Fixed version by ChatGPT

2025-08-11 10:30:52 +02:00 · 2025-08-11 10:30:52 +02:00 · 3b9e0a1f33
commit 3b9e0a1f33
parent c08110ae38
1 changed files with 44 additions and 29 deletions
--- a/bin/admin/single-user
+++ b/bin/admin/single-user
@ -4,62 +4,77 @@
 ## for remote access


-# Parameters
+#!/bin/bash
+set -euo pipefail
+
+# Settings
 USERNAME="user"

-# Sanity check
 if [ "$(id -u)" -ne 0 ]; then
-    echo "Please run this script as root."
-    exit 1
+  echo "Please run this script as root." >&2
+  exit 1
 fi

-if ! id "$USERNAME" &>/dev/null; then
-    echo "User '$USERNAME' does not exist."
-    exit 1
-fi
+id "$USERNAME" &>/dev/null || { echo "User '$USERNAME' does not exist." >&2; exit 1; }

-echo "Setting up passwordless sudo for physical access for user: $USERNAME"
+echo "Configuring passwordless sudo ONLY on local TTYs for $USERNAME"
 echo

-# 1. Configure sudoers: allow passwordless sudo
-echo "Configuring sudoers for $USERNAME..."
-echo "Defaults:$USERNAME !authenticate" >> /etc/sudoers.d/00-$USERNAME-nopasswd
-chmod 440 /etc/sudoers.d/00-$USERNAME-nopasswd
+SUDOERS_FILE="/etc/sudoers.d/90-$USERNAME-sudo"
+if [ ! -f "$SUDOERS_FILE" ]; then
+  echo "$USERNAME ALL=(ALL:ALL) ALL" > "$SUDOERS_FILE"
+  chmod 0440 "$SUDOERS_FILE"
+  visudo -cf "$SUDOERS_FILE" >/dev/null || { echo "sudoers validation failed"; exit 1; }
+fi

-# 2. Modify PAM for sudo to allow password only on non-physical ttys
-echo "Configuring PAM for sudo tty check..."
+# PAM: allow passwordless sudo on physical ttys, require password otherwise.
 PAM_FILE="/etc/pam.d/sudo"
 BACKUP_FILE="/etc/pam.d/sudo.bak"

-if ! grep -q "pam_succeed_if.so tty" "$PAM_FILE"; then
-    echo "Creating backup of $PAM_FILE to $BACKUP_FILE"
-    cp "$PAM_FILE" "$BACKUP_FILE"
+if ! grep -q "BEGIN local TTY passwordless" "$PAM_FILE"; then
+  echo "Backing up $PAM_FILE to $BACKUP_FILE"
+  cp "$PAM_FILE" "$BACKUP_FILE"

-    sed -i '1iauth [success=1 default=ignore] pam_succeed_if.so tty =~ /dev/tty[0-9]*' "$PAM_FILE"
-    echo "PAM modified to restrict passwordless sudo to physical TTYs."
+  # Insert at the top of the file:
+  # - If TTY matches /dev/ttyN (real VT), immediately permit auth (no password).
+  # - Otherwise fall through to the normal rules (which will ask for a password).
+  #
+  # Notes:
+  # - pam_succeed_if.so is in the libpam-modules package on Debian/Ubuntu (ensure installed).
+  # - The 'success=done' short-circuits the auth stack on real TTYs.
+  tmp="$(mktemp)"
+  cat > "$tmp" <<'PAMHEAD'
+# --- BEGIN local TTY passwordless ---
+# Passwordless sudo on real virtual consoles only:
+# /dev/tty1, /dev/tty2, ... (NOT /dev/pts/* used by SSH)
+auth [success=done default=ignore] pam_succeed_if.so tty =~ ^/dev/tty[0-9]+$
+# --- END local TTY passwordless ---
+PAMHEAD
+  cat "$PAM_FILE" >> "$tmp"
+  mv "$tmp" "$PAM_FILE"
+  echo "PAM updated. On SSH (/dev/pts/*) a password will be required."
 else
-    echo "PAM sudo already appears configured."
+  echo "PAM sudo already has local TTY rule."
 fi

-# 3. Enable autologin on tty1
+# 3) Autologin on tty1 (physical console)
 echo "Configuring systemd autologin on tty1 for $USERNAME..."
 mkdir -p /etc/systemd/system/getty@tty1.service.d
 AUTOLOGIN_CONF="/etc/systemd/system/getty@tty1.service.d/override.conf"
+AGETTY_BIN="$(command -v agetty || true)"
+: "${AGETTY_BIN:=/sbin/agetty}"

 cat > "$AUTOLOGIN_CONF" <<EOF
 [Service]
 ExecStart=
-ExecStart=-/sbin/agetty --autologin $USERNAME --noclear %I \$TERM
+ExecStart=-$AGETTY_BIN --autologin $USERNAME --noclear %I \$TERM
 EOF

-# Reload systemd and apply change
-echo "Reloading systemd and restarting tty1..."
-systemctl daemon-reexec
 systemctl daemon-reload
 systemctl restart getty@tty1

 echo
-echo "All done."
-echo "User '$USERNAME' will now auto-login on tty1 and can use sudo without a password if physically present."
-echo "Remote users (SSH) will still need to enter a password for sudo."

+echo "• $USERNAME will auto-login on tty1."
+echo "• On real TTYs (/dev/ttyN), sudo won't prompt for a password."
+echo "• Over SSH (/dev/pts/*), sudo will require the user's password."