From: Dave Olson
Date: Mon, 27 Jun 2016 16:10:46 +0000 (-0700)
Subject: Provide example on how to run sudo vtysh show commands without password
X-Git-Tag: frr-2.0-rc1~496^2~3
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=82f9fd9646a6798beeafb63e1e818f2d94989aea;p=mirror%2Ffrr.git
Provide example on how to run sudo vtysh show commands without password
Ticket: CM-4709
Reviewed By: dsharp
Testing Done: Uncommented, ran show commands See the comments added, and in the bug. Set up for users in group quagga, with NOEXEC to not open security holes.
---
diff --git a/cumulus/etc/sudoers.d/quagga_sudoers b/cumulus/etc/sudoers.d/quagga_sudoers
index 972966c6a8..4375d7e5fa 100644
--- a/cumulus/etc/sudoers.d/quagga_sudoers
+++ b/cumulus/etc/sudoers.d/quagga_sudoers
@@ -1 +1,15 @@
 Defaults env_keep += VTYSH_PAGER
+
+# Allow user in group quagga to run vtysh show commands
+# without a password by uncommenting the "%quagga" line below.
+
+# Subshell commands need to be disallowed, including
+# preventing the user passing command line args like 'start-shell'
+# Since vtysh allows minimum non-conflicting prefix'es, that means
+# anything beginning with the string "st" in any arg. That's a bit
+# restrictive.
+# Instead, use NOEXEC, to prevent any exec'ed commands.
+
+Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show *
+# %quagga ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW
+
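Review bot: The `VTY_SHOW` alias is broader than its name suggests: in sudoers a `*` in the argument part matches any text, spaces included, so `/usr/bin/vtysh -c show *` also accepts further options after the first show command, including additional `-c` commands. NOEXEC only stops vtysh from exec'ing other programs (and, per sudoers(5), generally only for dynamically linked binaries); it does not restrict which vtysh commands run as root, so uncommenting the `%quagga` line may grant more than read-only access. I would list the permitted commands without a wildcard, for example `Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show version, /usr/bin/vtysh -c show ip route` (illustrative list, to be adapted), or point the alias at a root-owned wrapper that validates its single argument. The added comment block could also note that show output such as the running configuration can contain passwords, and that NOEXEC presumably also blocks the pager named by the `VTYSH_PAGER` variable kept on the first line.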