Fixed version by ChatGPT

2025-08-11 10:30:52 +02:00 · 2025-08-11 10:30:52 +02:00 · 3b9e0a1f33
commit 3b9e0a1f33
parent c08110ae38
1 changed files with 44 additions and 29 deletions
--- a/bin/admin/single-user
+++ b/bin/admin/single-user
@ -4,62 +4,77 @@
 ## for remote access
-# Parameters
+#!/bin/bash
 set -euo pipefail
 # Settings
 USERNAME="user"
 # Sanity check
 if [ "$(id -u)" -ne 0 ]; then
-    echo "Please run this script as root."
+  echo "Please run this script as root." >&2
-    exit 1
+  exit 1
 fi
-if ! id "$USERNAME" &>/dev/null; then
+id "$USERNAME" &>/dev/null || { echo "User '$USERNAME' does not exist." >&2; exit 1; }
    echo "User '$USERNAME' does not exist."
    exit 1
 fi
-echo "Setting up passwordless sudo for physical access for user: $USERNAME"
+echo "Configuring passwordless sudo ONLY on local TTYs for $USERNAME"
 echo
-# 1. Configure sudoers: allow passwordless sudo
+SUDOERS_FILE="/etc/sudoers.d/90-$USERNAME-sudo"
-echo "Configuring sudoers for $USERNAME..."
+if [ ! -f "$SUDOERS_FILE" ]; then
-echo "Defaults:$USERNAME !authenticate" >> /etc/sudoers.d/00-$USERNAME-nopasswd
+  echo "$USERNAME ALL=(ALL:ALL) ALL" > "$SUDOERS_FILE"
-chmod 440 /etc/sudoers.d/00-$USERNAME-nopasswd
+  chmod 0440 "$SUDOERS_FILE"
  visudo -cf "$SUDOERS_FILE" >/dev/null || { echo "sudoers validation failed"; exit 1; }
 fi
-# 2. Modify PAM for sudo to allow password only on non-physical ttys
+# PAM: allow passwordless sudo on physical ttys, require password otherwise.
 echo "Configuring PAM for sudo tty check..."
 PAM_FILE="/etc/pam.d/sudo"
 BACKUP_FILE="/etc/pam.d/sudo.bak"
-if ! grep -q "pam_succeed_if.so tty" "$PAM_FILE"; then
+if ! grep -q "BEGIN local TTY passwordless" "$PAM_FILE"; then
-    echo "Creating backup of $PAM_FILE to $BACKUP_FILE"
+  echo "Backing up $PAM_FILE to $BACKUP_FILE"
-    cp "$PAM_FILE" "$BACKUP_FILE"
+  cp "$PAM_FILE" "$BACKUP_FILE"
-    sed -i '1iauth [success=1 default=ignore] pam_succeed_if.so tty =~ /dev/tty[0-9]*' "$PAM_FILE"
+  # Insert at the top of the file:
-    echo "PAM modified to restrict passwordless sudo to physical TTYs."
+  # - If TTY matches /dev/ttyN (real VT), immediately permit auth (no password).
  # - Otherwise fall through to the normal rules (which will ask for a password).
  #
  # Notes:
  # - pam_succeed_if.so is in the libpam-modules package on Debian/Ubuntu (ensure installed).
  # - The 'success=done' short-circuits the auth stack on real TTYs.
  tmp="$(mktemp)"
  cat > "$tmp" <<'PAMHEAD'
 # --- BEGIN local TTY passwordless ---
 # Passwordless sudo on real virtual consoles only:
 # /dev/tty1, /dev/tty2, ... (NOT /dev/pts/* used by SSH)
 auth [success=done default=ignore] pam_succeed_if.so tty =~ ^/dev/tty[0-9]+$
 # --- END local TTY passwordless ---
 PAMHEAD
  cat "$PAM_FILE" >> "$tmp"
  mv "$tmp" "$PAM_FILE"
  echo "PAM updated. On SSH (/dev/pts/*) a password will be required."
 else
-    echo "PAM sudo already appears configured."
+  echo "PAM sudo already has local TTY rule."
 fi
-# 3. Enable autologin on tty1
+# 3) Autologin on tty1 (physical console)
 echo "Configuring systemd autologin on tty1 for $USERNAME..."
 mkdir -p /etc/systemd/system/getty@tty1.service.d
 AUTOLOGIN_CONF="/etc/systemd/system/getty@tty1.service.d/override.conf"
 AGETTY_BIN="$(command -v agetty || true)"
 : "${AGETTY_BIN:=/sbin/agetty}"
 cat > "$AUTOLOGIN_CONF" <<EOF
 [Service]
 ExecStart=
-ExecStart=-/sbin/agetty --autologin $USERNAME --noclear %I \$TERM
+ExecStart=-$AGETTY_BIN --autologin $USERNAME --noclear %I \$TERM
 EOF
 # Reload systemd and apply change
 echo "Reloading systemd and restarting tty1..."
 systemctl daemon-reexec
 systemctl daemon-reload
 systemctl restart getty@tty1
 echo
 echo "All done."
 echo "User '$USERNAME' will now auto-login on tty1 and can use sudo without a password if physically present."
 echo "Remote users (SSH) will still need to enter a password for sudo."
 echo "• $USERNAME will auto-login on tty1."
 echo "• On real TTYs (/dev/ttyN), sudo won't prompt for a password."
 echo "• Over SSH (/dev/pts/*), sudo will require the user's password."