From 273692e5749079c839cbf4348e298f788050258e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Aug 2016 08:07:59 +0200
Subject: [PATCH] system: add sudo configure option to permit admins access;
 closes #990

This is especially useful for "sudo su" in manually created admins
to gain access to the console menu without compromising the root
password.
---
 src/etc/inc/system.inc            |  8 ++++++++
 src/www/system_advanced_admin.php | 25 ++++++++++++++++++-------
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 6eba26338..35ddb2bbd 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1910,6 +1910,14 @@ function system_console_configure()
 {
     global $config;
 
+    $sudo_conf = '/usr/local/etc/sudoers.d/opnsense';
+
+    if (!empty($config['system']['sudo_allow_wheel'])) {
+        file_put_contents($sudo_conf, "%wheel ALL=(ALL) ALL\n");
+    } else {
+        @unlink($sudo_conf);
+    }
+
     $serialspeed = (!empty($config['system']['serialspeed']) && is_numeric($config['system']['serialspeed'])) ? $config['system']['serialspeed'] : '115200';
     $serial_enabled = isset($config['system']['enableserial']);
 
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 78dec94c1..87a1065d9 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -42,6 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
     $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
     $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
+    $pconfig['sudo_allow_wheel'] = isset($config['system']['sudo_allow_wheel']);
     $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
     $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
     $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
@@ -115,6 +116,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['system']['disableconsolemenu']);
         }
 
+        if ($pconfig['sudo_allow_wheel'] == "yes") {
+            $config['system']['sudo_allow_wheel'] = true;
+        } elseif (isset($config['system']['sudo_allow_wheel'])) {
+            unset($config['system']['sudo_allow_wheel']);
+        }
+
         if ($pconfig['noantilockout'] == "yes") {
             $config['system']['webgui']['noantilockout'] = true;
         } elseif (isset($config['system']['webgui']['noantilockout'])) {
@@ -313,7 +320,7 @@ include("head.inc");
                 <td width="22%"><strong><?=gettext("webConfigurator");?></strong></td>
                 <td  width="78%" align="right">
                   <small><?=gettext("full help"); ?> </small>
-                  <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page" type="button"></i>
+                  <i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_page" type="button"></i>
                 </td>
               </tr>
                 <tr>
@@ -491,7 +498,7 @@ include("head.inc");
                 <tr>
                   <td><a id="help_for_sshport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("SSH port"); ?></td>
                   <td width="78%">
-                    <input name="sshport" type="text"  value="<?=$pconfig['sshport'];?>"/>
+                    <input name="sshport" type="text" value="<?=$pconfig['sshport'];?>"/>
                     <div class="hidden" for="help_for_sshport">
                       <?=gettext("Leave this blank for the default of 22."); ?>
                     </div>
@@ -559,13 +566,17 @@ include("head.inc");
                   <th colspan="2"><?=gettext("Console Options"); ?></th>
                 </tr>
                 <tr>
-                  <td><a id="help_for_disableconsolemenu" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Console menu") ?></td>
+                  <td><i class="fa fa-info-circle text-muted"></i></a> <?= gettext("Console menu") ?></td>
                   <td width="78%">
-                    <input name="disableconsolemenu" type="checkbox"  value="yes" <?= empty($pconfig['disableconsolemenu']) ? '' : 'checked="checked"' ?>  />
+                    <input name="disableconsolemenu" type="checkbox" value="yes" <?= empty($pconfig['disableconsolemenu']) ? '' : 'checked="checked"' ?>  />
                     <strong><?=gettext("Password protect the console menu"); ?></strong>
-                    <div class="hidden" for="help_for_disableconsolemenu">
-                      <?=gettext("Changes to this option will take effect after a reboot."); ?>
-                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Allow SUDO") ?></td>
+                  <td width="78%">
+                    <input name="sudo_allow_wheel" type="checkbox" value="yes" <?= empty($pconfig['sudo_allow_wheel']) ? '' : 'checked="checked"' ?>  />
+                    <strong><?= gettext('Allow administrators to use the SUDO utility') ?></strong>
                   </td>
                 </tr>
                 <tr>