- NVIDIA CUDA extrepo refactor in `modules/gpu/nvidia.sh`: removed unnecessary `i386_active` lines, updated warning to reference `v590 (unified metapackage)`, simplified installation from 18+10 versioned packages → `nvidia-driver-pinning-590 nvidia-driver firmware-nvidia-gsp`, eliminated `apt-mark hold` since pinning packages now handle it. DKMS verification and `NVIDIA_DRIVER_MODE="cuda-repo"` preserved. - CUDA repo case fix in `modules/gaming.sh`: replaced silent bypass with detection of `nvidia-driver-libs:i386` v590 installation; if missing, prompts user confirmation before installing via active CUDA repo + pinning. - Palemoon internet module overhaul (`modules/extras/internet/internet.sh`): removed deprecated `_enable_palemoon_repo()`, created new `install_palemoon()` with AVX2→AVX→SSE2 CPU detection from `/proc/cpuinfo`, proper `extrepo enable` call, and package installation. - ProtonVPN module rewrite (`modules/extras/internet/internet.sh`): removed broken `_enable_protonvpn_repo()` that failed due to missing suite; created new `install_protonvpn()` using `stable` suite + `proton-vpn-gtk-app` package with proper validation. - Java/Minecraft rename across `modules/gaming.sh` and `modules/extras/java.sh`: renamed `_install_gaming_java()` → `install_minecraft_java()`, updated menu title from "Java Runtimes for Gaming" to "Java Runtimes for Minecraft", changed whiptail tag from `"java-jre"` to `"java"`. - RetroArch + 4 classic cores (`modules/gaming/tools.sh` and `.sh`): added RetroArch entry to gaming menu, new case handler in `gaming.sh`, updated installation command to include `libretro-mgba libretro-snes9x libretro-nestopia libretro-gambatte`, enhanced notice with emojis, core enumeration, DFSG warning, and wiki link. - OnlyOffice server status (`modules/extras/office/office.sh`): added fallback message for slow or down OnlyOffice servers to improve user experience during installation. - Full syntax validation: all modified files pass `bash -n` without errors; no residual references to old variables (`i386_active`, `590.48.01`) or functions remain. - Documentation about Debian and the script is added to supplement important information. - update README.md
7.8 KiB
Option 2: User Privileges & Feedback
1. What does this component do?
This component serves as a centralized utility suite designed to streamline administrative access, enhance usability during system maintenance, and correct common permission inconsistencies found in fresh Debian installations or environments where sudo usage has been mishandled. It acts as an automated "First-Time User" setup tool that bridges the gap between strict Linux security policies (where standard users cannot modify system files) and practical daily workflow needs (such as installing software without constant password prompts).
At a high level, it manages four critical aspects of user privilege:
- Elevated Permissions: Ensures the current user has membership in the
sudogroup. - Workflow Efficiency: Configures specific commands to run without authentication (NOPASSWD) for maintenance tasks.
- Data Integrity: Repairs ownership issues on the home directory caused by accidental root-level file creation.
- User Experience: Modifies terminal behavior during password entry to provide visual feedback.
2. What exactly does it do and why
The script executes a sub-menu loop that allows the user to toggle between four distinct configurations. Each option addresses a specific pain point in Linux administration:
-
Sudo Group Membership (Option 1):
- Action: Checks if the current username exists within the
/etc/groupfile under thesudogroup entry. If absent, it adds the user viausermod -aG sudo. - Why: By default, Debian creates a standard user without administrative rights to prevent accidental system damage. This ensures the user can execute privileged commands (
sudo) immediately after installation or recovery.
- Action: Checks if the current username exists within the
-
Passwordless Sudo (Option 2):
- Action: Creates an isolated configuration file in
/etc/sudoers.d/containingNOPASSWDrules for specific binaries (e.g.,/usr/bin/apt,/sbin/reboot). It enforces strict path matching to prevent privilege escalation risks. - Why: Frequent password prompts interrupt workflows during updates or system reboots. This allows automation and quick access for maintenance tasks without compromising security on other commands.
- Action: Creates an isolated configuration file in
-
Repair Home Directory Ownership (Option 3):
- Action: Scans the user's home directory (
/home/$USER) to verify if files are owned byroot(UID 0) instead of the user. If a mismatch is found, it recursively resets ownership viachown -R. - Why: Misconfigured file permissions often occur when users attempt to fix issues using root privileges directly in their home folders. This restores data integrity so applications can read/write their own configuration files without permission errors.
- Action: Scans the user's home directory (
-
Sudo Password Feedback (Option 4):
- Action: Toggles the
Defaults pwfeedbackdirective within a dedicated sudoers file. When enabled, typing a password displays asterisks (****) instead of being hidden. - Why: Linux terminals hide input by default to prevent shoulder surfing. This option improves usability for users who need visual confirmation that their keystrokes are registering correctly, reducing the risk of typos in complex passwords.
- Action: Toggles the
3. The Logical Decision Tree (Step-by-Step)
The execution flow is governed by sudo_config.sh, which acts as a state machine within the main menu loop. Below is the chronological logic for each option:
Entry Point:
- The script enters the
config_sudo()function and loops until the user selects "Back to main menu". - It presents a Whiptail menu with options 1–5.
Option 1: Sudo Group Membership (_check_sudo_group)
- Step A: Execute
groups "$USER"via pipe to grep for\bsudo\b. - Decision:
- If Match: Display success message ("User is already in sudo group"). Exit function.
- If No Match: Prompt user with a confirmation dialog asking if they want to add the user to the
sudogroup.- On Confirm: Execute
sudo usermod -aG sudo "$USER". If successful, display message instructing logout/login for changes to take effect. If failure, log error and return status 1.
- On Confirm: Execute
Option 2: Passwordless Sudo (_configure_nopasswd)
- Step A: Check if
/etc/sudoers.d/${USER}-nopasswdexists.- If Exists: Prompt to remove the configuration (restore password prompts). If confirmed, delete file and notify success. Return function.
- If Not Exists: Prompt user to configure NOPASSWD for maintenance commands.
- On Confirm: Display a checklist menu allowing selection of
apt,systemctl, orpowercommands.
- On Confirm: Display a checklist menu allowing selection of
- Step B: Process selected commands:
- Construct the content string based on selections, explicitly defining paths (e.g.,
/usr/bin/apt,/sbin/shutdown) to ensure compatibility across Debian versions.
- Construct the content string based on selections, explicitly defining paths (e.g.,
- Step C: Write configuration:
- Pipe content to
sudo tee /etc/sudoers.d/${USER}-nopasswd. - Set file permissions to
0440(readable only by root and owner). - Notify success or failure.
- Pipe content to
Option 3: Repair Home Directory Ownership (_repair_home_ownership)
- Step A: Resolve the absolute path of
$HOME. If directory does not exist, notify error and return status 1. - Step B: Retrieve User ID (UID) using
id -u "$USER". - Step C: Check current owner UID of
$HOMEusingstat -c '%u'.- If Match: Notify that ownership is correct and exit.
- If Mismatch: Identify the expected username for the conflicting UID. Prompt user to confirm repair.
- On Confirm: Execute
sudo chown -R "$USER:$USER" "$home". If successful, notify success. If failure, log error and return status 1.
- On Confirm: Execute
Option 4: Sudo Password Feedback (_toggle_pwfeedback)
- Step A: Check if
/etc/sudoers.d/pwfeedbackexists.- If Exists: Prompt to disable asterisks (restore hidden input). If confirmed, delete file and notify success. Return function.
- If Not Exists: Prompt user to enable visual feedback.
- On Confirm: Write
Defaults pwfeedbackto/etc/sudoers.d/pwfeedback.
- On Confirm: Write
- Step B: Verify write permission. If successful, notify success; otherwise, log error and return status 1.
4. Compatibility with all Debian
This module is designed for universal compatibility across the Debian family (Bullseye, Bookworm, Trixie, etc.) due to its reliance on standard POSIX-compliant tools and strict path handling.
- Architecture Independence: The script utilizes
usermod,chown, andgrepwhich are available on all x86_64, arm64, and i386 Debian architectures. - Version Agnosticism (Debian 11+):
- Sudoers Syntax: The script writes to
/etc/sudoers.d/, a directory introduced insudoversion 1.9.0p5 (available since Debian 7). It avoids editing the master file (/etc/sudoers) directly, preventing lockfile issues and syntax errors regardless of the specific Debian version's sudo configuration style. - Path Hardening: The NOPASSWD logic explicitly includes both
/usr/binand/binpaths for commands likeapt. This ensures that on older Debian versions (e.g., Bullseye) where binaries might reside in different locations or symlinks differ, the permissions remain valid.
- Sudoers Syntax: The script writes to
- Security Best Practices: By isolating configurations into separate files (
/etc/sudoers.d/) and setting restrictive permissions (0440), it adheres to Debian's security guidelines forsudo. This ensures that even on older systems with stricter default policies, the configuration is accepted without requiring a full system reboot or sudo upgrade. - Importance: Consistent behavior across versions means users can migrate between Debian releases (e.g., from 11 to 12) without needing to manually reconfigure these specific privileges, ensuring a stable and secure environment regardless of the underlying OS version.