bugfix : fix secure path set in centos (#2757)

Signed-off-by: xuesongzuo@yunify.com <xuesongzuo@yunify.com>
2025-12-25 17:12:50 +00:00 · 2025-09-10 17:20:39 +08:00 · 2025-09-10 17:20:39 +08:00 · 32aba628e9
parent 0b7d62d93b
commit 32aba628e9
1 changed files with 27 additions and 20 deletions
--- a/builtin/core/roles/native/root/tasks/main.yaml
+++ b/builtin/core/roles/native/root/tasks/main.yaml
@ -3,45 +3,52 @@
  command: |
    ADD_PATHS="/usr/local/bin"
    BACKUP_FILE="/etc/sudoers.backup.$(date +%Y%m%d_%H%M%S)"
-    cp /etc/sudoers "$BACKUP_FILE"
-    echo "tmp file created: $BACKUP_FILE"
+    cp -p /etc/sudoers "$BACKUP_FILE"
    TMP_FILE=$(mktemp /tmp/sudoers_update.XXXXXX)
    chmod 600 "$TMP_FILE"
-    cat /etc/sudoers > "$TMP_FILE"
+    cp -p /etc/sudoers "$TMP_FILE"
    cleanup() {
-        rm -rf "$TMP_FILE"
-        rm -rf "$BACKUP_FILE"
-        exit
+        rm -f "$TMP_FILE"
+        rm -f "$BACKUP_FILE"
    }
    trap cleanup EXIT INT TERM
    if grep -q "^Defaults.*secure_path" "$TMP_FILE"; then
-        EXISTING_PATH=$(grep "^Defaults.*secure_path" "$TMP_FILE" | sed -n 's/.*secure_path="\([^"]*\)".*/\1/p')
+        echo "find current secure_path 配置"
+        EXISTING_LINE=$(grep "^Defaults.*secure_path" "$TMP_FILE")
+        EXISTING_PATH=$(echo "$EXISTING_LINE" | sed -e 's/.*secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/')
        if [ -n "$EXISTING_PATH" ]; then
+            echo "current secure_path: $EXISTING_PATH"
            NEW_PATH="$EXISTING_PATH"
-            IFS_BAK=$IFS
-            IFS=':'
-            for path in $ADD_PATHS; do
+            IFS=':' read -ra PATHS_TO_ADD <<< "$ADD_PATHS"
+            for path in "${PATHS_TO_ADD[@]}"; do
                if [[ ":$NEW_PATH:" != *":$path:"* ]]; then
                    NEW_PATH="$NEW_PATH:$path"
                fi
            done
-            IFS=$IFS_BAK
-            sed -i "s|^Defaults.*secure_path=.*|Defaults secure_path=\"$NEW_PATH\"|" "$TMP_FILE"
-            echo "already updated secure_path: $NEW_PATH"
+            echo "new secure_path: $NEW_PATH"
+            sed -i "s/^Defaults.*secure_path/# &/" "$TMP_FILE"
+            echo "Defaults secure_path=\"$NEW_PATH\"" >> "$TMP_FILE"
+        else
+            echo "warning: can not get current secure_path"
+            echo "Defaults secure_path=\"$ADD_PATHS\"" >> "$TMP_FILE"
        fi
    else
+        echo "current secure_path config not found,set new data"
        echo "Defaults secure_path=\"$ADD_PATHS\"" >> "$TMP_FILE"
-        echo "already added secure_path: $ADD_PATHS"
    fi
-    if visudo -cf "$TMP_FILE"; then
-        cp "$TMP_FILE" /etc/sudoers
+    if /usr/sbin/visudo -cf "$TMP_FILE" > /dev/null 2>&1; then
+        cp -f "$TMP_FILE" /etc/sudoers
        chmod 440 /etc/sudoers
-        echo "already updated /etc/sudoers"
+        echo "already update /etc/sudoers"
+        echo "after update secure_path config:"
+        grep "^Defaults.*secure_path" /etc/sudoers
    else
-        echo "something went wrong ,file roll back"
-        cp "$BACKUP_FILE" /etc/sudoers
+        echo "error: something went wrong,roll back"
+        echo "please check visudo log:"
+        /usr/sbin/visudo -cf "$TMP_FILE"
+        cp -f "$BACKUP_FILE" /etc/sudoers
        chmod 440 /etc/sudoers
        echo "already roll back"
        exit 1
    fi
-    echo "finish"
+    echo "success"