security(init): manage manager-user sudo via validated sudoers.d drop-in
init.sh appended 'libreportal ALL=(ALL) NOPASSWD: ALL' straight to /etc/sudoers — a malformed line there locks out sudo entirely. Move it to a validated /etc/sudoers.d/libreportal drop-in (visudo -cf before install, 0440 root:root). The grant is still broad; this is the single managed file we tighten to a scoped command allowlist once the runtime no longer needs broad root. Only runs at install, so existing boxes are untouched. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
812e09c044
commit
6a2ba02647
21
init.sh
21
init.sh
@ -690,16 +690,21 @@ initUsers()
|
|||||||
sudo systemctl restart docker
|
sudo systemctl restart docker
|
||||||
isSuccessful "User $sudo_user_name created successfully."
|
isSuccessful "User $sudo_user_name created successfully."
|
||||||
fi
|
fi
|
||||||
local sudoers_file="/etc/sudoers"
|
# Manager-user sudo lives in a validated /etc/sudoers.d drop-in, not appended
|
||||||
local sudo_entry="$sudo_user_name ALL=(ALL) NOPASSWD: ALL"
|
# to /etc/sudoers — a malformed line in the main file locks out sudo entirely.
|
||||||
if ! grep -q "$sudo_entry" $sudoers_file; then
|
# The grant is broad for now; this single drop-in is what gets tightened to a
|
||||||
echo "" | sudo tee -a "$sudoers_file" > /dev/null
|
# scoped command allowlist once the runtime no longer needs broad root.
|
||||||
echo "$sudo_entry" | sudo tee -a "$sudoers_file" > /dev/null
|
local sudoers_dropin="/etc/sudoers.d/${sudo_user_name}"
|
||||||
sudo visudo -c > /dev/null
|
local sudoers_tmp
|
||||||
isSuccessful "Added passwordless sudo entry for user $sudo_user_name."
|
sudoers_tmp=$(mktemp)
|
||||||
|
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$sudo_user_name" > "$sudoers_tmp"
|
||||||
|
if sudo visudo -cf "$sudoers_tmp" >/dev/null 2>&1; then
|
||||||
|
sudo install -m 0440 -o root -g root "$sudoers_tmp" "$sudoers_dropin"
|
||||||
|
isSuccessful "Configured passwordless sudo for $sudo_user_name (/etc/sudoers.d/${sudo_user_name})."
|
||||||
else
|
else
|
||||||
isSuccessful "Passwordless sudo entry already setup."
|
isError "Refusing to install an invalid sudoers drop-in for $sudo_user_name."
|
||||||
fi
|
fi
|
||||||
|
rm -f "$sudoers_tmp"
|
||||||
}
|
}
|
||||||
|
|
||||||
initFolders()
|
initFolders()
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user