Merge pull request #2195 from webmin/dev/xterm-acls-allow-not-enforce-sudo

Fix to allow disabling the enforcement of sudo-capable logins
2026-02-03 14:13:29 +00:00 · 2024-06-12 15:47:08 -07:00
parent 35aee74311 e35efd0f00
commit e92a35b3ed
4 changed files with 9 additions and 1 deletions
--- a/xterm/acl_security.pl
+++ b/xterm/acl_security.pl
@@ -10,6 +10,10 @@ my ($o) = @_;
 print &ui_table_row($text{'acl_user'},
 	&ui_opt_textbox("user", $o->{'user'} eq '*' ? undef : $o->{'user'},
 			20, $text{'acl_sameuser'}));
+
+print &ui_table_row($text{'acl_sudoenforce'},
+	&ui_yesno_radio("sudoenforce",
+		$o->{'sudoenforce'} == 1 ? 1 : 0));
 }

 sub acl_security_save
@@ -17,4 +21,5 @@ sub acl_security_save
 my ($o) = @_;

 $o->{'user'} = $in{'user_def'} ? '*' : $in{'user'};
+$o->{'sudoenforce'} = $in{'sudoenforce'} ? 1 : 0;
 }
--- a/xterm/defaultacl
+++ b/xterm/defaultacl
@@ -1 +1,2 @@
 user=root
+sudoenforce=1
--- a/xterm/index.cgi
+++ b/xterm/index.cgi
@@ -175,7 +175,8 @@ my $user = $access{'user'};
 if ($user eq "*") {
 	$user = $remote_user;
 	}
-elsif ($user eq "root" && $remote_user ne $user && !$in{'user'}) {
+elsif ($user eq "root" && $remote_user ne $user && !$in{'user'} &&
+       $access{'sudoenforce'} ne '0') {
 	# If possible, start with a sudo-capable user
 	my @uinfo = getpwnam($remote_user);
 	if (@uinfo && $uinfo[7]) {
--- a/xterm/lang/en
+++ b/xterm/lang/en
@@ -9,3 +9,4 @@ index_eproxy=The Terminal module cannot be used when accessing Webmin via anothe

 acl_user=Run shell as Unix user
 acl_sameuser=Same as Webmin login
+acl_sudoenforce=Enforce <em>sudo</em>-only privileges