security stuff

diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end
index 0204ce50025bd3312267c7bed58c2382c17413a2..57b71159f62352228b8f53f28fb0b3ae89e138f8 100755 (executable)
--- a/fai/config/distro-install-common/end
+++ b/fai/config/distro-install-common/end
@@ -80,10 +80,31 @@ echo "fs.inotify.max_user_watches = 50000" >> $f
 # applies it. it would be also be applied after a reboot
 $ROOTCMD sysctl --system
 
+cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
+Defaults timestamp_timeout=1440
+# used in bashrc
+Defaults  env_keep += SUDOD
+# always_set_home
+# makes ubuntu be like debian
+# https://unix.stackexchange.com/a/91572
+Defaults always_set_home
+# umask: default setting is to have  minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
+# i use sudo in cronjobs, it spams the logs rather uselessly
+# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
+Defaults:root,iank !log_allowed, !pam_session
+# for just the root user, set some env vars
+Defaults>root env_file=/etc/rootsudoenv
+EOF
+
+# remove old config line. can be removed eventually.
 f=$target/etc/sudoers
 line='iank  ALL=(ALL)  NOPASSWD: ALL'
-if [[ ! -e $f ]] || ! grep -xF "$line" $f; then
-  echo "$line" >> $f
+if grep -qxF "$line" $f; then
+  sed -i "/^$line/d" $f
 fi
 
 

diff --git a/fai/config/scripts/GRUB_PC/11-iank b/fai/config/scripts/GRUB_PC/11-iank
index 4ef74c38278b2e02c4aba688b242b1490af30cf0..5e74374c4f60446dee6a66627299032c738d9504 100755 (executable)
--- a/fai/config/scripts/GRUB_PC/11-iank
+++ b/fai/config/scripts/GRUB_PC/11-iank
@@ -350,9 +350,9 @@ f=/etc/ssh/sshd_config
 grep -xFq "$line" $f || tee -a $f <<<"$line"
 
 
-# default debian groups (jessie through buster) + adm, sudo, root
-for g in cdrom floppy audio dip video plugdev netdev adm sudo; do
-  if getent gropu $g >/dev/null; then
+# default debian groups (jessie through buster) + adm, sudo, root, admin
+for g in cdrom floppy audio dip video plugdev netdev adm sudo admin; do
+  if getent group $g >/dev/null; then
     usermod -aG $g iank
   fi
 done

diff --git a/wrt-setup b/wrt-setup
index db7f5c92ac4e7d94e23268148a0064e6bcd71d0b..01c270515ab868c416fd4647e0a6e6c157ed15f0 100755 (executable)
--- a/wrt-setup
+++ b/wrt-setup
@@ -19,6 +19,8 @@
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
 x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*}
 
 usage() {
@@ -74,7 +76,7 @@ scp /a/work/libremanage/libremanage /a/bin/fai/wrt-init /a/bin/fai/wrt-setup-loc
 
 #/a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk \
 
-sudo scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \
+scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \
      /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h:
 scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys