system: add sudo configure option to permit admins access; closes #990

This is especially useful for "sudo su" in manually created admins to gain access to the console menu without compromising the root password.
2026-03-19 19:15:22 +00:00 · 2016-08-19 08:07:59 +02:00 · 2016-08-19 08:07:59 +02:00 · 273692e574
commit 273692e574
parent 5f50315c00
2 changed files with 26 additions and 7 deletions
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@ -1910,6 +1910,14 @@ function system_console_configure()
 {
    global $config;

+    $sudo_conf = '/usr/local/etc/sudoers.d/opnsense';
+
+    if (!empty($config['system']['sudo_allow_wheel'])) {
+        file_put_contents($sudo_conf, "%wheel ALL=(ALL) ALL\n");
+    } else {
+        @unlink($sudo_conf);
+    }
+
    $serialspeed = (!empty($config['system']['serialspeed']) && is_numeric($config['system']['serialspeed'])) ? $config['system']['serialspeed'] : '115200';
    $serial_enabled = isset($config['system']['enableserial']);

--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@ -42,6 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
    $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
    $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
+    $pconfig['sudo_allow_wheel'] = isset($config['system']['sudo_allow_wheel']);
    $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
    $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
    $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
@ -115,6 +116,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            unset($config['system']['disableconsolemenu']);
        }

+        if ($pconfig['sudo_allow_wheel'] == "yes") {
+            $config['system']['sudo_allow_wheel'] = true;
+        } elseif (isset($config['system']['sudo_allow_wheel'])) {
+            unset($config['system']['sudo_allow_wheel']);
+        }
+
        if ($pconfig['noantilockout'] == "yes") {
            $config['system']['webgui']['noantilockout'] = true;
        } elseif (isset($config['system']['webgui']['noantilockout'])) {
@ -313,7 +320,7 @@ include("head.inc");
                <td width="22%"><strong><?=gettext("webConfigurator");?></strong></td>
                <td  width="78%" align="right">
                  <small><?=gettext("full help"); ?> </small>
-                  <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page" type="button"></i>
+                  <i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_page" type="button"></i>
                </td>
              </tr>
                <tr>
@ -491,7 +498,7 @@ include("head.inc");
                <tr>
                  <td><a id="help_for_sshport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("SSH port"); ?></td>
                  <td width="78%">
-                    <input name="sshport" type="text"  value="<?=$pconfig['sshport'];?>"/>
+                    <input name="sshport" type="text" value="<?=$pconfig['sshport'];?>"/>
                    <div class="hidden" for="help_for_sshport">
                      <?=gettext("Leave this blank for the default of 22."); ?>
                    </div>
@ -559,13 +566,17 @@ include("head.inc");
                  <th colspan="2"><?=gettext("Console Options"); ?></th>
                </tr>
                <tr>
-                  <td><a id="help_for_disableconsolemenu" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Console menu") ?></td>
+                  <td><i class="fa fa-info-circle text-muted"></i></a> <?= gettext("Console menu") ?></td>
                  <td width="78%">
-                    <input name="disableconsolemenu" type="checkbox"  value="yes" <?= empty($pconfig['disableconsolemenu']) ? '' : 'checked="checked"' ?>  />
+                    <input name="disableconsolemenu" type="checkbox" value="yes" <?= empty($pconfig['disableconsolemenu']) ? '' : 'checked="checked"' ?>  />
                    <strong><?=gettext("Password protect the console menu"); ?></strong>
-                    <div class="hidden" for="help_for_disableconsolemenu">
-                      <?=gettext("Changes to this option will take effect after a reboot."); ?>
-                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Allow SUDO") ?></td>
+                  <td width="78%">
+                    <input name="sudo_allow_wheel" type="checkbox" value="yes" <?= empty($pconfig['sudo_allow_wheel']) ? '' : 'checked="checked"' ?>  />
+                    <strong><?= gettext('Allow administrators to use the SUDO utility') ?></strong>
                  </td>
                </tr>
                <tr>