From 170cb2bcbf0def99262f35368a0e474861300306 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Tue, 9 Oct 2012 10:40:56 -0400
Subject: Add initial support for a privilege that denies write access to the config.

NOTE: This only prevents writing to config.xml - it does NOT prevent other changes/execution that do not involve writing to config.xml (e.g. applying settings, exec, killing states, etc)
---
 etc/inc/config.lib.inc | 5 +++++
 etc/inc/priv/user.priv.inc | 4 ++++
 2 files changed, 9 insertions(+)
(limited to 'etc')

diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 54a9134..ddefde0 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -494,6 +494,11 @@ function write_config($desc="Unknown", $backup = true) {
 log_error("WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml");
 */
+ if (!empty($_SESSION['Username'])) {
+ $user = getUserEntry($_SESSION['Username']);
+ if (is_array($user) && userHasPrivilege($user, "user-config-readonly"))
+ return false;
+ }
 $username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
 if (!empty($_SERVER['REMOTE_ADDR']))
 $username .= '@' . $_SERVER['REMOTE_ADDR'];
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index affa218..7c943cd 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
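Review bot: The read-only denial in write_config returns false silently, so a refused write leaves nothing in the system log and any caller that ignores write_config's return value will still report the change as saved. Before `return false;` I would add `log_error("write_config: write denied for user " . $_SESSION['Username'] . " (user-config-readonly)");` so an operator can audit refused writes and tell them apart from a successful save. Whether existing callers check the return value cannot be seen from this hunk, so it is worth a comment at the check such as `// Read-only users are refused here; callers must honour the false return.` write_config begins and ends outside this hunk.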
@@ -26,6 +26,10 @@ $priv_list['page-dashboard-widgets']['descr'] = "Allow direct access to all Dash
 $priv_list['page-dashboard-widgets']['match'] = array();
 $priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*";
+$priv_list['user-config-readonly'] = array();
+$priv_list['user-config-readonly']['name'] = "User - Config - Deny Config Write";
+$priv_list['user-config-readonly']['descr'] = "If present, ignores requests from this user to write config.xml.";
+
 $priv_list['user-shell-access'] = array();
 $priv_list['user-shell-access']['name'] = "User - System - Shell account access";
 $priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ".
-- 
cgit v1.1
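Review bot: The descr string for user-config-readonly is what an administrator reads when assigning the privilege, and it does not say that only writes to config.xml are refused while applying settings or executing commands still proceed, the limitation the commit message itself calls out. I would extend it to `$priv_list['user-config-readonly']['descr'] = "If present, ignores requests from this user to write config.xml. Other actions (applying settings, executing commands) are not blocked.";` so the scope of the privilege is clear in the UI. The enforcement lives in the config.lib.inc hunk above.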