From: Donald Sharp
Date: Wed, 12 Aug 2015 23:11:07 +0000 (-0700)
Subject: Quagga: Restrict Shell Access
X-Git-Tag: frr-2.0-rc1~1281^2~2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=576b6b5d185b3add33a465a5485abe94fe927d60;p=matthieu%2Ffrr.git

Quagga: Restrict Shell Access

Ticket: CM-6926
Reviewed By: CCR-3328
Tested: See bug

Restrict Shell access to those people who intentionally turn it on. As that it can be used as a exploit to elevate permissions
---

diff --git a/configure.ac b/configure.ac
index a2cd6ad2f8..e44823262c 100755
--- a/configure.ac
+++ b/configure.ac
@@ -273,6 +273,8 @@ AC_ARG_ENABLE(configfile_mask,
 [ --enable-configfile-mask=ARG set mask for config files])
 AC_ARG_ENABLE(logfile_mask,
 [ --enable-logfile-mask=ARG set mask for log files])
+AC_ARG_ENABLE(shell_access [ --enable-shell-access Allow users to access shell/telnet/ssh])
 AC_ARG_ENABLE(rtadv,
 [ --disable-rtadv disable IPV6 router advertisement feature])
@@ -322,6 +324,10 @@ if test x"${enable_time_check}" != x"no" ; then
 fi
 fi
+if test "${enable_shell_access}" = "yes"; then
+ AC_DEFINE(HAVE_SHELL_ACCESS,,Allow user to use ssh/telnet/bash)
+fi
+
 if test "${enable_fpm}" = "yes"; then
 AC_DEFINE(HAVE_FPM,,Forwarding Plane Manager support)
 fi
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index d134c027b6..5d8d319f57 100644
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -2319,6 +2319,7 @@ DEFUN (vtysh_traceroute6,
 }
 #endif
+#if defined(HAVE_SHELL_ACCESS)
 DEFUN (vtysh_telnet,
 vtysh_telnet_cmd,
 "telnet WORD",
@@ -2378,6 +2379,7 @@ DEFUN (vtysh_start_zsh,
 execute_command ("zsh", 0, NULL, NULL);
 return CMD_SUCCESS;
 }
+#endif
 static void
 vtysh_install_default (enum node_type node)
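Review bot: The new `AC_ARG_ENABLE(shell_access` is not followed by the comma that separates the feature name from the help string, unlike the neighbouring `AC_ARG_ENABLE(configfile_mask,` and `AC_ARG_ENABLE(logfile_mask,` calls; as rendered here the help text also sits on the same line without its own `+` marker, so this may be a transcription artifact and should be checked against the real patch. If the comma really is missing, m4 passes the feature name and the help text as one first argument, the option is no longer named `--enable-shell-access`, and the `enable_shell_access` variable tested in the next hunk would not be the one configure sets, so the feature could never be switched on. The intended lines are `AC_ARG_ENABLE(shell_access,` followed by `[  --enable-shell-access   Allow users to access shell/telnet/ssh])`.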
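Review bot: The new `if test "${enable_shell_access}" = "yes"` block carries no explanation of why the feature is off by default, and a later tidy-up of configure.ac could default it on or merge it into a generic option without anyone noticing that it re-opens the escalation path the commit message describes. A one-line comment above the test, `# Off by default: the vtysh telnet/ssh/start-shell commands run host programs from vtysh and can be used to escalate privileges (CM-6926).`, keeps the rationale next to the switch. It would also be worth adding `AC_MSG_WARN([shell access enabled: vtysh users can reach a host shell])` inside the block so the choice is visible in the configure output of any build that turns it on. The `AC_DEFINE` description says `ssh/telnet/bash` while the option help says `shell/telnet/ssh`; aligning the two wordings avoids doubt about what the flag guards.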
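Review bot: The `#if defined(HAVE_SHELL_ACCESS)` opened here is closed roughly sixty lines later in the next hunk, and everything between the two hunks is outside this view; it should be confirmed that only the telnet, telnet-port, ssh, start-shell, bash and zsh DEFUNs live in that span, because any shared helper defined there would also disappear from the default build. Since the region is long and exists for a security decision rather than portability, the opening line deserves a comment, e.g. `/* Host-shell escapes: compiled in only with --enable-shell-access (CM-6926) */`. The `DEFUN (vtysh_telnet,` that the hunk cuts into continues past the hunk's last line.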
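Review bot: The bare `+#endif` added after vtysh_start_zsh closes a conditional that begins some sixty lines earlier in a different hunk, and nothing on this line says which one. The file uses bare `#endif` for the short ping/traceroute blocks, but for a region this long `#endif /* HAVE_SHELL_ACCESS */` makes it clear at a glance that the shell-escape commands end here and that `vtysh_install_default` below is unconditional.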
@@ -2808,9 +2810,11 @@ vtysh_init_vty (void)
 install_element (VIEW_NODE, &vtysh_ping6_cmd);
 install_element (VIEW_NODE, &vtysh_traceroute6_cmd);
 #endif
+#if defined(HAVE_SHELL_ACCESS)
 install_element (VIEW_NODE, &vtysh_telnet_cmd);
 install_element (VIEW_NODE, &vtysh_telnet_port_cmd);
 install_element (VIEW_NODE, &vtysh_ssh_cmd);
+#endif
 install_element (ENABLE_NODE, &vtysh_ping_cmd);
 install_element (ENABLE_NODE, &vtysh_ping_ip_cmd);
 install_element (ENABLE_NODE, &vtysh_traceroute_cmd);
@@ -2819,13 +2823,15 @@ vtysh_init_vty (void)
 install_element (ENABLE_NODE, &vtysh_ping6_cmd);
 install_element (ENABLE_NODE, &vtysh_traceroute6_cmd);
 #endif
+#if defined(HAVE_SHELL_ACCESS)
 install_element (ENABLE_NODE, &vtysh_telnet_cmd);
 install_element (ENABLE_NODE, &vtysh_telnet_port_cmd);
 install_element (ENABLE_NODE, &vtysh_ssh_cmd);
 install_element (ENABLE_NODE, &vtysh_start_shell_cmd);
 install_element (ENABLE_NODE, &vtysh_start_bash_cmd);
 install_element (ENABLE_NODE, &vtysh_start_zsh_cmd);
-
+#endif
+
 install_element (VIEW_NODE, &vtysh_show_memory_cmd);
 install_element (ENABLE_NODE, &vtysh_show_memory_cmd);
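Review bot: When the feature is enabled, `vtysh_telnet_cmd`, `vtysh_telnet_port_cmd` and `vtysh_ssh_cmd` are still registered in VIEW_NODE, so a vtysh session that has not passed `enable` can launch outbound telnet and ssh clients from the router. Given that the commit's own motivation is that these commands are an escalation path, and that an ssh client can run local commands through its escape sequences and ProxyCommand option (how vtysh_ssh builds its argv is not visible here), it would be more consistent to drop the three VIEW_NODE `install_element` lines and keep the ENABLE_NODE registrations in the following hunk as the only ones. If leaving them in VIEW_NODE is deliberate, that choice should be stated in a comment above the `#if`. vtysh_init_vty begins before this hunk.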
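Review bot: With HAVE_SHELL_ACCESS undefined the six `vtysh_*_cmd` objects registered here no longer exist, so any other reference to them in vtysh.c or elsewhere — none is visible in this diff — would now fail to compile in the default configuration, which after this change is the one most builds use; the commit record's `Tested: See bug` does not say whether both configurations were built, and both should be. The same commands are now guarded by two separate `#if` blocks, the VIEW_NODE one above and the ENABLE_NODE one here; grouping every shell-access registration under a single `#if defined(HAVE_SHELL_ACCESS)` block would leave one place to audit when the list changes. vtysh_init_vty begins before and continues past this hunk.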