commit ced3092a89e7f01a034963804f6371f3da7a5007 parent df758a035669172183a2e0eb56d3ad92087c053a Author: Jan Pobrislo <ccx@webprojekty.cz> Date: Thu, 31 Dec 2020 04:11:51 +0100 Check if user is in "wheel" group before allowing root terminal for them. Diffstat:
M | sbin/logincaps | | | 15 | ++++++++++++++- |
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/sbin/logincaps b/sbin/logincaps
@@ -64,6 +64,15 @@ run_x() {
 }
 typeset -f -t run_x
+check_wheel() {
+ local wheel_gid
+ wheel_gid=${${(s.:.)"$(getent group wheel)"}[3]} || return $?
+ [[ $wheel_gid == [1-9]* ]] || return 1
+ WHEEL_GID=$wheel_gid s6-envuidgid ccx zsh -c 'echo ${${(s/,/)GIDLIST}[(I)$WHEEL_GID]}'
+ return $?
+}
+typeset -f -t check_wheel
+
 cap_cmd() {
 if "$@"; then
 printf 'OK\n'
@@ -86,7 +95,11 @@ terminal_spawn_common() {
 }
 terminal_spawn_password() {
- terminal_spawn_common "/command/check-root-password.py /command/spawn-pty.py" '{ login -f root }' "$1"
+ if check_wheel; then
+ terminal_spawn_common "/command/check-root-password.py /command/spawn-pty.py" '{ login -f root }' "$1"
+ else
+ printf 'ERR: Not in the group "wheel" (ex:%d)\n' $?
+ fi
 }
 terminal_spawn() {
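Review bot: check_wheel returns the exit status of `echo`, not the result of the membership lookup: the `(I)` subscript yields 0 when the gid is absent from GIDLIST and `echo 0` still exits 0, so as written the function appears to succeed for any account s6-envuidgid can resolve, and the gate added in the second hunk would never refuse. Make the inner command's status carry the answer, e.g. `zsh -c '(( ${${(s/,/)GIDLIST}[(I)$WHEEL_GID]} ))'`, which also stops the index being written to stdout ahead of the reply. The account name `ccx` is hard-coded, so the check covers that one account rather than the requesting user; it should come from a parameter or variable. The `[1-9]*` test also rejects a wheel group whose gid is 0, which deserves a comment if that is intended.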
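Review bot: The refusal in the else branch of terminal_spawn_password is reported only to the client, so a denied root-terminal request leaves no record on the host. Save the status first and log it to stderr as well, e.g. `local rc=$?` followed by `print -u2 -- "logincaps: root terminal refused (check_wheel exit $rc)"`, then use `$rc` in the printf. The message also says the user is not in the group when check_wheel failed because `getent group wheel` itself failed, which only the exit code distinguishes. terminal_spawn starts on the hunk's last line and its body is outside the hunk, so it is worth confirming that it cannot reach a root login without the same check.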