git.proxmox.com Git - mirror_ifupdown2.git/commit

author	Sam Tannous <stannous@cumulusnetworks.com>
	Fri, 21 Aug 2015 02:59:44 +0000 (22:59 -0400)
committer	Sam Tannous <stannous@cumulusnetworks.com>
	Fri, 21 Aug 2015 02:59:44 +0000 (22:59 -0400)
commit	1e6d7bd76cca208764f259a5127ec3add8f9ab66
tree	8c095723b73d354e258282590e1b0a152f085b25	tree
parent	a2f424643a49cfcd86e6370c29e916e1fa4b4c0c	commit \| diff

add param in ifupdown2.conf to prevent fupdown2 users from specify interface config file on the CLI

Ticket: CM-7066
Reviewed By: scotte,roopa,olson
Testing Done: Unit testing and regression testing

This patch does two things:

1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2.
This should allow administrators to specify a config file location different from the default and allow
subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown.

2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users
from specifying their own interfaces file. This defaults to "1" (even if it is not configured).

Note: this new default takes away users ability to specify an interfaces file.

This should close the vulnerability where users could specify their own interfaces file
and add arbitrary user commands.

This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery
commands already require root access to run and the interfaces config file also requires root access to modify.

config/ifupdown2.conf		diff \| blob \| blame \| history
docs/source/userguide.rst		diff \| blob \| blame \| history
ifupdown/networkinterfaces.py		diff \| blob \| blame \| history
man.rst/ifquery.8.rst		diff \| blob \| blame \| history
man.rst/ifreload.8.rst		diff \| blob \| blame \| history
man.rst/ifup.8.rst		diff \| blob \| blame \| history
man.rst/interfaces.5.rst		diff \| blob \| blame \| history
sbin/ifupdown		diff \| blob \| blame \| history