Ticket: CM-7066 Reviewed By: scotte,roopa,olson Testing Done: Unit testing and regression testing This patch does two things: 1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2. This should allow administrators to specify a config file location different from the default and allow subsets of users to use it without letting them specify their own with the -i option in ifup/ifdown. 2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users from specifying their own interfaces file. This defaults to "1" (even if it is not configured). Note: this new default takes away users' ability to specify an interfaces file. This should close the vulnerability where users could specify their own interfaces file and add arbitrary user commands. This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery commands already require root access to run and the interfaces config file also requires root access to modify.
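#
# ifupdown2 configuration file
#
# This file contains default settings for ifupdown
#
# Format: one key=value pair per line; comments are whole lines that
# start with '#'.
#
# NOTE(review): several settings below name files and directories whose
# contents ifupdown2 reads while running as root. Keep this file, and
# every path it names, owned by root and not writable by other users.
#

# default template engine (only mako is currently supported)
template_engine=mako

# default template lookup path during template rendering
# NOTE(review): mako templates can embed Python code that runs when the
# template is rendered, so this directory should be writable by root only.
template_lookuppath=/etc/network/ifupdown2/templates

# default network configuration filepath
# This is the interfaces file used when none is given on the command
# line. Administrators can point it at a different location here instead
# of handing users the -i option.
# The file it names can carry pre- and post- commands, so it should be
# modifiable by root only.
default_interfaces_configfile=/etc/network/interfaces

# The -i interfacefile option is not allowed by default to
# reduce security issues (due to the pre- and post- commands):
# an interfaces file chosen by the caller could add arbitrary commands.
# 1 = users cannot pass their own interfaces file with -i. This is also
#     the behaviour when the setting is missing from this file.
# 0 presumably allows -i again (confirm in the code before relying on
#     it); only consider that where everyone able to run ifup/ifdown is
#     already trusted to run commands as root.
disable_cli_interfacesfile=1

# Support /etc/network/if-*/ scripts
# 0 = off (presumably 1 turns it on -- confirm). When on, the scripts in
# those directories would be run by ifupdown2, so first check that the
# directories and their contents are writable by root only.
addon_scripts_support=0

# By default ifupdown2 only supports a single vlan filtering bridge
# on the system. Set this flag to 1 to support multiple vlan
# filtering bridges
multiple_vlan_aware_bridge_support=0

# ifquery check status strings.
# By default `ifquery --check` prints the check and
# cross marks against interface attributes.
# Use the below strings to modify the default behaviour.
# (ifquery_check_unknown_str is left empty here.)
#
ifquery_check_success_str=[pass]
ifquery_check_error_str=[fail]
ifquery_check_unknown_str=
#

# This attribute controls iface/vlan range expansions
# in ifquery default output.
ifquery_ifacename_expand_range=0

# Let link master (bridges, bonds) own the link state of slaves
link_master_slave=1

# Delay admin state change till the end
delay_admin_state_change=0

# ifreload by default downs: 'all interfaces for which config changed' +
# 'interfaces that were deleted'. With the below variable set to '0'
# ifreload will only down 'interfaces that were deleted'
ifreload_down_changed=0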