From 82f9fd9646a6798beeafb63e1e818f2d94989aea Mon Sep 17 00:00:00 2001
From: Dave Olson
Date: Mon, 27 Jun 2016 09:10:46 -0700
Subject: [PATCH] Provide example on how to run sudo vtysh show commands without password Ticket: CM-4709 Reviewed By: dsharp Testing Done: Uncommented, ran show commands See the comments added, and in the bug. Set up for users in group quagga, with NOEXEC to not open security holes.
---
 cumulus/etc/sudoers.d/quagga_sudoers | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/cumulus/etc/sudoers.d/quagga_sudoers b/cumulus/etc/sudoers.d/quagga_sudoers
index 972966c6a8..4375d7e5fa 100644
--- a/cumulus/etc/sudoers.d/quagga_sudoers
+++ b/cumulus/etc/sudoers.d/quagga_sudoers
@@ -1 +1,15 @@
 Defaults env_keep += VTYSH_PAGER
+
+# Allow user in group quagga to run vtysh show commands
+# without a password by uncommenting the "%quagga" line below.
+
+# Subshell commands need to be disallowed, including
+# preventing the user passing command line args like 'start-shell'
+# Since vtysh allows minimum non-conflicting prefix'es, that means
+# anything beginning with the string "st" in any arg. That's a bit
+# restrictive.
+# Instead, use NOEXEC, to prevent any exec'ed commands.
+
+Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show *
+# %quagga ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW
+
-- 2.39.5
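Review bot: The trailing `*` in `Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show *` is broader than the comment above it implies. Sudoers matches command-line arguments as one concatenated string and `*` matches across word boundaries, so the alias accepts anything that follows the first `show`, including further `-c` options if this vtysh build takes more than one. NOEXEC only stops vtysh from exec'ing another program, and per the sudoers manual it depends on the dynamic linker, so it does not apply to static binaries; it does not limit vtysh's own non-show commands. Before anyone uncomments the `%quagga` line, either list the permitted show commands explicitly or point the alias at a small wrapper that accepts exactly one show command. At minimum add a comment such as `# NOTE: "show *" matches all trailing args, not only one show command; NOEXEC does not restrict vtysh's own commands.`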