From 264d1d49315916ff036226d4ad3bafcec9d7fce3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=C3=A4tzold?=
Date: Mon, 16 Mar 2026 11:53:31 +0100
Subject: [PATCH] Different behaviour of "sudo -l" checks Better shebangs
---
 .../create_nc_package_from_sys_config.sh | 2 +-
 system_setup/logon_script.sh | 43 +++++++++++++------
 system_setup/mount_ecrypt_home.sh | 2 +-
 system_setup/mozilla_starter.sh | 2 +-
 system_setup/pack_skel.sh | 2 +-
 system_setup/setup_skel.sh | 2 +-
 system_setup/setup_system.inc.sh | 3 +-
 system_setup/setup_system_full.sh | 2 +-
 system_setup/sync_client_software.sh | 2 +-
 9 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/system_setup/create_nc_package_from_sys_config.sh b/system_setup/create_nc_package_from_sys_config.sh
index ea37c6b..1247606 100755
--- a/system_setup/create_nc_package_from_sys_config.sh
+++ b/system_setup/create_nc_package_from_sys_config.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 source $(dirname "$0")/setup_system.inc.sh
 mkdir -p ${HOME}/temp
 cd ${SYSCONFIGPATH}
diff --git a/system_setup/logon_script.sh b/system_setup/logon_script.sh
index 608a26b..0bf858c 100755
--- a/system_setup/logon_script.sh
+++ b/system_setup/logon_script.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
@@ -56,30 +56,47 @@ elog_add "Update and install client software"
 # First, check the sudo rule
 elog_add "Check the matching client rule:"
-#Somewhat strange sudo -l will ask for password instead of just checking if the rule can be found, so it needs -n to be silent
+#Somewhat strange "sudo -l" will *sometimes* ask for password instead of just checking if the rule can be found, so it needs -n to be silent
 # The behaviour will be:
+# A. If "sudo -l" wants a password (some installations!):
 # If a matching rule with !authenticate is found, no passwd will be asked and retno is 0
 # If there is a rule matching with no !authenticate, then a password would be asked. This is prevented, so there will only be the
 # error "a password is needed" an retno is 1
 # If there is no sudo rule at all, it will only set retno to 1
-elog_add_command "/usr/bin/sudo -n -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
+#-> Anyway, returning > 0 means the user is not allowed to run sw installation, which is fine. Print Message and skip installation.
+#
+# B. If "sudo -l" doesn't not want a password, then
+# RETNO = 0 , but the Output of "sudo -l -l" must als be checked, if there is an Option !authenticate in the returnung string, otherwise a failed installation cannot be
+# divided from a missing sudo-rule
+#
+elog_add_command "/usr/bin/sudo -n -l -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
 if [[ $RETNO -ne 0 ]]; then
 elog_add "Error was no $RETNO"
 elog_add "No matching IPA rule found for this user, so the user is not allowed to install software, skipping this."
 elog_add "If you want to change: Please check the sudo rules in ipa and your group membership."
 elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
 elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
+ elog_add "Skipping SW Install."
 else
- elog_add "Matching Sudo rule found."
- elog_add ""
- elog_add "Running client software install..."
- elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install"
- #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
- #ERR=$?
- if [[ $RETNO -ne 0 ]]; then
- elog_add "Errorcode was $RETNO"
- elog_add "Error executing software sync and install, please check your output!"
- echo "Press any key to continue" && read -n 1 -s -r && exit 1
+ # Check, if the rule is with Option !authenticate
+ if [[ $RETTXT != *"!authenticate"* ]]; then
+ elog_add "The above IPA rule found for this user and the install script, but it has not the right options to be executed without password."
+ elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
+ elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
+ elog_add "Skipping SW Install."
+ else
+ # Rule seems to be ok, executing script
+ elog_add "Matching Sudo rule found."
+ elog_add ""
+ elog_add "Running client software install..."
+ elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install"
+ #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
+ #ERR=$?
+ if [[ $RETNO -ne 0 ]]; then
+ elog_add "Errorcode was $RETNO"
+ elog_add "Error executing software sync and install, please check your output!"
+ echo "Press any key to continue" && read -n 1 -s -r && exit 1
+ fi
 fi
 fi
 echo ""
diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh
index ebf7eba..e881fbd 100755
--- a/system_setup/mount_ecrypt_home.sh
+++ b/system_setup/mount_ecrypt_home.sh
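Review bot: The new `if [[ $RETTXT != *"!authenticate"* ]]` branch keys on the text of `sudo -n -l -l <command>`, and as far as I can tell from sudoers(5), list mode with a command argument prints only the fully-qualified command and its arguments, not the rule's tags, so `RETTXT` may never contain `!authenticate` and the install would then be skipped on every host with the "not the right options" message. Please confirm on a host with a known-good rule; if the tags really are absent, list privileges without the command argument and filter to the rule of interest, e.g. `elog_add_command "/usr/bin/sudo -n -l -l"` followed by `RETTXT=$(printf '%s\n' "$RETTXT" | grep -F "sync_client_software.sh")`, so an unrelated rule carrying `!authenticate` elsewhere in the listing cannot satisfy the check either. Separately, `[[ … != *"…"* ]]` is a bash pattern test while this same commit moves the file to `#!/usr/bin/env sh`; on systems where `sh` is dash this is a syntax error, so either keep a bash shebang or use `case "$RETTXT" in *'!authenticate'*) … esac`. The code that sets `RETNO`/`RETTXT` (`elog_add_command`) and the script's surrounding flow are outside the hunk.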
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
diff --git a/system_setup/mozilla_starter.sh b/system_setup/mozilla_starter.sh
index 68f619c..5ff6c61 100755
--- a/system_setup/mozilla_starter.sh
+++ b/system_setup/mozilla_starter.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
diff --git a/system_setup/pack_skel.sh b/system_setup/pack_skel.sh
index 2bc1598..b7c9210 100755
--- a/system_setup/pack_skel.sh
+++ b/system_setup/pack_skel.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env sh
 source $(dirname "$0")/setup_system.inc.sh
 mv skel.tar.zst backup_skel.tar.zst
 if [ $? -eq 0 ]; then
diff --git a/system_setup/setup_skel.sh b/system_setup/setup_skel.sh
index 9068952..9d1d70a 100755
--- a/system_setup/setup_skel.sh
+++ b/system_setup/setup_skel.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # Replaces /etc/skel with the contents of skel.tar.zst
 source $(dirname "$0")/setup_system.inc.sh
 EXECDIR=$(pwd)
diff --git a/system_setup/setup_system.inc.sh b/system_setup/setup_system.inc.sh
index d9b387c..6ad41de 100644
--- a/system_setup/setup_system.inc.sh
+++ b/system_setup/setup_system.inc.sh
@@ -1,9 +1,10 @@
+#!/usr/bin/env sh
 # Includes for System Setup
 #
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
-# This is not a runnig script-file. No Logik to execute. Its used for includes in other scripts.
+# This is not a runnig script-file. No real logic to execute. Its used for includes in other scripts.
 #Check if we are root
 # Deprectaed - use if Statement itself
diff --git a/system_setup/setup_system_full.sh b/system_setup/setup_system_full.sh
index 3eb9403..f5fd39d 100755
--- a/system_setup/setup_system_full.sh
+++ b/system_setup/setup_system_full.sh
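Review bot: The pack_skel.sh shebang goes from bash to `sh`, but the next context line is `source $(dirname "$0")/setup_system.inc.sh`, and `source` is a bash/ksh builtin rather than POSIX; where `sh` is dash (Debian/Ubuntu) the script now aborts with `source: not found` before its first real command. Either keep `#!/usr/bin/env bash` for this file or use the POSIX form `. "$(dirname "$0")/setup_system.inc.sh"` (quoting the path at the same time). Other files in this patch already ran `source` under a `sh` shebang, so the issue is pre-existing there and only becomes a regression here. The rest of pack_skel.sh lies outside the hunk.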
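Review bot: The `#!/usr/bin/env sh` line added to setup_system.inc.sh has no runtime effect: the file stays mode 100644 and its own header says it is only sourced by other scripts, so the kernel never reads the shebang. If the intent is to tell a linter which dialect to check, the conventional marker is the directive `# shellcheck shell=sh` (or `shell=bash`, if the functions it defines rely on bashisms — cannot be confirmed from this hunk). While touching the header, the comment still reads `runnig` and `Its`; `running` and `It's` would be clearer. The rest of the include file is outside the hunk.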
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh
index 371a56a..52b50a9 100755
--- a/system_setup/sync_client_software.sh
+++ b/system_setup/sync_client_software.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
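Review bot: sync_client_software.sh is the script that logon_script.sh (elsewhere in this patch) runs as root via `/usr/bin/sudo -n --preserve-env …` under a rule that must carry `setenv`, and with `#!/usr/bin/env sh` the interpreter is now resolved from whatever PATH reaches `env` inside that root process rather than from a fixed path. Whether that PATH is the invoking user's depends on the sudoers `secure_path` setting, which this patch cannot guarantee; if it is not enforced, a user who places an `sh` early in their PATH gets it executed as root. For a script intended to be invoked through sudo, keep the absolute interpreter path, `#!/bin/sh`, and reserve the `env` lookup for scripts that run with the caller's own privileges. The same consideration applies to any other file here that is reachable through a sudo rule.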