic/frr:/etc/frr:rw
|
$(DOCKER_FPM_FRR)_RUN_OPT += -v /etc/sonic/frr:/etc/frr:rw
|
||||||
|
|
||||||
$(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
|
$(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
|
||||||
|
$(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += rvtysh:/usr/bin/rvtysh
|
||||||
$(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += monit_bgp:/etc/monit/conf.d
|
$(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += monit_bgp:/etc/monit/conf.d
|
||||||
|
@ -22,3 +22,4 @@ $(DOCKER_FPM_QUAGGA)_RUN_OPT += --net=host --privileged -t
|
|||||||
$(DOCKER_FPM_QUAGGA)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
|
$(DOCKER_FPM_QUAGGA)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
|
||||||
|
|
||||||
$(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
|
$(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
|
||||||
|
$(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += rvtysh:/usr/bin/rvtysh
|
||||||
|