Different behaviour of "sudo -l" checks

Better shebangs

system_setup/logon_script.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
@@ -56,30 +56,47 @@ elog_add "Update and install client software"
 
 # First, check the sudo rule
 elog_add "Check the matching client rule:"
-#Somewhat strange sudo -l will ask for password instead of just checking if the rule can be found, so it needs -n to be silent
+#Somewhat strange "sudo -l" will *sometimes* ask for password instead of just checking if the rule can be found, so it needs -n to be silent
 # The behaviour will be:
+# A. If "sudo -l" wants a password (some installations!):
 # If a matching rule with !authenticate is found, no passwd will be asked and retno is 0
 # If there is a rule matching with no !authenticate, then a password would be asked. This is prevented, so there will only be the
 # error "a password is needed" an retno is 1
 # If there is no sudo rule at all, it will only set retno to 1
-elog_add_command "/usr/bin/sudo -n -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
+#-> Anyway, returning > 0 means the user is not allowed to run sw installation, which is fine. Print Message and skip installation.
+#
+# B. If "sudo -l" doesn't not want a password, then
+# RETNO = 0 , but the Output of "sudo -l -l" must als be checked, if there is an Option !authenticate in the returnung string, otherwise a failed installation cannot be
+# divided from a missing sudo-rule
+#
+elog_add_command "/usr/bin/sudo -n -l -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
 if [[ $RETNO -ne 0 ]]; then
     elog_add "Error was no $RETNO"
     elog_add "No matching IPA rule found for this user, so the user is not allowed to install software, skipping this."
     elog_add "If you want to change: Please check the sudo rules in ipa and your group membership."
     elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
     elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
+    elog_add "Skipping SW Install."
 else
-    elog_add "Matching Sudo rule found."
-    elog_add ""
-    elog_add "Running client software install..."
-    elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install"
-    #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
-    #ERR=$?
-    if [[ $RETNO -ne 0 ]]; then
-        elog_add "Errorcode was $RETNO"
-        elog_add "Error executing software sync and install, please check your output!"
-        echo "Press any key to continue" && read -n 1 -s -r && exit 1
+    # Check, if the rule is with Option !authenticate
+    if [[ $RETTXT != *"!authenticate"* ]]; then
+        elog_add "The above IPA rule found for this user and the install script, but it has not the right options to be executed without password."
+        elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
+        elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
+        elog_add "Skipping SW Install."
+    else
+        # Rule seems to be ok, executing script
+        elog_add "Matching Sudo rule found."
+        elog_add ""
+        elog_add "Running client software install..."
+        elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install"
+        #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
+        #ERR=$?
+        if [[ $RETNO -ne 0 ]]; then
+            elog_add "Errorcode was $RETNO"
+            elog_add "Error executing software sync and install, please check your output!"
+            echo "Press any key to continue" && read -n 1 -s -r && exit 1
+        fi
     fi
 fi
 echo ""