@eth-p
Created March 9, 2023 08:39
Gist: eth-p/fd3e10ff949ceb08317f8260cc1c0d2e
Steam Deck: Always Sudo Scripts

A list of scripts for my Steam Deck that I want to always run as root.

This README describes the files necessary to set up always-sudo scripts. Any other file in this gist is one of the scripts.

/etc/sudoers.d/x99-always-sudo-scripts

Makes `sudo /root/ALWAYS_SUDO_SCRIPTS/run <script> [args...]` work for the deck user without a password prompt. The rule names only the command, so any arguments are accepted; restricting what gets run is the job of the run script itself. Check the file with `visudo -cf` before installing it: sudo ignores drop-ins in /etc/sudoers.d whose name contains a `.` or ends in `~`, and refuses files that are not owned by root with mode 0440.

⚠️ Safety Considerations: ⚠️
This allows that specific "executable" file (a bash script) to be run as root without a password prompt. sudo only checks the path, so the security of the whole setup rests on the filesystem: if any of /root, /root/ALWAYS_SUDO_SCRIPTS, or /root/ALWAYS_SUDO_SCRIPTS/run is not owned by root:root, or is writable by anyone other than root, the deck user can replace what gets executed and this becomes a local privilege escalation vector. The same applies to every *.sh script placed in the directory.

deck  ALL=(root) NOPASSWD: /root/ALWAYS_SUDO_SCRIPTS/run
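The ownership and permission chain that the entry above depends on can be verified before the rule is installed. The script below is an added example, not part of the gist: `check_chain` walks from a base directory down to the target and refuses if any component is a symlink, is missing, is not owned by the expected uid (root by default), or is writable by group or other; `check_sudoers_drop_in` checks the drop-in's name and mode and parses it with `visudo -cf`. The function names and the uid parameter are choices made for this example.

```bash
#!/bin/bash
# Added example (not part of the gist): verify the filesystem chain that the
# NOPASSWD sudoers entry relies on. The names check_one, check_chain and
# check_sudoers_drop_in are chosen for this example.
set -uo pipefail

# check_one PATH WANT_UID: the component must exist, must not be a symlink,
# must be owned by WANT_UID, and must not be writable by group or other.
check_one() {
	local p="$1" want_uid="$2" uid mode group_bits other_bits
	if [[ -L "$p" ]]; then
		printf 'FAIL %s: is a symlink\n' "$p" >&2
		return 1
	fi
	if [[ ! -e "$p" ]]; then
		printf 'FAIL %s: does not exist (or is not accessible)\n' "$p" >&2
		return 1
	fi
	# %u = owner uid, %a = permission bits in octal (e.g. 755 or 4755)
	read -r uid mode < <(stat -c '%u %a' "$p")
	if [[ "$uid" != "$want_uid" ]]; then
		printf 'FAIL %s: owned by uid %s, expected %s\n' "$p" "$uid" "$want_uid" >&2
		return 1
	fi
	# Pad to four octal digits so the group and other digits have fixed positions.
	mode="$(printf '%04d' "$mode")"
	group_bits="${mode:2:1}"
	other_bits="${mode:3:1}"
	if (( (group_bits & 2) || (other_bits & 2) )); then
		printf 'FAIL %s: mode %s is group- or world-writable\n' "$p" "$mode" >&2
		return 1
	fi
	printf 'ok   %s (uid %s, mode %s)\n' "$p" "$uid" "$mode"
}

# check_chain BASE REL [WANT_UID]: check BASE itself and then every component
# of REL beneath it, e.g. check_chain /root ALWAYS_SUDO_SCRIPTS/run
# Every component is checked even after a failure so the report is complete.
check_chain() {
	local base="$1" rel="$2" want_uid="${3:-0}" current part rc=0
	local -a parts
	IFS='/' read -r -a parts <<< "$rel"
	check_one "$base" "$want_uid" || rc=1
	current="$base"
	for part in "${parts[@]}"; do
		[[ -z "$part" ]] && continue
		current="${current%/}/$part"
		check_one "$current" "$want_uid" || rc=1
	done
	return "$rc"
}

# check_sudoers_drop_in FILE: sudo ignores /etc/sudoers.d entries whose name
# contains '.' or ends in '~', and refuses files that are not mode 0440.
# visudo -cf parses the file without installing it.
check_sudoers_drop_in() {
	local f="$1" name mode
	name="$(basename -- "$f")"
	if [[ "$name" == *.* || "$name" == *~ ]]; then
		printf 'FAIL %s: name contains "." or ends in "~"; sudo would ignore it\n' "$f" >&2
		return 1
	fi
	mode="$(stat -c '%a' "$f")"
	if [[ "$mode" != "440" ]]; then
		printf 'FAIL %s: mode %s, should be 0440\n' "$f" "$mode" >&2
		return 1
	fi
	visudo -cf "$f"
}

# When run directly: check-always-sudo.sh BASE REL [WANT_UID]
if [[ "${BASH_SOURCE[0]}" == "$0" && $# -ge 2 ]]; then
	check_chain "$@"
fi
```

On the Deck, `sudo bash check-always-sudo.sh /root ALWAYS_SUDO_SCRIPTS/run` checks the three paths from the safety note (the check has to run as root because /root is mode 0700); running `check_chain /root ALWAYS_SUDO_SCRIPTS/update-decky.sh` afterwards covers each script in the directory.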

/root/ALWAYS_SUDO_SCRIPTS/run

The entrypoint for always-sudo scripts.

If the above sudoers entry was installed, this is allowed to run via sudo without a password prompt.

The script tries to validate as much as possible to prevent LPE: only root:root-owned, non-world-writable, non-symlink .sh files in its own directory are allowed, the script name is restricted to [A-Za-z0-9-] so it cannot escape that directory, and PATH is reset before the script is interpreted with /bin/bash.

#!/bin/bash
set -euo pipefail
_scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
_scriptname="${1? Requires script}"
_args=("${@:2}")

# Reset the PATH to prevent hijacking.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Ensure we're not trying to escape the directory, and that the script exists.
# Escaping the directory would allow for arbitrary script execution, so the name
# must be a non-empty run of [A-Za-z0-9-]: no '/', '.', whitespace or metacharacters.
# Symlinks are refused because the ownership check below inspects the link itself,
# not what it points to.
_script="${_scriptdir}/${_scriptname}.sh"
{
	[[ "$_scriptname" =~ ^[A-Za-z0-9-]+$ ]] &&
	[[ ! -L "$_script" ]] &&
	[[ -f "$_script" ]]
} || {
	printf "\x1B[31mInvalid always-sudo script: %s\x1B[0m\n" "$_script"
	exit 2
}

# Ensure the script is owned by root and not world-writable.
# %u:%g = owner uid:gid, %a = permission bits in octal (e.g. 644 or 4755).
_script_owner="$(stat --format="%u:%g" "$_script")"
_script_perms="$(stat --format="%a" "$_script")"

if [[ "$_script_owner" != "0:0" ]]; then
	printf "\x1B[31mThe always-sudo script '%s' is not owned by root:root.\n" "$_scriptname"
	printf "Refusing to run.\x1B[0m\n"
	exit 2
fi

# Ensure the script is not world-writable: the last octal digit is the "other"
# permission set, and bit 2 in it is write.
_script_world="${_script_perms: -1}"
if [[ $((_script_world & 2)) -eq 2 ]]; then
	printf "\x1B[31mThe always-sudo script '%s' is world-writable.\n" "$_scriptname"
	printf "Refusing to run.\x1B[0m\n"
	exit 2
fi

# Run the script.
exec /bin/bash "$_script" "${_args[@]}"

update-decky.sh

#!/bin/bash
#
# An always-sudo script that runs the Decky installer without prompting for the root password.
# Usage:
#
# sudo /root/ALWAYS_SUDO_SCRIPTS/run update-decky
#
set -euo pipefail
# Anything created by this script is readable and writable by root only.
umask 077
DOWNLOAD_URL="https://github.com/SteamDeckHomebrew/decky-installer/releases/latest/download/user_install_script.sh"

# Create a safe download directory that cannot be used to gain root from this script.
# mktemp already creates it as root with mode 0700; the chmod/chown are belt and braces.
DOWNLOAD_DIR="$(mktemp -d)"
trap 'rm -rf "$DOWNLOAD_DIR"' EXIT
DOWNLOAD_FILE="$(TMPDIR="$DOWNLOAD_DIR" mktemp)"
chmod -R 700 "${DOWNLOAD_DIR}"
chown -R root:root "${DOWNLOAD_DIR}"

# Download the Decky install script.
# --fail: an HTTP error page (e.g. a 404) must not be saved and then run as root.
# --proto/--proto-redir '=https': refuse plain HTTP for the URL and for any redirect.
printf "\x1B[33mDownloading Decky install script...\x1B[0m\n"
curl --fail --location --proto '=https' --proto-redir '=https' -o "${DOWNLOAD_FILE}" "$DOWNLOAD_URL"

# Ask if it's okay to run the Decky install script.
# The hash is shown so the user can compare it against a known-good value; nothing
# here verifies it automatically, so this still trusts whatever the release URL served.
installer_sha256="$(sha256sum "$DOWNLOAD_FILE" | cut -d' ' -f1)"
zenity \
	--question \
	--title="Steam Deck Tricks: Decky Installer" \
	--text="$(printf "The Decky installer has been downloaded with the SHA-256 hash \`%s\`.\n\nProceed?" "$installer_sha256")" \
	|| exit 0

# Run the Decky install script.
printf "\x1B[33mRunning Decky install script...\x1B[0m\n"
bash "$DOWNLOAD_FILE"