Quagga: Restrict Shell Access
authorDonald Sharp <sharpd@cumulusnetworks.com>
Wed, 12 Aug 2015 23:11:07 +0000 (16:11 -0700)
committerDonald Sharp <sharpd@cumulusnetworks.com>
Wed, 12 Aug 2015 23:11:07 +0000 (16:11 -0700)
Ticket: CM-6926
Reviewed By: CCR-3328
Tested: See bug

Restrict Shell access to those people who intentionally turn it on,
as it can be used as an exploit to elevate permissions.

configure.ac
vtysh/vtysh.c

index a2cd6ad2f84c93b59ebb96a789e97b8c4cb891ff..e44823262c2d8dd570ad22c890f55c5d2125ccbd 100755 (executable)
@@ -273,6 +273,8 @@ AC_ARG_ENABLE(configfile_mask,
 [  --enable-configfile-mask=ARG  set mask for config files])
 AC_ARG_ENABLE(logfile_mask,
 [  --enable-logfile-mask=ARG     set mask for log files])
+AC_ARG_ENABLE(shell_access
+[  --enable-shell-access    Allow users to access shell/telnet/ssh])
 
 AC_ARG_ENABLE(rtadv,
 [  --disable-rtadv               disable IPV6 router advertisement feature])
@@ -322,6 +324,10 @@ if test x"${enable_time_check}" != x"no" ; then
   fi
 fi
 
+if test "${enable_shell_access}" = "yes"; then
+   AC_DEFINE(HAVE_SHELL_ACCESS,,Allow user to use ssh/telnet/bash)
+fi
+
 if test "${enable_fpm}" = "yes"; then
    AC_DEFINE(HAVE_FPM,,Forwarding Plane Manager support)
 fi
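Review bot: `AC_ARG_ENABLE(shell_access` on the first added line of the first hunk is missing the comma that separates the feature name from the help string, unlike the neighbouring `AC_ARG_ENABLE(logfile_mask,`; m4 will hand the macro a single argument, so the `--enable-shell-access` help entry and option registration come out malformed (configure's generic `--enable-*` handling may still set `enable_shell_access`, which would let the later `AC_DEFINE` test appear to work by accident). The fix is the two lines `AC_ARG_ENABLE(shell_access,` and `[  --enable-shell-access         Allow users to access shell/telnet/ssh])`, with the help text padded to the same column as the entries above it. The guarded `AC_DEFINE(HAVE_SHELL_ACCESS,...)` in the second hunk defaults the feature to off, which is the right default for something the description says can be used to elevate permissions.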
index d134c027b6539fe7745b3e2a6c3e782ac683bb54..5d8d319f57ea19eeb07f4ef7003d1c11b35e61c9 100644 (file)
@@ -2319,6 +2319,7 @@ DEFUN (vtysh_traceroute6,
 }
 #endif
 
+#if defined(HAVE_SHELL_ACCESS)
 DEFUN (vtysh_telnet,
        vtysh_telnet_cmd,
        "telnet WORD",
@@ -2378,6 +2379,7 @@ DEFUN (vtysh_start_zsh,
   execute_command ("zsh", 0, NULL, NULL);
   return CMD_SUCCESS;
 }
+#endif
 
 static void
 vtysh_install_default (enum node_type node)
@@ -2808,9 +2810,11 @@ vtysh_init_vty (void)
   install_element (VIEW_NODE, &vtysh_ping6_cmd);
   install_element (VIEW_NODE, &vtysh_traceroute6_cmd);
 #endif
+#if defined(HAVE_SHELL_ACCESS)
   install_element (VIEW_NODE, &vtysh_telnet_cmd);
   install_element (VIEW_NODE, &vtysh_telnet_port_cmd);
   install_element (VIEW_NODE, &vtysh_ssh_cmd);
+#endif
   install_element (ENABLE_NODE, &vtysh_ping_cmd);
   install_element (ENABLE_NODE, &vtysh_ping_ip_cmd);
   install_element (ENABLE_NODE, &vtysh_traceroute_cmd);
@@ -2819,13 +2823,15 @@ vtysh_init_vty (void)
   install_element (ENABLE_NODE, &vtysh_ping6_cmd);
   install_element (ENABLE_NODE, &vtysh_traceroute6_cmd);
 #endif
+#if defined(HAVE_SHELL_ACCESS)
   install_element (ENABLE_NODE, &vtysh_telnet_cmd);
   install_element (ENABLE_NODE, &vtysh_telnet_port_cmd);
   install_element (ENABLE_NODE, &vtysh_ssh_cmd);
   install_element (ENABLE_NODE, &vtysh_start_shell_cmd);
   install_element (ENABLE_NODE, &vtysh_start_bash_cmd);
   install_element (ENABLE_NODE, &vtysh_start_zsh_cmd);
-  
+#endif
+
   install_element (VIEW_NODE, &vtysh_show_memory_cmd);
   install_element (ENABLE_NODE, &vtysh_show_memory_cmd);
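Review bot: The new `#if defined(HAVE_SHELL_ACCESS)` guard opened just before `DEFUN (vtysh_telnet,` carries no comment, so a later reader has to dig up this commit to learn why telnet, ssh and the `start shell`/`bash`/`zsh` commands are compiled out by default. A one-line comment above that `#if`, e.g. `/* Off by default (--enable-shell-access): these commands spawn external programs and can be used to escape vtysh and elevate privileges. */`, would record the rationale at the point of use. The same guard is repeated around the VIEW_NODE and ENABLE_NODE install_element blocks in vtysh_init_vty, so the DEFUNs and their registrations stay in step; the DEFUN bodies between the opening `#if` and the `#endif` after vtysh_start_zsh are outside the hunks, and vtysh_init_vty starts outside the hunk. Since the commands never exist in a default build they presumably fall through to the normal unknown-command handling rather than a permission error, which is the safer outcome because there is no code path left to reach.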