matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-03-20. You can view files and clone it, but cannot push or open issues or pull requests.
ee72c068b2
sonic-buildimage/files/image_config/sudoers/sudoers
Saikrishna Arcot 318f3945be Modify the sudoers file to lecture RO users once 
Debian changed the defaults of the sudo package to never lecture the
user when using an unauthorized sudo command, which breaks our use case
of lecturing once. Add a line to lecture once, which is the old
defaults.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00

76 lines
3.3 KiB
Plaintext
Raw Blame History

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
#Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_keep += "SONIC_CLI_IFACE_MODE"
Defaults env_keep += "VTYSH_PAGER"
Defaults lecture = once
Defaults lecture_file = /etc/sudoers.lecture
# Host alias specification
# User alias specification
# Cmnd alias specification
# Note: bcmcmd is dangerous for users in read only netgroups because it may operate ASIC
Cmnd_Alias READ_ONLY_CMDS = /bin/cat /var/log/syslog, /bin/cat /var/log/syslog.1 /var/log/syslog, /bin/cat /var/log/syslog.1, \
/bin/ip netns identify [0-9]*, \
/sbin/brctl show, \
/usr/bin/docker exec snmp cat /etc/snmp/snmpd.conf, \
/usr/bin/docker exec bgp cat /etc/quagga/bgpd.conf, \
/usr/bin/docker images *, \
/usr/bin/docker ps *, \
/usr/bin/docker ps, \
/usr/bin/lldpctl, \
/usr/bin/sensors, \
/usr/bin/tail -F /var/log/syslog, \
/usr/bin/rvtysh *, \
/usr/bin/vtysh -c show version, \
/usr/bin/vtysh -c show bgp ipv[46] summary json, \
/usr/bin/vtysh -n [0-9] -c show version, \
/usr/bin/vtysh -n [0-9] -c show bgp ipv[46] summary json, \
/usr/local/bin/decode-syseeprom, \
/usr/local/bin/generate_dump, \
/usr/local/bin/ipintutil, \
/usr/local/bin/lldpshow, \
/usr/local/bin/pcieutil *, \
/usr/local/bin/psuutil *, \
/usr/local/bin/sonic-installer list, \
/usr/local/bin/sfputil show *, \
/usr/local/bin/storyteller *
Cmnd_Alias PASSWD_CMDS = /usr/local/bin/config tacacs passkey *, \
/usr/local/bin/config radius passkey *, \
/usr/local/bin/config snmp community add *, \
/usr/local/bin/config snmp community del *, \
/usr/local/bin/config snmp community replace * *, \
/usr/sbin/chpasswd *
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow all users to execute read only commands
ALL ALL=NOPASSWD: READ_ONLY_CMDS
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
# Prevent password related command into syslog
Defaults!PASSWD_CMDS !syslog
# Make sure sudo password prompt times out after 5 mins
Defaults passwd_timeout=5
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Reference in New Issue View Git Blame Copy Permalink