Fix quoting errors + messages

Patrick Van der Veken 2025-07-28 19:14:41 +02:00
parent 78d2d6aff1
commit 29322b6a48


@ -42,7 +42,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the version (YYYY-MM-DD) # define the version (YYYY-MM-DD)
typeset -r SCRIPT_VERSION="2025-04-27" typeset -r SCRIPT_VERSION="2025-07-28"
# name of the global configuration file (script) # name of the global configuration file (script)
typeset -r GLOBAL_CONFIG_FILE="manage_sudo.conf" typeset -r GLOBAL_CONFIG_FILE="manage_sudo.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -72,10 +72,14 @@ typeset VISUDO_BIN=""
typeset MAX_BACKGROUND_PROCS="" typeset MAX_BACKGROUND_PROCS=""
# miscelleaneous # miscelleaneous
typeset PATH=${PATH}:/usr/bin:/usr/local/bin typeset PATH=${PATH}:/usr/bin:/usr/local/bin
# shellcheck disable=SC2155
typeset SCRIPT_NAME=$(basename "$0") typeset SCRIPT_NAME=$(basename "$0")
# shellcheck disable=SC2155
typeset SCRIPT_DIR=$(dirname "$0") typeset SCRIPT_DIR=$(dirname "$0")
typeset LOG_FILE="" typeset LOG_FILE=""
# shellcheck disable=SC2155
typeset OS_NAME="$(uname -s)" typeset OS_NAME="$(uname -s)"
# shellcheck disable=SC2155
typeset HOST_NAME="$(hostname)" typeset HOST_NAME="$(hostname)"
typeset FRAGS_FILE="" typeset FRAGS_FILE=""
typeset FRAGS_DIR="" typeset FRAGS_DIR=""
@ -531,6 +535,7 @@ return 0
function die function die
{ {
(( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}"
# shellcheck disable=SC2155
typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')"
typeset LOG_LINE="" typeset LOG_LINE=""
typeset LOG_SIGIL="" typeset LOG_SIGIL=""
@ -757,7 +762,7 @@ then
fi fi
log "copying SUDO controls on ${SERVER} in slave mode, this may take a while ..." log "copying SUDO controls on ${SERVER} in slave mode, this may take a while ..."
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --copy ${DISTRIBUTE_OPTS}"; ( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --copy ${DISTRIBUTE_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
@ -770,6 +775,7 @@ return ${RC}
} }
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# shellcheck disable=SC2317
function do_cleanup function do_cleanup
{ {
(( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}"
@ -826,20 +832,20 @@ log "fixing SUDO controls on ${SERVER} ..."
if [[ -z "${SUDO_UPDATE_USER}" ]] if [[ -z "${SUDO_UPDATE_USER}" ]]
then then
# own user w/ sudo # own user w/ sudo
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh ${SSH_ARGS} "${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}"; ( RC=0; ssh ${SSH_ARGS} "${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
elif [[ "${SUDO_UPDATE_USER}" != "root" ]] elif [[ "${SUDO_UPDATE_USER}" != "root" ]]
then then
# other user w/ sudo # other user w/ sudo
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh ${SSH_ARGS} "${SUDO_UPDATE_USER}@${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}"; ( RC=0; ssh ${SSH_ARGS} "${SUDO_UPDATE_USER}@${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
else else
# root user w/o sudo # root user w/o sudo
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh ${SSH_ARGS} "root@${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=root ${FIX_OPTS}"; ( RC=0; ssh ${SSH_ARGS} "root@${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --fix-local --fix-dir=${SERVER_DIR} --fix-user=root ${FIX_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
@ -885,7 +891,7 @@ then
fi fi
log "fixing SUDO controls on ${SERVER} in slave mode, this may take a while ..." log "fixing SUDO controls on ${SERVER} in slave mode, this may take a while ..."
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --fix-remote --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}"; ( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --fix-remote --fix-dir=${SERVER_DIR} --fix-user=${SERVER_USER} ${FIX_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
@ -901,6 +907,7 @@ return ${RC}
function get_linux_name function get_linux_name
{ {
(( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}"
# shellcheck disable=SC2155
typeset LSB_NAME="$(lsb_release -is 2>/dev/null | cut -f2 -d':' 2>/dev/null)" typeset LSB_NAME="$(lsb_release -is 2>/dev/null | cut -f2 -d':' 2>/dev/null)"
print "${LSB_NAME}" print "${LSB_NAME}"
@ -952,6 +959,7 @@ return 0
function log function log
{ {
(( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}"
# shellcheck disable=SC2155
typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')"
typeset LOG_LINE="" typeset LOG_LINE=""
typeset LOG_SIGIL="" typeset LOG_SIGIL=""
@ -1010,6 +1018,7 @@ return 0
function logc function logc
{ {
(( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}"
# shellcheck disable=SC2155
typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')"
typeset LOG_STDIN="" typeset LOG_STDIN=""
typeset LOG_LINE="" typeset LOG_LINE=""
@ -1301,6 +1310,7 @@ cd "${TRANSFER_DIR}" || return 1
# transfer, (possibly) chmod the file to/on the target server (keep STDERR) # transfer, (possibly) chmod the file to/on the target server (keep STDERR)
if (( DO_SFTP_CHMOD > 1 )) if (( DO_SFTP_CHMOD > 1 ))
then then
# shellcheck disable=SC2086
sftp ${SFTP_ARGS} "${SUDO_TRANSFER_USER}@${TRANSFER_HOST}" >/dev/null <<EOT sftp ${SFTP_ARGS} "${SUDO_TRANSFER_USER}@${TRANSFER_HOST}" >/dev/null <<EOT
cd ${REMOTE_DIR} cd ${REMOTE_DIR}
put ${SOURCE_FILE} put ${SOURCE_FILE}
@ -1308,6 +1318,7 @@ chmod ${TRANSFER_PERMS} ${SOURCE_FILE}
EOT EOT
SFTP_RC=$? SFTP_RC=$?
else else
# shellcheck disable=SC2086
sftp ${SFTP_ARGS} "${SUDO_TRANSFER_USER}@${TRANSFER_HOST}" >/dev/null <<EOT sftp ${SFTP_ARGS} "${SUDO_TRANSFER_USER}@${TRANSFER_HOST}" >/dev/null <<EOT
cd ${REMOTE_DIR} cd ${REMOTE_DIR}
put ${SOURCE_FILE} put ${SOURCE_FILE}
@ -1349,6 +1360,7 @@ fi
# add the private key # add the private key
log "adding private key ${SSH_PRIVATE_KEY} to SSH agent on ${HOST_NAME} ..." log "adding private key ${SSH_PRIVATE_KEY} to SSH agent on ${HOST_NAME} ..."
# shellcheck disable=SC2086
log "$(ssh-add ${SSH_PRIVATE_KEY} 2>&1)" log "$(ssh-add ${SSH_PRIVATE_KEY} 2>&1)"
if (( $(ssh-add -l 2>/dev/null | wc -l 2>/dev/null) == 0 )) if (( $(ssh-add -l 2>/dev/null | wc -l 2>/dev/null) == 0 ))
then then
@ -1430,21 +1442,21 @@ log "setting SUDO controls on ${SERVER} ..."
if [[ -z "${SUDO_UPDATE_USER}" ]] if [[ -z "${SUDO_UPDATE_USER}" ]]
then then
# own user w/ sudo # own user w/ sudo
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh ${SSH_ARGS} "${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; ( RC=0; ssh ${SSH_ARGS} "${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
elif [[ "${SUDO_UPDATE_USER}" != "root" ]] elif [[ "${SUDO_UPDATE_USER}" != "root" ]]
then then
# other user w/ sudo # other user w/ sudo
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh ${SSH_ARGS} "${SUDO_UPDATE_USER}@${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; ( RC=0; ssh ${SSH_ARGS} "${SUDO_UPDATE_USER}@${SERVER}" "sudo -n ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
else else
# root user w/o sudo # root user w/o sudo
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh ${SSH_ARGS} "root@${SERVER} ${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}"; ( RC=0; ssh ${SSH_ARGS} "root@${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --update ${UPDATE_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
fi fi
@ -1481,7 +1493,7 @@ then
fi fi
log "applying SUDO controls on ${SERVER} in slave mode, this may take a while ..." log "applying SUDO controls on ${SERVER} in slave mode, this may take a while ..."
# shellcheck disable=SC2029 # shellcheck disable=SC2029,SC2086
( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --apply ${UPDATE_OPTS}"; ( RC=0; ssh -A ${SSH_ARGS} "${SERVER}" "${REMOTE_DIR}/${SCRIPT_NAME} --apply ${UPDATE_OPTS}";
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
@ -1542,6 +1554,7 @@ return ${WAIT_ERRORS}
function warn function warn
{ {
(( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}" (( ARG_DEBUG > 0 )) && set "${DEBUG_OPTS}"
# shellcheck disable=SC2155
typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')" typeset NOW="$(date '+%d-%h-%Y %H:%M:%S')"
typeset LOG_LINE="" typeset LOG_LINE=""
typeset LOG_SIGIL="" typeset LOG_SIGIL=""
@ -1970,6 +1983,7 @@ case ${ARG_ACTION} in
;; ;;
4) # apply SUDO controls locally (root user) 4) # apply SUDO controls locally (root user)
log "ACTION: apply SUDO controls locally" log "ACTION: apply SUDO controls locally"
# shellcheck disable=SC2086
( RC=0; "${LOCAL_DIR}/update_sudo.pl" ${SUDO_UPDATE_OPTS}; ( RC=0; "${LOCAL_DIR}/update_sudo.pl" ${SUDO_UPDATE_OPTS};
print "$?" > "${TMP_RC_FILE}"; exit print "$?" > "${TMP_RC_FILE}"; exit
) 2>&1 | logc "" ) 2>&1 | logc ""
@ -2015,7 +2029,7 @@ case ${ARG_ACTION} in
if [[ -d "${FIX_DIR}/holding" ]] if [[ -d "${FIX_DIR}/holding" ]]
then then
chmod 2775 "${FIX_DIR}/holding" 2>/dev/null && \ chmod 2775 "${FIX_DIR}/holding" 2>/dev/null && \
chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${FIX_DIR}/holding" 2>/dev/null chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${FIX_DIR}/holding" 2>/dev/null
fi fi
if [[ -d "${FIX_DIR}/sudoers.d" ]] if [[ -d "${FIX_DIR}/sudoers.d" ]]
then then
@ -2037,7 +2051,7 @@ case ${ARG_ACTION} in
if [[ -f "${FIX_DIR}/holding/${FILE}" ]] if [[ -f "${FIX_DIR}/holding/${FILE}" ]]
then then
chmod 660 "${FIX_DIR}/holding/${FILE}" 2>/dev/null && \ chmod 660 "${FIX_DIR}/holding/${FILE}" 2>/dev/null && \
chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${FIX_DIR}/holding/${FILE}" 2>/dev/null chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${FIX_DIR}/holding/${FILE}" 2>/dev/null
fi fi
done done
for FILE in manage_sudo.sh update_sudo.pl for FILE in manage_sudo.sh update_sudo.pl
@ -2045,14 +2059,14 @@ case ${ARG_ACTION} in
if [[ -f "${FIX_DIR}/holding/${FILE}" ]] if [[ -f "${FIX_DIR}/holding/${FILE}" ]]
then then
chmod 770 "${FIX_DIR}/holding/${FILE}" 2>/dev/null && \ chmod 770 "${FIX_DIR}/holding/${FILE}" 2>/dev/null && \
chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${FIX_DIR}/holding/${FILE}" 2>/dev/null chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${FIX_DIR}/holding/${FILE}" 2>/dev/null
fi fi
done done
# log file # log file
if [[ -f "${LOG_FILE}" ]] if [[ -f "${LOG_FILE}" ]]
then then
chmod 664 "${LOG_FILE}" 2>/dev/null && \ chmod 664 "${LOG_FILE}" 2>/dev/null && \
chown ${SUDO_FIX_USER}:${SUDO_OWNER_GROUP} "${LOG_FILE}" 2>/dev/null chown "${SUDO_FIX_USER}":"${SUDO_OWNER_GROUP}" "${LOG_FILE}" 2>/dev/null
fi fi
# check for SELinux labels # check for SELinux labels
case ${OS_NAME} in case ${OS_NAME} in
@ -2096,6 +2110,7 @@ case ${ARG_ACTION} in
# derive SUDO controls repo from $REMOTE_DIR: # derive SUDO controls repo from $REMOTE_DIR:
# /etc/sudo_controls/holding -> /etc/sudo_controls # /etc/sudo_controls/holding -> /etc/sudo_controls
# shellcheck disable=SC2086
FIX_DIR="$(print ${REMOTE_DIR%/*})" FIX_DIR="$(print ${REMOTE_DIR%/*})"
[[ -z "${FIX_DIR}" ]] && \ [[ -z "${FIX_DIR}" ]] && \
die "could not determine SUDO controls repo path from \$REMOTE_DIR?" die "could not determine SUDO controls repo path from \$REMOTE_DIR?"
@ -2148,6 +2163,7 @@ case ${ARG_ACTION} in
fi fi
done done
# final wait for background processes to be finished completely # final wait for background processes to be finished completely
# shellcheck disable=SC2086
wait_for_children ${PIDS} || \ wait_for_children ${PIDS} || \
warn "$? background jobs (possibly) failed to complete correctly" warn "$? background jobs (possibly) failed to complete correctly"
# stop SSH agent if needed # stop SSH agent if needed
@ -2211,6 +2227,7 @@ case ${ARG_ACTION} in
# shellcheck disable=SC2086 # shellcheck disable=SC2086
log "processing targets: $(print ${CLIENTS} | tr -s '\n' ' ' 2>/dev/null)" log "processing targets: $(print ${CLIENTS} | tr -s '\n' ' ' 2>/dev/null)"
fi fi
# shellcheck disable=SC2086
print "${CLIENTS}" | ${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f - 2>/dev/null print "${CLIENTS}" | ${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f - 2>/dev/null
fi fi
log "finished gathering SSH host keys" log "finished gathering SSH host keys"
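Review bot: Adding SC2086 beside SC2029 on the ssh call sites (first in the `-757,7 +762,7` hunk, repeated in the fix, update and apply hunks) silences the warnings but leaves the exposure they point at: `${REMOTE_DIR}`, `${SERVER_DIR}`, `${SERVER_USER}` and the `*_OPTS` strings are expanded locally into one command string that the remote shell parses again, in several branches under `sudo -n` or as root. The enclosing functions and the places where these values are set lie outside the visible hunks, so this is a hardening point, not a confirmed bug. If any of them can come from a config file or the command line, a value containing whitespace or shell metacharacters changes the command that runs on the target. A guard ahead of the ssh calls would close that, for example `[[ "${SERVER_DIR}" == +([A-Za-z0-9_./-]) ]] || die "unsafe character in SERVER_DIR"`, with the same check for the other path and user values. A short comment next to each directive, such as `# SSH_ARGS is split into words on purpose`, would also keep the suppression from being read as covering the remote string.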