Checking server user permissions to use sudo (#1442)

* Username if whoami returns an error Сommand to use home directory name if whoami returns error or is missing for prepare_host.sh. * Update check_user_in_sudo.sh Сommand to use home directory name if whoami returns error or is missing for check_user_in_sudo.sh. Checking server user permissions to use sudo using a package manager or using uname. Сhecking and redefining the system language. Checking requirements for sudo users or root in script. * Cases have been changed and added. Changed description of the “Server User Not In Sudo” case. Corrected the name and description of the "ServerPacketManagerError" case. Packet to Package. Adding a "SudoPackageIsNotPreinstalled" case. Adding a "ServerUserNotAllowedInSudoers" case. Adding a "ServerUserPasswordRequired" case. * Serves errors have been changed and added. Corrected the name of the "ServerPacketManagerError" error to "ServerPackageManagerError". Adding a "SudoPackageIsNotPreinstalled" error. Adding a "ServerUserNotAllowedInSudoers" error. Adding a "ServerUserPasswordRequired" error. * Return ServerPacketManagerError Return to the name "ServerPacketManagerError". * Added errors handling Added new errors' handling to serverController.cpp. Permission checks are also performed for the root user. * Update translations Updating translations for two existing server errors. * Myanmar translation update * Update for my_MM.ts * checking for not allowed Checking for "not allowed" in stdOut * Removed "not allowed" Removed check for "not allowed" in stdOut * Removed nested launch Removed nested launch via sudo * Returned nested launch Returned nested launch via sudo * All checks with sudo Both checks with sudo always run. * Moved removing timestamp sudo Removing the sudo timestamp is done every time. * Checking the user directory Checking the accessibility of the user's home directory * Polishing Изменение порядка обработки ошибок. * changing detection order change the order of detection of inconsistencies: 1. sudo not preinstalled. (if user != root) 2. user not in sudo or wheel group. (if user != root) 3. user's directory is not accessible. (for all) 4. user not allowed in sudoers. (for all) 5. user password required. (for all) * Packet to Package * chore: bump version (#1463) * fix for sh (#1462) Fix for servers where sh is used as default shell. * Username if whoami returns an error Сommand to use home directory name if whoami returns error or is missing for prepare_host.sh. * Update check_user_in_sudo.sh Сommand to use home directory name if whoami returns error or is missing for check_user_in_sudo.sh. Checking server user permissions to use sudo using a package manager or using uname. Сhecking and redefining the system language. Checking requirements for sudo users or root in script. * Cases have been changed and added. Changed description of the “Server User Not In Sudo” case. Corrected the name and description of the "ServerPacketManagerError" case. Packet to Package. Adding a "SudoPackageIsNotPreinstalled" case. Adding a "ServerUserNotAllowedInSudoers" case. Adding a "ServerUserPasswordRequired" case. * Serves errors have been changed and added. Corrected the name of the "ServerPacketManagerError" error to "ServerPackageManagerError". Adding a "SudoPackageIsNotPreinstalled" error. Adding a "ServerUserNotAllowedInSudoers" error. Adding a "ServerUserPasswordRequired" error. * Return ServerPacketManagerError Return to the name "ServerPacketManagerError". * Update translations Updating translations for two existing server errors. * Added errors handling Added new errors' handling to serverController.cpp. Permission checks are also performed for the root user. * Myanmar translation update * Update for my_MM.ts * checking for not allowed Checking for "not allowed" in stdOut * Removed "not allowed" Removed check for "not allowed" in stdOut * Removed nested launch Removed nested launch via sudo * Returned nested launch Returned nested launch via sudo * All checks with sudo Both checks with sudo always run. * Moved removing timestamp sudo Removing the sudo timestamp is done every time. * Checking the user directory Checking the accessibility of the user's home directory * Polishing Изменение порядка обработки ошибок. * changing detection order change the order of detection of inconsistencies: 1. sudo not preinstalled. (if user != root) 2. user not in sudo or wheel group. (if user != root) 3. user's directory is not accessible. (for all) 4. user not allowed in sudoers. (for all) 5. user password required. (for all) * Undoing unintended changes Undoing unintended changes. * Undoing unintended change Undoing unintended change. * not allowed to use sudo The user is not allowed to use sudo on this server. * Capital letters in the error Capital letters in the error description. --------- Co-authored-by: albexk <albexk@proton.me>
2025-03-14 17:39:58 +04:00 · 2025-03-14 17:39:58 +04:00 · b3ff120bcf
commit b3ff120bcf
parent 9dea98f020
14 changed files with 66 additions and 43 deletions
--- a/client/core/controllers/serverController.cpp
+++ b/client/core/controllers/serverController.cpp
@ -709,7 +709,7 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential
    QString transportProto = containerConfig.value(config_key::transport_proto).toString(defaultTransportProto);

    // TODO reimplement with netstat
-    QString script = QString("which lsof > /dev/null 2>&1 || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
+    QString script = QString("which lsof &>/dev/null || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
    for (auto &port : fixedPorts) {
        script = script.append("|:%1").arg(port);
    }
@ -757,10 +757,6 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential

 ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, DockerContainer container)
 {
-    if (credentials.userName == "root") {
-        return ErrorCode::NoError;
-    }
-
    QString stdOut;
    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
        stdOut += data + "\n";
@ -774,8 +770,16 @@ ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, D
    const QString scriptData = amnezia::scriptData(SharedScriptType::check_user_in_sudo);
    ErrorCode error = runScript(credentials, replaceVars(scriptData, genVarsForScript(credentials)), cbReadStdOut, cbReadStdErr);

-    if (!stdOut.contains("sudo"))
+    if (credentials.userName != "root" && stdOut.contains("sudo:") && !stdOut.contains("uname:") && stdOut.contains("not found"))
+        return ErrorCode::SudoPackageIsNotPreinstalled;
+    if (credentials.userName != "root" && !stdOut.contains("sudo") && !stdOut.contains("wheel"))
        return ErrorCode::ServerUserNotInSudo;
+    if (stdOut.contains("can't cd to") || stdOut.contains("Permission denied") || stdOut.contains("No such file or directory"))
+        return ErrorCode::ServerUserDirectoryNotAccessible;
+    if (stdOut.contains("sudoers") || stdOut.contains("is not allowed to run sudo on"))
+        return ErrorCode::ServerUserNotAllowedInSudoers;
+    if (stdOut.contains("password is required"))
+        return ErrorCode::ServerUserPasswordRequired;

    return error;
 }
--- a/client/core/defs.h
+++ b/client/core/defs.h
@ -54,6 +54,10 @@ namespace amnezia
        ServerCancelInstallation = 204,
        ServerUserNotInSudo = 205,
        ServerPacketManagerError = 206,
+        SudoPackageIsNotPreinstalled = 207,
+        ServerUserDirectoryNotAccessible = 208,
+        ServerUserNotAllowedInSudoers = 209,
+        ServerUserPasswordRequired = 210,

        // Ssh connection errors
        SshRequestDeniedError = 300,
--- a/client/core/errorstrings.cpp
+++ b/client/core/errorstrings.cpp
@ -20,8 +20,12 @@ QString errorString(ErrorCode code) {
    case(ErrorCode::ServerContainerMissingError): errorMessage = QObject::tr("Server error: Docker container missing"); break;
    case(ErrorCode::ServerDockerFailedError): errorMessage = QObject::tr("Server error: Docker failed"); break;
    case(ErrorCode::ServerCancelInstallation): errorMessage = QObject::tr("Installation canceled by user"); break;
-    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user does not have permission to use sudo"); break;
-    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Packet manager error"); break;
+    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user is not a member of the sudo group"); break;
+    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Package manager error"); break;
+    case(ErrorCode::SudoPackageIsNotPreinstalled): errorMessage = QObject::tr("The sudo package is not pre-installed"); break;
+    case(ErrorCode::ServerUserDirectoryNotAccessible): errorMessage = QObject::tr("The server user's home directory is not accessible"); break;
+    case(ErrorCode::ServerUserNotAllowedInSudoers): errorMessage = QObject::tr("Action not allowed in sudoers"); break;
+    case(ErrorCode::ServerUserPasswordRequired): errorMessage = QObject::tr("The user's password is required"); break;

    // Libssh errors
    case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;