LibrePortal/scripts/install/manager/install_user_manager.sh
librelad 014d8e5fcc refactor(de-sudo): funnel genuine system commands through runSystem
Foundation for a scoped sudoers: route every genuine system-admin command
(systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/
service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo
across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical
in every mode (safe on live installs) — it just collects all real-root use at
one chokepoint that will define the eventual /etc/sudoers.d allowlist.

Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin
types sudo, not runSystem), and give crontab_check_processor.sh the same
startup bootstrap as the task processor — it runs standalone via cron and
already used runFileOp/runFileWrite (undefined there), so it was silently
broken; now it sources the helpers + docker-type config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 15:21:53 +01:00


#!/bin/bash
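#######################################
# Creates the restricted docker-manager account when the config enables it.
# Runs only on Ubuntu/Debian and only if the account does not exist yet:
# creates the user, sets its login password, generates an ed25519 key in the
# user's ~/.ssh, writes a ServerAliveInterval client setting, appends a
# marker-guarded "Match User" SFTP block to sshd_config and reloads ssh.
# Globals:   CFG_DOCKER_MANAGER_ENABLED, CFG_DOCKER_MANAGER_USER,
#            CFG_DOCKER_MANAGER_PASS, CFG_INSTALL_NAME, OS_TYPE (read);
#            sshd_config, docker_install_user (read — set outside this file);
#            config_file (written, not local)
# Arguments: none
# Outputs:   progress reporting via isHeader/isNotice/checkSuccess/isSuccessful
# Returns:   status of the last statement executed (not set explicitly)
#######################################
installDockerManagerUser()
{
  [[ "$CFG_DOCKER_MANAGER_ENABLED" == "true" ]] || return 0
  [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]] || return 0
  if userExists "$CFG_DOCKER_MANAGER_USER"; then
    return 0
  fi

  isHeader "Installing $CFG_DOCKER_MANAGER_USER"
  isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."

  local home_dir="/home/$CFG_DOCKER_MANAGER_USER"
  local ssh_dir="$home_dir/.ssh"
  # Declared separately from the assignments below: 'local result=$(cmd)'
  # returns the status of 'local' (always 0), which hid every command failure
  # from the checkSuccess call that follows it.
  local result

  # Create the User Account
  result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
  checkSuccess "Adding user via useradd command"
  # Password travels on stdin, not argv, so it is not visible in ps output.
  result=$(printf '%s:%s\n' "$CFG_DOCKER_MANAGER_USER" "$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
  checkSuccess "Setting up login password"
  result=$(sudo -u "$CFG_DOCKER_MANAGER_USER" mkdir -p "$ssh_dir/")
  checkSuccess "Creating $ssh_dir folder"
  # ed25519 keys have a fixed length; the former '-b 4096' was ignored by
  # ssh-keygen and is dropped.
  # NOTE(review): the key is protected with the fixed, publicly known
  # passphrase "passphrase", which adds no real protection — decide whether an
  # empty or config-supplied passphrase is intended before relying on it.
  result=$(sudo -u "$CFG_DOCKER_MANAGER_USER" ssh-keygen -t ed25519 -f "$ssh_dir/ssh_key_${CFG_INSTALL_NAME}_${CFG_DOCKER_MANAGER_USER}" -N "passphrase")
  checkSuccess "Setting up SSH-Keygen in $ssh_dir"

  # SSH client configuration for the new user
  config_file="$ssh_dir/config"
  if [[ -f "$config_file" ]]; then
    isNotice "The config file already exists. Updating the existing file..."
  else
    # NOTE(review): $docker_install_user is not defined in this function and is
    # passed unquoted as it was; presumably the owner for createTouch — confirm
    # it is the intended owner for a file inside the manager user's ~/.ssh.
    result=$(createTouch "$config_file" $docker_install_user)
    checkSuccess "Creating config file"
    result=$(sudo chmod 600 "$config_file")
    checkSuccess "Changing permissions to config file"
  fi

  # Add the ServerAliveInterval option to the config file, only once.
  if sudo grep -q "ServerAliveInterval" "$config_file"; then
    isNotice "ServerAliveInterval is already configured in the config file."
  else
    result=$(printf 'Host *\n ServerAliveInterval 60\n' | sudo tee -a "$config_file" >/dev/null)
    checkSuccess "Adding ServerAliveInterval to the config file."
  fi

  # 'source' inside $(...) runs in a subshell, so this cannot alter the calling
  # shell's environment; kept for its status message.
  result=$(source ~/.bashrc)
  checkSuccess "Reloading .bashrc"

  # NOTE(review): $sshd_config is expected to be set by the caller; if it were
  # empty, grep would read stdin and the append below would go nowhere.
  # Marker-guard the append (matching the rootless .bashrc pattern)
  # so a re-run or a user delete+recreate can't duplicate the block.
  if sudo grep -q "### LibrePortal Manager User Start" "$sshd_config"; then
    isNotice "Manager-user SSH server config already present — skipping."
  else
    # The here-doc is expanded in this shell and piped to tee, so config values
    # are no longer interpolated into a 'sudo bash -c' script string.
    # NOTE(review): sshd requires ChrootDirectory and all its parent components
    # to be root-owned and not group/world-writable; a home created by
    # 'useradd -m' is owned by the user, so verify $home_dir's ownership and
    # mode or SFTP logins matching this block will be refused.
    sudo tee -a "$sshd_config" >/dev/null <<EOL
### LibrePortal Manager User Start
Match User $CFG_DOCKER_MANAGER_USER
ChrootDirectory $home_dir/
ForceCommand internal-sftp -d $home_dir/
X11Forwarding no
AllowTcpForwarding no
PubkeyAuthentication yes
PasswordAuthentication yes
### LibrePortal Manager User End
EOL
    checkSuccess "Updating SSH Server Configuration for the Manager User."
    # Reload SSH Service
    result=$(runSystem service ssh reload)
    checkSuccess "Reloading SSH Service"
  fi

  isSuccessful "User '$CFG_DOCKER_MANAGER_USER' with restricted SFTP access to '$home_dir' has been set up."
}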