mirror of
https://github.com/kuhyx/scripts.git
synced 2026-07-04 16:03:12 +02:00
feat: setup passwordless sudo
This commit is contained in:
parent
9cf28e1fd7
commit
fe6d2eb39c
323
scripts/setup_passwordless_system.sh
Executable file
323
scripts/setup_passwordless_system.sh
Executable file
@ -0,0 +1,323 @@
|
||||
#!/bin/bash
|
||||
# Script to set up passwordless sudo and automatic login
|
||||
# Configures lightdm for auto-login and sudo for passwordless access
|
||||
# Handles sudo privileges automatically
|
||||
|
||||
set -e # Exit on any error
|
||||
|
||||
# Function to check and request sudo privileges
|
||||
check_sudo() {
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
echo "This script requires sudo privileges to modify system configurations."
|
||||
echo "Requesting sudo access..."
|
||||
exec sudo "$0" "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Check for sudo privileges first
|
||||
check_sudo "$@"
|
||||
|
||||
echo "Passwordless System Setup"
|
||||
echo "========================"
|
||||
echo "Current Date: $(date)"
|
||||
echo "User: $USER"
|
||||
echo "Original user: ${SUDO_USER:-$USER}"
|
||||
|
||||
# Verify we have a valid user
|
||||
if [[ -z "${SUDO_USER}" ]]; then
|
||||
echo "Error: Could not determine the original user. Please run this script with sudo."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TARGET_USER="${SUDO_USER}"
|
||||
echo "Target user for configuration: $TARGET_USER"
|
||||
|
||||
# Function to backup files
|
||||
backup_file() {
|
||||
local file="$1"
|
||||
if [[ -f "$file" ]]; then
|
||||
local backup="${file}.backup.$(date +%Y%m%d_%H%M%S)"
|
||||
cp "$file" "$backup"
|
||||
echo "✓ Backed up $file to $backup"
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to configure passwordless sudo
|
||||
configure_passwordless_sudo() {
|
||||
echo ""
|
||||
echo "1. Configuring Passwordless Sudo..."
|
||||
echo "=================================="
|
||||
|
||||
local sudoers_file="/etc/sudoers.d/99-passwordless-${TARGET_USER}"
|
||||
|
||||
# Create sudoers configuration for passwordless access
|
||||
cat > "$sudoers_file" << EOF
|
||||
# Passwordless sudo configuration for user: ${TARGET_USER}
|
||||
# Created by setup_passwordless_system.sh on $(date)
|
||||
# WARNING: This allows the user to run any command without password
|
||||
|
||||
# Allow user to run all commands without password
|
||||
${TARGET_USER} ALL=(ALL) NOPASSWD: ALL
|
||||
|
||||
# Ensure user can run sudo without TTY (useful for scripts)
|
||||
Defaults:${TARGET_USER} !requiretty
|
||||
|
||||
# Keep environment variables for user convenience
|
||||
Defaults:${TARGET_USER} env_keep += "HOME PATH DISPLAY XAUTHORITY"
|
||||
EOF
|
||||
|
||||
# Set proper permissions for sudoers file
|
||||
chmod 440 "$sudoers_file"
|
||||
|
||||
# Verify the sudoers file syntax
|
||||
if visudo -c -f "$sudoers_file"; then
|
||||
echo "✓ Passwordless sudo configured for user: $TARGET_USER"
|
||||
echo "✓ Sudoers file created: $sudoers_file"
|
||||
else
|
||||
echo "✗ Error: Invalid sudoers syntax. Removing file for safety."
|
||||
rm -f "$sudoers_file"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to configure lightdm auto-login
|
||||
configure_lightdm_autologin() {
|
||||
echo ""
|
||||
echo "2. Configuring LightDM Auto-Login..."
|
||||
echo "==================================="
|
||||
|
||||
local lightdm_conf="/etc/lightdm/lightdm.conf"
|
||||
local lightdm_conf_dir="/etc/lightdm/lightdm.conf.d"
|
||||
local custom_conf="$lightdm_conf_dir/50-autologin.conf"
|
||||
|
||||
# Create lightdm config directory if it doesn't exist
|
||||
mkdir -p "$lightdm_conf_dir"
|
||||
|
||||
# Backup existing lightdm configuration
|
||||
backup_file "$lightdm_conf"
|
||||
|
||||
# Check if lightdm is installed
|
||||
if ! command -v lightdm &> /dev/null; then
|
||||
echo "Warning: LightDM not found. Installing lightdm..."
|
||||
pacman -S --noconfirm lightdm lightdm-gtk-greeter
|
||||
fi
|
||||
|
||||
# Create auto-login configuration
|
||||
cat > "$custom_conf" << EOF
|
||||
# LightDM Auto-Login Configuration
|
||||
# Created by setup_passwordless_system.sh on $(date)
|
||||
|
||||
[Seat:*]
|
||||
# Enable auto-login
|
||||
autologin-user=${TARGET_USER}
|
||||
autologin-user-timeout=0
|
||||
autologin-session=i3
|
||||
|
||||
# Disable user switching and guest account
|
||||
allow-user-switching=false
|
||||
allow-guest=false
|
||||
|
||||
# Set session defaults
|
||||
user-session=i3
|
||||
greeter-session=lightdm-gtk-greeter
|
||||
|
||||
# Disable screen lock timeout during login
|
||||
autologin-in-background=true
|
||||
EOF
|
||||
|
||||
echo "✓ LightDM auto-login configured for user: $TARGET_USER"
|
||||
echo "✓ Configuration file created: $custom_conf"
|
||||
|
||||
# Enable lightdm service
|
||||
systemctl enable lightdm.service
|
||||
echo "✓ LightDM service enabled"
|
||||
}
|
||||
|
||||
# Function to configure i3 session
|
||||
configure_i3_session() {
|
||||
echo ""
|
||||
echo "3. Configuring i3 Session..."
|
||||
echo "==========================="
|
||||
|
||||
local xsessions_dir="/usr/share/xsessions"
|
||||
local i3_desktop="$xsessions_dir/i3.desktop"
|
||||
|
||||
# Create xsessions directory if it doesn't exist
|
||||
mkdir -p "$xsessions_dir"
|
||||
|
||||
# Check if i3.desktop exists, create if not
|
||||
if [[ ! -f "$i3_desktop" ]]; then
|
||||
cat > "$i3_desktop" << EOF
|
||||
[Desktop Entry]
|
||||
Name=i3
|
||||
Comment=improved dynamic tiling window manager
|
||||
Exec=i3
|
||||
TryExec=i3
|
||||
Type=Application
|
||||
X-LightDM-DesktopName=i3
|
||||
DesktopNames=i3
|
||||
Keywords=tiling;wm;windowmanager;window;manager;
|
||||
EOF
|
||||
echo "✓ Created i3 desktop session file: $i3_desktop"
|
||||
else
|
||||
echo "✓ i3 desktop session file already exists"
|
||||
fi
|
||||
|
||||
# Ensure user has i3 config directory
|
||||
local user_home="/home/${TARGET_USER}"
|
||||
local i3_config_dir="$user_home/.config/i3"
|
||||
|
||||
if [[ ! -d "$i3_config_dir" ]]; then
|
||||
sudo -u "$TARGET_USER" mkdir -p "$i3_config_dir"
|
||||
echo "✓ Created i3 config directory for user: $TARGET_USER"
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to configure additional auto-login settings
|
||||
configure_additional_settings() {
|
||||
echo ""
|
||||
echo "4. Configuring Additional Settings..."
|
||||
echo "===================================="
|
||||
|
||||
# Add user to autologin group if it exists
|
||||
if getent group autologin &> /dev/null; then
|
||||
usermod -a -G autologin "$TARGET_USER"
|
||||
echo "✓ Added $TARGET_USER to autologin group"
|
||||
else
|
||||
# Create autologin group
|
||||
groupadd -r autologin
|
||||
usermod -a -G autologin "$TARGET_USER"
|
||||
echo "✓ Created autologin group and added $TARGET_USER"
|
||||
fi
|
||||
|
||||
# Configure pam for auto-login (if needed)
|
||||
local pam_lightdm="/etc/pam.d/lightdm-autologin"
|
||||
if [[ ! -f "$pam_lightdm" ]]; then
|
||||
cat > "$pam_lightdm" << EOF
|
||||
#%PAM-1.0
|
||||
# LightDM auto-login PAM configuration
|
||||
# Created by setup_passwordless_system.sh on $(date)
|
||||
|
||||
auth required pam_unix.so nullok
|
||||
auth optional pam_permit.so
|
||||
auth optional pam_gnome_keyring.so
|
||||
account include system-local-login
|
||||
password include system-local-login
|
||||
session include system-local-login
|
||||
session optional pam_gnome_keyring.so auto_start
|
||||
EOF
|
||||
echo "✓ Created PAM configuration for auto-login"
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to test configurations
|
||||
test_configurations() {
|
||||
echo ""
|
||||
echo "5. Testing Configurations..."
|
||||
echo "==========================="
|
||||
|
||||
# Test sudo configuration
|
||||
echo "Testing passwordless sudo..."
|
||||
if sudo -u "$TARGET_USER" sudo -n true 2>/dev/null; then
|
||||
echo "✓ Passwordless sudo test passed"
|
||||
else
|
||||
echo "! Passwordless sudo test failed (may require logout/login)"
|
||||
fi
|
||||
|
||||
# Test lightdm configuration
|
||||
echo "Testing LightDM configuration..."
|
||||
if lightdm --test-mode --debug 2>/dev/null | grep -q "seat"; then
|
||||
echo "✓ LightDM configuration test passed"
|
||||
else
|
||||
echo "! LightDM configuration test completed (check logs if issues occur)"
|
||||
fi
|
||||
|
||||
# Verify user is in autologin group
|
||||
if groups "$TARGET_USER" | grep -q autologin; then
|
||||
echo "✓ User is in autologin group"
|
||||
else
|
||||
echo "! User may not be in autologin group"
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to show security warnings
|
||||
show_security_warnings() {
|
||||
echo ""
|
||||
echo "⚠️ SECURITY WARNINGS ⚠️"
|
||||
echo "========================"
|
||||
echo ""
|
||||
echo "The following security changes have been made:"
|
||||
echo ""
|
||||
echo "1. PASSWORDLESS SUDO:"
|
||||
echo " • User '$TARGET_USER' can now run ANY command as root without password"
|
||||
echo " • This includes system-critical operations and file modifications"
|
||||
echo " • Malicious software running as this user can gain full system access"
|
||||
echo ""
|
||||
echo "2. AUTO-LOGIN:"
|
||||
echo " • System automatically logs in user '$TARGET_USER' on boot"
|
||||
echo " • No password required to access the desktop environment"
|
||||
echo " • Physical access to the machine = full user access"
|
||||
echo ""
|
||||
echo "3. RECOMMENDATIONS:"
|
||||
echo " • Use full disk encryption to protect against physical access"
|
||||
echo " • Ensure the system is in a physically secure location"
|
||||
echo " • Consider using this only on personal/development machines"
|
||||
echo " • Regularly monitor system logs for unauthorized access"
|
||||
echo " • Keep the system updated and use a firewall"
|
||||
echo ""
|
||||
echo "4. TO DISABLE THESE SETTINGS:"
|
||||
echo " • Remove passwordless sudo: sudo rm /etc/sudoers.d/99-passwordless-${TARGET_USER}"
|
||||
echo " • Disable auto-login: sudo rm /etc/lightdm/lightdm.conf.d/50-autologin.conf"
|
||||
echo " • Restart LightDM: sudo systemctl restart lightdm"
|
||||
echo ""
|
||||
}
|
||||
|
||||
# Function to show final instructions
|
||||
show_final_instructions() {
|
||||
echo ""
|
||||
echo "=========================================="
|
||||
echo "Passwordless System Setup Complete"
|
||||
echo "=========================================="
|
||||
echo "Summary:"
|
||||
echo "✓ Passwordless sudo configured for user: $TARGET_USER"
|
||||
echo "✓ LightDM auto-login configured"
|
||||
echo "✓ i3 session configured"
|
||||
echo "✓ Additional auto-login settings applied"
|
||||
echo ""
|
||||
echo "Changes will take effect after:"
|
||||
echo "• Logout/login for sudo changes"
|
||||
echo "• System reboot for auto-login"
|
||||
echo ""
|
||||
echo "To verify after reboot:"
|
||||
echo " sudo whoami # Should not ask for password"
|
||||
echo " systemctl status lightdm # Should show auto-login active"
|
||||
echo ""
|
||||
echo "Configuration files created:"
|
||||
echo " /etc/sudoers.d/99-passwordless-${TARGET_USER}"
|
||||
echo " /etc/lightdm/lightdm.conf.d/50-autologin.conf"
|
||||
echo " /etc/pam.d/lightdm-autologin"
|
||||
echo ""
|
||||
echo "IMPORTANT: Reboot recommended to activate all changes!"
|
||||
}
|
||||
|
||||
# Main execution
|
||||
configure_passwordless_sudo
|
||||
configure_lightdm_autologin
|
||||
configure_i3_session
|
||||
configure_additional_settings
|
||||
test_configurations
|
||||
show_security_warnings
|
||||
show_final_instructions
|
||||
|
||||
echo ""
|
||||
echo "Would you like to reboot now to activate all changes?"
|
||||
read -p "Reboot system now? (y/N): " -n 1 -r
|
||||
echo
|
||||
|
||||
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
||||
echo "Rebooting system in 5 seconds..."
|
||||
sleep 5
|
||||
reboot
|
||||
else
|
||||
echo "Remember to reboot when convenient to activate all changes."
|
||||
fi
|
||||
Loading…
Reference in New Issue
Block a user