From 3e251b12903ea709b908d1cba30fe61cadbe2da3 Mon Sep 17 00:00:00 2001
From: Erik Fonnesbeck
Date: Mon, 12 Jul 2010 15:31:14 -0600
Subject: Add SSH tunneling privilege to list of available privileges.

---
 etc/inc/auth.inc           | 5 +++--
 etc/inc/priv/user.priv.inc | 7 +++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 33fc3ad..7da3057 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -287,12 +287,13 @@ function local_user_set(& $user) {
 	$lock_account = false;
 	/* configure shell type */
+	/* Cases here should be ordered by most privileged to least privileged. */
 	if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) {
 		$user_shell = "/bin/tcsh";
-	} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
-		$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
 	} elseif (userHasPrivilege($user, "user-copy-files")) {
 		$user_shell = "/usr/local/bin/scponly";
+	} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
+		$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
 	} else {
 		$user_shell = "/sbin/nologin";
 		$lock_account = true;
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index d1ed5dc..779f2bb 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
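Review bot: The new comment above the `if` chain states the ordering rule but not its consequence: a user who holds both `user-copy-files` and `user-ssh-tunnel` now matches the copy-files branch first, receives `/usr/local/bin/scponly`, and the tunnel grant is silently ignored, with nothing in this hunk recording that the conflict was resolved that way. Suggest spelling it out where the rule lives, e.g. `/* Only one login shell can be assigned: when a user holds both user-copy-files and user-ssh-tunnel, copy-files wins and the tunnel privilege has no effect. */`, so the next maintainer does not reorder the cases again without also updating the privilege descriptions in user.priv.inc. Whether scponly is genuinely more privileged than the tunnel shell depends on what each shell permits and on the sshd configuration, neither of which is visible here, so the comment's ranking reads as an assertion worth grounding in a short rationale. local_user_set begins before this hunk and continues after it.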
@@ -14,6 +14,13 @@ $priv_list['user-copy-files']['descr'] = "Indicates whether the user is allowed
 	"If you are going to use this privilege, you must install ".
 	"scponly on the appliance (Hint: pkg_add -r scponly).";
+$priv_list['user-ssh-tunnel'] = array();
+$priv_list['user-ssh-tunnel']['name'] = "User - System - SSH tunneling";
+$priv_list['user-ssh-tunnel']['descr'] = "Indicates whether the user is able to login for ".
+	"tunneling via SSH when they have no shell access. ".
+	"Note: User - System - Copy files conflicts with ".
+	"this privilege.";
+
 $priv_list['user-l2tp-dialin'] = array();
 $priv_list['user-l2tp-dialin']['name'] = "User - VPN - L2TP Dialin";
 $priv_list['user-l2tp-dialin']['descr'] = "Indicates whether the user is allowed to dial in via L2TP";
-- 
cgit v1.1
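Review bot: The new description says `User - System - Copy files conflicts with this privilege` but does not tell the administrator how the conflict is resolved; from the shell-selection order in the companion auth.inc hunk, Copy files takes precedence and SSH tunneling is then not granted at all. Suggest making the last sentence explicit, e.g. `"Note: if User - System - Copy files is also granted, it takes precedence and this privilege has no effect."`, so the privilege editor does not present a combination that grants less than it appears to. The neighbouring Copy files entry carries an install hint for scponly; if `/usr/local/sbin/ssh_tunnel_shell` is likewise not part of the base install, a matching hint belongs in this description, though I cannot tell from this diff whether that shell ships by default.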