system: allow an arbitrary group for sudo like ssh login; closes #3407
parent
db4b4570d5
commit
6e727e43d2
@ -1,5 +1,11 @@
|
||||
{% if system.sudo_allow_wheel|default('0') == '1' %}
|
||||
%wheel ALL=(ALL) ALL
|
||||
{% if system.sudo_allow_group|default('') != '' %}
|
||||
%{{system.sudo_allow_group}} ALL=(ALL) ALL
|
||||
{% endif %}
|
||||
{% elif system.sudo_allow_wheel|default('0') == '2' %}
|
||||
%wheel ALL=(ALL) NOPASSWD: ALL
|
||||
{% if system.sudo_allow_group|default('') != '' %}
|
||||
%{{system.sudo_allow_group}} ALL=(ALL) NOPASSWD: ALL
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
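Review bot: `%{{system.sudo_allow_group}}` is written into the sudoers output exactly as stored, in both the `ALL` and the `NOPASSWD: ALL` branch, so the rule is only as safe as the stored value. The save hunk in the PHP page (`$config['system']['sudo_allow_group'] = $pconfig['sudo_allow_group'];`) copies the posted field with no check visible in this commit; validation may exist outside the hunks shown. If it does not, the handler should accept only the name of an existing local group before saving, for example by testing `in_array($pconfig['sudo_allow_group'], array_column($a_group, 'name'), true)`, assuming `$a_group` is in scope there. A stored value that is not a plain group name could change the meaning of the generated rule or leave sudoers unparsable.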
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* Copyright (C) 2017-2018 Franco Fichtner <franco@opnsense.org>
|
||||
* Copyright (C) 2017-2019 Franco Fichtner <franco@opnsense.org>
|
||||
* Copyright (C) 2014-2015 Deciso B.V.
|
||||
* Copyright (C) 2005-2010 Scott Ullrich <sullrich@gmail.com>
|
||||
* Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
|
||||
@ -55,6 +55,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$pconfig['usevirtualterminal'] = isset($config['system']['usevirtualterminal']);
|
||||
$pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
|
||||
$pconfig['sudo_allow_wheel'] = $config['system']['sudo_allow_wheel'];
|
||||
$pconfig['sudo_allow_group'] = isset($config['system']['sudo_allow_group']) ? $config['system']['sudo_allow_group'] : null;
|
||||
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
|
||||
$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
|
||||
$pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
|
||||
@ -246,6 +247,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
unset($config['system']['ssh']['group']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['sudo_allow_group'])) {
|
||||
$config['system']['sudo_allow_group'] = $pconfig['sudo_allow_group'];
|
||||
} elseif (isset($config['system']['sudo_allow_group'])) {
|
||||
unset($config['system']['sudo_allow_group']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['sshpasswordauth'])) {
|
||||
$config['system']['ssh']['passwordauth'] = true;
|
||||
} elseif (isset($config['system']['ssh']['passwordauth'])) {
|
||||
@ -452,15 +459,13 @@ $(document).ready(function() {
|
||||
<td><a id="help_for_sslcertref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("SSL Certificate"); ?></td>
|
||||
<td>
|
||||
<select name="ssl-certref" class="selectpicker" data-style="btn-default">
|
||||
<?php
|
||||
foreach ($a_cert as $cert) :?>
|
||||
<?php if (isset($cert['prv'])) :?>
|
||||
<?php foreach ($a_cert as $cert): ?>
|
||||
<?php if (isset($cert['prv'])): ?>
|
||||
<option value="<?=$cert['refid'];?>" <?=$pconfig['ssl-certref'] == $cert['refid'] ? "selected=\"selected\"" : "";?>>
|
||||
<?=$cert['descr'];?>
|
||||
</option>
|
||||
<?php endif; ?>
|
||||
<?php
|
||||
endforeach;?>
|
||||
<?php endif ?>
|
||||
<?php endforeach ?>
|
||||
</select>
|
||||
<div class='hidden' data-for="help_for_sslcertref">
|
||||
<?=sprintf(
|
||||
@ -604,13 +609,11 @@ $(document).ready(function() {
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_webguiinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
|
||||
<td>
|
||||
<td>
|
||||
<select id="webguiinterface" name="webguiinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
|
||||
<?php
|
||||
foreach ($interfaces as $iface => $ifacename): ?>
|
||||
<?php foreach ($interfaces as $iface => $ifacename): ?>
|
||||
<option value="<?= html_safe($iface) ?>" <?= !empty($pconfig['webguiinterfaces']) && in_array($iface, $pconfig['webguiinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
|
||||
<?php
|
||||
endforeach;?>
|
||||
<?php endforeach ?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_webguiinterfaces">
|
||||
<?= gettext('Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care.') ?>
|
||||
@ -648,14 +651,12 @@ $(document).ready(function() {
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sshlogingroup" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Login Group') ?></td>
|
||||
<td>
|
||||
<td>
|
||||
<select name="sshlogingroup" class="selectpicker">
|
||||
<option value=""><!-- do not translate: -->wheel</option>
|
||||
<?php
|
||||
foreach ($a_group as $group) :?>
|
||||
<?php foreach ($a_group as $group): ?>
|
||||
<option value="<?= html_safe($group['name']) ?>" <?= $pconfig['sshlogingroup'] == $group['name'] ? 'selected="selected"' : '' ?>><!-- do not translate: -->wheel, <?= html_safe($group['name']) ?></option>
|
||||
<?php
|
||||
endforeach;?>
|
||||
<?php endforeach ?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_sshlogingroup">
|
||||
<?= gettext('Select the allowed groups for remote login. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will. Do not yield remote access to non-adminstrators as every user can access system files using SSH or SFTP.') ?>
|
||||
@ -697,13 +698,11 @@ $(document).ready(function() {
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sshinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
|
||||
<td>
|
||||
<td>
|
||||
<select name="sshinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
|
||||
<?php
|
||||
foreach ($interfaces as $iface => $ifacename): ?>
|
||||
<?php foreach ($interfaces as $iface => $ifacename): ?>
|
||||
<option value="<?= html_safe($iface) ?>" <?= !empty($pconfig['sshinterfaces']) && in_array($iface, $pconfig['sshinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
|
||||
<?php
|
||||
endforeach;?>
|
||||
<?php endforeach ?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_sshinterfaces">
|
||||
<?= gettext('Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care.') ?>
|
||||
@ -796,13 +795,11 @@ $(document).ready(function() {
|
||||
<td><a id="help_for_authmode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Server') ?></td>
|
||||
<td>
|
||||
<select name="authmode[]" multiple="multiple" class="selectpicker" data-style="btn-default">
|
||||
<?php
|
||||
foreach ($a_authmode as $auth_key => $auth_server): ?>
|
||||
<?php foreach ($a_authmode as $auth_key => $auth_server): ?>
|
||||
<option value="<?= html_safe($auth_key) ?>" <?= !empty($pconfig['authmode']) && in_array($auth_key, $pconfig['authmode']) ? 'selected="selected"' : '' ?>>
|
||||
<?= html_safe($auth_server['name']) ?>
|
||||
</option>
|
||||
<?php
|
||||
endforeach ?>
|
||||
<?php endforeach ?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_authmode">
|
||||
<?= gettext('Select one or more authentication servers to validate user credentials against. ' .
|
||||
@ -811,6 +808,16 @@ $(document).ready(function() {
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td></td>
|
||||
<td>
|
||||
<input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?> />
|
||||
<?=gettext("Disable integrated authentication"); ?>
|
||||
<div class="hidden" data-for="help_for_authmode">
|
||||
<?= gettext('When set, console login, SSH, and other system services can only use standard UNIX account authentication.') ?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sudo_allow_wheel" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Sudo') ?></td>
|
||||
<td>
|
||||
@ -825,12 +832,16 @@ $(document).ready(function() {
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_disableintegratedauth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('System') ?></td>
|
||||
<td></td>
|
||||
<td>
|
||||
<input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?> />
|
||||
<?=gettext("Disable integrated authentication"); ?>
|
||||
<div class="hidden" data-for="help_for_disableintegratedauth">
|
||||
<?= gettext('When set, console login, SSH, and other system services can only use standard UNIX account authentication.') ?>
|
||||
<select name="sudo_allow_group" class="selectpicker">
|
||||
<option value=""><!-- do not translate: -->wheel</option>
|
||||
<?php foreach ($a_group as $group): ?>
|
||||
<option value="<?= html_safe($group['name']) ?>" <?= $pconfig['sudo_allow_group'] == $group['name'] ? 'selected="selected"' : '' ?>><!-- do not translate: -->wheel, <?= html_safe($group['name']) ?></option>
|
||||
<?php endforeach ?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_sudo_allow_wheel">
|
||||
<?= gettext('Select the allowed groups for sudo usage. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will.') ?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
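Review bot: The help text added under the `sudo_allow_group` select does not say what membership grants. Per the sudoers template in this commit, every member of the chosen group receives `ALL=(ALL) ALL`, or `NOPASSWD: ALL` when the sudo setting is `2`. The SSH login group help a few rows above warns against giving access to non-administrators, and the sudo text should carry an equivalent caveat, for example by appending `Members of the selected group can run any command as root, so only select a group of administrators.` inside the `gettext()` call. The select is also shown when the sudo setting matches neither template branch, in which case no rule is written for the group; the help could mention that too.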