From 1f538d4a7771bc1012c862ee324c5290a7c02c46 Mon Sep 17 00:00:00 2001
From: billz
Date: Fri, 20 Mar 2020 09:55:49 +0000
Subject: [PATCH] Externalized sudoers, - superfluous code from patch_system_files
---
 installers/common.sh | 70 +++------------------------------------------
 1 file changed, 4 insertions(+), 66 deletions(-)
diff --git a/installers/common.sh b/installers/common.sh
index e1a490bf..134a264f 100755
--- a/installers/common.sh
+++ b/installers/common.sh
@@ -324,76 +324,14 @@ function enable_raspap_daemon() {
 sudo systemctl enable raspap.service || install_error "Failed to enable raspap.service"
 }
-# Add a single entry to the sudoers file
-function sudo_add() {
- sudo bash -c "echo \"$raspap_user ALL=(ALL) NOPASSWD:$1\" | tee -a $raspap_sudoers" \
- || install_error "Unable to patch /etc/sudoers"
-}
-
-# Adds www-data user to the sudoers file with restrictions on what the user can execute
+# Add sudoers file to /etc/sudoers.d/ and set file permissions
 function patch_system_files() {
- # Set commands array
- cmds=(
- "/sbin/ifdown"
- "/sbin/ifup"
- "/bin/cat /etc/wpa_supplicant/wpa_supplicant.conf"
- "/bin/cat /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf"
- "/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant.conf"
- "/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf"
- "/sbin/wpa_cli -i wlan[0-9] scan_results"
- "/sbin/wpa_cli -i wlan[0-9] scan"
- "/sbin/wpa_cli -i wlan[0-9] reconfigure"
- "/sbin/wpa_cli -i wlan[0-9] select_network"
- "/bin/cp /tmp/hostapddata /etc/hostapd/hostapd.conf"
- "/bin/systemctl start hostapd.service"
- "/bin/systemctl stop hostapd.service"
- "/bin/systemctl start dnsmasq.service"
- "/bin/systemctl stop dnsmasq.service"
- "/bin/systemctl start openvpn-client@client"
- "/bin/systemctl enable openvpn-client@client"
- "/bin/systemctl stop openvpn-client@client"
- "/bin/systemctl disable openvpn-client@client"
- "/bin/cp /tmp/ovpnclient.ovpn /etc/openvpn/client/client.conf"
- "/bin/cp /tmp/authdata /etc/openvpn/client/login.conf"
- "/bin/cp /tmp/dnsmasqdata ${raspap_dnsmasq}"
- "/bin/cp /tmp/dhcpddata /etc/dhcpcd.conf"
- "/sbin/shutdown -h now"
- "/sbin/reboot"
- "/sbin/ip link set wlan[0-9] down"
- "/sbin/ip link set wlan[0-9] up"
- "/sbin/ip -s a f label wlan[0-9]"
- "/bin/cp /etc/raspap/networking/dhcpcd.conf /etc/dhcpcd.conf"
- "/etc/raspap/hostapd/enablelog.sh"
- "/etc/raspap/hostapd/disablelog.sh"
- "/etc/raspap/hostapd/servicestart.sh"
- "/etc/raspap/lighttpd/configport.sh"
- "/etc/raspap/openvpn/configauth.sh"
- "/bin/chmod o+r /tmp/hostapd.log"
- "/bin/chmod o+r /tmp/dnsmasq.log"
- )
-
 # Create sudoers if not present
 if [ ! -f $raspap_sudoers ]; then
- install_log "Creating ${raspap_sudoers}"
- sudo touch $raspap_sudoers
- fi
-
- # Check if sudoers needs patching
- if [ $(sudo grep -c $raspap_user $raspap_sudoers) -ne ${#cmds[@]} ]; then
- # Sudoers file has incorrect number of commands. Wiping them out.
- install_log "Cleaning system sudoers file"
- sudo sed -i "/$raspap_user/d" $raspap_sudoers
- install_log "Patching system sudoers file"
-
- # patch /etc/sudoers.d/090_raspap file
- for cmd in "${cmds[@]}"
- do
- sudo_add $cmd
- IFS=$'\n'
- done
- else
- install_log "Sudoers file already patched"
+ install_log "Adding raspap.sudoers to ${raspap_sudoers}"
+ sudo cp "$webroot_dir/installers/raspap.sudoers" $raspap_sudoers || install_error "Unable to apply raspap.sudoers to $raspap_sudoers"
+ sudo chmod 0440 $raspap_sudoers || install_error "Unable to change file permissions for $raspap_sudoers"
 fi
 # Add symlink to prevent wpa_cli cmds from breaking with multiple wlan interfaces
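Review bot: The new `sudo cp` places `raspap.sudoers` at `$raspap_sudoers` without a syntax check, and a malformed file under /etc/sudoers.d can leave sudo unusable on the host. Validate first and set owner and mode in the same step as the copy, e.g. `sudo visudo -cf "$webroot_dir/installers/raspap.sudoers" || install_error "Invalid raspap.sudoers"` followed by `sudo install -o root -g root -m 0440 "$webroot_dir/installers/raspap.sudoers" "$raspap_sudoers"`. The `[ ! -f $raspap_sudoers ]` guard also means an existing drop-in is never refreshed, so rules left by an earlier install stay in force, whereas the removed code rewrote them when the entry count differed. The source file is read from the web root; if that tree is writable by the web-server user (not visible in this hunk), a re-run would install whatever that user left there, so confirm the file is root-owned before it is copied. patch_system_files continues past the end of the hunk.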