Now that we have a new operational command runner, we can start enforcing command permissions.
A possible approach is:
- If the user is set to be an operator, all commands are allowed.
- The user can also be assigned to an "operator group" that allows only selected commands.
We almost certainly do not want to implement command deny lists: if one group has a command in its allow list and another group has the exact same command in its deny list, there is no obvious way to resolve the conflict for a user who is in both. With allow lists only, the permissions of a user in several groups are simply the union of those groups' lists, and nothing can ever subtract from them.
Example:
vyos@vyos# show system login
operator-group JuniorOperators {
    command-policy {
        allow show
        allow clear
        allow reset
    }
}
user bofh {
    authentication {
        ...
    }
    operator {
        # No group — allowed to execute anything
    }
}
user pfy {
    authentication {
        ...
    }
    operator {
        group JuniorOperators
    }
}

Extending this system to users who authenticate through RADIUS and other sources is future work with its own open questions.
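The following is an added example of the allow-list-only policy check described above, written for this page rather than taken from VyOS; the data model (OperatorGroup, User, the GROUPS and USERS tables) and the IfaceWatchers group with a multi-word allow entry are assumptions made to illustrate the idea, not part of the proposed configuration. It mirrors the bofh and pfy users from the example: an operator with no group may run anything, an operator in a group may run only commands whose leading words match an entry in one of the group's allow lists, and anyone else is denied. Matching is done on whitespace-separated tokens rather than on string prefixes, so "show" allows "show interfaces" but not "showinterfaces", and a reference to a group that does not exist fails closed.

```python
"""Allow-list-only operator command policy (added example, not VyOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class OperatorGroup:
    """An operator group with an allow list of command prefixes.

    Each entry is a whitespace-separated command prefix, e.g. "show" or
    "show interfaces" (multi-word entries are an assumption of this example).
    """
    name: str
    allow: List[str]

    def allowed_prefixes(self) -> List[Tuple[str, ...]]:
        return [tuple(entry.split()) for entry in self.allow]


@dataclass
class User:
    name: str
    operator: bool = False
    groups: List[str] = field(default_factory=list)


# Constructed sample data matching the configuration example on this page,
# plus an assumed IfaceWatchers group to show multi-word allow entries.
GROUPS: Dict[str, OperatorGroup] = {
    "JuniorOperators": OperatorGroup("JuniorOperators", ["show", "clear", "reset"]),
    "IfaceWatchers": OperatorGroup("IfaceWatchers", ["show interfaces"]),
}

USERS: Dict[str, User] = {
    "bofh": User("bofh", operator=True),                       # no group: anything
    "pfy": User("pfy", operator=True, groups=["JuniorOperators"]),
    "noc": User("noc", operator=True, groups=["IfaceWatchers"]),
    "guest": User("guest", operator=False),                     # not an operator
}


def is_allowed(user: User, command: str, groups: Dict[str, OperatorGroup] = GROUPS) -> bool:
    """Return True if `user` may run `command` under the allow-list policy."""
    tokens = tuple(command.split())
    if not tokens:
        return False                  # empty command: nothing to authorize
    if not user.operator:
        return False                  # only operators run operational commands
    if not user.groups:
        return True                   # operator without a group: everything allowed

    # Union of the groups' allow lists. Because there are no deny lists,
    # adding a group can only grant, never revoke, so no conflict can arise.
    prefixes: List[Tuple[str, ...]] = []
    for group_name in user.groups:
        group = groups.get(group_name)
        if group is None:
            return False              # dangling group reference: fail closed
        prefixes.extend(group.allowed_prefixes())

    # Token-wise prefix match: "show" matches "show interfaces", not "showinterfaces".
    return any(tokens[:len(prefix)] == prefix for prefix in prefixes)


def check(user_name: str, command: str) -> bool:
    """Convenience wrapper over the sample USERS table."""
    return is_allowed(USERS[user_name], command)


if __name__ == "__main__":
    for who, cmd in [("bofh", "reboot"), ("pfy", "show interfaces"),
                     ("pfy", "reboot"), ("noc", "show version"), ("guest", "show version")]:
        print(f"{who:6} {cmd!r:25} -> {'allow' if check(who, cmd) else 'deny'}")
```

Because the check runs on the tokenized command rather than the raw string, an allow entry cannot be bypassed by gluing extra characters onto a permitted word, and a user whose group was deleted from the configuration is denied rather than silently promoted to an ungrouped operator.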