user-tools/subst_sudo_user

   1 #!/bin/bash
   2
   3 true <<EOF
   4 =pod
   5
   6 =head1 NAME
   7
   8 subst_sudo_user - Sudo helper program
   9
  10 =head1 SYNOPSIS
  11
  12 subst_sudo_user <B<COMMAND>> [<B<ARGUMENTS>>]
  13
  14 Substitute literal C<$SUDO_USER> in the B<ARGUMENTS> and run B<COMMAND>.
  15
  16 =head1 RATIONALE
  17
  18 It enables sys admins to define sudoers(5) rule in which each user is allowed to
  19 call a privileged command with thier own username in parameters. Example:
  20
  21   %users ALL=(root:root) NOPASSWD: /usr/tool/subst_sudo_user passwd $SUDO_USER
  22
  23 This rule allows users to run C<subst_sudo_user> (and subsequentially
  24 passwd(1)) as root with verbatim C<$SUDO_USER> parameter. So no shell
  25 variable resolution happens so far. C<Subst_sudo_user> in turn, running
  26 as root, replaces C<$SUDO_USER> to the value of C<SUDO_USER> environment
  27 variable, which is, by sudo(1), guaranteed to be the caller username.
  28 Then it runs passwd(1) (still as root) to change the given user's
  29 password. So effectively with this rule, each user can change their
  30 password without knowing the current one first (because passwd(1)
  31 usually does not ask root for his password).
  32
  33 =head1 EXAMPLES
  34
  35   %USERS ALL=(root:root) NOPASSWD: /usr/tool/subst_sudo_user /usr/bin/install -o $SUDO_USER -m 0750 -d /var/backup/user/$SUDO_USER
  36
  37 =cut
  38
  39 EOF
  40
  41 set -e
  42 set -o pipefail
  43 set -u
  44
  45 declare -a args=()
  46
  47 shopt -u nocaseglob
  48 shopt -u nocasematch
  49
  50 while [ $# -gt 0 ]
  51 do
  52         args+=("${1//\$SUDO_USER/$SUDO_USER}")
  53         shift
  54 done
  55
  56 exec "${args[@]}"