matthew/sonic-buildimage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
8a04487499
sonic-buildimage/files/image_config/sudoers/sudoers
arlakshm 2b41f6bd5c
Add the vtysh command with newly added "-n" option for multi asic to the read_only_cmds (#5845) 
In multi asic platforms the "show ip bgp summary" commands is not available for user with read only privileges, so to fix this the vtysh command with the new "-n" option, added for multi asic platforms, needs to be added to the READ_ONLY_COMMANDS list in the sudoers files. Added the command vtysh -n [0-9] -c show * to list of READ_ONLY_COMMANDS in the sudoers files in this commit.

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
2020-11-10 12:18:49 -08:00

60 lines
2.3 KiB
Plaintext
Raw Blame History

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
#Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_keep += "SONIC_CLI_IFACE_MODE"
Defaults env_keep += "VTYSH_PAGER"
Defaults lecture_file = /etc/sudoers.lecture
# Host alias specification
# User alias specification
# Cmnd alias specification
# Note: bcmcmd is dangerous for users in read only netgroups because it may operate ASIC
Cmnd_Alias READ_ONLY_CMDS = /bin/cat /var/log/syslog*, \
/sbin/brctl show, \
/usr/bin/docker exec snmp cat /etc/snmp/snmpd.conf, \
/usr/bin/docker exec bgp cat /etc/quagga/bgpd.conf, \
/usr/bin/docker exec * ps aux, \
/usr/bin/docker images *, \
/usr/bin/docker ps*, \
/usr/bin/lldpctl, \
/usr/bin/sensors, \
/usr/bin/tail -F /var/log/syslog, \
/usr/bin/vtysh -c show *, \
/usr/bin/vtysh -n [0-9] -c show *, \
/usr/local/bin/decode-syseeprom, \
/usr/local/bin/generate_dump, \
/usr/local/bin/lldpshow, \
/usr/local/bin/psuutil *, \
/usr/local/bin/sonic-installer list, \
/usr/local/bin/sfputil show *
Cmnd_Alias PASSWD_CMDS = /usr/local/bin/config tacacs passkey *, \
/usr/sbin/chpasswd *
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow all users to execute read only commands
ALL ALL=NOPASSWD: READ_ONLY_CMDS
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
# Prevent password related command into syslog
Defaults!PASSWD_CMDS !syslog
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Reference in New Issue View Git Blame Copy Permalink