From 3b9e0a1f33b2e0b102e2fd5fde9c2bcc2143c957 Mon Sep 17 00:00:00 2001
From: Artur Gurgul
Date: Mon, 11 Aug 2025 10:30:52 +0200
Subject: [PATCH] Fixed version by ChatGPT

---
bin/admin/single-user | 73 ++++++++++++++++++++++++++-----------------
1 file changed, 44 insertions(+), 29 deletions(-)
mode change 100644 => 100755 bin/admin/single-user

diff --git a/bin/admin/single-user b/bin/admin/single-user
old mode 100644
new mode 100755
index 4b647ff..85018fc
--- a/bin/admin/single-user
+++ b/bin/admin/single-user
@@ -4,62 +4,77 @@ ## for remote access
-# Parameters
+#!/bin/bash
+set -euo pipefail
+
+# Settings
 USERNAME="user"
-# Sanity check
 if [ "$(id -u)" -ne 0 ]; then
- echo "Please run this script as root."
- exit 1
+ echo "Please run this script as root." >&2
+ exit 1
 fi
-if ! id "$USERNAME" &>/dev/null; then
- echo "User '$USERNAME' does not exist."
- exit 1
-fi
+id "$USERNAME" &>/dev/null || { echo "User '$USERNAME' does not exist." >&2; exit 1; }
-echo "Setting up passwordless sudo for physical access for user: $USERNAME"
+echo "Configuring passwordless sudo ONLY on local TTYs for $USERNAME"
 echo
-# 1. Configure sudoers: allow passwordless sudo
-echo "Configuring sudoers for $USERNAME..."
-echo "Defaults:$USERNAME !authenticate" >> /etc/sudoers.d/00-$USERNAME-nopasswd
-chmod 440 /etc/sudoers.d/00-$USERNAME-nopasswd
+SUDOERS_FILE="/etc/sudoers.d/90-$USERNAME-sudo"
+if [ ! -f "$SUDOERS_FILE" ]; then
+ echo "$USERNAME ALL=(ALL:ALL) ALL" > "$SUDOERS_FILE"
+ chmod 0440 "$SUDOERS_FILE"
+ visudo -cf "$SUDOERS_FILE" >/dev/null || { echo "sudoers validation failed"; exit 1; }
+fi
-# 2. Modify PAM for sudo to allow password only on non-physical ttys
-echo "Configuring PAM for sudo tty check..."
+# PAM: allow passwordless sudo on physical ttys, require password otherwise.
 PAM_FILE="/etc/pam.d/sudo"
 BACKUP_FILE="/etc/pam.d/sudo.bak"
-if ! grep -q "pam_succeed_if.so tty" "$PAM_FILE"; then
- echo "Creating backup of $PAM_FILE to $BACKUP_FILE"
- cp "$PAM_FILE" "$BACKUP_FILE"
+if ! grep -q "BEGIN local TTY passwordless" "$PAM_FILE"; then
+ echo "Backing up $PAM_FILE to $BACKUP_FILE"
+ cp "$PAM_FILE" "$BACKUP_FILE"
- sed -i '1iauth [success=1 default=ignore] pam_succeed_if.so tty =~ /dev/tty[0-9]*' "$PAM_FILE"
- echo "PAM modified to restrict passwordless sudo to physical TTYs."
+ # Insert at the top of the file:
+ # - If TTY matches /dev/ttyN (real VT), immediately permit auth (no password).
+ # - Otherwise fall through to the normal rules (which will ask for a password).
+ #
+ # Notes:
+ # - pam_succeed_if.so is in the libpam-modules package on Debian/Ubuntu (ensure installed).
+ # - The 'success=done' short-circuits the auth stack on real TTYs.
+ tmp="$(mktemp)"
+ cat > "$tmp" <<'PAMHEAD'
+# --- BEGIN local TTY passwordless ---
+# Passwordless sudo on real virtual consoles only:
+# /dev/tty1, /dev/tty2, ... (NOT /dev/pts/* used by SSH)
+auth [success=done default=ignore] pam_succeed_if.so tty =~ ^/dev/tty[0-9]+$
+# --- END local TTY passwordless ---
+PAMHEAD
+ cat "$PAM_FILE" >> "$tmp"
+ mv "$tmp" "$PAM_FILE"
+ echo "PAM updated. On SSH (/dev/pts/*) a password will be required."
 else
- echo "PAM sudo already appears configured."
+ echo "PAM sudo already has local TTY rule."
 fi
-# 3. Enable autologin on tty1
+# 3) Autologin on tty1 (physical console)
 echo "Configuring systemd autologin on tty1 for $USERNAME..."
 mkdir -p /etc/systemd/system/getty@tty1.service.d
 AUTOLOGIN_CONF="/etc/systemd/system/getty@tty1.service.d/override.conf"
+AGETTY_BIN="$(command -v agetty || true)"
+: "${AGETTY_BIN:=/sbin/agetty}"
 cat > "$AUTOLOGIN_CONF" <