From d57d27b708b65528945e1386327a49fe8e12d32a Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 13 Oct 2020 20:30:11 -0400 Subject: [PATCH 1/3] Update sshpwd-profile-iiab.sh --- .../templates/sshpwd-profile-iiab.sh | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index d611b16d0..d805700c6 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -14,9 +14,14 @@ # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + #[ $(id -un) = "root" ] || return 2 + #[ $(id -un) = "root" ] || [ $(id -un) = "iiab-admin" ] || return 2 + [ -r /etc/shadow ] || return 2 # FORCE ERROR if /etc/shadow not readable + # *BUT* overall bash script still returns exit code 0 ("success"). - id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user - # *BUT* overall bash script still returns exit code 0 ("success") + #id -u $1 > /dev/null 2>&1 || return 2 # Not needed if return 1 is good + # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2. + # Either way, overall bash script still returns exit code 0 ("success"). # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password 
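Review bot: The new `[ -r /etc/shadow ] || return 2` makes check_user_pwd fail for every non-root login, and the only call site in this file (`if check_user_pwd "{{ iiab_admin_user }}" ...; then`, in the next hunk) treats any non-zero status the same way, so for those logins the default-password warning is silently skipped rather than reported — nothing distinguishes 2 ("could not check") from 1 ("password already changed"). If that fail-quiet behaviour is intended it should be stated where the check is made, e.g. `# Non-root logins cannot read /etc/shadow: return 2 so the caller skips the warning (caller cannot tell 2 from 1)`; otherwise the caller should test `$?` for 2 and print a one-line "could not verify the iiab-admin password" notice. The two commented-out `#[ $(id -un) ... ]` alternatives are dead code and would read better as a single prose sentence saying why a uid-based guard was rejected. check_user_pwd's body continues past this hunk.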
@@ -26,21 +31,20 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -[ $(id -un) = "root" ] || return # MUST be executed as root! Non-root logins -# were blocking on above permissions to grep /etc/shadow. As it's unreasonable -# to provide sudo privs to every user (with "NOPASSWD:" password-free sudo -# access or not, as required by graphical logins!) iiab/iiab#2561 +# 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking +# logins, lacking permissions to grep /etc/shadow. As it's unreasonable to +# provide sudo privs to every user (with "NOPASSWD:" password-free sudo access +# or not, as required by graphical logins!) -# 2020-10-10 RECAP: most logins (graphical or tty) blocked on above [sudo] grep +# MORE DETAILS: most logins (graphical or tty) blocked on above [sudo] grep # (at least tty logins finally let sudoers in, after entering password twice!) # EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still worked, no matter # whether sshpwd-lxde-iiab.sh's "sudo grep" displayed our popup warning or not! -#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || return # HISTORICAL: if password-free sudo access is truly nec, it can be set with # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml -# BUT: popup warnings still don't appear on most OS's, much as mentioned here: +# CAUTION: popup warnings still don't appear on most OS's, as mentioned here: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n From c489c8f8a37036d6bf7643b15b169685a18dfe60 Mon Sep 17 00:00:00 2001 
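Review bot: The rewritten comment block still says "Above was blocking logins", but the thing it refers to — the root-only guard `[ $(id -un) = "root" ] || return` — is exactly what this hunk removes, so a reader of the new file finds nothing above that blocks anything; reword it to name what was removed, e.g. `# 2020-10-13 iiab/iiab#2561 RECAP: a root-only guard here ([ $(id -un) = "root" ] || return) blocked non-root logins, which could not read /etc/shadow ...`. With the guard gone, every login shell now runs check_user_pwd (and its `python3 -c` crypt call) unconditionally, and whatever check the function does internally on /etc/shadow readability (mostly outside this hunk) is the only thing deciding whether non-root users get an error, a warning, or silence — one sentence here stating the expected outcome for non-root logins would save the next maintainer re-reading issue #2561. The `RECAP`/`MORE DETAILS`/`HISTORICAL`/`CAUTION` headings are fine as style, but the `iiab/iiab#2561` reference that the old comment carried is now only in the URL; keeping the short `#2561` form next to the date matches how the other comments in this file cite issues.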
From: A Holt Date: Tue, 13 Oct 2020 20:30:27 -0400 Subject: [PATCH 2/3] Update sshpwd-lxde-iiab.sh --- roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index ebc53eb99..28c2fc67e 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -12,8 +12,9 @@ # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { - id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user - # *BUT* overall bash script still returns exit code 0 ("success") + #id -u $1 > /dev/null 2>&1 || return 2 # Not needed if return 1 is good + # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2. + # Either way, overall bash script still returns exit code 0 ("success") # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password From 4ce8f873d8cc917c49e9ed18ef27b534d84b8bf3 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 13 Oct 2020 20:58:13 -0400 Subject: [PATCH 3/3] Update sshpwd-lxde-iiab.sh --- roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index 28c2fc67e..b1fd88644 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh 
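Review bot: With the `id -u $1` guard disabled, a username that does not exist now falls through to the grep/cut pipeline below the hunk, leaving `$meth`, `$salt` and `$hash` empty, and the comparison that follows (presumably the same `python3 -c "import crypt; ..."` as in sshpwd-profile-iiab.sh) is then asked to hash with the salt `'$$'`; depending on the Python version that yields a harmless non-matching string or raises, and an exception would print a traceback to the session's stderr at every login instead of the quiet `return 1` the new comment relies on. A cheap explicit guard after the grep gives the documented behaviour without depending on crypt's failure mode, e.g. `[ -n "$meth" ] || return 2    # no such user, or /etc/shadow unreadable`. The comment's claim that "overall bash script still returns exit code 0" holds only because the function is invoked inside an `if` (outside this hunk); naming that reason in the comment would stop someone from "fixing" it. check_user_pwd continues past this hunk.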
@@ -16,6 +16,11 @@ check_user_pwd() { # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2. # Either way, overall bash script still returns exit code 0 ("success") + # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RaspiOS ships w/ + # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL" + # (read access to /etc/shadow is otherwise restricted to just root and + # group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561 + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
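Review bot: The new comment asserts that group www-data can read /etc/shadow; on a stock Debian/Raspberry Pi OS the file is root:shadow 0640, so if that is accurate it means IIAB has put www-data in the shadow group (or changed the file's group), and any compromise of Apache/NGINX then exposes every account's password hash — that deserves a direct statement rather than an aside, and the mechanism should be verified and named, e.g. `# www-data is a member of group shadow (added by <role/task>), so a web-app compromise can read all password hashes`. The same comment makes the check depend on `/etc/sudoers.d/010_pi-nopasswd`: for any desktop user other than `pi`, or on an image where that file was removed as hardening, the `sudo grep` on the `meth=` line has no tty to prompt on and the check fails silently, which should be recorded next to that line as a known limitation. Note also that `cut -d$ -f2` assumes the `$6$salt$hash` layout; if the salt is taken from field 3 (outside this hunk), a hash carrying a `rounds=N$` parameter or a yescrypt `$y$j9T$` prefix would be mis-split and the default-password warning would never fire — worth a comment, since the check fails open in that case.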