Two more runtime root file-primitive subsystems moved behind self-
validating root-owned helpers so the scoped sudoers needn't grant blanket
sudo sed/tee/cp on /etc (which is root-equivalent — sudo arg wildcards
match across '/', so even path-scoped entries are bypassable):
- scripts/system/libreportal-dns: {clear|add <ip>} — edits /etc/resolv.conf
only, validates the IP argument
- scripts/system/libreportal-ssh-access: authorized_keys + sshd
PasswordAuthentication management, with the lockout guards moved INTO the
helper (the trust boundary) so a compromised manager can't bypass them
- run_privileged: _runRootHelper dispatcher + runResolv / runSshAccess
(runOwnership now uses it too)
- init.sh: initRootHelpers installs all three helpers root:root 0755 with
the manager name baked in
- setup_dns -> runResolv (+ ping de-sudo'd, works unprivileged); host_access
+ webui_ssh_access -> runSshAccess
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
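#######################################
# Point the host at the deployed resolvers (AdGuard / Pi-hole) or, for a
# standalone WireGuard install, at the configured CFG_DNS_SERVER_1/2.
#
# /etc/resolv.conf is only ever touched through the root-owned helper
# (runResolv), which is the trust boundary and validates the IP it is
# handed; nothing in here runs sed/tee/cp against /etc directly.
#
# Globals:   OS_TYPE, CFG_DNS_SERVER_1, CFG_DNS_SERVER_2 (read)
#            dns_ip_setup (written by setupDNSIP), compose_setup,
#            containers_dir (written by initializeAppVariables)
#            result, dns_probe_result (written)
# Arguments: $1 - app name being set up (used for compose_setup=app files)
#            $2 - flag: "standalonewireguard", "install" or anything else
# Returns:   nothing callers rely on; progress is reported through
#            isSuccessful / isNotice / checkSuccess
#######################################
updateDNS()
{
  local app_name="$1"
  local flag="$2"

  # Only Debian-family hosts are handled; anything else is a no-op, as before.
  if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then

    # Strip every nameserver line via the root helper -- the only thing
    # allowed to write /etc/resolv.conf.
    dnsRemoveNameservers()
    {
      result=$(runResolv clear)
      checkSuccess "Removing all instances of Nameserver from Resolv.conf"
    }

    # Accept only IPv4/IPv6-looking tokens. The value comes from docker
    # inspect (setupDNSIP) or from config and is interpolated into a sed
    # replacement below, where '/', '&', '\' or a newline would corrupt the
    # compose file or rewrite the wrong line. runResolv does its own check.
    dnsLooksLikeIP()
    {
      [[ "$1" =~ ^[0-9A-Fa-f:.]+$ ]]
    }

    # Probe $1 with a single ping; on failure fall back to $2 and say so.
    # The chosen address is left in dns_probe_result (the log helpers write
    # to stdout, so it cannot be returned via $(...)). The fallback itself
    # is pinged only to log its state -- there is nothing further to fall
    # back to, so the former "re-probe then default to the same server"
    # step was a no-op and is reduced to the log line.
    # Arguments: $1 candidate, $2 fallback, $3 label used in the notice
    dnsProbeServer()
    {
      local candidate="$1"
      local fallback="$2"
      local label="$3"

      dns_probe_result="$candidate"
      # -W 3: do not hang for the iputils default (10 s) when the resolver is down.
      if ping -c 1 -W 3 "$candidate" >/dev/null 2>&1; then
        isSuccessful "Ping to $candidate was successful."
        return 0
      fi
      isNotice "Ping to $candidate failed."
      isNotice "Defaulting to $label $fallback."
      dns_probe_result="$fallback"
      if [[ "$fallback" != "$candidate" ]]; then
        if ping -c 1 -W 3 "$fallback" >/dev/null 2>&1; then
          isSuccessful "Ping to $fallback was successful."
        else
          isNotice "Ping to $fallback failed."
        fi
      fi
    }

    # Rewrite WG_DEFAULT_DNS in the WireGuard compose file to $1 when
    # WireGuard is installed; otherwise do nothing.
    dnsUpdateWireguard()
    {
      local wg_dns="$1"
      local wg_status
      wg_status=$(dockerCheckAppInstalled "wireguard" "docker")
      [[ "$wg_status" == "installed" ]] || return 0

      # NOTE(review): the original pihole-first branch passed "$app_name"
      # here while the other two passed "wireguard"; normalised to
      # "wireguard" because the file being edited is WireGuard's. Confirm
      # that initializeAppVariables is what sets compose_setup /
      # containers_dir for it.
      initializeAppVariables wireguard;

      local compose_file=""
      case "$compose_setup" in
        default) compose_file="docker-compose.yml" ;;
        app)     compose_file="docker-compose.$app_name.yml" ;;
      esac
      if [[ -z "$compose_file" ]]; then
        isNotice "Unknown compose_setup '$compose_setup'; WireGuard DNS not updated."
        return 1
      fi
      if ! dnsLooksLikeIP "$wg_dns"; then
        isNotice "Refusing to write '$wg_dns' to $compose_file: not an IP address."
        return 1
      fi

      # Path kept as in the original ($containers_dir$app_name/...). Whether
      # app_name is rewritten by initializeAppVariables above is not visible
      # from here -- TODO confirm this resolves to the WireGuard directory.
      result=$(runFileOp sed -i "s/\(WG_DEFAULT_DNS=\).*/\1$wg_dns/" "$containers_dir$app_name/$compose_file")
      checkSuccess "Updated Wireguard default DNS to $wg_dns"
    }

    if [[ "$flag" == "standalonewireguard" ]]; then
      dnsRemoveNameservers;
      runResolv add "$CFG_DNS_SERVER_1"
      runResolv add "$CFG_DNS_SERVER_2"
    else
      local adguard_ip pihole_ip app_status

      # First resolver: AdGuard's container IP if deployed, else DNS 1.
      app_status=$(dockerCheckAppInstalled "adguard" "docker")
      if [[ "$app_status" == "installed" ]]; then
        setupDNSIP adguard;
        dnsProbeServer "$dns_ip_setup" "$CFG_DNS_SERVER_1" "DNS 1 Server"
      else
        dnsProbeServer "$CFG_DNS_SERVER_1" "$CFG_DNS_SERVER_1" "DNS 1 Server"
      fi
      adguard_ip="$dns_probe_result"

      # Second resolver: Pi-hole's container IP if deployed, else DNS 2.
      # (The not-installed case used to report a successful ping without
      # ever pinging: its $? was the preceding assignment's status.)
      app_status=$(dockerCheckAppInstalled "pihole" "docker")
      if [[ "$app_status" == "installed" ]]; then
        setupDNSIP pihole;
        dnsProbeServer "$dns_ip_setup" "$CFG_DNS_SERVER_2" "DNS 2 Server"
      else
        dnsProbeServer "$CFG_DNS_SERVER_2" "$CFG_DNS_SERVER_2" "DNS 2 Server"
      fi
      pihole_ip="$dns_probe_result"

      # Whichever resolver sits on the docker network (10.100.0.x) leads: it
      # becomes nameserver #1 and WireGuard's default DNS. AdGuard wins ties,
      # as before.
      local primary="$adguard_ip"
      local secondary="$pihole_ip"
      if [[ "$adguard_ip" != *10.100.0* && "$pihole_ip" == *10.100.0* ]]; then
        primary="$pihole_ip"
        secondary="$adguard_ip"
      fi

      dnsUpdateWireguard "$primary"
      dnsRemoveNameservers;
      runResolv add "$primary"
      runResolv add "$secondary"

      # Presumably re-selects the app being installed after the WireGuard
      # re-init above -- confirm against initializeAppVariables.
      if [[ "$flag" == "install" ]]; then
        initializeAppVariables "$app_name";
      fi
      isSuccessful "Resolv.conf has been updated with the latest DNS settings."
    fi
  fi
}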