don't prepend sudo to command if user is superuser (#110)

harp-intel · web-flow · commit 71f651125e4a · 2024-12-05T13:21:17.000-08:00
diff --git a/internal/script/script.go b/internal/script/script.go
@@ -107,7 +107,7 @@ func RunScripts(myTarget target.Target, scripts []ScriptDefinition, ignoreScript
 			continue
 		}
 		if script.Superuser && !canElevate {
-			slog.Info("skipping script because it requires superuser privileges and the target cannot elevate privileges", slog.String("script", script.Name))
+			slog.Info("skipping script because it requires superuser privileges and the user cannot elevate privileges on target", slog.String("script", script.Name))
 			continue
 		}
 		if script.Sequential {
@@ -163,8 +163,12 @@ func RunScripts(myTarget target.Target, scripts []ScriptDefinition, ignoreScript
 		// instigates a known bug in the terminal that corrupts the tty settings:
 		// https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043320
 		var cmd *exec.Cmd
-		if needsElevatedPrivileges {
-			// run master script with sudo, "-S" to read password from stdin
+		if needsElevatedPrivileges && !canElevate {
+			// this shouldn't happen because we already filtered out the scripts that require elevated privileges if the user cannot elevate privileges on the target
+			err = fmt.Errorf("master script requires elevated privileges but the user cannot elevate privileges on target")
+			return nil, err
+		} else if needsElevatedPrivileges && !myTarget.IsSuperUser() {
+			// run master script with sudo, "-S" to read password from stdin. Note: password won't be asked for if password-less sudo is configured.
 			cmd = exec.Command("sudo", "-S", "bash", path.Join(myTarget.GetTempDirectory(), masterScriptName))
 		} else {
 			cmd = exec.Command("bash", path.Join(myTarget.GetTempDirectory(), masterScriptName))
diff --git a/internal/target/target.go b/internal/target/target.go
@@ -35,6 +35,10 @@ type Target interface {
 	// It returns true if the user can elevate privileges, false otherwise.
 	CanElevatePrivileges() bool
 
+	// IsSuperUser checks if the current user is a superuser.
+	// It returns true if the user is a superuser, false otherwise.
+	IsSuperUser() bool
+
 	// GetArchitecture returns the architecture of the target system.
 	// It returns a string representing the architecture and any error that occurred.
 	GetArchitecture() (arch string, err error)
@@ -370,7 +374,7 @@ func (t *LocalTarget) CanElevatePrivileges() bool {
 	if t.canElevate != 0 {
 		return t.canElevate == 1
 	}
-	if os.Geteuid() == 0 {
+	if t.IsSuperUser() {
 		t.canElevate = 1
 		return true // user is root
 	}
@@ -406,7 +410,7 @@ func (t *RemoteTarget) CanElevatePrivileges() bool {
 	if t.canElevate != 0 {
 		return t.canElevate == 1
 	}
-	if t.user == "root" {
+	if t.IsSuperUser() {
 		t.canElevate = 1
 		return true
 	}
@@ -420,6 +424,16 @@ func (t *RemoteTarget) CanElevatePrivileges() bool {
 	return false
 }
 
+// IsSuperUser checks if the current user is a superuser.
+// It returns true if the user is a superuser, false otherwise.
+func (t *LocalTarget) IsSuperUser() bool {
+	return os.Geteuid() == 0
+}
+
+func (t *RemoteTarget) IsSuperUser() bool {
+	return t.user == "root"
+}
+
 // InstallLkms installs the specified LKMs (Loadable Kernel Modules) on the target.
 // It returns the list of installed LKMs and any error encountered during the installation process.
 func (t *LocalTarget) InstallLkms(lkms []string) (installedLkms []string, err error) {
