Foundation for a scoped sudoers: route every genuine system-admin command (systemctl/ufw/ufw-docker/nft/apt/apt-get/pacman/sysctl/useradd/usermod/service/wg/wg-quick/cscli/loginctl) through runSystem instead of raw sudo across 28 active scripts. runSystem is 'sudo "$@"' so this is byte-identical in every mode (safe on live installs) — it just collects all real-root use at one chokepoint that will define the eventual /etc/sudoers.d allowlist. Also: revert a crowdsec advice message the sweep wrongly rewrote (the admin types sudo, not runSystem), and give crontab_check_processor.sh the same startup bootstrap as the task processor — it runs standalone via cron and already used runFileOp/runFileWrite (undefined there), so it was silently broken; now it sources the helpers + docker-type config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
installDockerManagerUser()
{
if [[ "$CFG_DOCKER_MANAGER_ENABLED" == "true" ]]; then
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
if ! userExists "$CFG_DOCKER_MANAGER_USER"; then
isHeader "Installing $CFG_DOCKER_MANAGER_USER"
isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."
# Create the User Account
local result=$(runSystem useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
checkSuccess "Adding user via useradd command"
local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
checkSuccess "Setting up login password"
local result=$(sudo -u "$CFG_DOCKER_MANAGER_USER" mkdir -p /home/$CFG_DOCKER_MANAGER_USER/.ssh/)
checkSuccess "Creating /home/$CFG_DOCKER_MANAGER_USER/.ssh folder"
local result=$(sudo -u "$CFG_DOCKER_MANAGER_USER" ssh-keygen -t ed25519 -b 4096 -f "/home/$CFG_DOCKER_MANAGER_USER/.ssh/ssh_key_${CFG_INSTALL_NAME}_${CFG_DOCKER_MANAGER_USER}" -N "passphrase")
checkSuccess "Setting up SSH-Keygen in /home/$CFG_DOCKER_MANAGER_USER/.ssh"
# SSH configuration directory
config_file="/home/$CFG_DOCKER_MANAGER_USER/.ssh/config"
# Check if the config file already exists
if [ -f "$config_file" ]; then
isNotice "The config file already exists. Updating the existing file..."
else
local result=$(createTouch "$config_file" $docker_install_user)
checkSuccess "Creating config file"
local result=$(sudo chmod 600 "$config_file")
checkSuccess "Changing permissions to config file"
fi
# Add the ServerAliveInterval option to the config file
if sudo grep -q "ServerAliveInterval" "$config_file"; then
isNotice "ServerAliveInterval is already configured in the config file."
else
local result=$(echo -e "Host *\n ServerAliveInterval 60" | sudo tee -a "$config_file" >/dev/null)
checkSuccess "Adding ServerAliveInterval to the config file."
fi
local result=$(source ~/.bashrc)
checkSuccess "Reloading .bashrc"
# Marker-guard the append (matching the rootless .bashrc pattern)
# so a re-run or a user delete+recreate can't duplicate the block.
if sudo grep -q "### LibrePortal Manager User Start" "$sshd_config"; then
isNotice "Manager-user SSH server config already present — skipping."
else
local result=$(sudo bash -c "cat >> $sshd_config <<EOL
### LibrePortal Manager User Start
Match User $CFG_DOCKER_MANAGER_USER
ChrootDirectory /home/$CFG_DOCKER_MANAGER_USER/
ForceCommand internal-sftp -d /home/$CFG_DOCKER_MANAGER_USER/
X11Forwarding no
AllowTcpForwarding no
PubkeyAuthentication yes
PasswordAuthentication yes
### LibrePortal Manager User End
EOL")
checkSuccess "Updating SSH Server Configuration for the Manager User."
# Reload SSH Service
local result=$(runSystem service ssh reload)
checkSuccess "Reloading SSH Service"
fi
isSuccessful "User '$CFG_DOCKER_MANAGER_USER' with restricted SFTP access to '/home/$CFG_DOCKER_MANAGER_USER' has been set up."
fi
fi
fi
} |
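Review bot: The sshd Match block is still appended through `sudo bash -c "cat >> $sshd_config <<EOL …"` with `$CFG_DOCKER_MANAGER_USER` and `$sshd_config` expanded into the command string, which is the one form a scoped sudoers allowlist cannot express (permitting `bash -c` as root permits everything) and which also lets any shell metacharacters in those config values run as root; the same append with no shell involved is `local result=$(sudo tee -a "$sshd_config" >/dev/null <<EOL` with the heredoc body unchanged and the closing line reduced to `EOL`, matching the `sudo tee -a` pattern this function already uses for the ServerAliveInterval line. The remaining raw `sudo chpasswd`, `sudo -u … mkdir`, `sudo -u … ssh-keygen`, `sudo chmod`, `sudo grep` and `sudo tee` calls in this function are also real-root use the eventual allowlist will have to cover, so I assume leaving them outside runSystem is deliberate for this sweep. The key generated with `-N "passphrase"` is protected by a fixed string that is visible in the repository, so the passphrase adds nothing beyond the file permissions and should be empty or supplied from configuration; `-b 4096` is ignored for ed25519 and can be dropped. `local result=$(source ~/.bashrc)` sources into a throwaway subshell, so it changes nothing in the running script and the following checkSuccess reports a result that was never tested. `$sshd_config` and `$docker_install_user` are not set anywhere in this function, so presumably they are globals from the sourced helpers — worth confirming, since an empty `$docker_install_user` silently changes what createTouch receives.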