librelad 014d8e5fcc refactor(de-sudo): funnel genuine system commands through runSystem
Foundation for a scoped sudoers: route every genuine system-admin command
(systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/
service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo
across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical
in every mode (safe on live installs) — it just collects all real-root use at
one chokepoint that will define the eventual /etc/sudoers.d allowlist.

Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin
types sudo, not runSystem), and give crontab_check_processor.sh the same
startup bootstrap as the task processor — it runs standalone via cron and
already used runFileOp/runFileWrite (undefined there), so it was silently
broken; now it sources the helpers + docker-type config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 15:21:53 +01:00

21 lines
956 B
Bash
Executable File

#!/bin/bash
installDockerRootlessUser()
{
if [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
if id "$CFG_DOCKER_INSTALL_USER" &>/dev/null; then
isSuccessful "User $CFG_DOCKER_INSTALL_USER already exists."
else
# Create the rootless docker user. The login name (last arg) was
# missing, so useradd failed silently — masked by local result=$(...)
# — and the user never existed, breaking the whole rootless setup.
# -m makes its home; with SUB_UID/GID configured in login.defs,
# useradd also assigns its subordinate uid/gid ranges (needed for
# rootless). Run unmasked so checkSuccess sees real failures.
runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
updateDockerInstallPassword;
fi
fi
}