diff --git a/manage_sudo.sh b/manage_sudo.sh index 6cc845d..4fb08a7 100644 --- a/manage_sudo.sh +++ b/manage_sudo.sh @@ -42,7 +42,7 @@ # or LOCAL_CONFIG_FILE instead # define the version (YYYY-MM-DD) -typeset -r SCRIPT_VERSION="2025-04-27" +typeset -r SCRIPT_VERSION="2025-07-28" # name of the global configuration file (script) typeset -r GLOBAL_CONFIG_FILE="manage_sudo.conf" # name of the local configuration file (script) @@ -72,10 +72,14 @@ typeset VISUDO_BIN="" typeset MAX_BACKGROUND_PROCS="" # miscelleaneous typeset PATH=${PATH}:/usr/bin:/usr/local/bin +# shellcheck disable=SC2155 typeset SCRIPT_NAME=$(basename "$0") +# shellcheck disable=SC2155 typeset SCRIPT_DIR=$(dirname "$0") typeset LOG_FILE="" +# shellcheck disable=SC2155 typeset OS_NAME="$(uname -s)" +# shellcheck disable=SC2155 typeset HOST_NAME="$(hostname)" typeset FRAGS_FILE="" typeset FRAGS_DIR="" @@ -531,6 +535,7 @@ return 0 function die { (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" +# shellcheck disable=SC2155 typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset LOG_LINE="" typeset LOG_SIGIL="" @@ -757,7 +762,7 @@ then fi log "copying SUDO controls on ${SERVER} in slave mode, this may take a while ..." -# shellcheck disable=SC2029 +# shellcheck disable=SC2029,SC2086 ( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --copy ${DISTRIBUTE_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" @@ -770,6 +775,7 @@ return ${RC} } # ----------------------------------------------------------------------------- +# shellcheck disable=SC2317 function do_cleanup { (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" 
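Review bot: The `# shellcheck disable=SC2155` directives added above `SCRIPT_NAME`, `SCRIPT_DIR`, `OS_NAME` and `HOST_NAME` in the hunk at -72 hide the warning rather than remove its cause. `typeset X=$(cmd)` returns the status of `typeset`, so a failing `basename`, `uname` or `hostname` leaves an empty value unnoticed, and `SCRIPT_NAME` is later used to build the remote command path `${REMOTE_DIR}/${SCRIPT_NAME}`. Declaring and assigning separately needs no directive, e.g. `typeset HOST_NAME=""` followed by `HOST_NAME="$(hostname)"`. The same applies to the `NOW` assignments in `die`, `log`, `logc` and `warn` and to `LSB_NAME` in `get_linux_name`.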
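Review bot: The `ssh -A` call in the slave-mode hunk at -757 has no comment stating the trust assumption behind agent forwarding, although the directive directly above it is being edited. With `-A`, the caller's ssh-agent can be used by anyone with root on `${SERVER}` for as long as the session runs. A comment such as `# -A forwards the local ssh-agent to ${SERVER}; load only a dedicated, restricted key into it` would make that explicit. The same call shape appears in the hunks at -885 (`--fix-remote`) and -1481 (`--apply`), and the enclosing function starts and ends outside the hunk.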
@@ -826,20 +832,20 @@ log "fixing SUDO controls on ${SERVER} ..." if [[ -z "${SUDO_UPDATE_USER}" ]] then # own user w/ sudo - # shellcheck disable=SC2029 + # shellcheck disable=SC2029,SC2086 ( RC=0; ssh ${SSH_ARGS} "${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" elif [[ "${SUDO_UPDATE_USER}" != "root" ]] then # other user w/ sudo - # shellcheck disable=SC2029 + # shellcheck disable=SC2029,SC2086 ( RC=0; ssh ${SSH_ARGS} "${SUDO_UPDATE_USER}@${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" else # root user w/o sudo - # shellcheck disable=SC2029 + # shellcheck disable=SC2029,SC2086 ( RC=0; ssh ${SSH_ARGS} "root@${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=root ${FIX_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" @@ -885,7 +891,7 @@ then fi log "fixing SUDO controls on ${SERVER} in slave mode, this may take a while ..." -# shellcheck disable=SC2029 +# shellcheck disable=SC2029,SC2086 ( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --fix-remote --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" @@ -901,6 +907,7 @@ return ${RC} function get_linux_name { (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" +# shellcheck disable=SC2155 typeset LSB_NAME="$(lsb_release -is 2>/dev/null | cut -f2 -d':' 2>/dev/null)" print "${LSB_NAME}" @@ -952,6 +959,7 @@ return 0 function log { (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" +# shellcheck disable=SC2155 typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset LOG_LINE="" typeset LOG_SIGIL="" 
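Review bot: The widened directive in the hunk at -826 silences SC2029 and SC2086 for the whole subshell, but the string handed to `ssh` is still expanded locally and parsed again by the remote shell, here under `sudo -n` or as root. If `SERVER_DIR`, `SERVER_USER`, `REMOTE_DIR` or `FIX_OPTS` can carry whitespace or shell metacharacters (their origin is outside this hunk), the remote side runs something other than the intended command line. Validate them before the call, e.g. `[[ "${SERVER_DIR}" == +([A-Za-z0-9_./-]) ]] || die "unsafe --fix-dir value"`, and add a comment to the directive saying that only `${SSH_ARGS}` is meant to be split. The same applies to the `--update` calls in the hunk at -1430 and to the slave-mode calls at -757, -885 and -1481.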
@@ -1010,6 +1018,7 @@ return 0 function logc { (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" +# shellcheck disable=SC2155 typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset LOG_STDIN="" typeset LOG_LINE="" @@ -1301,6 +1310,7 @@ cd "${TRANSFER_DIR}" || return 1 # transfer, (possibly) chmod the file to/on the target server (keep STDERR) if (( DO_SFTP_CHMOD > 1 )) then + # shellcheck disable=SC2086 sftp ${SFTP_ARGS} "${SUDO_TRANSFER_USER}@${TRANSFER_HOST}" >/dev/null </dev/null <&1)" if (( $(ssh-add -l 2>/dev/null | wc -l 2>/dev/null) == 0 )) then @@ -1430,21 +1442,21 @@ log "setting SUDO controls on ${SERVER} ..." if [[ -z "${SUDO_UPDATE_USER}" ]] then # own user w/ sudo - # shellcheck disable=SC2029 + # shellcheck disable=SC2029,SC2086 ( RC=0; ssh ${SSH_ARGS} "${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" elif [[ "${SUDO_UPDATE_USER}" != "root" ]] then # other user w/ sudo - # shellcheck disable=SC2029 + # shellcheck disable=SC2029,SC2086 ( RC=0; ssh ${SSH_ARGS} "${SUDO_UPDATE_USER}@${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" else # root user w/o sudo - # shellcheck disable=SC2029 - ( RC=0; ssh ${SSH_ARGS} "root@${SERVER} ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; + # shellcheck disable=SC2029,SC2086 + ( RC=0; ssh ${SSH_ARGS} "root@${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" fi @@ -1481,7 +1493,7 @@ then fi log "applying SUDO controls on ${SERVER} in slave mode, this may take a while ..." -# shellcheck disable=SC2029 +# shellcheck disable=SC2029,SC2086 ( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --apply ${UPDATE_OPTS}"; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" 
@@ -1542,6 +1554,7 @@ return ${WAIT_ERRORS} function warn { (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" +# shellcheck disable=SC2155 typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset LOG_LINE="" typeset LOG_SIGIL="" @@ -1970,6 +1983,7 @@ case ${ARG_ACTION} in ;; 4) # apply SUDO controls locally (root user) log "ACTION: apply SUDO controls locally" + # shellcheck disable=SC2086 ( RC=0; "${LOCAL_DIR}/update_sudo.pl" ${SUDO_UPDATE_OPTS}; print "$?" > "${TMP_RC_FILE}"; exit ) 2>&1 | logc "" @@ -2015,7 +2029,7 @@ case ${ARG_ACTION} in if [[ -d "${FIX_DIR}/holding" ]] then chmod 2775 "${FIX_DIR}/holding" 2>/dev/null && \ - chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${FIX_DIR}/holding" 2>/dev/null + chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${FIX_DIR}/holding" 2>/dev/null fi if [[ -d "${FIX_DIR}/sudoers.d" ]] then @@ -2037,7 +2051,7 @@ case ${ARG_ACTION} in if [[ -f "${FIX_DIR}/holding/${FILE}" ]] then chmod 660 "${FIX_DIR}/holding/${FILE}" 2>/dev/null && \ - chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${FIX_DIR}/holding/${FILE}" 2>/dev/null + chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${FIX_DIR}/holding/${FILE}" 2>/dev/null fi done for FILE in manage_sudo.sh update_sudo.pl @@ -2045,14 +2059,14 @@ case ${ARG_ACTION} in if [[ -f "${FIX_DIR}/holding/${FILE}" ]] then chmod 770 "${FIX_DIR}/holding/${FILE}" 2>/dev/null && \ - chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${FIX_DIR}/holding/${FILE}" 2>/dev/null + chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${FIX_DIR}/holding/${FILE}" 2>/dev/null fi done # log file if [[ -f "${LOG_FILE}" ]] then chmod 664 "${LOG_FILE}" 2>/dev/null && \ - chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${LOG_FILE}" 2>/dev/null + chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${LOG_FILE}" 2>/dev/null fi # check for SELinux labels case ${OS_NAME} in 
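Review bot: The newly quoted `chown` in the hunk at -2015 still sends stderr to /dev/null and its status is never checked. A failed ownership change on `${FIX_DIR}/holding` therefore passes silently in what appears to be the fix action. Because `chmod ... && chown ...` is the whole statement, appending `|| warn "failed to fix ownership/permissions on ${FIX_DIR}/holding"` would surface the failure in the log. The hunks at -2037 and -2045 (holding files, scripts and `${LOG_FILE}`) have the same shape, and the enclosing `case` arm starts and ends outside the hunk.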
@@ -2096,6 +2110,7 @@ case ${ARG_ACTION} in # derive SUDO controls repo from $REMOTE_DIR: # /etc/sudo_controls/holding -> /etc/sudo_controls + # shellcheck disable=SC2086 FIX_DIR="$(print ${REMOTE_DIR%/*})" [[ -z "${FIX_DIR}" ]] && \ die "could not determine SUDO controls repo path from \$REMOTE_DIR?" @@ -2148,6 +2163,7 @@ case ${ARG_ACTION} in fi done # final wait for background processes to be finished completely + # shellcheck disable=SC2086 wait_for_children ${PIDS} || \ warn "$? background jobs (possibly) failed to complete correctly" # stop SSH agent if needed @@ -2211,6 +2227,7 @@ case ${ARG_ACTION} in # shellcheck disable=SC2086 log "processing targets: $(print ${CLIENTS} | tr -s '\n' ' ' 2>/dev/null)" fi + # shellcheck disable=SC2086 print "${CLIENTS}" | ${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f - 2>/dev/null fi log "finished gathering SSH host keys"
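Review bot: The SC2086 directive added in the hunk at -2096 keeps an unquoted expansion inside a command substitution that is not needed. `FIX_DIR="$(print ${REMOTE_DIR%/*})"` word-splits and globs the path and lets `print` interpret a leading `-` or backslashes. `FIX_DIR="${REMOTE_DIR%/*}"` gives the same value for ordinary paths without the subshell or the directive. `FIX_DIR` is the variable used for `chmod`/`chown` in the hunk at -2015, so an unexpected value here matters if this path reaches that code.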
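Review bot: The directive added above the key-scan pipeline in the hunk at -2211 is needed only for `${SSH_KEYSCAN_ARGS}`, yet it also leaves `${SSH_KEYSCAN_BIN}` unquoted. Writing `print "${CLIENTS}" | "${SSH_KEYSCAN_BIN}" ${SSH_KEYSCAN_ARGS} -f - 2>/dev/null` narrows what is split. With stderr discarded, hosts that fail to answer drop out of the result without a log entry. Keys collected by scanning are unauthenticated, so a comment saying they must be checked against a trusted source before being relied on would help; where the output goes is outside the hunk.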