Merge pull request #946 from kernelkit/admin-vtysh-privs

confd: ensure admin users have full access to vtysh Signed-off-by: Joachim Wiberg <[email protected]>
kernelkit · Feb 22, 2025 · 5198794 · 5198794
2 parents d82b3e5 + 83797ca
commit 5198794
Showing 1 changed file with 24 additions and 8 deletions.
diff --git a/src/confd/src/ietf-system.c b/src/confd/src/ietf-system.c
@@ -45,6 +45,13 @@ static char   *os  = NULL;
 static char   *nm  = NULL;
 static char   *id  = NULL;
 
+/* TODO: add `#ifdef HAVE_FOO` around optional features. */
+static const char *admin_groups[] = {
+	"wheel",
+	"frrvty",
+	NULL
+};
+
 static struct { char *name, *shell; } shells[] = {
 	{ "infix-system:sh",    "/bin/sh"    },
 	{ "infix-system:bash",  "/bin/bash"  },
@@ -601,26 +608,29 @@ static int change_dns(sr_session_ctx_t *session, uint32_t sub_id, const char *mo
 
 static bool is_group_member(const char *user, const char *group)
 {
-	/* Check if user is already in group */
-	if (!systemf("grep %s /etc/group |grep -q %s", group, user))
+	if (!systemf("grep '^%s:' /etc/group |grep -q %s", group, user))
 		return true;
 
 	return false;
 }
 
 static void add_group(const char *user, const char *group)
 {
-	bool is_already = is_group_member(user, group);
-
-	if (is_already)
-		return; /* already group member */
+	if (is_group_member(user, group))
+		return;
 
 	if (systemf("adduser %s %s", user, group))
 		AUDIT("Failed giving user \"%s\" UNIX %s permissions.", user, group);
 	else
 		AUDIT("User \"%s\" added to UNIX \"%s\" group.", user, group);
 }
 
+static void add_groups(const char *user, const char **groups)
+{
+	for (size_t i = 0; groups[i]; i++)
+		add_group(user, groups[i]);
+}
+
 static void del_group(const char *user, const char *group)
 {
 	bool is_already = is_group_member(user, group);
@@ -634,6 +644,12 @@ static void del_group(const char *user, const char *group)
 		AUDIT("User \"%s\" removed from UNIX \"%s\" group.", user, group);
 }
 
+static void del_groups(const char *user, const char **groups)
+{
+	for (size_t i = 0; groups[i]; i++)
+		del_group(user, groups[i]);
+}
+
 /* Users with a valid shell are also allowed CLI access */
 static void adjust_access(const char *user, const char *shell)
 {
@@ -1446,9 +1462,9 @@ static int change_nacm(sr_session_ctx_t *session, uint32_t sub_id, const char *m
 			AUDIT("Failed adjusting shell for user \"%s\"", user);
 
 		if (is_admin)
-			add_group(user, "wheel");
+			add_groups(user, admin_groups);
 		else
-			del_group(user, "wheel");
+			del_groups(user, admin_groups);
 	}
 
 cleanup: