authorErik Fonnesbeck <efonnes@gmail.com>2010-07-12 15:31:14 -0600
committerErik Fonnesbeck <efonnes@gmail.com>2010-07-12 15:31:14 -0600
commit3e251b12903ea709b908d1cba30fe61cadbe2da3 (patch)
tree058ed247ef42f2e907614e2341b9d0b69e3d7d55
parent21f0f60de583cd02343e5e186d75b5f367de30be (diff)
Add SSH tunneling privilege to list of available privileges.
-rw-r--r--etc/inc/auth.inc5
-rw-r--r--etc/inc/priv/user.priv.inc7
2 files changed, 10 insertions, 2 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 33fc3ad..7da3057 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -287,12 +287,13 @@ function local_user_set(& $user) {
$lock_account = false;
/* configure shell type */
+ /* Cases here should be ordered by most privileged to least privileged. */
if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) {
$user_shell = "/bin/tcsh";
- } elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
- $user_shell = "/usr/local/sbin/ssh_tunnel_shell";
} elseif (userHasPrivilege($user, "user-copy-files")) {
$user_shell = "/usr/local/bin/scponly";
+ } elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
+ $user_shell = "/usr/local/sbin/ssh_tunnel_shell";
} else {
$user_shell = "/sbin/nologin";
$lock_account = true;
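Review bot: A user granted both user-copy-files and user-ssh-tunnel now silently ends up on scponly, because the elseif added at line 31 is only reached when the copy-files test above it fails, and nothing in the code records that this is the intended resolution of the conflict the privilege text mentions. The comment added at line 24 only says cases run from most to least privileged; it would be clearer to state the concrete outcome, e.g. `/* Precedence: shell access > copy files (scponly) > SSH tunnel only; a user holding several gets the first matching shell. */`. Whether scponly is really "more privileged" than the tunnel shell is a policy judgement rather than a ranking (one moves files, the other presumably forwards ports), so the comment should present it as a chosen precedence. The shells are hard-coded paths and scponly must be installed separately per the privilege description in this same commit; a missing binary presumably fails closed at login, but nothing here makes that visible to an admin. local_user_set starts before and continues after this hunk.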
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index d1ed5dc..779f2bb 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -14,6 +14,13 @@ $priv_list['user-copy-files']['descr'] = "Indicates whether the user is allowed
"If you are going to use this privilege, you must install ".
"scponly on the appliance (Hint: pkg_add -r scponly).";
+$priv_list['user-ssh-tunnel'] = array();
+$priv_list['user-ssh-tunnel']['name'] = "User - System - SSH tunneling";
+$priv_list['user-ssh-tunnel']['descr'] = "Indicates whether the user is able to login for ".
+ "tunneling via SSH when they have no shell access. ".
+ "Note: User - System - Copy files conflicts with ".
+ "this privilege.";
+
$priv_list['user-l2tp-dialin'] = array();
$priv_list['user-l2tp-dialin']['name'] = "User - VPN - L2TP Dialin";
$priv_list['user-l2tp-dialin']['descr'] = "Indicates whether the user is allowed to dial in via L2TP";
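Review bot: The new description at lines 45-48 says Copy files "conflicts with" this privilege but not how the conflict is resolved, so an administrator cannot tell from the GUI which shell a user holding both will get; auth.inc in this same commit tests user-copy-files first, so scponly wins. Suggest replacing the note with `"Note: if the user also has User - System - Copy files, that privilege takes precedence and the user is given scponly rather than the tunneling shell."`. It would also help to state what "tunneling" actually permits (port forwarding only, no command execution) once that is confirmed against ssh_tunnel_shell, since this privilege grants network reach through the firewall and the description is what an admin has to judge that by.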