Private/AddMySudoPwd.ps1
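<#
.SYNOPSIS
    Removes the entry in /etc/sudoers.d/pwsh-nosudo.conf that lets the current
    user run 'sudo pwsh' without entering a sudo password, so the account is
    prompted for a password again.

.DESCRIPTION
    Determines the current user's sudo status with GetMySudoStatus. Because
    GetMySudoStatus cannot be run as root, an already-elevated session re-runs
    it as the user named in $env:SUDO_USER. A small script is then executed
    under 'sudo pwsh' that drops every line matching the user's
    'ALL=(ALL) NOPASSWD: SUDO_PWSH' rule from the sudoers.d file. The edited
    content is checked with 'visudo -cf' on a temporary copy before the real
    file is overwritten, so a malformed sudoers.d file (which would disable
    sudo for everyone) is never written.

    Linux only. Outputs the string emitted by the elevated script:
    "Success", "NoChanges", "sudoConfNotFound" or "ValidationFailed".
    On failure writes an error, sets $global:FunctionResult to "1" and returns.

.EXAMPLE
    # Launch pwsh and...
    AddMySudoPwd
#>
function AddMySudoPwd {
    [CmdletBinding()]
    Param()

    #region >> Prep

    if ($PSVersionTable.Platform -ne "Unix") {
        Write-Error "This function is meant for use on Linux! Halting!"
        $global:FunctionResult = "1"
        return
    }

    # 'GetMySudoStatus' cannot be run as root, so when already elevated run it
    # again as the user who invoked sudo.
    if (GetElevation) {
        if (-not $env:SUDO_USER) {
            # Without SUDO_USER 'su -c' would default to root, which is exactly
            # the account GetMySudoStatus cannot be run under.
            Write-Error "Running as root but `$env:SUDO_USER is not set, so the invoking user cannot be determined! Halting!"
            $global:FunctionResult = "1"
            return
        }

        $GetElevationAsString = ${Function:GetElevation}.Ast.Extent.Text
        $GetMySudoStatusAsString = ${Function:GetMySudoStatus}.Ast.Extent.Text
        # Ship both function definitions plus a call into the unprivileged pwsh.
        $FinalScript = @(
            $GetElevationAsString
            $GetMySudoStatusAsString
            'GetMySudoStatus'
        ) -join "`n"
        $PwshScriptBytes = [System.Text.Encoding]::Unicode.GetBytes($FinalScript)
        $EncodedCommand = [Convert]::ToBase64String($PwshScriptBytes)
        $GetSudoStatusResult = su $env:SUDO_USER -c "pwsh -EncodedCommand $EncodedCommand" | ConvertFrom-Json
    }
    else {
        $GetSudoStatusResult = GetMySudoStatus | ConvertFrom-Json
    }

    if (-not $GetSudoStatusResult) {
        # su/pwsh produced no parseable JSON; do not guess at the sudo status.
        Write-Error "Unable to determine the sudo status of the current user on $env:HOSTNAME! Halting!"
        $global:FunctionResult = "1"
        return
    }

    if (!$GetSudoStatusResult.HasSudoPrivileges) {
        Write-Error "The user does not appear to have sudo privileges on $env:HOSTNAME! Halting!"
        $global:FunctionResult = "1"
        return
    }

    if ($GetSudoStatusResult.PasswordPrompt) {
        Write-Host "The account '$(whoami)' is already configured to prompt for a sudo password! No changes made." -ForegroundColor Green
        return
    }

    $DomainNameShort = $GetSudoStatusResult.DomainInfo.DomainNameShort
    $UserNameShort = $GetSudoStatusResult.DomainInfo.UserNameShort

    #endregion >> Prep

    #region >> Main

    $SudoConfPath = "/etc/sudoers.d/pwsh-nosudo.conf"

    # The sudoers.d line to remove. Domain accounts are written as
    # '%DOMAIN\\user' (two literal backslashes, as sudoers requires).
    if ($DomainNameShort) {
        $UserString = "%$DomainNameShort\\$UserNameShort ALL=(ALL) NOPASSWD: SUDO_PWSH"
    }
    else {
        $UserString = "$UserNameShort ALL=(ALL) NOPASSWD: SUDO_PWSH"
    }
    # Embedded as a single-quoted literal in the elevated script; double any
    # embedded single quote so the generated code stays well-formed.
    $UserStringLiteral = $UserString.Replace("'", "''")

    # Script run under 'sudo pwsh'. It writes exactly one status string to
    # stdout, which becomes $Result below.
    $EditSudoersdFilePrep = @(
        "`$UserStringRegex = [regex]::Escape('$UserStringLiteral')"
        "`$SudoConfPath = '$SudoConfPath'"
        'try {'
        '    if (!(Test-Path $SudoConfPath)) {'
        '        "sudoConfNotFound"'
        '        return'
        '    }'
        '    [string[]]$Original = @(Get-Content $SudoConfPath)'
        '    # Filter rather than ArrayList.Remove(): -match on an array returns an'
        '    # array, which Remove() never finds, so the line was silently kept.'
        '    [string[]]$Remaining = @($Original | Where-Object { $_ -notmatch $UserStringRegex })'
        '    if ($Remaining.Count -eq $Original.Count) {'
        '        "NoChanges"'
        '        return'
        '    }'
        '    # Validate the new content on a temporary copy first: a broken'
        '    # sudoers.d file disables sudo entirely. visudo skips the'
        '    # owner/mode checks when given an explicit file with -f.'
        '    $TempConf = [System.IO.Path]::GetTempFileName()'
        '    try {'
        '        Set-Content -Path $TempConf -Force -Value $Remaining'
        '        $null = visudo -cf $TempConf 2>$null'
        '        $Valid = ($LASTEXITCODE -eq 0)'
        '    }'
        '    finally {'
        '        Remove-Item -Path $TempConf -Force -ErrorAction SilentlyContinue'
        '    }'
        '    if (-not $Valid) {'
        '        "ValidationFailed"'
        '        return'
        '    }'
        '    Set-Content -Path $SudoConfPath -Force -Value $Remaining'
        '    "Success"'
        '}'
        'catch {'
        '    Write-Error $_'
        '    $global:FunctionResult = "1"'
        '    return'
        '}'
    )
    $EditSudoersdFile = $EditSudoersdFilePrep -join "`n"
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($EditSudoersdFile)
    $EncodedCommand = [Convert]::ToBase64String($Bytes)
    $Result = sudo pwsh -EncodedCommand $EncodedCommand

    if (!$Result) {
        # The elevated script emits nothing on stdout only when it hit its catch
        # block (the error itself went to stderr).
        Write-Error "There was an issue checking/updating '$SudoConfPath'! Please review. Halting!"
        $global:FunctionResult = "1"
        return
    }

    $Result

    #endregion >> Main
}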