fix(installer): fix `sudo` check for users with password or without privileges

The previous check only worked if the user could run `sudo` without typing the
password, which is almost none (I checked in Google Cloud Shell so I failed to
notice this).

This new check works whether the user has no sudo privileges, or if it has,
whether they have to type in the password or not.

It should really be easier to check if the user doesn't have privilege without
having to make them type the password.
pull/10579/head
Marc Cornellà 2022-01-11 18:56:18 +01:00
parent b7a59e6d5c
commit a0a949de56
No known key found for this signature in database
GPG Key ID: 0314585E776A9C1B
1 changed files with 32 additions and 2 deletions

View File

@ -56,6 +56,28 @@ command_exists() {
command -v "$@" >/dev/null 2>&1
}
user_can_sudo() {
# The following command has 3 parts:
#
# 1. Run `sudo` with `-v`. Does the following:
# • with privilege: asks for a password immediately.
# • without privilege: exits with error code 1 and prints the message:
# Sorry, user <username> may not run sudo on <hostname>
#
# 2. Pass `-S` to `sudo` to tell it to get the password from stdin
# instead of from a tty, and pipe `true` to `sudo`, since it doesn't
# output anything. This will make sudo exit with error code 1 and print
# the message:
# sudo: no password was provided
#
# 3. Check for the words "may not run sudo" in the output to really tell
# whether the user has privileges or not. For that we have to make sure
# to run `sudo` in the default locale (with `LANG=`) so that the message
# stays consistent regardless of the user's locale.
#
true | LANG= sudo -v -S 2>&1 | grep -q "may not run sudo"
}
# The [ -t 1 ] check only works when the function is not called from
# a subshell (like in `$(...)` or `(...)`, so this hack redefines the
# function at the top level to always return false when stdout is not
@ -360,8 +382,16 @@ EOF
echo "Changing your shell to $zsh..."
# Check if user has sudo privileges and run `chsh` or `sudo chsh`
if LANG= sudo -l -U "$USER" 2>/dev/null | grep -q "is not allowed to run"; then
# Check if user has sudo privileges to run `chsh` with or without `sudo`
#
# This allows the call to succeed without password on systems where the
# user does not have a password but does have sudo privileges, like in
# Google Cloud Shell.
#
# On systems that don't have a user with passwordless sudo, the user will
# be prompted for the password either way, so this shouldn't cause any issues.
#
if user_can_sudo; then
chsh -s "$zsh" "$USER" # run chsh normally
else
sudo -k chsh -s "$zsh" "$USER" # -k forces the password prompt