Support readonly vtysh for sudoers (sonic-net#7383)

Why I did it Support readonly version of the command vtysh How I did it Check if the command starting with "show", and verify only contains single command in script.
renukamanavalan · Apr 25, 2021 · 56bdd75 · 56bdd75
1 parent 1d81c38
commit 56bdd75
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 0 deletions.
diff --git a/dockers/docker-fpm-frr/base_image_files/rvtysh b/dockers/docker-fpm-frr/base_image_files/rvtysh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# The command rvtysh can be run as root priviledge by any user without password, only allow to execute readonly commands.
+
+# The options in the show command cannot contains any charactors to run multiple sub-commands potentially, such as "\n", "\r", "|", "&", "$" and ";".
+if printf -- "$*" | grep -qPz '[\n\r|&$;]'; then
+    echo "Not allow to run the command, please use the comand 'sudo vtysh' instead." 1>&2
+    exit 1
+fi
+
+# The sub commands must start with "show"
+LAST_PARA=
+for para in "$@"
+do
+    if [ "$LAST_PARA" == "-c" ] && [[ "$para" != show*  ]]; then
+        echo "Not allow to run the command '$para', please use the comand 'sudo vtysh' instead." 1>&2
+        exit 1
+    fi
+    LAST_PARA=$para
+done
+
+vtysh "$@"
diff --git a/dockers/docker-fpm-quagga/base_image_files/rvtysh b/dockers/docker-fpm-quagga/base_image_files/rvtysh
@@ -0,0 +1 @@
+../../docker-fpm-frr/base_image_files/rvtysh
diff --git a/files/image_config/sudoers/sudoers b/files/image_config/sudoers/sudoers
@@ -30,6 +30,7 @@ Cmnd_Alias      READ_ONLY_CMDS = /bin/cat /var/log/syslog*, \
                                  /usr/bin/lldpctl, \
                                  /usr/bin/sensors, \
                                  /usr/bin/tail -F /var/log/syslog, \
+                                 /usr/bin/rvtysh *, \
                                  /usr/bin/vtysh -c show *, \
                                  /usr/bin/vtysh -n [0-9] -c show *, \
                                  /usr/local/bin/decode-syseeprom, \

diff --git a/rules/docker-fpm-frr.mk b/rules/docker-fpm-frr.mk
@@ -27,6 +27,7 @@ $(DOCKER_FPM_FRR)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_FPM_FRR)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
 
 $(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
+$(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += rvtysh:/usr/bin/rvtysh
 $(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += TSA:/usr/bin/TSA
 $(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += TSB:/usr/bin/TSB
 $(DOCKER_FPM_FRR)_BASE_IMAGE_FILES += TSC:/usr/bin/TSC

diff --git a/rules/docker-fpm-quagga.mk b/rules/docker-fpm-quagga.mk
@@ -13,3 +13,4 @@ $(DOCKER_FPM_QUAGGA)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_FPM_QUAGGA)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
 
 $(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
+$(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += rvtysh:/usr/bin/rvtysh
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,3 +13,4 @@ $(DOCKER_FPM_QUAGGA)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
		$(DOCKER_FPM_QUAGGA)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)

		$(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += vtysh:/usr/bin/vtysh
		$(DOCKER_FPM_QUAGGA)_BASE_IMAGE_FILES += rvtysh:/usr/bin/rvtysh