librelad
14efcc579b Merge claude/2 2026-05-23 20:31:52 +01:00
librelad
9104c1770e chore: regen source arrays to include files_ssh.sh
The SSH-access feature's files_ssh.sh array was never registered in
files_source.sh, leaving it unsourced and blocking the deploy auto-merge.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:31:52 +01:00
librelad
6a2ba02647 security(init): manage manager-user sudo via validated sudoers.d drop-in
init.sh appended 'libreportal ALL=(ALL) NOPASSWD: ALL' straight to /etc/sudoers
— a malformed line there locks out sudo entirely. Move it to a validated
/etc/sudoers.d/libreportal drop-in (visudo -cf before install, 0440 root:root).
The grant is still broad; this is the single managed file we tighten to a
scoped command allowlist once the runtime no longer needs broad root. Only runs
at install, so existing boxes are untouched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:26:43 +01:00
2 changed files with 14 additions and 8 deletions

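--- a/init.sh
+++ b/init.sh
@@ -690,16 +690,21 @@ initUsers()
 sudo systemctl restart docker
 isSuccessful "User $sudo_user_name created successfully."
 fi
-local sudoers_file="/etc/sudoers"
-local sudo_entry="$sudo_user_name ALL=(ALL) NOPASSWD: ALL"
-if ! grep -q "$sudo_entry" $sudoers_file; then
-echo "" | sudo tee -a "$sudoers_file" > /dev/null
-echo "$sudo_entry" | sudo tee -a "$sudoers_file" > /dev/null
-sudo visudo -c > /dev/null
-isSuccessful "Added passwordless sudo entry for user $sudo_user_name."
+# Manager-user sudo lives in a validated /etc/sudoers.d drop-in, not appended
+# to /etc/sudoers — a malformed line in the main file locks out sudo entirely.
+# The grant is broad for now; this single drop-in is what gets tightened to a
+# scoped command allowlist once the runtime no longer needs broad root.
+local sudoers_dropin="/etc/sudoers.d/${sudo_user_name}"
+local sudoers_tmp
+sudoers_tmp=$(mktemp)
+printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$sudo_user_name" > "$sudoers_tmp"
+if sudo visudo -cf "$sudoers_tmp" >/dev/null 2>&1; then
+sudo install -m 0440 -o root -g root "$sudoers_tmp" "$sudoers_dropin"
+isSuccessful "Configured passwordless sudo for $sudo_user_name (/etc/sudoers.d/${sudo_user_name})."
 else
-isSuccessful "Passwordless sudo entry already setup."
+isError "Refusing to install an invalid sudoers drop-in for $sudo_user_name."
 fi
+rm -f "$sudoers_tmp"
 }
 
 initFolders()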
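Review bot: The drop-in path `/etc/sudoers.d/${sudo_user_name}` and the `printf` line use `$sudo_user_name` unchecked, and `visudo -cf` only proves the result parses: sudoers skips drop-in files whose name contains a `.` or ends in `~`, so a name like `john.doe` produces a file that is installed, reported as success, and never consulted, while a name containing whitespace or sudoers syntax (`ALL`, `%group`, a comma) still validates and grants to a different principal. Unless initUsers already constrains the name earlier (the function starts outside this hunk), guard it before `mktemp`: `[[ "$sudo_user_name" =~ ^[a-z_][a-z0-9_-]*$ ]] || { isError "Refusing to build a sudoers drop-in for user name '$sudo_user_name'."; return 1; }`. Two smaller points: `sudoers_tmp=$(mktemp)` is not checked, so on failure the redirect targets an empty path and the branch reaches the isError message for the wrong reason, and if isError only logs rather than exits, initUsers returns 0 after a refused install — consider `sudoers_tmp=$(mktemp) || return 1` and a `return 1` after the isError call.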

@ -24,6 +24,7 @@ source_scripts=(
"source/files/arrays/files_restore.sh" "source/files/arrays/files_restore.sh"
"source/files/arrays/files_setup.sh" "source/files/arrays/files_setup.sh"
"source/files/arrays/files_source.sh" "source/files/arrays/files_source.sh"
"source/files/arrays/files_ssh.sh"
"source/files/arrays/files_start.sh" "source/files/arrays/files_start.sh"
"source/files/arrays/files_update.sh" "source/files/arrays/files_update.sh"
"source/files/arrays/files_webui.sh" "source/files/arrays/files_webui.sh"