refactor passwordless sudo script to make it a bit more clear
Showing
1 changed file
with
50 additions
and
34 deletions.
84 changes: 50 additions & 34 deletions
84
home/.chezmoiscripts/run_once_after_00-passwordless_sudo.sh.tmpl
@@ -1,41 +1,57 @@ | ||
{{ if eq (env "dev") "true" -}} | ||
{{ template "common" . -}} | ||
{{ if eq (env "dev") "true" }} | ||
{{ template "common" . }} | ||
|
||
if [[ ! "$LOGNAME" =~ ^[a-zA-Z0-9][a-zA-Z0-9_-]*$ ]]; then | ||
echo "Error: LOGNAME contains invalid characters." | ||
exit 1 | ||
fi | ||
if ! sudo -nv > /dev/null 2>&1 ;then | ||
echo "Please provide your sudo password:" | ||
sudo -v | ||
fi | ||
# Keep-alive: update existing sudo time stamp until the script has finished | ||
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null & | ||
# Do we need to ask for sudo password or is it already passwordless? | ||
if ! sudo grep -q 'NOPASSWD: ALL' /etc/sudoers.d/$LOGNAME > /dev/null 2>&1 ;then | ||
echo "no sudoer file" | ||
validate_logname() { | ||
if [[ ! "$LOGNAME" =~ ^[a-zA-Z0-9][a-zA-Z0-9_-]*$ ]]; then | ||
echo "Error: LOGNAME contains invalid characters." | ||
exit 1 | ||
fi | ||
} | ||
|
||
prompt_for_sudo_if_needed() { | ||
if ! sudo -nv > /dev/null 2>&1; then | ||
echo "Please provide your sudo password:" | ||
sudo -v | ||
fi | ||
# Keep-alive: update existing sudo time stamp until the script has finished | ||
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null & | ||
} | ||
|
||
bot "Enabling passwordless sudo can reduce security. Are you sure you want to proceed?" | ||
setup_passwordless_sudo() { | ||
# Determine sudoers.d directory based on OS | ||
local sudoers_d_dir="{{ if eq .osid "darwin" }}/private/etc/sudoers.d{{ else }}/etc/sudoers.d{{ end }}" | ||
local includedir_line="{{ if eq .osid "darwin" }}#includedir /private/etc/sudoers.d{{ else }}@includedir /etc/sudoers.d{{ end }}" | ||
|
||
answer=$(prompt "Make sudo passwordless?") | ||
# Check if NOPASSWD entry already exists for the user | ||
if ! sudo grep -q "NOPASSWD: ALL" "$sudoers_d_dir/$LOGNAME" > /dev/null 2>&1; then | ||
echo "No sudoer file found for passwordless operation." | ||
bot "Enabling passwordless sudo can reduce security. Are you sure you want to proceed?" | ||
answer=$(prompt "Make sudo passwordless? [y/N]") | ||
|
||
if [[ $answer =~ ^[Yy]$ ]];then | ||
{{ if eq .osid "darwin" -}} | ||
if ! sudo grep -q "#includedir /private/etc/sudoers.d" /etc/sudoers; then | ||
echo '#includedir /private/etc/sudoers.d' | sudo tee -a /etc/sudoers > /dev/null | ||
fi | ||
[ ! -d "/private/etc/sudoers.d" ] && sudo mkdir /private/etc/sudoers.d | ||
TMPFILE=$(mktemp) | ||
echo -e "Defaults:$LOGNAME !requiretty\n$LOGNAME ALL=(ALL) NOPASSWD: ALL" > "$TMPFILE" | ||
sudo visudo -cf "$TMPFILE" && sudo mv "$TMPFILE" /private/etc/sudoers.d/$LOGNAME || { echo "Error in sudoers file"; rm "$TMPFILE"; exit 1; } | ||
echo "You can now run sudo commands without password!" | ||
{{ else -}} | ||
if ! sudo grep -q "@includedir /etc/sudoers.d" /etc/sudoers; then | ||
echo '@includedir /etc/sudoers.d' | sudo tee -a /etc/sudoers > /dev/null | ||
if [[ $answer =~ ^[Yy]$ ]]; then | ||
# Ensure sudoers.d is included and directory exists | ||
if ! sudo grep -q "$includedir_line" /etc/sudoers; then | ||
echo "$includedir_line" | sudo tee -a /etc/sudoers > /dev/null | ||
fi | ||
[[ ! -d "$sudoers_d_dir" ]] && sudo mkdir -p "$sudoers_d_dir" | ||
|
||
# Add NOPASSWD entry for the user | ||
local tmpfile=$(mktemp) | ||
echo "Defaults:$LOGNAME !requiretty\n$LOGNAME ALL=(ALL) NOPASSWD: ALL" > "$tmpfile" | ||
if sudo visudo -cf "$tmpfile" && sudo mv "$tmpfile" "$sudoers_d_dir/$LOGNAME"; then | ||
echo "You can now run sudo commands without a password!" | ||
else | ||
echo "Error in sudoers file" | ||
rm "$tmpfile" | ||
exit 1 | ||
fi | ||
fi | ||
echo -e "Defaults:$LOGNAME !requiretty\n$LOGNAME ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/$LOGNAME | ||
echo "You can now run sudo commands without password!" | ||
{{ end -}} | ||
else | ||
echo "Passwordless sudo already configured for $LOGNAME." | ||
fi | ||
fi | ||
{{ end -}} | ||
|
||
validate_logname | ||
prompt_for_sudo_if_needed | ||
setup_passwordless_sudo | ||
{{ end }} |
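Review bot: The new line `echo "Defaults:$LOGNAME !requiretty\n$LOGNAME ALL=(ALL) NOPASSWD: ALL" > "$tmpfile"` dropped the `-e` the removed lines had, so under bash the `\n` is written literally and the fragment becomes one malformed line that `sudo visudo -cf` should reject, sending the script down its error path every time. The file also comes from `mktemp`, which creates it owned by the invoking user with mode 0600, and `sudo mv` preserves that; sudo requires entries in sudoers.d to be root-owned and mode 0440 and skips files that are not, so even a valid fragment would be silently ignored, a regression for the Linux path that previously wrote it through `sudo tee`. `local tmpfile=$(mktemp)` additionally masks a failed mktemp because `local` sets the exit status. Writing the fragment with printf and copying it with `install` addresses all three; on darwin the group would presumably need `-g wheel`, which should be confirmed on that platform.
```shell
# … unchanged: includedir check and mkdir -p …
local tmpfile
tmpfile=$(mktemp) || { echo "Error: mktemp failed"; exit 1; }
printf 'Defaults:%s !requiretty\n%s ALL=(ALL) NOPASSWD: ALL\n' "$LOGNAME" "$LOGNAME" > "$tmpfile"
if sudo visudo -cf "$tmpfile" && sudo install -m 0440 -o root "$tmpfile" "$sudoers_d_dir/$LOGNAME"; then
  rm -f -- "$tmpfile"
  echo "You can now run sudo commands without a password!"
# … unchanged: else branch (keep the rm of "$tmpfile" there too) …
```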