9f551e3c13
Run t3-dispatch as an unprivileged dedicated user instead of wizard (who has full sudo). Privileged minting goes through /usr/local/bin/t3-mint, which validates the target against /etc/ttyd-user-map before minting as that user; sudoers permits t3-dispatch to run only that wrapper. Compromise of the network-facing service can mint pairing tokens for mapped users at most. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
13 lines
786 B
Bash
13 lines
786 B
Bash
#!/usr/bin/env bash
|
|
# Mint a one-time t3 pairing token for a mapped OS user.
|
|
# Runs as root via the scoped sudoers entry for the t3-dispatch service user.
|
|
# Validates the requested user is an actual t3 OS user (a value on the RHS of
|
|
# /etc/ttyd-user-map) before minting as that user. Prints the t3 CLI JSON.
|
|
set -euo pipefail
|
|
os_user="${1:-}"
|
|
[[ "$os_user" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid user" >&2; exit 2; }
|
|
# Must be a mapped t3 OS user (RHS of a non-comment "authentik=os" line).
|
|
awk -F= '!/^[[:space:]]*#/ && NF==2 { gsub(/[[:space:]]/, "", $2); print $2 }' /etc/ttyd-user-map \
|
|
| grep -qxF "$os_user" || { echo "user not mapped" >&2; exit 3; }
|
|
exec runuser -u "$os_user" -- /usr/bin/t3 auth pairing create \
|
|
--base-dir "/home/${os_user}/.t3" --ttl 5m --json
|