Commit 9ccc52d0 authored by Franco Fichtner's avatar Franco Fichtner

system: add sudo configure option to permit admins access; closes #990

This is especially useful for "sudo su" in manually created admins
to gain access to the console menu without compromising the root
password.

(cherry picked from commit 273692e5)
(cherry picked from commit 96ffce7c)
(cherry picked from commit 686f6a92)
parent acbdbb27
......@@ -196,6 +196,7 @@
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>user-shell-access</priv>
<priv>page-all</priv>
</group>
<user>
......@@ -205,7 +206,6 @@
<groupname>admins</groupname>
<password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password>
<uid>0</uid>
<priv>user-shell-access</priv>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
......
......@@ -1910,6 +1910,14 @@ function system_console_configure()
{
global $config;
$sudo_conf = '/usr/local/etc/sudoers.d/opnsense';
if (!empty($config['system']['sudo_allow_wheel'])) {
file_put_contents($sudo_conf, "%wheel ALL=(ALL) ALL\n");
} else {
@unlink($sudo_conf);
}
$serialspeed = (!empty($config['system']['serialspeed']) && is_numeric($config['system']['serialspeed'])) ? $config['system']['serialspeed'] : '115200';
$serial_enabled = isset($config['system']['enableserial']);
......
......@@ -42,6 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
$pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['sudo_allow_wheel'] = isset($config['system']['sudo_allow_wheel']);
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
......@@ -115,6 +116,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['disableconsolemenu']);
}
if ($pconfig['sudo_allow_wheel'] == "yes") {
$config['system']['sudo_allow_wheel'] = true;
} elseif (isset($config['system']['sudo_allow_wheel'])) {
unset($config['system']['sudo_allow_wheel']);
}
if ($pconfig['noantilockout'] == "yes") {
$config['system']['webgui']['noantilockout'] = true;
} elseif (isset($config['system']['webgui']['noantilockout'])) {
......@@ -559,13 +566,17 @@ include("head.inc");
<th colspan="2"><?=gettext("Console Options"); ?></th>
</tr>
<tr>
<td><a id="help_for_disableconsolemenu" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Console menu") ?></td>
<td><i class="fa fa-info-circle text-muted"></i></a> <?= gettext("Console menu") ?></td>
<td width="78%">
<input name="disableconsolemenu" type="checkbox" value="yes" <?= empty($pconfig['disableconsolemenu']) ? '' : 'checked="checked"' ?> />
<strong><?=gettext("Password protect the console menu"); ?></strong>
<div class="hidden" for="help_for_disableconsolemenu">
<?=gettext("Changes to this option will take effect after a reboot."); ?>
</div>
</td>
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Sudo usage") ?></td>
<td width="78%">
<input name="sudo_allow_wheel" type="checkbox" value="yes" <?= empty($pconfig['sudo_allow_wheel']) ? '' : 'checked="checked"' ?> />
<strong><?= gettext('Allow administrators to use the Sudo utility') ?></strong>
</td>
</tr>
<tr>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment