mirror/CumulusNetworks-ifupdown2
1
0
Fork 0
mirror of https://github.com/CumulusNetworks/ifupdown2.git synced 2024-05-06 15:54:50 +00:00
Code Activity
Files
a3d36dd86d6888a0b61b506a534c24ea4867a18f
CumulusNetworks-ifupdown2/man.rst/ifquery.8.rst
Sam Tannous 1e6d7bd76c add param in ifupdown2.conf to prevent fupdown2 users from specify interface config file on the CLI 
Ticket: CM-7066
Reviewed By: scotte,roopa,olson
Testing Done: Unit testing and regression testing

This patch does two things:

1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2.
This should allow administrators to specify a config file location different from the default and allow
subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown.

2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users
from specifying their own interfaces file. This defaults to "1" (even if it is not configured).

Note: this new default takes away users ability to specify an interfaces file.

This should close the vulnerability where users could specify their own interfaces file
and add arbitrary user commands.

This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery
commands already require root access to run and the interfaces config file also requires root access to modify.
2015-08-20 22:59:44 -04:00

157 lines
4.8 KiB
ReStructuredText
Raw Blame History

=======
ifquery
=======
-------------------------------------
query network interface configuration
-------------------------------------
:Author: Roopa Prabhu <roopa@cumulusnetworks.com>
:Date: 2014-02-05
:Copyright: Copyright 2014 Cumulus Networks, Inc. All rights reserved.
:Version: 0.1
:Manual section: 8
SYNOPSIS
========
**ifquery [-v] [--allow CLASS] [--with-depends] -a|IFACE...**
**ifquery [-v] [-r|--running] [--allow CLASS] [--with-depends] -a|IFACE...**
**ifquery [-v] [-c|--check] [--allow CLASS] [--with-depends] -a|IFACE...**
**ifquery [-v] [-p|--print-dependency {list,dot}] [--allow CLASS] [--with-depends] -a|IFACE...**
**ifquery [-v] -s|--syntax-help**
DESCRIPTION
===========
**ifquery** can be used to parse interface configuration file, query
running state or check running state of the interface with configuration
in **/etc/network/interfaces** file.
**ifquery** always works on the current **interfaces(5)** file
**/etc/network/interfaces** unless an alternate interfaces file is
defined in ifupdown2.conf or provided with the **-i** option.
Note: the -i option is disabled by default in ifupdown2.conf.
OPTIONS
=======
positional arguments:
**IFACE** interface list separated by spaces. **IFACE** list and **'-a'** argument are mutually exclusive.
optional arguments:
-h, --help show this help message and exit
-a, --all process all interfaces marked "auto"
-v, --verbose verbose
-d, --debug output debug info
--allow CLASS ignore non-"allow-CLASS" interfaces
-w, --with-depends run with all dependent interfaces. This option
is redundant when -a is specified. When '-a' is
specified, interfaces are always executed in
dependency order.
-X EXCLUDEPATS, --exclude EXCLUDEPATS
Exclude interfaces from the list of interfaces to
operate on. Can be specified multiple times
If the excluded interface has dependent interfaces,
(e.g. a bridge or a bond with multiple enslaved interfaces)
then each dependent interface must be specified in order
to be excluded.
-i INTERFACESFILE, --interfaces INTERFACESFILE
Use interfaces file instead of default
defined in ifupdown2.conf (default /etc/network/interfaces)
-t {native,json}, --interfaces-format {native,json}
interfaces file format
-r, --running print raw interfaces file entries
-c, --check check interface file contents against running state
of an interface. Returns exit code 0 on success and
1 on error
-x, --raw print raw config file entries
-o {native,json}, --format {native,json}
interface display format
-p, --print-dependency {list,dot}
print iface dependency in list or dot format
-s, --syntax-help print supported interface config syntax. Scans all
addon modules and dumps supported syntax from them
if provided by the module.
EXAMPLES
========
# dump all or some interfaces config file entries
# (pretty prints user provided entries)
**ifquery -a**
**ifquery br0**
# Same as above but dump with dependencies
**ifquery br0 --with-depends**
# Check running state with the config in /etc/network/interfaces
**ifquery --check br0**
**ifquery --check --with-depends br0**
**ifquery --check -a**
# dump running state of all interfaces in /etc/network/interfaces format
**ifquery --running br0**
**ifquery --running --with-depends br0**
**ifquery --running -a**
# print dependency info in list format
**ifquery --print-dependency=list -a**
**ifquery --print-dependency=list br2000**
# print dependency info in dot format
**ifquery --print-dependency=dot -a**
**ifquery --print-dependency=dot br2000**
# Create an image (png) from the dot format
**ifquery --print-dependency=dot -a > interfaces.dot**
**dot -Tpng interfaces.dot > interfaces.png**
(The above command only works on a system with dot installed)
KNOWN_ISSUES
============
**ifquery --check** is currently experimental
**ifquery --check** cannot validate usercommands given under pre-up, post-up etc
There is currently no support to check/validate ethtool iface attributes
SEE ALSO
========
ifup(8),
ifdown(8),
ifreload(8),
interfaces(5),
ifupdown-addons-interfaces(5)
View Git Blame Copy Permalink