fix(os): skip apt OS-update step when running as the de-sudo manager
installDebianUbuntu ran apt (bare on line 14, via sudo on 17/20) during the startPreInstall pass. Under the hardened de-sudo model the runtime is the manager (libreportal, non-root) and the LP_SYSTEM sudoers allowlist scopes systemctl/ufw/sysctl/loginctl/service but NOT apt — so every apt call failed (exit 100, 'Updating System Operating system.'). Detect privilege once: run apt directly when root (the install-time path, which also bootstraps sudo on a bare box), and skip cleanly with a notice when we're the unprivileged manager. OS/security updates are a host / install-time concern there, deliberately kept out of the manager's reach. Also routes the trailing sysctl mkdir/touch through the same prefix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent
e959468173
commit
e88d46ffeb
@ -3,6 +3,24 @@
|
||||
installDebianUbuntu()
|
||||
{
|
||||
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
|
||||
# OS package management needs real root. A root install runs apt directly
|
||||
# (and bootstraps sudo itself on a bare box); the hardened de-sudo manager
|
||||
# is deliberately NOT granted `sudo apt` — the LP_SYSTEM sudoers allowlist
|
||||
# scopes systemctl/ufw/sysctl/loginctl/service, never apt. So at manager
|
||||
# runtime skip cleanly instead of logging apt permission failures (exit
|
||||
# 100) on every preinstall pass; OS/security updates are a host /
|
||||
# install-time concern there. `priv` is the privilege prefix: empty when
|
||||
# we're already root, "sudo" only where sudo-apt is actually permitted.
|
||||
local priv=""
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
if sudo -n apt-get --version >/dev/null 2>&1; then
|
||||
priv="sudo"
|
||||
else
|
||||
isNotice "OS package updates need root and aren't permitted for the manager — skipping (handled at install time / by the host)."
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
if checkIfOSUpdateShouldRun; then
|
||||
installed_apps="apt install curl dialog pv wget git zip htop sqlite3 pv sshpass rsync acl apache2-utils inotify-tools jq p7zip*"
|
||||
|
||||
@ -11,18 +29,18 @@ installDebianUbuntu()
|
||||
export DEBIAN_FRONTEND="noninteractive"
|
||||
fi
|
||||
|
||||
local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt install sudo -yqq 2>&1 && apt-get autoclean 2>&1)
|
||||
local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv apt update -qq 2>&1 && DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv apt install sudo -yqq 2>&1 && $priv apt-get autoclean 2>&1)
|
||||
checkSuccess "Updating System Operating system."
|
||||
|
||||
local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 runSystem apt update -qq 2>&1)
|
||||
local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv apt update -qq 2>&1)
|
||||
checkSuccess "Running application update"
|
||||
|
||||
local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 sudo $installed_apps -yqq 2>&1)
|
||||
local result; result=$(DEBIAN_FRONTEND=noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 $priv $installed_apps -yqq 2>&1)
|
||||
checkSuccess "Installing system applications"
|
||||
else
|
||||
isNotice "System Updates already ran within the last ${CFG_UPDATER_CHECK} minutes, skipping..."
|
||||
fi
|
||||
sudo mkdir -p "$(dirname "$sysctl")"
|
||||
sudo touch $sysctl
|
||||
$priv mkdir -p "$(dirname "$sysctl")"
|
||||
$priv touch $sysctl
|
||||
fi
|
||||
}
|
||||
|
||||
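Review bot: The probe `sudo -n apt-get --version` tests a different command than the ones later run through `$priv` (`apt update`, `apt install …`, `apt-get autoclean`), and a sudoers allowlist scoped by command path or arguments can permit one and deny the other, so `priv="sudo"` may be set where `sudo apt` still fails, or the step skipped where it would have worked. Asking the policy about the command actually used, something like `if sudo -n -l apt update >/dev/null 2>&1; then`, would match the real calls and avoids executing a binary as root only to probe. The same `priv` is then reused for `mkdir -p`/`touch` on `$sysctl`, which the apt probe says nothing about, and because of the early `return 0` the unprivileged manager never reaches those two lines; if that is intended, a short comment next to them should say so. The new `$priv touch $sysctl` should also quote the path as the `mkdir` line does: `$priv touch "$sysctl"`.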