[openssh-commits] [openssh] 02/02: Restore nopasswd sudo rule on Mac OS X.

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Oct 30 16:15:27 AEDT 2023


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 917ba181c2cbdb250a443589ec732aa36fd51ffa
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Mon Oct 30 13:32:03 2023 +1100

    Restore nopasswd sudo rule on Mac OS X.
    
    This seems to be missing from some (but not all) github runners, so
    restore it if it seems to be missing.
---
 .github/setup_ci.sh | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
index de10857d..d0ba7b47 100755
--- a/.github/setup_ci.sh
+++ b/.github/setup_ci.sh
@@ -29,18 +29,30 @@ TARGETS=$@
 INSTALL_FIDO_PPA="no"
 export DEBIAN_FRONTEND=noninteractive
 
-set -ex
+set -e
 
 if [ -x "`which lsb_release 2>&1`" ]; then
 	lsb_release -a
 fi
 
-# Ubuntu 22.04 defaults to private home dirs which prevent the
-# agent-getpeerid test from running ssh-add as nobody.  See
-# https://github.com/actions/runner-images/issues/6106
-if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
-	echo ~ is not executable by nobody, adding perms.
-	chmod go+x ~
+if [ ! -z "$SUDO" ]; then
+	# Ubuntu 22.04 defaults to private home dirs which prevent the
+	# agent-getpeerid test from running ssh-add as nobody.  See
+	# https://github.com/actions/runner-images/issues/6106
+	if ! "$SUDO" -u nobody test -x ~; then
+		echo ~ is not executable by nobody, adding perms.
+		chmod go+x ~
+	fi
+	# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
+	# sudo still works, but sudo -u doesn't.  Restore the sudo rule.
+	if ! "$SUDO" grep  -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
+		echo "Restoring runner nopasswd rule to sudoers."
+		echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
+	fi
+	if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
+		echo "Still can't sudo to nobody."
+		exit 1
+	fi
 fi
 
 if [ "${TARGETS}" = "kitchensink" ]; then
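Review bot: The added check `"$SUDO" grep  -E 'runner.*NOPASSWD' /etc/passwd` searches the password database rather than the sudoers policy, so it will presumably never match and `runner ALL=(ALL) NOPASSWD: ALL` is appended to /etc/sudoers on every run; it should read `if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/sudoers >/dev/null; then`. The block also runs on any platform where `$SUDO` is set, not only the Mac OS X runners the comment names, so gating it on `[ "$(uname -s)" = "Darwin" ]` would keep the blanket rule off the Linux runners. Appending with `tee -a` skips syntax validation, and a malformed sudoers file disables sudo entirely; writing the rule to a separate file and checking it with `visudo -cf` before installing it is safer. `$SUDO` is unquoted on the `tee` line, unlike its other uses in the hunk.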
