*: Remove ability to install frr_sudoers

If the user were to uncomment last line
and allow VTYSH_SHOW to be used as a non-root
account, this would allow arbitrary command completion
inside of vtysh via multiple -c ... -c .... lines

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

diff --git a/cumulus/etc/sudoers.d/frr_sudoers b/cumulus/etc/sudoers.d/frr_sudoers
deleted file mode 100644 (file)
index 4a42fb2..0000000
--- a/cumulus/etc/sudoers.d/frr_sudoers
+++ /dev/null
@@ -1,15 +0,0 @@
-Defaults env_keep += VTYSH_PAGER
-
-# Allow user in  group frr to run vtysh show commands
-# without a password by uncommenting the "%frr" line below.
-
-# Subshell commands need to be disallowed, including
-# preventing the user passing command line args like 'start-shell'
-# Since vtysh allows minimum non-conflicting prefix'es, that means
-# anything beginning with the string "st" in any arg.  That's a bit
-# restrictive.
-# Instead, use NOEXEC, to prevent any exec'ed commands.
-
-Cmnd_Alias  VTY_SHOW   = /usr/bin/vtysh -c show *
-# %frr ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW
-

diff --git a/debian/frr.postinst b/debian/frr.postinst
index 43d3ffa9e0bcd789c993b80e98cd03e93af51051..9020d7bf7a9dac45776acfdbcadeeb2b6ea0e32d 100644 (file)
--- a/debian/frr.postinst
+++ b/debian/frr.postinst
@@ -15,7 +15,6 @@ frrvtygid=`egrep "^frrvty:" $GROUPFILE | awk -F ":" '{ print $3 }'`
 chown -R ${frruid}:${frrgid} /etc/frr
 touch /etc/frr/vtysh.conf
 chgrp ${frrvtygid} /etc/frr/vtysh*
-chmod 440 /etc/sudoers.d/frr_sudoers
 chmod 644 /etc/frr/*
 
 ENVIRONMENTFILE=/etc/environment