A list of scripts for my Steam Deck that I want to always run as root.
This README describes the files necessary to set up always-sudo scripts. Any other file in this gist is one of the scripts.
Makes /bin/sudo /root/ALWAYS_SUDO_SCRIPTS/run work for the deck user, without a password prompt.
This allows that specific "executable" file (bash script) to be run as root without a password prompt.
If any of /root, /root/ALWAYS_SUDO_SCRIPTS, or /root/ALWAYS_SUDO_SCRIPTS/run (or, strictly, / itself) is not owned by root:root, or is world-writable, this is a local privilege escalation vector: a user who can replace or edit any link in that chain gets root without a password. sudo does not verify the ownership or mode of the command it runs, so nothing other than you enforces this.
deck ALL=(root) NOPASSWD: /root/ALWAYS_SUDO_SCRIPTS/run
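As an added example (not code from the gist), the following shell script audits the ownership/world-writable condition above for every path component from the target up to /, not only the three paths listed, and installs the sudoers line as a drop-in only after visudo has accepted it. It assumes GNU (or busybox) stat with -c and the install utility, as on SteamOS; that /etc/sudoers includes /etc/sudoers.d; and the drop-in name /etc/sudoers.d/always-sudo, which is this example's choice. The function names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the gist: audit and install helpers for the
# always-sudo layout. Assumes GNU/busybox `stat -c`, `install`, and that
# /etc/sudoers has the default @includedir /etc/sudoers.d.
set -eu

# check_path_chain TARGET [UID:GID]
# Walks from TARGET up to / and returns 0 only if every component is not a
# symlink, is owned by UID:GID (default 0:0) and has no write bit for "other".
# Prints the first offender on stderr and returns 1 otherwise (2 on bad usage).
check_path_chain() {
    local p want owner perms
    p="$1"; want="${2:-0:0}"
    case "$p" in
        /*) ;;
        *) printf 'need an absolute path: %s\n' "$p" >&2; return 2 ;;
    esac
    while :; do
        if [ -L "$p" ]; then
            printf 'symlink in chain: %s\n' "$p" >&2; return 1
        fi
        # stat without -L reports the entry itself, never a link target.
        owner="$(stat -c '%u:%g' "$p" 2>/dev/null)" ||
            { printf 'missing: %s\n' "$p" >&2; return 1; }
        perms="$(stat -c '%a' "$p")"
        if [ "$owner" != "$want" ]; then
            printf 'not owned by %s: %s (is %s)\n' "$want" "$p" "$owner" >&2; return 1
        fi
        # Last octal digit is the "other" class; 2, 3, 6 and 7 carry the write bit.
        case "$perms" in
            *[2367]) printf 'world-writable: %s (mode %s)\n' "$p" "$perms" >&2; return 1 ;;
        esac
        [ "$p" = / ] && break
        p="$(dirname "$p")"
    done
    return 0
}

# install_always_sudo [RUN_SCRIPT]
# Creates /root/ALWAYS_SUDO_SCRIPTS, copies the gist's run script into it with
# root-only write access, and installs the README's sudoers line as a drop-in,
# refusing to install it unless visudo accepts it. Must run as root.
install_always_sudo() {
    local run_src dir dropin tmp
    run_src="${1:-./run}"                  # assumed: the gist's run script in cwd
    dir=/root/ALWAYS_SUDO_SCRIPTS
    dropin=/etc/sudoers.d/always-sudo      # assumed drop-in name
    install -d -o root -g root -m 0755 "$dir"
    install -o root -g root -m 0755 "$run_src" "$dir/run"
    tmp="$(mktemp)"
    printf 'deck ALL=(root) NOPASSWD: %s/run\n' "$dir" > "$tmp"
    chmod 0440 "$tmp"
    visudo -cf "$tmp"                      # syntax check before it can lock you out
    install -o root -g root -m 0440 "$tmp" "$dropin"
    rm -f "$tmp"
    check_path_chain "$dir/run"            # re-check the README's LPE condition
}

# add_always_sudo_script FILE.sh
# Drops a script in with the ownership/mode that `run` accepts. 0644 suffices
# because run invokes /bin/bash on the file explicitly.
add_always_sudo_script() {
    install -o root -g root -m 0644 "$1" "/root/ALWAYS_SUDO_SCRIPTS/$(basename "$1")"
}

# Executed directly with a path: audit that path. Without arguments it only
# defines the functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
    check_path_chain "$1"
fi
```

Run the audit as root (for example `sudo bash audit.sh /root/ALWAYS_SUDO_SCRIPTS/run`): /root is normally mode 0700, so the deck user cannot stat anything under it. A clean run prints nothing and exits 0; the first bad component is reported on stderr with exit 1, which makes the check usable from a cron job or a pre-install hook.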
The entrypoint for always-sudo scripts.
If the above sudoers entry was installed, this is allowed to run via sudo
without a password prompt.
This script tries to validate as much as possible to prevent LPE, only allowing root:root-owned, non-world-writable .sh scripts within its own directory to be interpreted with /bin/bash. The script name is restricted to [A-Za-z0-9-] and the .sh suffix is appended by run itself, so a path (../x, /etc/x) cannot be smuggled in through the argument, and symlinks are refused so the checks apply to the file actually executed.
#!/bin/bash
set -euo pipefail
_scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
_scriptname="${1? Requires script}"
# Remaining arguments are passed through to the script unchanged.
_args=("${@:2}")
# Reset the PATH to prevent hijacking.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Ensure we're not trying to escape the directory, and that the script exists.
# Escaping the directory would allow for arbitrary script execution. The name
# must be non-empty and contain only [A-Za-z0-9-], so "../x" or "/etc/x" cannot
# get through, and the ".sh" suffix is appended here rather than by the caller.
# Symlinks are refused outright: -f would follow one, stat below would not.
_script="${_scriptdir}/${_scriptname}.sh"
{
    [[ "$_scriptname" =~ ^[A-Za-z0-9-]+$ ]] &&
    [[ ! -L "$_script" ]] &&
    [[ -f "$_script" ]]
} || {
    printf "\x1B[31mInvalid always-sudo script: %s\x1B[0m\n" "$_script" >&2
    exit 2
}
# Ensure the script is owned by root:root and not world-writable.
_script_owner="$(stat --format="%u:%g" "$_script")"
_script_perms="$(stat --format="%a" "$_script")"
if [[ "$_script_owner" != "0:0" ]]; then
    printf "\x1B[31mThe always-sudo script '%s' is not owned by root:root.\n" "$_scriptname" >&2
    printf "Refusing to run.\x1B[0m\n" >&2
    exit 2
fi
# Ensure the script is not world-writable. The last octal digit of the mode is
# the "other" class; bit 2 is write.
_script_world="${_script_perms: -1}"
if [[ $((_script_world & 2)) -eq 2 ]]; then
    printf "\x1B[31mThe always-sudo script '%s' is world-writable.\n" "$_scriptname" >&2
    printf "Refusing to run.\x1B[0m\n" >&2
    exit 2
fi
# Run the script with an explicit interpreter, so the .sh file needs neither an
# executable bit nor a shebang of its own. The ${_args[@]+...} form keeps
# `set -u` quiet on bash older than 4.4 when no extra arguments were given.
exec /bin/bash "$_script" ${_args[@]+"${_args[@]}"}