#!/bin/bash # moonraker-sudo (mnrkrsudo) # Provides a specified Group that is intended to elevate user privileges # to help moonraker with sudo actions, if in CustomPIOS Images with # Module "password-for-sudo". # # Partially used functions from Arcsine # # Copyright (C) 2020 Stephan Wendel # # This file may be distributed under the terms of the GNU GPLv3 license ### Exit on Errors set -e ### Configuration SUDOERS_DIR='/etc/sudoers.d' SUDOERS_FILE='020-sudo-for-moonraker' NEW_GROUP='mnrkrsudo' ### Functions verify_ready() { if [ "$EUID" -eq 0 ]; then echo "This script must not run as root" exit -1 fi } create_sudoers_file() { SCRIPT_TEMP_PATH=/tmp report_status "Creating ${SUDOERS_FILE} ..." sudo rm -f $SCRIPT_TEMP_PATH/$SUDOERS_FILE sudo sed "s/GROUPNAME/$NEW_GROUP/g" > $SCRIPT_TEMP_PATH/$SUDOERS_FILE << '#EOF' ### Elevate moonraker API rights ### Do NOT allow Command Parts only Full Commands ### for example ### ### /sbin/systemctl "reboot", /sbin/apt "update", ..... Defaults!/usr/bin/apt-get env_keep +="DEBIAN_FRONTEND" Cmnd_Alias REBOOT = /sbin/shutdown -r now, /bin/systemctl "reboot" Cmnd_Alias SHUTDOWN = /sbin/shutdown now, /sbin/shutdown -h now, /bin/systemctl "poweroff" Cmnd_Alias APT = /usr/bin/apt-get Cmnd_Alias SYSTEMCTL = /bin/systemctl %GROUPNAME ALL=(ALL) NOPASSWD: REBOOT, SHUTDOWN, APT, SYSTEMCTL #EOF report_status "\e[1;32m...done\e[0m" } update_env() { report_status "Export System Variable: DEBIAN_FRONTEND=noninteractive" sudo /bin/sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment' } verify_syntax() { if [ -n "$(whereis -b visudo | awk '{print $2}')" ]; then report_status "\e[1;33mVerifying Syntax of ${SUDOERS_FILE}\e[0m\n" if [ $(LANG=C sudo visudo -cf $SCRIPT_TEMP_PATH/$SUDOERS_FILE | grep -c "OK" ) -eq 1 ]; then VERIFY_STATUS=0 report_status "\e[1;32m$(LANG=C sudo visudo -cf $SCRIPT_TEMP_PATH/$SUDOERS_FILE)\e[0m" else report_status "\e[1;31mSyntax Error:\e[0m Check File: $SCRIPT_TEMP_PATH/$SUDOERS_FILE" exit 1 fi else VERIFY_STATUS=0 report_status "\e[1;31mCommand 'visudo' not found. Skip verifying sudoers file.\e[0m" fi } install_sudoers_file() { verify_syntax if [ $VERIFY_STATUS -eq 0 ]; then report_status "Copying $SCRIPT_TEMP_PATH/$SUDOERS_FILE to $SUDOERS_DIR/$SUDOERS_FILE" sudo chmod 0440 $SCRIPT_TEMP_PATH/$SUDOERS_FILE sudo cp --preserve=mode $SCRIPT_TEMP_PATH/$SUDOERS_FILE $SUDOERS_DIR/$SUDOERS_FILE else exit 1 fi } check_update_sudoers_file() { if [ -e "$SUDOERS_DIR/$SUDOERS_FILE" ]; then create_sudoers_file if [ -z $(sudo diff $SCRIPT_TEMP_PATH/$SUDOERS_FILE $SUDOERS_DIR/$SUDOERS_FILE) ] then report_status "No need to update $SUDOERS_DIR/$SUDOERS_FILE" else report_status "$SUDOERS_DIR/$SUDOERS_FILE needs to be updated." install_sudoers_file fi fi } add_new_group() { sudo addgroup --system $NEW_GROUP &> /dev/null report_status "\e[1;32m...done\e[0m" } add_user_to_group() { sudo usermod -aG $NEW_GROUP $USER &> /dev/null report_status "\e[1;32m...done\e[0m" } adduser_hint() { report_status "\e[1;31mYou have to REBOOT to take changes effect!\e[0m" } # Helper functions report_status() { echo -e "\n\n###### $1" } clean_temp() { sudo rm -f $SCRIPT_TEMP_PATH/$SUDOERS_FILE } ### Main verify_ready if [ -e "$SUDOERS_DIR/$SUDOERS_FILE" ] && [ $(sudo cat /etc/gshadow | grep -c "${NEW_GROUP}") -eq 1 ] && [ $(groups | grep -c "$NEW_GROUP") -eq 1 ]; then check_update_sudoers_file report_status "\e[1;32mEverything is setup, nothing to do...\e[0m\n" exit 0 else if [ -e "$SUDOERS_DIR/$SUDOERS_FILE" ]; then report_status "\e[1;32mFile exists:\e[0m ${SUDOERS_FILE}" check_update_sudoers_file else report_status "\e[1;31mFile not found:\e[0m ${SUDOERS_FILE}\n" create_sudoers_file install_sudoers_file fi if [ $(sudo cat /etc/gshadow | grep -c "${NEW_GROUP}") -eq 1 ]; then report_status "Group ${NEW_GROUP} already exists..." else report_status "Group ${NEW_GROUP} will be added..." add_new_group fi if [ $(groups | grep -c "$NEW_GROUP") -eq 1 ]; then report_status "User ${USER} is already in $NEW_GROUP..." else report_status "Adding User ${USER} to Group $NEW_GROUP..." add_user_to_group adduser_hint fi fi update_env clean_temp exit 0