diff options
author | jim-p <jimp@pfsense.org> | 2012-10-09 10:40:56 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2012-10-09 10:40:56 -0400 |
commit | 170cb2bcbf0def99262f35368a0e474861300306 (patch) | |
tree | c22415328d68ccdc759ee69297e643a35f23bd05 /etc | |
parent | 6f3d3a0781556890e3a6158e32374aed2229f2bd (diff) | |
download | pfsense-170cb2bcbf0def99262f35368a0e474861300306.zip pfsense-170cb2bcbf0def99262f35368a0e474861300306.tar.gz |
Add initial support for a privilege that denies write access to the config.
NOTE: This only prevents writing to config.xml - it does NOT prevent other changes/execution that do not involve writing to config.xml (e.g. applying settings, exec, killing states, etc)
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/config.lib.inc | 5 | ||||
-rw-r--r-- | etc/inc/priv/user.priv.inc | 4 |
2 files changed, 9 insertions, 0 deletions
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 54a9134..ddefde0 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -494,6 +494,11 @@ function write_config($desc="Unknown", $backup = true) { log_error("WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml"); */ + if (!empty($_SESSION['Username'])) { + $user = getUserEntry($_SESSION['Username']); + if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) + return false; + } $username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username']; if (!empty($_SERVER['REMOTE_ADDR'])) $username .= '@' . $_SERVER['REMOTE_ADDR']; diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc index affa218..7c943cd 100644 --- a/etc/inc/priv/user.priv.inc +++ b/etc/inc/priv/user.priv.inc @@ -26,6 +26,10 @@ $priv_list['page-dashboard-widgets']['descr'] = "Allow direct access to all Dash $priv_list['page-dashboard-widgets']['match'] = array(); $priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*"; +$priv_list['user-config-readonly'] = array(); +$priv_list['user-config-readonly']['name'] = "User - Config - Deny Config Write"; +$priv_list['user-config-readonly']['descr'] = "If present, ignores requests from this user to write config.xml."; + $priv_list['user-shell-access'] = array(); $priv_list['user-shell-access']['name'] = "User - System - Shell account access"; $priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ". |