From 6a2ba0264702b8481f0e5a640606db9a6b6f87e0 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sat, 23 May 2026 20:26:43 +0100
Subject: [PATCH] security(init): manage manager-user sudo via validated sudoers.d drop-in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
init.sh appended 'libreportal ALL=(ALL) NOPASSWD: ALL' straight to /etc/sudoers — a malformed line there locks out sudo entirely. Move it to a validated /etc/sudoers.d/libreportal drop-in (visudo -cf before install, 0440 root:root). The grant is still broad; this is the single managed file we tighten to a scoped command allowlist once the runtime no longer needs broad root. Only runs at install, so existing boxes are untouched.
Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
init.sh | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/init.sh b/init.sh
index 193a604..7e59bc0 100755
--- a/init.sh
+++ b/init.sh
@@ -690,16 +690,21 @@ initUsers()
 sudo systemctl restart docker
 isSuccessful "User $sudo_user_name created successfully."
 fi
- local sudoers_file="/etc/sudoers"
- local sudo_entry="$sudo_user_name ALL=(ALL) NOPASSWD: ALL"
- if ! grep -q "$sudo_entry" $sudoers_file; then
- echo "" | sudo tee -a "$sudoers_file" > /dev/null
- echo "$sudo_entry" | sudo tee -a "$sudoers_file" > /dev/null
- sudo visudo -c > /dev/null
- isSuccessful "Added passwordless sudo entry for user $sudo_user_name."
+ # Manager-user sudo lives in a validated /etc/sudoers.d drop-in, not appended
+ # to /etc/sudoers — a malformed line in the main file locks out sudo entirely.
+ # The grant is broad for now; this single drop-in is what gets tightened to a
+ # scoped command allowlist once the runtime no longer needs broad root.
+ local sudoers_dropin="/etc/sudoers.d/${sudo_user_name}"
+ local sudoers_tmp
+ sudoers_tmp=$(mktemp)
+ printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$sudo_user_name" > "$sudoers_tmp"
+ if sudo visudo -cf "$sudoers_tmp" >/dev/null 2>&1; then
+ sudo install -m 0440 -o root -g root "$sudoers_tmp" "$sudoers_dropin"
+ isSuccessful "Configured passwordless sudo for $sudo_user_name (/etc/sudoers.d/${sudo_user_name})."
 else
- isSuccessful "Passwordless sudo entry already setup."
+ isError "Refusing to install an invalid sudoers drop-in for $sudo_user_name."
 fi
+ rm -f "$sudoers_tmp"
 }
 initFolders()
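Review bot: `sudoers_tmp=$(mktemp)` is unchecked, so when mktemp fails the variable is empty, the `printf … > "$sudoers_tmp"` redirect errors and `visudo -cf ""` fails, and the operator is told the drop-in was invalid when it was never generated; guard it with `sudoers_tmp=$(mktemp) || { isError "mktemp failed; cannot stage sudoers drop-in for $sudo_user_name."; return 1; }`. The `2>&1` on the visudo call also discards the one diagnostic that explains why validation failed — `sudo visudo -cf "$sudoers_tmp" >/dev/null` keeps the parse error visible while still hiding the "parsed OK" chatter. sudo ignores files under /etc/sudoers.d whose names contain a `.` or end in `~`, so if `sudo_user_name` ever carries a dot the drop-in is installed but silently never applied; worth validating the name (or using a fixed drop-in filename) before the `install`. If isError exits rather than returns, the trailing `rm -f "$sudoers_tmp"` is skipped on the failure path and the staged grant is left in the temp directory — a `trap` or an explicit `rm` before isError would cover it; confirm isError's behaviour. initUsers begins outside the hunk.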