matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-03-20. You can view files and clone it, but cannot push or open issues or pull requests.
e6afc5ad9a
sonic-buildimage/files/image_config/sudoers/sudoers
arlakshm f77157f09d
[baseimage] add ipintutil in sudoer file (#6845) 
show ip interfaces is enhanced recently to support multi ASIC platforms in this PR- https://github.com/Azure/sonic-utilities/pull/1396 .
The ipintutil script as to run as sudo user, to get the ip interface from each namespace.
Add this script to the sudoer file so that show ip interface command is available for user with read-only permissions

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
2021-02-22 23:34:28 -08:00

64 lines
2.5 KiB
Plaintext
Raw Blame History

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
#Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_keep += "SONIC_CLI_IFACE_MODE"
Defaults env_keep += "VTYSH_PAGER"
Defaults lecture_file = /etc/sudoers.lecture
# Host alias specification
# User alias specification
# Cmnd alias specification
# Note: bcmcmd is dangerous for users in read only netgroups because it may operate ASIC
Cmnd_Alias READ_ONLY_CMDS = /bin/cat /var/log/syslog*, \
/bin/ip netns identify [0-9]*, \
/sbin/brctl show, \
/usr/bin/docker exec snmp cat /etc/snmp/snmpd.conf, \
/usr/bin/docker exec bgp cat /etc/quagga/bgpd.conf, \
/usr/bin/docker images *, \
/usr/bin/docker ps *, \
/usr/bin/docker ps, \
/usr/bin/lldpctl, \
/usr/bin/sensors, \
/usr/bin/tail -F /var/log/syslog, \
/usr/bin/vtysh -c show *, \
/usr/bin/vtysh -n [0-9] -c show *, \
/usr/local/bin/decode-syseeprom, \
/usr/local/bin/generate_dump, \
/usr/local/bin/ipintutil, \
/usr/local/bin/lldpshow, \
/usr/local/bin/pcieutil *, \
/usr/local/bin/psuutil *, \
/usr/local/bin/sonic-installer list, \
/usr/local/bin/sfputil show *
Cmnd_Alias PASSWD_CMDS = /usr/local/bin/config tacacs passkey *, \
/usr/sbin/chpasswd *
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow all users to execute read only commands
ALL ALL=NOPASSWD: READ_ONLY_CMDS
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
# Prevent password related command into syslog
Defaults!PASSWD_CMDS !syslog
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Reference in New Issue View Git Blame Copy Permalink