From 6e727e43d2fde40e9d23ed3554c0404eb4ef153a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 4 May 2019 10:43:32 +0200
Subject: [PATCH] system: allow an arbitrary group for sudo like ssh login;
 closes #3407

---
 .../service/templates/OPNsense/Auth/sudoers   |  6 ++
 src/www/system_advanced_admin.php             | 73 +++++++++++--------
 2 files changed, 48 insertions(+), 31 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/Auth/sudoers b/src/opnsense/service/templates/OPNsense/Auth/sudoers
index 5ea54fcce..86de0925f 100644
--- a/src/opnsense/service/templates/OPNsense/Auth/sudoers
+++ b/src/opnsense/service/templates/OPNsense/Auth/sudoers
@@ -1,5 +1,11 @@
 {% if system.sudo_allow_wheel|default('0') == '1' %}
 %wheel ALL=(ALL) ALL
+{% if system.sudo_allow_group|default('') != '' %}
+%{{system.sudo_allow_group}} ALL=(ALL) ALL
+{% endif %}
 {% elif system.sudo_allow_wheel|default('0') == '2' %}
 %wheel ALL=(ALL) NOPASSWD: ALL
+{% if system.sudo_allow_group|default('') != '' %}
+%{{system.sudo_allow_group}} ALL=(ALL) NOPASSWD: ALL
+{% endif %}
 {% endif %}
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index b5d347c26..b843bddb7 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2017-2018 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2017-2019 Franco Fichtner <franco@opnsense.org>
  * Copyright (C) 2014-2015 Deciso B.V.
  * Copyright (C) 2005-2010 Scott Ullrich <sullrich@gmail.com>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
@@ -55,6 +55,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['usevirtualterminal'] = isset($config['system']['usevirtualterminal']);
     $pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
     $pconfig['sudo_allow_wheel'] = $config['system']['sudo_allow_wheel'];
+    $pconfig['sudo_allow_group'] = isset($config['system']['sudo_allow_group']) ? $config['system']['sudo_allow_group'] : null;
     $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
     $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
     $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
@@ -246,6 +247,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['system']['ssh']['group']);
         }
 
+        if (!empty($pconfig['sudo_allow_group'])) {
+            $config['system']['sudo_allow_group'] = $pconfig['sudo_allow_group'];
+        } elseif (isset($config['system']['sudo_allow_group'])) {
+            unset($config['system']['sudo_allow_group']);
+        }
+
         if (!empty($pconfig['sshpasswordauth'])) {
             $config['system']['ssh']['passwordauth'] = true;
         } elseif (isset($config['system']['ssh']['passwordauth'])) {
@@ -452,15 +459,13 @@ $(document).ready(function() {
                 <td><a id="help_for_sslcertref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("SSL Certificate"); ?></td>
                 <td>
                   <select name="ssl-certref" class="selectpicker" data-style="btn-default">
-<?php
-                  foreach ($a_cert as $cert) :?>
-<?php             if (isset($cert['prv'])) :?>
+<?php foreach ($a_cert as $cert): ?>
+<?php if (isset($cert['prv'])): ?>
                     <option value="<?=$cert['refid'];?>" <?=$pconfig['ssl-certref'] == $cert['refid'] ? "selected=\"selected\"" : "";?>>
                       <?=$cert['descr'];?>
                     </option>
-<?php             endif; ?>
-<?php
-                  endforeach;?>
+<?php endif ?>
+<?php endforeach ?>
                   </select>
                   <div class='hidden' data-for="help_for_sslcertref">
                     <?=sprintf(
@@ -604,13 +609,11 @@ $(document).ready(function() {
               </tr>
               <tr>
                 <td><a id="help_for_webguiinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
-                  <td>
+                <td>
                   <select id="webguiinterface" name="webguiinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
-<?php
-                  foreach ($interfaces as $iface => $ifacename): ?>
+<?php foreach ($interfaces as $iface => $ifacename): ?>
                       <option value="<?= html_safe($iface) ?>" <?= !empty($pconfig['webguiinterfaces']) && in_array($iface, $pconfig['webguiinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
-<?php
-                  endforeach;?>
+<?php endforeach ?>
                   </select>
                   <div class="hidden" data-for="help_for_webguiinterfaces">
                     <?= gettext('Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care.') ?>
@@ -648,14 +651,12 @@ $(document).ready(function() {
               </tr>
               <tr>
                 <td><a id="help_for_sshlogingroup" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Login Group') ?></td>
-                  <td>
+                <td>
                   <select name="sshlogingroup" class="selectpicker">
                       <option value=""><!-- do not translate: -->wheel</option>
-<?php
-                  foreach ($a_group as $group) :?>
+<?php foreach ($a_group as $group): ?>
                       <option value="<?= html_safe($group['name']) ?>" <?= $pconfig['sshlogingroup'] == $group['name'] ? 'selected="selected"' : '' ?>><!-- do not translate: -->wheel, <?= html_safe($group['name']) ?></option>
-<?php
-                  endforeach;?>
+<?php endforeach ?>
                   </select>
                   <div class="hidden" data-for="help_for_sshlogingroup">
                     <?= gettext('Select the allowed groups for remote login. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will. Do not yield remote access to non-adminstrators as every user can access system files using SSH or SFTP.') ?>
@@ -697,13 +698,11 @@ $(document).ready(function() {
               </tr>
               <tr>
                 <td><a id="help_for_sshinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
-                  <td>
+                <td>
                   <select name="sshinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
-<?php
-                  foreach ($interfaces as $iface => $ifacename): ?>
+<?php foreach ($interfaces as $iface => $ifacename): ?>
                       <option value="<?= html_safe($iface) ?>" <?= !empty($pconfig['sshinterfaces']) && in_array($iface, $pconfig['sshinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
-<?php
-                  endforeach;?>
+<?php endforeach ?>
                   </select>
                   <div class="hidden" data-for="help_for_sshinterfaces">
                     <?= gettext('Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care.') ?>
@@ -796,13 +795,11 @@ $(document).ready(function() {
                 <td><a id="help_for_authmode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Server') ?></td>
                 <td>
                   <select name="authmode[]" multiple="multiple" class="selectpicker" data-style="btn-default">
-<?php
-                  foreach ($a_authmode as $auth_key => $auth_server): ?>
+<?php foreach ($a_authmode as $auth_key => $auth_server): ?>
                     <option value="<?= html_safe($auth_key) ?>" <?= !empty($pconfig['authmode']) && in_array($auth_key, $pconfig['authmode']) ? 'selected="selected"' : '' ?>>
                       <?= html_safe($auth_server['name']) ?>
                     </option>
-<?php
-                  endforeach ?>
+<?php endforeach ?>
                   </select>
                   <div class="hidden" data-for="help_for_authmode">
                     <?= gettext('Select one or more authentication servers to validate user credentials against. ' .
@@ -811,6 +808,16 @@ $(document).ready(function() {
                   </div>
                 </td>
               </tr>
+              <tr>
+                <td></td>
+                <td>
+                  <input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?>  />
+                  <?=gettext("Disable integrated authentication"); ?>
+                  <div class="hidden" data-for="help_for_authmode">
+                    <?= gettext('When set, console login, SSH, and other system services can only use standard UNIX account authentication.') ?>
+                  </div>
+                </td>
+              </tr>
               <tr>
                 <td><a id="help_for_sudo_allow_wheel" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Sudo') ?></td>
                 <td>
@@ -825,12 +832,16 @@ $(document).ready(function() {
                 </td>
               </tr>
               <tr>
-                <td><a id="help_for_disableintegratedauth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('System') ?></td>
+                <td></td>
                 <td>
-                  <input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?>  />
-                  <?=gettext("Disable integrated authentication"); ?>
-                  <div class="hidden" data-for="help_for_disableintegratedauth">
-                    <?= gettext('When set, console login, SSH, and other system services can only use standard UNIX account authentication.') ?>
+                  <select name="sudo_allow_group" class="selectpicker">
+                      <option value=""><!-- do not translate: -->wheel</option>
+<?php foreach ($a_group as $group): ?>
+                      <option value="<?= html_safe($group['name']) ?>" <?= $pconfig['sudo_allow_group'] == $group['name'] ? 'selected="selected"' : '' ?>><!-- do not translate: -->wheel, <?= html_safe($group['name']) ?></option>
+<?php endforeach ?>
+                  </select>
+                  <div class="hidden" data-for="help_for_sudo_allow_wheel">
+                    <?= gettext('Select the allowed groups for sudo usage. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will.') ?>
                   </div>
                 </td>
               </tr>