From e88d46ffeb9330f0e642a70c7d090f6e4e302c09 Mon Sep 17 00:00:00 2001 From: librelad Date: Tue, 2 Jun 2026 19:03:42 +0100 Subject: [PATCH] fix(os): skip apt OS-update step when running as the de-sudo manager MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit installDebianUbuntu ran apt (bare on line 14, via sudo on 17/20) during the startPreInstall pass. Under the hardened de-sudo model the runtime is the manager (libreportal, non-root) and the LP_SYSTEM sudoers allowlist scopes systemctl/ufw/sysctl/loginctl/service but NOT apt — so every apt call failed (exit 100, 'Updating System Operating system.'). Detect privilege once: run apt directly when root (the install-time path, which also bootstraps sudo on a bare box), and skip cleanly with a notice when we're the unprivileged manager. OS/security updates are a host / install-time concern there, deliberately kept out of the manager's reach. Also routes the trailing sysctl mkdir/touch through the same prefix. Co-Authored-By: Claude Opus 4.8 --- scripts/os/install/ubuntu.sh | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/scripts/os/install/ubuntu.sh b/scripts/os/install/ubuntu.sh index 5de8c05..7b24420 100755 --- a/scripts/os/install/ubuntu.sh +++ b/scripts/os/install/ubuntu.sh @@ -3,26 +3,44 @@ installDebianUbuntu() { if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then + # OS package management needs real root. A root install runs apt directly + # (and bootstraps sudo itself on a bare box); the hardened de-sudo manager + # is deliberately NOT granted `sudo apt` — the LP_SYSTEM sudoers allowlist + # scopes systemctl/ufw/sysctl/loginctl/service, never apt. So at manager + # runtime skip cleanly instead of logging apt permission failures (exit + # 100) on every preinstall pass; OS/security updates are a host / + # install-time concern there. `priv` is the privilege prefix: empty when + # we're already root, "sudo" only where sudo-apt is actually permitted. + local priv="" + if [[ $EUID -ne 0 ]]; then + if sudo -n apt-get --version >/dev/null 2>&1; then + priv="sudo" + else + isNotice "OS package updates need root and aren't permitted for the manager — skipping (handled at install time / by the host)." + return 0 + fi + fi + if checkIfOSUpdateShouldRun; then installed_apps="apt install curl dialog pv wget git zip htop sqlite3 pv sshpass rsync acl apache2-utils inotify-tools jq p7zip*" - + isNotice "Installing System Updates... this may take a while." if [[ "$OS_TYPE" == "Debian" ]]; then export DEBIAN_FRONTEND="noninteractive" fi - local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1) + local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv apt install sudo -yqq 2>&1 && $priv apt-get autoclean 2>&1) checkSuccess "Updating System Operating system." - local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq 2>&1) + local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv apt update -qq 2>&1) checkSuccess "Running application update" - - local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1) + + local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv $installed_apps -yqq 2>&1) checkSuccess "Installing system applications" else isNotice "System Updates already ran within the last ${CFG_UPDATER_CHECK} minutes, skipping..." fi - sudo mkdir -p "$(dirname "$sysctl")" - sudo touch $sysctl + $priv mkdir -p "$(dirname "$sysctl")" + $priv touch $sysctl fi }