From 2d450939a0e679ede8bde4a8868105d072813a67 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 26 Oct 2016 07:17:58 +0200
Subject: [PATCH] system: consolidate previous
* system_console_configure() is really system_login_configure()+
* make a template for sudoers config setting
* move auth template generation to single spot
---
 plist | 3 +++
 src/etc/inc/system.inc | 10 ++--------
 src/etc/rc.bootup | 4 ++--
 src/etc/rc.configure_firmware | 3 +--
 src/etc/rc.reload_all | 2 +-
 src/opnsense/service/templates/OPNsense/Auth/+TARGETS | 1 +
 src/opnsense/service/templates/OPNsense/Auth/sudoers | 3 +++
 src/www/system_advanced_admin.php | 3 +--
 8 files changed, 14 insertions(+), 15 deletions(-)
 create mode 100644 src/opnsense/service/templates/OPNsense/Auth/sudoers
diff --git a/plist b/plist
index 37c6361be..407b6a5b1 100644
--- a/plist
+++ b/plist
@@ -636,6 +636,9 @@
 /usr/local/opnsense/service/modules/processhandler.py
 /usr/local/opnsense/service/modules/template.py
 /usr/local/opnsense/service/run_unittests.py
+/usr/local/opnsense/service/templates/OPNsense/Auth/+TARGETS
+/usr/local/opnsense/service/templates/OPNsense/Auth/sshd.pam
+/usr/local/opnsense/service/templates/OPNsense/Auth/sudoers
 /usr/local/opnsense/service/templates/OPNsense/Captiveportal/+TARGETS
 /usr/local/opnsense/service/templates/OPNsense/Captiveportal/captiveportal.conf
 /usr/local/opnsense/service/templates/OPNsense/Captiveportal/lighttpd-api-dispatcher.conf
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 72c63b2d9..1bad6ab8f 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1876,17 +1876,11 @@ function system_console_types()
 );
 }
-function system_console_configure()
+function system_login_configure()
 {
 global $config;
- $sudo_conf = '/usr/local/etc/sudoers.d/opnsense';
-
- if (!empty($config['system']['sudo_allow_wheel'])) {
- file_put_contents($sudo_conf, "%wheel ALL=(ALL) ALL\n");
- } else {
- @unlink($sudo_conf);
- }
+ configd_run('template reload OPNsense.Auth', true);
 $serialspeed = (!empty($config['system']['serialspeed']) && is_numeric($config['system']['serialspeed'])) ? $config['system']['serialspeed'] : '115200';
 $serial_enabled = isset($config['system']['enableserial']);
diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup
index c3c7fe226..a043f4d81 100755
--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -69,8 +69,8 @@ set_device_perms();
 unmute_kernel_msgs();
 echo "done.\n";
-/* configure console menu */
-system_console_configure();
+/* configure login behaviour */
+system_login_configure();
 $setup_installer = is_install_media();
 if ($setup_installer) {
diff --git a/src/etc/rc.configure_firmware b/src/etc/rc.configure_firmware
index 34951995a..a4c3acf04 100755
--- a/src/etc/rc.configure_firmware
+++ b/src/etc/rc.configure_firmware
@@ -43,5 +43,4 @@ require_once 'system.inc';
 convert_config(true);
 system_firmware_configure();
-system_console_configure();
-configd_run('template reload OPNsense.Auth');
+system_login_configure();
diff --git a/src/etc/rc.reload_all b/src/etc/rc.reload_all
index 5b73050b8..50182a69e 100755
--- a/src/etc/rc.reload_all
+++ b/src/etc/rc.reload_all
@@ -45,7 +45,7 @@ $config = parse_config();
 log_error("rc.reload_all: Reloading all configuration settings.");
 system_firmware_configure();
-system_console_configure();
+system_login_configure();
 system_timezone_configure();
 system_hostname_configure();
 system_hosts_generate();
diff --git a/src/opnsense/service/templates/OPNsense/Auth/+TARGETS b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
index 96e4d89b4..c1bf2d5d5 100644
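Review bot: In `system_login_configure()` the added `configd_run('template reload OPNsense.Auth', true);` makes withdrawal of the wheel sudo rule depend on a configd call that is fired with the second argument set and never inspected. The removed code deleted `/usr/local/etc/sudoers.d/opnsense` directly when `sudo_allow_wheel` was off; if the render does not take place (for example configd not yet reachable when rc.bootup calls this, or a template error), a previously written `%wheel ALL=(ALL) ALL` remains in force after the administrator disabled it. Assuming the second argument is the detach flag, I would keep the call synchronous as the removed callers in rc.configure_firmware and system_advanced_admin.php had it, `configd_run('template reload OPNsense.Auth');`, and log when the reply is not a success. The same flag also means the `configd_run('sshd restart', true);` in the system_advanced_admin.php hunk is no longer guaranteed to run after `/etc/pam.d/sshd` has been regenerated. The function body continues outside the hunk.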
--- a/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
+++ b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
@@ -1 +1,2 @@
 sshd.pam:/etc/pam.d/sshd
+sudoers:/usr/local/etc/sudoers.d/opnsense
diff --git a/src/opnsense/service/templates/OPNsense/Auth/sudoers b/src/opnsense/service/templates/OPNsense/Auth/sudoers
new file mode 100644
index 000000000..28bd485f5
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Auth/sudoers
@@ -0,0 +1,3 @@
+{% if system.sudo_allow_wheel|default('0') == '1' %}
+%wheel ALL=(ALL) ALL
+{% endif %}
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 2db60a3b2..ed59f092a 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -250,13 +250,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $savemsg .= sprintf("
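Review bot: The new sudoers template tests `system.sudo_allow_wheel|default('0') == '1'`, which is stricter than the `!empty($config['system']['sudo_allow_wheel'])` check it replaces, and the disabled case now renders an empty drop-in instead of removing the file; neither change is documented. Any stored value other than the string `1` now silently withholds the rule, which fails closed but may surprise an upgraded configuration if other values exist (not visible here). I would add a first line such as `{# wheel gets sudo only when system.sudo_allow_wheel is exactly '1'; otherwise this file is rendered empty #}`. It is also worth confirming that the target added in +TARGETS, `/usr/local/etc/sudoers.d/opnsense`, is written owned by root and not group- or world-writable, since the diff does not show which mode the template engine applies.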
" . gettext("One moment...redirecting to %s in 20 seconds."), $url);
 }
- system_console_configure();
+ system_login_configure();
 system_hosts_generate();
 services_dhcpleases_configure();
 services_dnsmasq_configure(false);
 services_unbound_configure(false);
 services_dhcpd_configure();
- configd_run('template reload OPNsense.Auth');
 if ($restart_sshd) {
 configd_run('sshd restart', true);