librelad d17e8814d0 feat(desudo): root-owned DNS + host-SSH-access helpers
Two more runtime root file-primitive subsystems moved behind self-
validating root-owned helpers so the scoped sudoers needn't grant blanket
sudo sed/tee/cp on /etc (which is root-equivalent — sudo arg wildcards
match across '/', so even path-scoped entries are bypassable):

- scripts/system/libreportal-dns: {clear|add <ip>} — edits /etc/resolv.conf
  only, validates the IP argument
- scripts/system/libreportal-ssh-access: authorized_keys + sshd
  PasswordAuthentication management, with the lockout guards moved INTO the
  helper (the trust boundary) so a compromised manager can't bypass them
- run_privileged: _runRootHelper dispatcher + runResolv / runSshAccess
  (runOwnership now uses it too)
- init.sh: initRootHelpers installs all three helpers root:root 0755 with
  the manager name baked in
- setup_dns -> runResolv (+ ping de-sudo'd, works unprivileged); host_access
  + webui_ssh_access -> runSshAccess

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 18:21:46 +01:00

#!/bin/bash
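# Rewrite the host's resolver configuration through the root-owned runResolv
# helper and keep WireGuard's WG_DEFAULT_DNS in step with it.
#
# Arguments:
#   $1 - app name; its directory under $containers_dir holds the compose file
#        that is edited, and its variables are re-initialised when $2 is
#        "install"
#   $2 - flag: "standalonewireguard" skips resolver detection and writes the
#        two configured upstream servers; "install" re-runs
#        initializeAppVariables for $1 at the end
# Globals read:    OS_TYPE, CFG_DNS_SERVER_1, CFG_DNS_SERVER_2, and
#                  containers_dir / compose_setup / dns_ip_setup as set by
#                  initializeAppVariables and setupDNSIP
# Globals written: result (last command output, as the rest of the file does)
# Only Ubuntu and Debian hosts are touched; on any other OS_TYPE this is a no-op.
#
# Every write to /etc/resolv.conf goes through runResolv (clear | add <ip>), so
# the value is validated by the root helper; the only privileged write made
# directly from here is the sed on the compose file, which is guarded below.
updateDNS()
{
  local app_name="$1"
  local flag="$2"

  if [[ "$OS_TYPE" != "Ubuntu" && "$OS_TYPE" != "Debian" ]]; then
    return 0
  fi

  # Drop every nameserver line from resolv.conf via the root helper.
  dnsRemoveNameservers()
  {
    result=$(runResolv clear)
    checkSuccess "Removing all instances of Nameserver from Resolv.conf"
  }

  # Send one ICMP echo to $1, report the outcome, and return ping's status.
  # ping runs unprivileged here; it no longer goes through sudo.
  dnsProbe()
  {
    local target="$1"
    if result=$(ping -c 1 "$target"); then
      isSuccessful "Ping to $target was successful."
      return 0
    fi
    isNotice "Ping to $target failed."
    return 1
  }

  # Refuse values that would break or escape the sed replacement in
  # dnsUpdateWireguardCompose: '/' terminates the s/// expression, '&' and '\'
  # are special in the replacement text, and a newline would smuggle a second
  # line into the compose file. Any real IPv4/IPv6 literal passes; an empty
  # value is rejected because it would leave WG_DEFAULT_DNS blank.
  dnsIsSedSafe()
  {
    case "$1" in
      ""|*/*|*'&'*|*\\*|*$'\n'*) return 1 ;;
    esac
    return 0
  }

  # Set WG_DEFAULT_DNS to $2 in the compose file under $containers_dir$app_name.
  # $1 is the app whose variables are initialised first (that call is what
  # sets compose_setup / containers_dir). The original code passed "wireguard"
  # for two call sites and "$app_name" for the Pi-hole one; that difference is
  # preserved — NOTE(review): confirm which is intended. No-op unless the
  # wireguard container is installed.
  dnsUpdateWireguardCompose()
  {
    local init_app="$1"
    local dns_ip="$2"
    local status compose_file

    status=$(dockerCheckAppInstalled "wireguard" "docker")
    if [ "$status" != "installed" ]; then
      return 0
    fi
    if ! dnsIsSedSafe "$dns_ip"; then
      isNotice "Refusing to write WG_DEFAULT_DNS: unsafe value '$dns_ip'."
      return 1
    fi

    initializeAppVariables "$init_app"
    if [[ $compose_setup == "default" ]]; then
      compose_file="docker-compose.yml"
    elif [[ $compose_setup == "app" ]]; then
      compose_file="docker-compose.$app_name.yml"
    fi
    # For an unknown compose_setup compose_file stays empty, sed then targets
    # the app directory and checkSuccess reports the failure, as before.
    result=$(runFileOp sed -i "s/\(WG_DEFAULT_DNS=\).*/\1$dns_ip/" "$containers_dir$app_name/$compose_file")
    checkSuccess "Updated Wireguard default DNS to $dns_ip"
  }

  if [[ "$flag" == "standalonewireguard" ]]; then
    # No local resolver: write the two configured upstream servers.
    dnsRemoveNameservers
    runResolv add "$CFG_DNS_SERVER_1"
    runResolv add "$CFG_DNS_SERVER_2"
  else
    local status adguard_ip pihole_ip

    # AdGuard: use the container's address if it answers, else upstream server 1.
    status=$(dockerCheckAppInstalled "adguard" "docker")
    if [ "$status" == "installed" ]; then
      setupDNSIP adguard
      adguard_ip="$dns_ip_setup"
      if ! dnsProbe "$adguard_ip"; then
        isNotice "Defaulting to DNS 1 Server $CFG_DNS_SERVER_1."
        adguard_ip="$CFG_DNS_SERVER_1"
        # NOTE(review): the original comment said "Fallback to Quad9", but the
        # value assigned is CFG_DNS_SERVER_1 again, so this inner fallback is a
        # no-op; kept as-is until the intended address is known.
        if ! dnsProbe "$adguard_ip"; then
          isNotice "Defaulting to DNS Server 1"
          adguard_ip="$CFG_DNS_SERVER_1"
        fi
      fi
    else
      adguard_ip="$CFG_DNS_SERVER_1"
      # Same no-op fallback as above: the address does not change on failure.
      if ! dnsProbe "$adguard_ip"; then
        isNotice "Defaulting to DNS Server 1"
        adguard_ip="$CFG_DNS_SERVER_1"
      fi
    fi

    # Pi-hole: same pattern against upstream server 2.
    status=$(dockerCheckAppInstalled "pihole" "docker")
    if [ "$status" == "installed" ]; then
      setupDNSIP pihole
      pihole_ip="$dns_ip_setup"
      if ! dnsProbe "$pihole_ip"; then
        isNotice "Defaulting to DNS 2 Server $CFG_DNS_SERVER_2."
        pihole_ip="$CFG_DNS_SERVER_2"
        # NOTE(review): no-op fallback, see the AdGuard branch.
        if ! dnsProbe "$pihole_ip"; then
          isNotice "Defaulting to DNS Server 2"
          pihole_ip="$CFG_DNS_SERVER_2"
        fi
      fi
    else
      pihole_ip="$CFG_DNS_SERVER_2"
      # The probe was missing here: the old code tested $? of the assignment
      # above, which is always 0, and so always reported a successful ping.
      if ! dnsProbe "$pihole_ip"; then
        isNotice "Defaulting to DNS Server 2"
        pihole_ip="$CFG_DNS_SERVER_2"
      fi
    fi

    # Whichever resolver sits on the 10.100.0.x docker network becomes the
    # primary nameserver and is pushed into WireGuard's compose file.
    if [[ "$adguard_ip" == *10.100.0* ]]; then
      dnsUpdateWireguardCompose wireguard "$adguard_ip"
      dnsRemoveNameservers
      runResolv add "$adguard_ip"
      runResolv add "$pihole_ip"
    elif [[ "$pihole_ip" == *10.100.0* ]]; then
      dnsUpdateWireguardCompose "$app_name" "$pihole_ip"
      dnsRemoveNameservers
      runResolv add "$pihole_ip"
      runResolv add "$adguard_ip"
    else
      dnsUpdateWireguardCompose wireguard "$adguard_ip"
      dnsRemoveNameservers
      runResolv add "$adguard_ip"
      runResolv add "$pihole_ip"
    fi

    if [ "$flag" == "install" ]; then
      initializeAppVariables "$app_name"
    fi
    isSuccessful "Resolv.conf has been updated with the latest DNS settings."
  fi
}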