bundlewrap

cronekorkn/bundlewrap

Fork 0

Commit graph

Author	SHA1	Message	Date
CroneKorkN	433c403ddc	left4me: validate sudoers file with visudo before install A malformed /etc/sudoers.d/left4me would lock sudo on the target (blast radius: every other bundle using sudo at apply time). bw's file: items support test_with, which runs the supplied command on the locally-rendered file before transfer. Use it to gate the sudoers file on visudo -cf — analogous to the visudo -cf check the original deploy script ran inline (deploy-test-server.sh:186).	2026-05-10 17:29:01 +02:00
CroneKorkN	80d2a79b97	left4me: declare directories, users, files, sysctl-reload action Modes/owners match the upstream left4me deploy script: helpers 0755 root:root sudoers.d/left4me 0440 root:root (validated with visudo -cf) sysctl conf 0644 root:root (triggers sysctl --system) sandbox-resolv 0644 root:root /etc/left4me/host.env 0644 root:root (Mako) /etc/left4me/web.env 0640 root:left4me (Mako, contains SECRET_KEY) /var/lib/left4me 0711 left4me:left4me (l4d2-sandbox traversal) UIDs/GIDs pinned at 980/981 for deterministic ownership.	2026-05-10 17:23:03 +02:00
CroneKorkN	7547d041a2	left4me: scaffold bundle (items/metadata/README stubs) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 17:05:13 +02:00

Author

SHA1

Message

Date

CroneKorkN

433c403ddc

left4me: validate sudoers file with visudo before install

A malformed /etc/sudoers.d/left4me would lock sudo on the target
(blast radius: every other bundle using sudo at apply time). bw's
file: items support test_with, which runs the supplied command on the
locally-rendered file before transfer. Use it to gate the sudoers
file on visudo -cf — analogous to the visudo -cf check the original
deploy script ran inline (deploy-test-server.sh:186).

2026-05-10 17:29:01 +02:00

CroneKorkN

80d2a79b97

left4me: declare directories, users, files, sysctl-reload action

Modes/owners match the upstream left4me deploy script:
  helpers          0755 root:root
  sudoers.d/left4me 0440 root:root (validated with visudo -cf)
  sysctl conf      0644 root:root  (triggers sysctl --system)
  sandbox-resolv   0644 root:root
  /etc/left4me/host.env  0644 root:root  (Mako)
  /etc/left4me/web.env   0640 root:left4me (Mako, contains SECRET_KEY)
  /var/lib/left4me 0711 left4me:left4me (l4d2-sandbox traversal)
UIDs/GIDs pinned at 980/981 for deterministic ownership.

2026-05-10 17:23:03 +02:00

CroneKorkN

7547d041a2

left4me: scaffold bundle (items/metadata/README stubs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-10 17:05:13 +02:00

3 commits