From 014d8e5fccfc03aa6ab48eb53fb7cce3c0f82a77 Mon Sep 17 00:00:00 2001 From: librelad Date: Sun, 24 May 2026 15:21:53 +0100 Subject: [PATCH] refactor(de-sudo): funnel genuine system commands through runSystem MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Foundation for a scoped sudoers: route every genuine system-admin command (systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/ service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical in every mode (safe on live installs) — it just collects all real-root use at one chokepoint that will define the eventual /etc/sudoers.d allowlist. Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin types sudo, not runSystem), and give crontab_check_processor.sh the same startup bootstrap as the task processor — it runs standalone via cron and already used runFileOp/runFileWrite (undefined there), so it was silently broken; now it sources the helpers + docker-type config. Co-Authored-By: Claude Opus 4.7 
Signed-off-by: librelad --- .../crowdsec/crowdsec_alerts_list.sh | 2 +- .../crowdsec/crowdsec_console_disable.sh | 4 +- .../crowdsec/crowdsec_console_enroll.sh | 4 +- .../crowdsec/crowdsec_decisions_list.sh | 2 +- .../crowdsec/crowdsec_hub_update.sh | 6 +-- .../containers/crowdsec/crowdsec_metrics.sh | 2 +- .../containers/crowdsec/crowdsec_status.sh | 6 +-- .../app/containers/crowdsec/crowdsec_unban.sh | 2 +- scripts/backup/engine/borg_install.sh | 4 +- .../checks/requirements/check_install_type.sh | 4 +- .../requirements/check_webui_systemd.sh | 2 +- scripts/crontab/crontab_install.sh | 4 +- .../crontab/task/crontab_check_processor.sh | 20 ++++++++ .../install/rooted/rooted_docker_check.sh | 6 +-- .../install/rootless/rootless_docker.sh | 16 +++---- .../docker/install/rootless/rootless_user.sh | 2 +- scripts/docker/service/start_docker.sh | 8 ++-- scripts/docker/service/stop_docker.sh | 4 +- scripts/install/install_crowdsec.sh | 48 +++++++++---------- scripts/install/install_ufw.sh | 16 +++---- scripts/install/install_ufwd.sh | 4 +- .../install/manager/install_user_manager.sh | 4 +- .../install/manager/uninstall_user_manager.sh | 2 +- scripts/os/install/arch.sh | 6 +-- scripts/os/install/ubuntu.sh | 2 +- scripts/webui/webui_install_systemd.sh | 2 +- scripts/wireguard/client/revoke_client.sh | 2 +- scripts/wireguard/install_standalone.sh | 30 ++++++------ scripts/wireguard/uninstall_standalone.sh | 8 ++-- 29 files changed, 121 insertions(+), 101 deletions(-) diff --git a/scripts/app/containers/crowdsec/crowdsec_alerts_list.sh b/scripts/app/containers/crowdsec/crowdsec_alerts_list.sh index 9abfef7..2c09c7a 100644 --- a/scripts/app/containers/crowdsec/crowdsec_alerts_list.sh +++ b/scripts/app/containers/crowdsec/crowdsec_alerts_list.sh @@ -1,5 +1,5 @@ #!/bin/bash appCrowdSecAlertsList() { - sudo cscli alerts list + runSystem cscli alerts list } 
diff --git a/scripts/app/containers/crowdsec/crowdsec_console_disable.sh b/scripts/app/containers/crowdsec/crowdsec_console_disable.sh index ab2f094..09b7630 100644 --- a/scripts/app/containers/crowdsec/crowdsec_console_disable.sh +++ b/scripts/app/containers/crowdsec/crowdsec_console_disable.sh @@ -1,7 +1,7 @@ #!/bin/bash appCrowdSecConsoleDisable() { - sudo cscli console disable -e all + runSystem cscli console disable -e all checkSuccess "Console enrollment removed — no signals will leave this host" - sudo systemctl reload crowdsec + runSystem systemctl reload crowdsec } diff --git a/scripts/app/containers/crowdsec/crowdsec_console_enroll.sh b/scripts/app/containers/crowdsec/crowdsec_console_enroll.sh index b627c37..af141e9 100644 --- a/scripts/app/containers/crowdsec/crowdsec_console_enroll.sh +++ b/scripts/app/containers/crowdsec/crowdsec_console_enroll.sh @@ -8,7 +8,7 @@ appCrowdSecConsoleEnroll() { isNotice "Get a token at https://app.crowdsec.net (free account). Enrolling shares attacker IPs + scenario names with CrowdSec SAS." return 1 fi - sudo cscli console enroll "$token" + runSystem cscli console enroll "$token" checkSuccess "Enrolled with CrowdSec Console — community blocklists will start syncing" - sudo systemctl reload crowdsec + runSystem systemctl reload crowdsec } diff --git a/scripts/app/containers/crowdsec/crowdsec_decisions_list.sh b/scripts/app/containers/crowdsec/crowdsec_decisions_list.sh index 3544515..0beb150 100644 --- a/scripts/app/containers/crowdsec/crowdsec_decisions_list.sh +++ b/scripts/app/containers/crowdsec/crowdsec_decisions_list.sh @@ -1,5 +1,5 @@ #!/bin/bash appCrowdSecDecisionsList() { - sudo cscli decisions list + runSystem cscli decisions list } diff --git a/scripts/app/containers/crowdsec/crowdsec_hub_update.sh b/scripts/app/containers/crowdsec/crowdsec_hub_update.sh index c19c2a6..272d917 100644 --- a/scripts/app/containers/crowdsec/crowdsec_hub_update.sh +++ b/scripts/app/containers/crowdsec/crowdsec_hub_update.sh 
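Review bot: In appCrowdSecConsoleEnroll the enrollment key is still passed to cscli as a command-line argument, `runSystem cscli console enroll "$token"`, and because runSystem is plain `sudo "$@"` the whole argv is what sudo records in its command log (its default logging writes each command line to syslog) on top of being visible in `ps` while the call runs; `runSystem cscli console enroll "$console_token"` in installCrowdsecHost further down has the same shape. If cscli can take the key from a file or stdin, that form keeps the secret out of the audit trail; if it cannot, a comment on the line such as `# NOTE: token appears in sudo's command log and in ps for the duration of the call` at least makes the exposure a deliberate choice rather than an accident of the sweep. The function body begins before this hunk.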
@@ -1,10 +1,10 @@ #!/bin/bash appCrowdSecHubUpdate() { - sudo cscli hub update + runSystem cscli hub update checkSuccess "Hub index refreshed" - sudo cscli hub upgrade + runSystem cscli hub upgrade checkSuccess "Installed collections upgraded" - sudo systemctl reload crowdsec + runSystem systemctl reload crowdsec checkSuccess "Reloaded CrowdSec to apply changes" } diff --git a/scripts/app/containers/crowdsec/crowdsec_metrics.sh b/scripts/app/containers/crowdsec/crowdsec_metrics.sh index 2aec110..dfdb897 100644 --- a/scripts/app/containers/crowdsec/crowdsec_metrics.sh +++ b/scripts/app/containers/crowdsec/crowdsec_metrics.sh @@ -1,5 +1,5 @@ #!/bin/bash appCrowdSecMetrics() { - sudo cscli metrics + runSystem cscli metrics } diff --git a/scripts/app/containers/crowdsec/crowdsec_status.sh b/scripts/app/containers/crowdsec/crowdsec_status.sh index d546971..9923f80 100644 --- a/scripts/app/containers/crowdsec/crowdsec_status.sh +++ b/scripts/app/containers/crowdsec/crowdsec_status.sh @@ -8,9 +8,9 @@ appCrowdSecStatus() { systemctl status crowdsec-firewall-bouncer --no-pager --lines=5 2>&1 | head -15 echo echo "=== installed collections ===" - sudo cscli collections list -o human 2>&1 | head -30 + runSystem cscli collections list -o human 2>&1 | head -30 echo echo "=== machines + bouncers ===" - sudo cscli machines list 2>&1 - sudo cscli bouncers list 2>&1 + runSystem cscli machines list 2>&1 + runSystem cscli bouncers list 2>&1 } diff --git a/scripts/app/containers/crowdsec/crowdsec_unban.sh b/scripts/app/containers/crowdsec/crowdsec_unban.sh index ec06803..e23d73f 100644 --- a/scripts/app/containers/crowdsec/crowdsec_unban.sh +++ b/scripts/app/containers/crowdsec/crowdsec_unban.sh @@ -7,6 +7,6 @@ appCrowdSecUnban() { isNotice "No IP provided — pass ip=
via the Tools modal." return 1 fi - sudo cscli decisions delete --ip "$ip" + runSystem cscli decisions delete --ip "$ip" checkSuccess "Removed decisions for $ip" } diff --git a/scripts/backup/engine/borg_install.sh b/scripts/backup/engine/borg_install.sh index ed45a16..35c8a1e 100644 --- a/scripts/backup/engine/borg_install.sh +++ b/scripts/backup/engine/borg_install.sh @@ -11,11 +11,11 @@ borgInstall() isHeader "Installing BorgBackup" if command -v apt-get >/dev/null 2>&1; then - sudo apt-get install -y borgbackup && return 0 + runSystem apt-get install -y borgbackup && return 0 elif command -v dnf >/dev/null 2>&1; then sudo dnf install -y borgbackup && return 0 elif command -v pacman >/dev/null 2>&1; then - sudo pacman -S --noconfirm borg && return 0 + runSystem pacman -S --noconfirm borg && return 0 fi isError "Could not install BorgBackup — no supported package manager found." diff --git a/scripts/checks/requirements/check_install_type.sh b/scripts/checks/requirements/check_install_type.sh index 3f88ce5..b1b900b 100755 --- a/scripts/checks/requirements/check_install_type.sh +++ b/scripts/checks/requirements/check_install_type.sh @@ -21,14 +21,14 @@ checkInstallTypeRequirement() { if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then ISCOMP=$( (docker compose -v ) 2>&1 ) - ISUFW=$( (sudo ufw status ) 2>&1 ) + ISUFW=$( (runSystem ufw status ) 2>&1 ) ISUFWD=$( (sudo ufw-docker) 2>&1 ) resolveDockerInstallUser if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then # Used for checking if rooted docket is active - ISACT=$( (sudo systemctl is-active docker ) 2>&1 ) + ISACT=$( (runSystem systemctl is-active docker ) 2>&1 ) elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then # Used for checking the rootless user local ISUSER=$( (sudo id -u "$CFG_DOCKER_INSTALL_USER")) diff --git a/scripts/checks/requirements/check_webui_systemd.sh b/scripts/checks/requirements/check_webui_systemd.sh index ceb59e6..fed3cc7 100755 
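Review bot: In checkInstallTypeRequirement the presence probe `ISUFW=$( (runSystem ufw status ) 2>&1 )` detects a missing ufw by running it under sudo and later string-matching "command not found" in the captured output, which only keeps working while runSystem stays a transparent `sudo "$@"` and sudo's wording never changes; once runSystem fronts a sudoers allowlist, a denial message would not match and the check would read as "installed". A presence check needs no privilege at all: `command -v ufw >/dev/null 2>&1` answers it without root, and the same applies to the `ISUFWD` probe on the next line and to the identical `ISUFW` probe in installUFW in install_ufw.sh. In this same hunk `ISUFWD=$( (sudo ufw-docker) 2>&1 )` is left as raw sudo although ufw-docker is on the commit's own funnel list, and `sudo dnf install -y borgbackup` in borgInstall above is another package-manager call the chokepoint will never see. Separately, `systemctl is-active docker` is readable without root, so `runSystem systemctl is-active ...` here (and in check_webui_systemd.sh, rooted_docker_check.sh and webui_install_systemd.sh) grants privilege to a read-only query that the eventual allowlist would then have to carry. The function body begins before this hunk.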
--- a/scripts/checks/requirements/check_webui_systemd.sh +++ b/scripts/checks/requirements/check_webui_systemd.sh @@ -4,7 +4,7 @@ checkWebUISystemdRequirement() { if [[ $CFG_REQUIREMENT_WEBUI_SERVICE == "true" ]]; then ### Check if systemd service is running - if sudo systemctl is-active --quiet libreportal.service; then + if runSystem systemctl is-active --quiet libreportal.service; then isSuccessful "LibrePortal task processor service is running." else isNotice "LibrePortal task processor service is not running." diff --git a/scripts/crontab/crontab_install.sh b/scripts/crontab/crontab_install.sh index d0dfa30..d4669c2 100755 --- a/scripts/crontab/crontab_install.sh +++ b/scripts/crontab/crontab_install.sh @@ -10,9 +10,9 @@ installCrontab() ISCRON=$( (sudo -u $sudo_user_name crontab -l) 2>&1 ) if [[ "$ISCRON" == *"command not found"* ]]; then isNotice "Crontab is not installed, setting up now." - local result=$(sudo apt update) + local result=$(runSystem apt update) checkSuccess "Updating apt for post installation" - local result=$(sudo apt install cron -y) + local result=$(runSystem apt install cron -y) isSuccessful "Installing crontab application" local result=$(sudo -u $sudo_user_name crontab -l) isSuccessful "Enabling crontab on the system" diff --git a/scripts/crontab/task/crontab_check_processor.sh b/scripts/crontab/task/crontab_check_processor.sh index 3b767b2..503deba 100755 --- a/scripts/crontab/task/crontab_check_processor.sh +++ b/scripts/crontab/task/crontab_check_processor.sh 
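Review bot: In installCrontab the converted lines keep the `local result=$(runSystem apt update)` form, where the `$?` seen by the following checkSuccess is the status of `local` (always 0) rather than of apt — the commit's own comment in rootless_user.sh ("Run unmasked so checkSuccess sees real failures") describes exactly this masking, assuming checkSuccess keys off `$?` as that comment implies. Split declaration from assignment, `local result` on its own line and then `result=$(runSystem apt update)`, so a failed update is reported; the `apt install cron -y` line is additionally followed by an unconditional `isSuccessful` rather than `checkSuccess`, so it can never report failure at all. The same masked `local result=$(runSystem ...)` form is carried over in rootless_docker.sh, start_docker.sh, stop_docker.sh, install_crowdsec.sh, install_ufw.sh, install_ufwd.sh, install_user_manager.sh, uninstall_user_manager.sh and ubuntu.sh below. installCrontab's body begins before this hunk.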
@@ -10,6 +10,26 @@ script_check_processor_flag="$1" # Only run when executed directly, not when sourced if [[ "$script_check_processor_flag" == "start_script" ]]; then +# --- Load the privilege helpers + docker-type config ------------------------- +# cron runs this standalone, so the de-sudo helpers (runFileOp/runFileWrite/ +# runSystem) and the config they key off are NOT otherwise in scope — without +# them every privileged op is "command not found". Same bootstrap as +# crontab_task_processor.sh. These files are pure function/var defs, safe to +# source. +LP_SCRIPTS="${install_scripts_dir:-/docker/install/scripts/}" +LP_DOCKER_CFG="/docker/configs/general/general_docker_install" +[[ -f "$LP_DOCKER_CFG" ]] && \ + eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed 's/[[:space:]]*#.*//')" +: "${sudo_user_name:=libreportal}" +: "${containers_dir:=/docker/containers/}" +: "${docker_dir:=/docker}" +for _lp_f in docker/command/run_privileged.sh \ + docker/command/docker_run_install.sh \ + checks/requirements/check_install_type.sh; do + [[ -f "${LP_SCRIPTS}${_lp_f}" ]] && source "${LP_SCRIPTS}${_lp_f}" +done +command -v resolveDockerInstallUser >/dev/null 2>&1 && resolveDockerInstallUser + # ======================================== # HEALTH CHECK CONFIGURATION # ======================================== diff --git a/scripts/docker/install/rooted/rooted_docker_check.sh b/scripts/docker/install/rooted/rooted_docker_check.sh index 91f0698..071b2cc 100755 --- a/scripts/docker/install/rooted/rooted_docker_check.sh +++ b/scripts/docker/install/rooted/rooted_docker_check.sh 
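Review bot: The new bootstrap evaluates config-file text as shell code: `eval "$(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG" | sed 's/[[:space:]]*#.*//')"` anchors only the key names, so anything after the `=` — a `;`, a `$(...)`, backticks — runs with whatever privileges the cron job executing this script has, and whether that config file is writable by any account other than the one running cron is not visible here. The two values can be read as plain strings without eval (below), and since the comment says this is the same bootstrap as crontab_task_processor.sh, that copy would need the same change if it is identical. Two smaller points in the same block: the paths are built as `"${LP_SCRIPTS}${_lp_f}"`, so an `install_scripts_dir` set without a trailing slash makes every `[[ -f ]]` guard fail silently and nothing is sourced, which deserves a `${LP_SCRIPTS%/}/` normalisation or a comment; and `_lp_f` stays defined at file scope after the loop, so an `unset _lp_f` afterwards keeps the namespace clean. The enclosing `if` block begins before and continues after this hunk.
```shell
LP_DOCKER_CFG="/docker/configs/general/general_docker_install"
if [[ -f "$LP_DOCKER_CFG" ]]; then
  # Read the two keys as plain values; never eval config-file contents.
  while IFS='=' read -r _lp_k _lp_v; do
    _lp_v="${_lp_v%%#*}"                         # drop trailing comment
    _lp_v="${_lp_v%"${_lp_v##*[![:space:]]}"}"   # trim trailing whitespace
    _lp_v="${_lp_v#[\"\']}"; _lp_v="${_lp_v%[\"\']}"   # unquote "..." / '...'
    case "$_lp_k" in
      CFG_DOCKER_INSTALL_TYPE|CFG_DOCKER_INSTALL_USER)
        printf -v "$_lp_k" '%s' "$_lp_v" ;;
    esac
  done < <(grep -E '^CFG_DOCKER_INSTALL_(TYPE|USER)=' "$LP_DOCKER_CFG")
  unset _lp_k _lp_v
fi
# … unchanged: sudo_user_name/containers_dir/docker_dir defaults, helper sourcing, resolveDockerInstallUser …
```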
@@ -6,11 +6,11 @@ installDockerRootedCheck() #### Test if Docker Service is Running ### ########################################## if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then - ISACT=$( (sudo systemctl is-active docker ) 2>&1 ) + ISACT=$( (runSystem systemctl is-active docker ) 2>&1 ) if [[ "$ISACT" != "active" ]]; then isNotice "Checking Docker service status. Waiting if not found." while [[ "$ISACT" != "active" ]] && [[ $X -le 10 ]]; do - sudo systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1 + runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1 sleep 10s & pid=$! # Process Id of the previous running command spin='-\|/' @@ -22,7 +22,7 @@ installDockerRootedCheck() sleep .1 done printf "\r" - ISACT=`sudo systemctl is-active docker` + ISACT=`runSystem systemctl is-active docker` let X=X+1 echo "$X" done diff --git a/scripts/docker/install/rootless/rootless_docker.sh b/scripts/docker/install/rootless/rootless_docker.sh index 48c4a32..04176d9 100755 --- a/scripts/docker/install/rootless/rootless_docker.sh +++ b/scripts/docker/install/rootless/rootless_docker.sh @@ -16,10 +16,10 @@ installDockerRootless() local docker_install_user_id=$(id -u "$CFG_DOCKER_INSTALL_USER") local docker_install_bashrc="/home/$CFG_DOCKER_INSTALL_USER/.bashrc" - local result=$(sudo apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt) + local result=$(runSystem apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common uidmap dbus-user-session fuse-overlayfs passt) checkSuccess "Installing necessary packages" - local result=$(sudo systemctl disable --now docker.service docker.socket) + local result=$(runSystem systemctl disable --now docker.service docker.socket) checkSuccess "Disabling Docker service & Socket" ((menu_number++)) 
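Review bot: In installDockerRootedCheck the retry loop keeps the backtick form `` ISACT=`runSystem systemctl is-active docker` `` and `let X=X+1`; `ISACT=$(runSystem systemctl is-active docker)` and `X=$((X + 1))` are the forms the rest of this hunk already uses and they quote and nest safely. The start command is piped, `runSystem systemctl start docker | sudo tee -a "$logs_dir/$docker_log_file" 2>&1`, so the line's exit status is tee's rather than systemctl's and the trailing `2>&1` redirects tee's stderr, not systemctl's — tolerable here only because the loop re-checks `is-active` rather than trusting the status, which a comment such as `# status of systemctl is deliberately ignored; the is-active poll below decides` would make explicit. The function body begins before and continues after these hunks.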
@@ -30,7 +30,7 @@ installDockerRootless() # slirp4netns update and install if ! command -v slirp4netns &> /dev/null; then isNotice "slirp4netns is not installed. Installing..." - local result=$(sudo apt-get install -y slirp4netns) + local result=$(runSystem apt-get install -y slirp4netns) checkSuccess "Installing slirp4netns" else isNotice "slirp4netns is already installed" @@ -39,9 +39,9 @@ installDockerRootless() if [[ "$installed_version" != "$latest_version" ]]; then isNotice "slirp4netns version $installed_version is outdated." isNotice "Installing version $latest_version..." - local result=$(sudo apt-get update) + local result=$(runSystem apt-get update) checkSuccess "Updating apt packages" - local result=$(sudo apt-get install -y slirp4netns) + local result=$(runSystem apt-get install -y slirp4netns) checkSuccess "Installing slirp4netns" else isSuccessful "slirp4netns version $installed_version is up to date" @@ -58,7 +58,7 @@ installDockerRootless() else local result=$(echo "kernel.unprivileged_userns_clone=1" | sudo tee -a $sysctl > /dev/null) checkSuccess "Adding kernel.unprivileged_userns_clone=1 to $sysctl..." - local result=$(sudo sysctl --system) + local result=$(runSystem sysctl --system) checkSuccess "Running sudo -u $sudo_user_name sysctl --system..." fi fi @@ -97,7 +97,7 @@ installDockerRootless() echo "---- $menu_number. Setting up Rootless Docker." echo "" - local result=$(sudo loginctl enable-linger $CFG_DOCKER_INSTALL_USER) + local result=$(runSystem loginctl enable-linger $CFG_DOCKER_INSTALL_USER) checkSuccess "Adding automatic start (linger)" # Rootless Install @@ -216,7 +216,7 @@ net.core.bpf_jit_harden=2 EOL checkSuccess "Writing kernel LPE-surface hardening to $hardening_conf" - local result=$(sudo sysctl --system) + local result=$(runSystem sysctl --system) checkSuccess "Applying changes to sysctl" menu_number=0 
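Review bot: The checkSuccess message after `runSystem sysctl --system` in the -58 hunk still reads "Running sudo -u $sudo_user_name sysctl --system...", but the command now runs as root through runSystem, not as $sudo_user_name, so the log describes something that did not happen; `checkSuccess "Running sysctl --system..."` matches the call. In the -97 hunk `runSystem loginctl enable-linger $CFG_DOCKER_INSTALL_USER` leaves the user name unquoted while the useradd call in rootless_user.sh quotes the same variable; `"$CFG_DOCKER_INSTALL_USER"` keeps the two consistent and avoids word-splitting an empty or odd value into a different argv. installDockerRootless begins before and continues after these hunks.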
diff --git a/scripts/docker/install/rootless/rootless_user.sh b/scripts/docker/install/rootless/rootless_user.sh index b5b4de8..7f46a32 100755 --- a/scripts/docker/install/rootless/rootless_user.sh +++ b/scripts/docker/install/rootless/rootless_user.sh @@ -12,7 +12,7 @@ installDockerRootlessUser() # -m makes its home; with SUB_UID/GID configured in login.defs, # useradd also assigns its subordinate uid/gid ranges (needed for # rootless). Run unmasked so checkSuccess sees real failures. - sudo useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER" + runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER" checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User." updateDockerInstallPassword; fi diff --git a/scripts/docker/service/start_docker.sh b/scripts/docker/service/start_docker.sh index 3862983..25efc32 100755 --- a/scripts/docker/service/start_docker.sh +++ b/scripts/docker/service/start_docker.sh @@ -3,16 +3,16 @@ dockerServiceStart() { if [[ $CFG_DOCKER_INSTALL_TYPE == "rooted" ]]; then - local result=$(sudo systemctl start docker) + local result=$(runSystem systemctl start docker) checkSuccess "Starting Docker Service" - local result=$(sudo systemctl enable docker) + local result=$(runSystem systemctl enable docker) checkSuccess "Enabling Docker Service" - local result=$(sudo usermod -aG docker $sudo_user_name) + local result=$(runSystem usermod -aG docker $sudo_user_name) checkSuccess "Adding user to 'docker' group" - local result=$(sudo systemctl restart docker) + local result=$(runSystem systemctl restart docker) checkSuccess "Restarting Docker service after group addition." elif [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then installDockerRootless; diff --git a/scripts/docker/service/stop_docker.sh b/scripts/docker/service/stop_docker.sh index 3ee2b7f..22f6fc2 100755 --- a/scripts/docker/service/stop_docker.sh +++ b/scripts/docker/service/stop_docker.sh 
@@ -8,10 +8,10 @@ dockerServiceStop() if [[ "$docker_rooted_found" == "true" ]]; then isNotice "Stopping rooted Docker service...this may take a moment..." - local result=$(sudo systemctl stop docker) + local result=$(runSystem systemctl stop docker) checkSuccess "Stopping Rooted Docker Service" - local result=$(sudo systemctl disable docker) + local result=$(runSystem systemctl disable docker) checkSuccess "Disabling Rooted Docker Service" fi fi diff --git a/scripts/install/install_crowdsec.sh b/scripts/install/install_crowdsec.sh index 2a7f586..c95b1a0 100644 --- a/scripts/install/install_crowdsec.sh +++ b/scripts/install/install_crowdsec.sh @@ -75,10 +75,10 @@ installCrowdsecHost() echo "---- $menu_number. Enabling CrowdSec services." echo "" - local result=$(sudo systemctl enable --now crowdsec) + local result=$(runSystem systemctl enable --now crowdsec) checkSuccess "Enabling CrowdSec agent" - local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer) + local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer) checkSuccess "Enabling CrowdSec firewall bouncer" ((menu_number++)) @@ -86,13 +86,13 @@ installCrowdsecHost() echo "---- $menu_number. Installing baseline collections." echo "" - local result=$(sudo cscli collections install crowdsecurity/linux) + local result=$(runSystem cscli collections install crowdsecurity/linux) checkSuccess "Installing crowdsecurity/linux collection" - local result=$(sudo cscli collections install crowdsecurity/sshd) + local result=$(runSystem cscli collections install crowdsecurity/sshd) checkSuccess "Installing crowdsecurity/sshd collection" - local result=$(sudo systemctl reload crowdsec) + local result=$(runSystem systemctl reload crowdsec) checkSuccess "Reloading CrowdSec to pick up collections" ((menu_number++)) 
@@ -106,14 +106,14 @@ installCrowdsecHost() # unregistering. Idempotent on either branch. local community_blocklist="${CFG_CROWDSEC_COMMUNITY_BLOCKLIST:-true}" if [[ "$community_blocklist" == "true" ]]; then - if sudo cscli capi status 2>&1 | grep -qi 'You can successfully'; then + if runSystem cscli capi status 2>&1 | grep -qi 'You can successfully'; then isNotice "Community blocklist already registered." else - local result=$(sudo cscli capi register 2>&1) + local result=$(runSystem cscli capi register 2>&1) checkSuccess "Registered with CrowdSec Central API (community blocklist)" fi else - local result=$(sudo cscli capi unregister 2>&1) + local result=$(runSystem cscli capi unregister 2>&1) checkSuccess "Unregistered from CrowdSec Central API (community blocklist disabled)" fi @@ -129,19 +129,19 @@ installCrowdsecHost() local console_enroll="${CFG_CROWDSEC_CONSOLE_ENROLL:-false}" local console_token="${CFG_CROWDSEC_CONSOLE_TOKEN:-}" local enrolled=false - sudo cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true + runSystem cscli console status 2>&1 | grep -qi 'enrolled' && enrolled=true if [[ "$console_enroll" == "true" ]]; then if [[ -z "$console_token" ]]; then isNotice "Console enrollment ON but CFG_CROWDSEC_CONSOLE_TOKEN is empty — paste your token from app.crowdsec.net to complete." elif [[ "$enrolled" == true ]]; then isNotice "Already enrolled with the SaaS console — skipping." else - local result=$(sudo cscli console enroll "$console_token" 2>&1) + local result=$(runSystem cscli console enroll "$console_token" 2>&1) checkSuccess "Enrolled with app.crowdsec.net SaaS console" fi else if [[ "$enrolled" == true ]]; then - local result=$(sudo cscli console disenroll 2>&1) + local result=$(runSystem cscli console disenroll 2>&1) checkSuccess "Disenrolled from app.crowdsec.net SaaS console" else isNotice "SaaS console enrollment disabled — skipping." 
@@ -161,7 +161,7 @@ installCrowdsecHost() if [[ -f "$lapi_cfg" ]] && ! sudo grep -qE 'listen_uri:[[:space:]]*0\.0\.0\.0:8080' "$lapi_cfg"; then sudo sed -i 's|listen_uri:.*|listen_uri: 0.0.0.0:8080|' "$lapi_cfg" checkSuccess "LAPI bound to 0.0.0.0:8080" - sudo systemctl restart crowdsec + runSystem systemctl restart crowdsec checkSuccess "CrowdSec restarted" else isNotice "LAPI already bound to 0.0.0.0:8080 — skipping." @@ -189,7 +189,7 @@ installCrowdsecHost() s|listen_port:.*|listen_port: ${prom_port}| }" "$cs_cfg" checkSuccess "CrowdSec metrics endpoint bound to ${prom_listen}" - sudo systemctl restart crowdsec + runSystem systemctl restart crowdsec checkSuccess "CrowdSec restarted" else isNotice "CrowdSec metrics already bound to ${prom_addr} — skipping." @@ -197,7 +197,7 @@ installCrowdsecHost() elif [[ -f "$cs_cfg" ]] && sudo grep -qE 'listen_addr:[[:space:]]*0\.0\.0\.0' "$cs_cfg"; then sudo sed -i "/^prometheus:/,/^[^[:space:]#]/ s|listen_addr:.*|listen_addr: 127.0.0.1|" "$cs_cfg" checkSuccess "CrowdSec metrics endpoint rebound to 127.0.0.1 (monitoring off)" - sudo systemctl restart crowdsec + runSystem systemctl restart crowdsec checkSuccess "CrowdSec restarted" else isNotice "Monitoring off — CrowdSec metrics endpoint left at its default." @@ -217,9 +217,9 @@ installCrowdsecHost() local key_file="/etc/crowdsec/traefik_bouncer.key" local cfg_file="/docker/configs/security/security_crowdsec" - if ! sudo cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then + if ! runSystem cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then local bouncer_key - bouncer_key=$(sudo cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1) + bouncer_key=$(runSystem cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1) if [[ -n "$bouncer_key" && "$bouncer_key" != *"error"* ]]; then echo "$bouncer_key" | sudo tee "$key_file" >/dev/null sudo chown libreportal:libreportal "$key_file" 
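Review bot: The privileged file edits surrounding the converted restarts — `sudo grep -qE ... "$lapi_cfg"`, `sudo sed -i 's|listen_uri:.*|...|' "$lapi_cfg"`, `echo "$bouncer_key" | sudo tee "$key_file"`, `sudo chown libreportal:libreportal "$key_file"` — stay raw sudo in these hunks, so after this sweep the chokepoint still does not see the writes that actually change the LAPI bind address and the bouncer credential under /etc/crowdsec. If runFileOp/runFileWrite (named in the commit message) are the intended route for these, a follow-up should move them, or each line should carry a comment saying why it is excluded; otherwise the eventual allowlist is likely to stop this function at its first `sudo sed -i` while the restarts around it are permitted. installCrowdsecHost begins before and continues after these hunks.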
@@ -250,16 +250,16 @@ installCrowdsecHost() # The firewall bouncer needs a moment to install its nftables table # after enable. Poll up to ~10s before deciding it's missing. local _wait=0 - until sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do + until runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec' || [[ $_wait -ge 10 ]]; do sleep 1; _wait=$((_wait+1)) done - if ! sudo nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then + if ! runSystem nft list tables 2>/dev/null | grep -qiE 'crowdsec'; then isNotice "CrowdSec nftables table not yet present after ${_wait}s. Bouncer may still be starting; re-run the verification Tools action in a minute if rules don't appear." else local cs_prio ufw_prio - cs_prio=$(sudo nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}') - ufw_prio=$(sudo nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}') + cs_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/table .* crowdsec/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}') + ufw_prio=$(runSystem nft list ruleset 2>/dev/null | awk '/chain ufw[a-z0-9-]*input/{flag=1} flag && /priority/{match($0,/priority [-0-9]+/); print substr($0,RSTART+9,RLENGTH-9); exit}') if [[ -z "$ufw_prio" ]]; then isSuccessful "UFW not in nftables — no ordering needed (CrowdSec prio: ${cs_prio:-?})." 
@@ -291,10 +291,10 @@ installCrowdsecHost() echo "---- $menu_number. Re-enabling CrowdSec services." echo "" - local result=$(sudo systemctl enable --now crowdsec) + local result=$(runSystem systemctl enable --now crowdsec) checkSuccess "Enabling CrowdSec agent" - local result=$(sudo systemctl enable --now crowdsec-firewall-bouncer) + local result=$(runSystem systemctl enable --now crowdsec-firewall-bouncer) checkSuccess "Enabling CrowdSec firewall bouncer" isSuccessful "CrowdSec services re-enabled." @@ -312,10 +312,10 @@ installCrowdsecHost() echo "---- $menu_number. Stopping and disabling CrowdSec services." echo "" - local result=$(sudo systemctl disable --now crowdsec-firewall-bouncer 2>&1) + local result=$(runSystem systemctl disable --now crowdsec-firewall-bouncer 2>&1) checkSuccess "Disabling CrowdSec firewall bouncer" - local result=$(sudo systemctl disable --now crowdsec 2>&1) + local result=$(runSystem systemctl disable --now crowdsec 2>&1) checkSuccess "Disabling CrowdSec agent" isSuccessful "CrowdSec disabled. Package remains installed — set CFG_CROWDSEC_ENABLED=true to re-enable, or uninstall via the Tools tab." diff --git a/scripts/install/install_ufw.sh b/scripts/install/install_ufw.sh index ed3c697..b8ec9de 100755 --- a/scripts/install/install_ufw.sh +++ b/scripts/install/install_ufw.sh @@ -3,7 +3,7 @@ installUFW() { if [[ "$CFG_REQUIREMENT_UFW" == "true" ]]; then - ISUFW=$( (sudo ufw status ) 2>&1 ) + ISUFW=$( (runSystem ufw status ) 2>&1 ) if [[ "$ISUFW" == *"command not found"* ]]; then isHeader "Install UFW Firewall" @@ -12,7 +12,7 @@ installUFW() echo "---- $menu_number. Installing using linux package installer" echo "" - local result=$(yes | sudo apt-get install ufw ) + local result=$(yes | runSystem apt-get install ufw ) checkSuccess "Installing UFW package" # ((menu_number++)) 
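Review bot: In installUFW the package install is driven by `yes | runSystem apt-get install ufw`, which answers "y" to every prompt apt-get might raise, not only the install confirmation; `runSystem apt-get install -y ufw` is the intended form and is what borgInstall and installDockerRootless already use. In the -56 hunk further down, `runSystem ufw logging $CFG_UFW_LOGGING` should quote the value, and the message that follows ("Disabling UFW Firewall Logging") is wrong for every setting other than off — `checkSuccess "Setting UFW logging to $CFG_UFW_LOGGING"` describes all of them. installUFW begins before and continues after these hunks.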
@@ -27,9 +27,9 @@ installUFW() # ssh_port=${ssh_port:-22} # Default to 22 if not found # fi - # local result=$(sudo ufw allow $ssh_port) + # local result=$(runSystem ufw allow $ssh_port) # checkSuccess "Enabling Port $ssh_port through the firewall" - # local result=$(sudo ufw allow ssh) + # local result=$(runSystem ufw allow ssh) # checkSuccess "Enabling SSH through the firewall" # while true; do @@ -42,13 +42,13 @@ installUFW() # done # if [[ "$UFWSSH" == [nN] ]]; then - # local result=$(sudo ufw deny $ssh_port) + # local result=$(runSystem ufw deny $ssh_port) # checkSuccess "Blocking Port $ssh_port through the firewall" - # local result=$(sudo ufw deny ssh) + # local result=$(runSystem ufw deny ssh) # checkSuccess "Blocking SSH through the firewall" # fi - local result=$(sudo ufw --force enable) + local result=$(runSystem ufw --force enable) checkSuccess "Enabling UFW Firewall" ((menu_number++)) @@ -56,7 +56,7 @@ installUFW() echo "---- $menu_number. Changing logging options" echo "" - local result=$(yes | sudo ufw logging $CFG_UFW_LOGGING) + local result=$(yes | runSystem ufw logging $CFG_UFW_LOGGING) checkSuccess "Disabling UFW Firewall Logging" isSuccessful "UFW Firewall has been installed, you can use ufw status to see the status" diff --git a/scripts/install/install_ufwd.sh b/scripts/install/install_ufwd.sh index 8f5651c..facf2be 100755 --- a/scripts/install/install_ufwd.sh +++ b/scripts/install/install_ufwd.sh @@ -23,10 +23,10 @@ installUFWDocker() local result=$(sudo chmod +x $ufwpath) checkSuccess "Setting permissions for install files" - local result=$(sudo ufw-docker install > /dev/null 2>&1) + local result=$(runSystem ufw-docker install > /dev/null 2>&1) checkSuccess "Installing UFW Docker" - local result=$(sudo systemctl restart ufw) + local result=$(runSystem systemctl restart ufw) checkSuccess "Restarting UFW Firewall service" isSuccessful "UFW-Docker has been installed, you can use ufw-docker to see the available commands" 
diff --git a/scripts/install/manager/install_user_manager.sh b/scripts/install/manager/install_user_manager.sh index e1ee862..e3ee53e 100755 --- a/scripts/install/manager/install_user_manager.sh +++ b/scripts/install/manager/install_user_manager.sh @@ -10,7 +10,7 @@ installDockerManagerUser() isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..." # Create the User Account - local result=$(sudo useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER") + local result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER") checkSuccess "Adding user via useradd command" local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd) @@ -66,7 +66,7 @@ EOL") checkSuccess "Updating SSH Server Configuration for the Manager User." # Reload SSH Service - local result=$(sudo service ssh reload) + local result=$(runSystem service ssh reload) checkSuccess "Reloading SSH Service" fi diff --git a/scripts/install/manager/uninstall_user_manager.sh b/scripts/install/manager/uninstall_user_manager.sh index 22dd50f..eefcfea 100755 --- a/scripts/install/manager/uninstall_user_manager.sh +++ b/scripts/install/manager/uninstall_user_manager.sh @@ -14,7 +14,7 @@ uninstallDockerManagerUser() checkSuccess "Removing the Docker Manager User from $sshd_config." # Restart SSH Service - local result=$(sudo service ssh restart) + local result=$(runSystem service ssh restart) checkSuccess "Restarting SSH Service" fi fi diff --git a/scripts/os/install/arch.sh b/scripts/os/install/arch.sh index d60a445..eb2a2a8 100755 --- a/scripts/os/install/arch.sh +++ b/scripts/os/install/arch.sh 
@@ -7,7 +7,7 @@ installArch() if [[ "$UPDARCH" == [yY] ]]; then isNotice "Installing System Updates... this may take a while...be patient." - (sudo pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 & + (runSystem pacman -Syu --noconfirm) > $logs_dir/$docker_log_file 2>&1 & ## Show a spinner for activity progress pid=$! # Process Id of the previous running command spin='-\|/' @@ -25,12 +25,12 @@ installArch() isNotice "Installing Prerequisite Packages..." - sudo pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1 + runSystem pacman -Sy git curl wget --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1 if [[ "$ISACT" != "active" ]]; then isNotice "Installing Docker-CE (Community Edition)..." - sudo pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1 + runSystem pacman -Sy docker --noconfirm | sudo tee -a "$logs_dir/$docker_log_file" 2>&1 echo "- docker-ce version is now:" DOCKERV=$(docker -v) diff --git a/scripts/os/install/ubuntu.sh b/scripts/os/install/ubuntu.sh index 3a86322..8a9338d 100755 --- a/scripts/os/install/ubuntu.sh +++ b/scripts/os/install/ubuntu.sh @@ -14,7 +14,7 @@ installDebianUbuntu() local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1) checkSuccess "Updating System Operating system." - local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo apt update -qq 2>&1) + local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq 2>&1) checkSuccess "Running application update" local result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1) diff --git a/scripts/webui/webui_install_systemd.sh b/scripts/webui/webui_install_systemd.sh index 3f1a86e..c40df9c 100755 
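Review bot: `runSystem pacman -Sy git curl wget --noconfirm` in the `@@ -25` hunk refreshes the package database and installs against it without upgrading, which on Arch is a partial upgrade and can leave mismatched libraries when the user declined the `-Syu` in the previous hunk; the docker line below has the same shape. Also `2>&1` sits after `sudo tee`, so it redirects tee's stderr rather than pacman's, and pacman errors never reach the log; `runSystem pacman -S --needed --noconfirm git curl wget 2>&1 | sudo tee -a "$logs_dir/$docker_log_file"` captures them, with `-S --needed` (no refresh) or a full `-Syu` avoiding the partial upgrade. The `tee` itself is left on raw sudo; if `$logs_dir` is owned by the invoking user it needs no privilege at all.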
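Review bot: In the ubuntu.sh hunk the line after the changed one, `sudo $installed_apps -yqq`, runs whatever the unquoted `$installed_apps` variable expands to as root and is not routed through runSystem; a sudoers allowlist keyed on runSystem's argv cannot cover a command assembled from a string, so this call should become an explicit `runSystem apt-get install -yqq "${pkgs[@]}"` with the package list held in an array, or be documented as an intentional exception. The two apt calls in the preceding context line run with no sudo at all (one of them installs sudo itself), so installDebianUbuntu apparently assumes it is already root at that point; a comment stating that assumption would help whoever writes the allowlist. The function starts and ends outside the hunk.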
--- a/scripts/webui/webui_install_systemd.sh +++ b/scripts/webui/webui_install_systemd.sh @@ -78,7 +78,7 @@ EOF else # Unit already correct — ensure it's enabled + running, without a restart. runSystem systemctl enable libreportal.service >/dev/null 2>&1 - sudo systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service + runSystem systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service isSuccessful "LibrePortal task processor service already up to date." fi diff --git a/scripts/wireguard/client/revoke_client.sh b/scripts/wireguard/client/revoke_client.sh index 894cd07..c19155e 100755 --- a/scripts/wireguard/client/revoke_client.sh +++ b/scripts/wireguard/client/revoke_client.sh @@ -26,6 +26,6 @@ wireguardRevokeClient() result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf") checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME" - result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}")) + result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")) checkSuccess "Restart wireguard to apply changes" } diff --git a/scripts/wireguard/install_standalone.sh b/scripts/wireguard/install_standalone.sh index 5ab3a34..208e15e 100755 --- a/scripts/wireguard/install_standalone.sh +++ b/scripts/wireguard/install_standalone.sh @@ -33,7 +33,7 @@ installStandaloneWireGuard() # Install WireGuard tools and module if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then - sudo apt-get install -y wireguard iptables resolvconf qrencode + runSystem apt-get install -y wireguard iptables resolvconf qrencode # Update DNS after installing resolvconf updateDNS "" standalonewireguard; 
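Review bot: `runSystem systemctl is-active --quiet libreportal.service` elevates a read-only query: `systemctl is-active` works for an unprivileged user, so routing it through runSystem only adds an entry the future sudoers allowlist must carry. `systemctl is-active --quiet libreportal.service || runSystem systemctl start libreportal.service` keeps the chokepoint to the command that actually needs root. The `enable` on the line above discards both output and status with `>/dev/null 2>&1`, so a failed enable is still reported as "already up to date" by the following isSuccessful. The enclosing function starts and ends outside the hunk.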
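Review bot: `runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")` in revoke_client.sh passes a `/dev/fd/N` path through sudo, and sudo by default closes descriptors above 2 before exec (its closefrom setting), so on such a configuration wg is handed a path that no longer exists and syncconf fails; the assignment is a plain `result=$(…)` so checkSuccess should catch it, but it is worth verifying on a target host. A form that does not depend on an inherited descriptor, `runSystem wg-quick strip "${CFG_WG_SERVER_NIC}" | runSystem wg syncconf "${CFG_WG_SERVER_NIC}" /dev/stdin`, avoids the question. The identical line in install_standalone.sh (`@@ -248`) has the same issue, and that file carries a second copy of wireguardRevokeClient; with two definitions across sourced files the last one sourced wins, so consolidating them would remove the need to fix this twice.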
@@ -95,12 +95,12 @@ PostDown = iptables -t nat -D POSTROUTING -o ${server_nic} -j MASQUERADE" | sudo local result=$(echo '# WIREGUARD END' | sudo tee -a "$sysctl" > /dev/null) checkSuccess "Adding wireguard header to sysctl" - result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}") + result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}") checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service." - result=$(sudo systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}") + result=$(runSystem systemctl enable "wg-quick@${CFG_WG_SERVER_NIC}") checkSuccess "Enabled wg-quick@${CFG_WG_SERVER_NIC} service." - result=$(sudo sysctl --system) + result=$(runSystem sysctl --system) checkSuccess "Reloaded sysctl" portUse wireguardstandalone $CFG_WG_SERVER_PORT install; @@ -168,9 +168,9 @@ wireguardNewClient() fi # Generate key pair for the client - local WIREGUARD_CLIENT_PRIV_KEY=$(sudo wg genkey) - local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | sudo wg pubkey) - local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(sudo wg genpsk) + local WIREGUARD_CLIENT_PRIV_KEY=$(runSystem wg genkey) + local WIREGUARD_CLIENT_PUB_KEY=$(echo "${WIREGUARD_CLIENT_PRIV_KEY}" | runSystem wg pubkey) + local WIREGUARD_CLIENT_PRE_SHARED_KEY=$(runSystem wg genpsk) local WIREGUARD_ENDPOINT="${public_ip_v4}:${CFG_WG_SERVER_PORT}" # Create client file 
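Review bot: `wg genkey`, `wg pubkey` and `wg genpsk` in the `@@ -168` hunk are pure key-generation commands that need no privilege, so `runSystem wg genkey` and the two lines below elevate for nothing and widen the future sudoers allowlist; plain `wg genkey`, `wg pubkey` and `wg genpsk` produce the same keys. `local WIREGUARD_CLIENT_PRIV_KEY=$(…)` also combines declaration and assignment, hiding a failed genkey (SC2155), and an empty key would presumably propagate into the server and client config written afterwards; `local WIREGUARD_CLIENT_PRIV_KEY` followed by `WIREGUARD_CLIENT_PRIV_KEY=$(wg genkey) || return 1` makes the failure visible. wireguardNewClient starts and ends outside this hunk.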
@@ -195,12 +195,12 @@ PublicKey = ${WIREGUARD_CLIENT_PUB_KEY} PresharedKey = ${WIREGUARD_CLIENT_PRE_SHARED_KEY} AllowedIPs = ${CFG_WG_ALLOWED_IPS}" | sudo tee -a "/etc/wireguard/${CFG_WG_SERVER_NIC}.conf" >/dev/null - #result=$(sudo wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf) + #result=$(runSystem wg syncconf ${CFG_WG_SERVER_NIC} /etc/wireguard/${CFG_WG_SERVER_NIC}.conf) #checkSuccess "Syncing config file for $CFG_WG_SERVER_NIC" - #result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}") + #result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}") #checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service." - #result=$(sudo systemctl start "wg-quick@${CFG_WG_SERVER_NIC}") + #result=$(runSystem systemctl start "wg-quick@${CFG_WG_SERVER_NIC}") #checkSuccess "Started wg-quick@${CFG_WG_SERVER_NIC} service." # Generate QR code if qrencode is installed @@ -248,7 +248,7 @@ wireguardRevokeClient() result=$(sudo rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${WIREGUARD_CLIENT_NAME}.conf") checkSuccess "Removed generated client file for $WIREGUARD_CLIENT_NAME" - result=$(sudo wg syncconf "${CFG_WG_SERVER_NIC}" <(sudo wg-quick strip "${CFG_WG_SERVER_NIC}")) + result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}")) checkSuccess "Restart wireguard to apply changes" } 
@@ -274,14 +274,14 @@ wireguardUninstall() if [[ $WIREGUARD_REMOVE == [yY] ]]; then if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then - result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}") + result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}") checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service." - result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}") + result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}") checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service." if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then - result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode) + result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode) checkSuccess "Removed wireguard wireguard-tools qrencode" fi @@ -290,7 +290,7 @@ wireguardUninstall() result=$(sudo rm -f /etc/sysctl.d/wg.conf) checkSuccess "Delete /etc/sysctl.d/wg.conf file." - result=$(sudo sysctl --system) + result=$(runSystem sysctl --system) checkSuccess "Reloaded sysctl" portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install; diff --git a/scripts/wireguard/uninstall_standalone.sh b/scripts/wireguard/uninstall_standalone.sh index 5c3f969..1f41227 100755 --- a/scripts/wireguard/uninstall_standalone.sh +++ b/scripts/wireguard/uninstall_standalone.sh 
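Review bot: The inner `if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]` in the `@@ -274` hunk repeats the outer condition two lines above, so it is always true and the `apt-get remove` has no guard of its own; either the inner test was meant to differ (an Arch branch, perhaps) or it can be dropped. The whole wireguardUninstall function in install_standalone.sh is also duplicated verbatim in uninstall_standalone.sh (the `@@ -11` and `@@ -27` hunks on the next line), so every fix, including this one, has to land twice; a single definition would remove that risk.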
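Review bot: `runSystem sysctl --system` in the `@@ -290` hunk, run after `sudo rm -f /etc/sysctl.d/wg.conf`, reloads the remaining files but does not revert settings the deleted file had applied; if wg.conf enabled IP forwarding (the install path writes to `$sysctl` and reloads, see the `@@ -95` hunk), forwarding stays on in the running kernel until reboot. If the uninstall is meant to turn it off, set it explicitly, e.g. `runSystem sysctl -w net.ipv4.ip_forward=0`, provided nothing else on the host depends on it; otherwise a comment saying the reload is only a cleanup would stop the next reader from assuming it reverts. The same applies to the `@@ -27` hunk in uninstall_standalone.sh.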
@@ -11,14 +11,14 @@ wireguardUninstall() if [[ $WIREGUARD_REMOVE == [yY] ]]; then if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then - result=$(sudo systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}") + result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}") checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service." - result=$(sudo systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}") + result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}") checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service." if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then - result=$(sudo apt-get remove -y wireguard wireguard-tools qrencode) + result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode) checkSuccess "Removed wireguard wireguard-tools qrencode" fi @@ -27,7 +27,7 @@ wireguardUninstall() result=$(sudo rm -f /etc/sysctl.d/wg.conf) checkSuccess "Delete /etc/sysctl.d/wg.conf file." - result=$(sudo sysctl --system) + result=$(runSystem sysctl --system) checkSuccess "Reloaded sysctl" portUnuse wireguardstandalone $CFG_WG_SERVER_PORT install;