CryoByte33 / steam-deck-utilities

A utility to improve performance and help manage storage on Steam Deck.
GNU General Public License v3.0

Set and remove a sudo password automatically #87

Closed kadogo closed 1 year ago

kadogo commented 1 year ago

Hello, first of all, thanks for this utility.

I didn't try it much for now, but it's on my list ^^ Having more tools that can help for Steam Deck and maybe Linux in general is always good.

I have noticed that the Decky Loader setup sets the password by default if it's not set. I know that it's not a big deal, but I think it can be more convenient.

I extracted some parts of their installation script. That could perhaps be adapted in Go?

Decky Loader installation script: https://github.com/SteamDeckHomebrew/decky-installer/releases/latest/download/user_install_script.sh

```bash
# if a password was set by decky, this will run when the program closes
temp_pass_cleanup() {
  echo "$PASS" | sudo -S -k passwd -d deck
}

# if the script is not root yet, get the password and rerun as root
if (( $EUID != 0 )); then
    PASS_STATUS=$(passwd -S deck 2> /dev/null)
    if [ "$PASS_STATUS" = "" ]; then
        echo "Deck user not found. Continuing anyway, as it probably just means user is on a non-steamos system."
    fi

    if [ "${PASS_STATUS:5:2}" = "NP" ]; then # if no password is set
        if ( zenity --title="Decky Installer" --width=300 --height=200 --question --text="You appear to have not set an admin password.\nDecky can still install by temporarily setting your password to 'Decky!' and continuing, then removing it when the installer finishes\nAre you okay with that?" ); then
            yes "Decky!" | passwd deck
            trap temp_pass_cleanup EXIT # make sure password is removed when application closes
            PASS="Decky!"
        else exit 1; fi
    else
        # get password
        FINISHED="false"
        while [ "$FINISHED" != "true" ]; do
            PASS=$(zenity --title="Decky Installer" --width=300 --height=100 --entry --hide-text --text="Enter your sudo/admin password")
            # save zenity's exit status; a second $? would report the result of the first test instead
            rc=$?
            if [[ $rc -eq 1 ]] || [[ $rc -eq 5 ]]; then
                exit 1
            fi
            if ( echo "$PASS" | sudo -S -k true ); then
                FINISHED="true"
            else
                zenity --title="Decky Installer" --width=150 --height=40 --info --text "Incorrect Password"
            fi
        done
    fi

    if ! [ "$USER" = "deck" ]; then
        zenity --title="Decky Installer" --width=300 --height=100 --warning --text "You appear to not be on a deck.\nDecky should still mostly work, but you may not get full functionality."
    fi

    # get user dir before rerunning as root, otherwise it'll just be 'home/root'

    echo "$PASS" | sudo -S -k bash "$0" "$@" # rerun script as root
    exit 1
fi
```

Thanks for your answer and have a nice day. Cheers
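
An added example, not part of the original issue and not code from Decky Loader or steam-deck-utilities: the `passwd -S` check from the script above, reading the status column by field instead of by the fixed offset `${PASS_STATUS:5:2}` (which lines up only for a four-character user name such as `deck`), and reporting the state without changing the password. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `passwd -S` output without setting or removing a password.

# password_state LINE -> none | set | locked | unknown
password_state() {
    # Columns: user status last-change min max warn inactive
    status=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$status" in
        NP)    echo none ;;     # no password
        P|PS)  echo set ;;      # shadow-utils prints P; some passwd builds print PS
        L|LK)  echo locked ;;   # shadow-utils prints L; some passwd builds print LK
        *)     echo unknown ;;  # empty output (user not found) or unexpected format
    esac
}

# offset_view LINE -> the two characters a ${LINE:5:2} test would compare
offset_view() {
    printf '%s\n' "$1" | cut -c6-7
}

# advise USER LINE -> message for the user; never changes the password itself
advise() {
    case "$(password_state "$2")" in
        none)   echo "No password is set for $1. Run 'passwd' yourself, then retry." ;;
        set)    echo "A password is set for $1. sudo will prompt for it." ;;
        locked) echo "Password login is locked for $1." ;;
        *)      echo "Could not read the password status for $1." ;;
    esac
}

# Constructed sample lines in the shadow-utils `passwd -S` layout.
SAMPLE_DECK='deck NP 2023-01-10 0 99999 7 -1'
SAMPLE_LONG='gamer1 NP 2023-01-10 0 99999 7 -1'

# Show where the fixed offset and the field-based read disagree.
for line in "$SAMPLE_DECK" "$SAMPLE_LONG"; do
    printf 'offset=[%s] field=%s\n' "$(offset_view "$line")" "$(password_state "$line")"
done
```

On a real system the line would come from `passwd -S "$USER"`; the samples keep the example runnable offline.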

CryoByte33 commented 1 year ago

It's definitely possible, but IMO is very sketchy. Having a user enter a sudo password is a sign of consent to operate on the device. Commandeering the entire device with a sudo takeover/temporary password skips that entire step and is a major red flag for me as a Linux user.

What are other opinions on this? I'm heavily leaning towards not implementing it.

kadogo commented 1 year ago

In my opinion, if there is a popup it's alright, but I'm not objective at all ^^

alismx commented 1 year ago

I understand the appeal, but I would prefer it not be implemented.

bugworm commented 1 year ago

I'd rather have a prompt for making a new password instead. It'll be easier and fair at the same time.

CryoByte33 commented 1 year ago

I think that could be a bit misleading, and also a bit sketchy. As a Linux user, I don't want a tool to set my password for me, personally.

bugworm commented 1 year ago

I mean something like "You have no sudo password set. Do you want to set it now?" And then just run passwd, or something a little bit more complex for a GUI.

CryoByte33 commented 1 year ago

Yeah, that's what I meant. I don't want a tool setting it with a UI, I think that the "set your password" step is valuable for security.

bugworm commented 1 year ago

Okay, that's fair. Users running scripts from the internet without a password is already concerning (since it can just set it automatically and use it against the user), but that's on Valve, not you. Therefore this should be fixed on a system level, not by some tools.

kadogo commented 1 year ago

The passwd command is not difficult to do, the issue was more about making it less troublesome.

In my context, I just use my Steam Deck for playing. So, I never set a password before Decky Loader and for the steam-deck-utilities here.

But I understand the security concern, and I know that I could also just script something for removing the password when I'm done and it will work too.

I just think it would be more transparent and easy for people like me who will just use it for applying the configuration once.

CryoByte33 commented 1 year ago

I actually think that needing to type the password is very valuable, since it makes a user think "is this okay?".

CryoByte33 commented 1 year ago

Upon further reflection, I've decided not to implement this for the reasons above. If anyone has some strong feelings about it, please reopen this issue and we can discuss it!

bugworm commented 1 year ago

Having to set a password is actually a hidden security feature at this point, even if the user doesn't care about all of that. Compromising security for simplicity is not a good idea, and I know that decky-loader devs didn't mean any harm, but this is not how it should work and it can lead to a disaster. I'm thinking about raising some awareness about this, maybe @CryoByte33 is interested (since you have a YouTube channel)? I think that Valve should either ask for a password at setup or make it the same as the password of the first account that was logged in. Either way, I strongly believe that this is something that is up to Valve to fix.

CryoByte33 commented 1 year ago

> I'm thinking about raising some awareness about this, maybe @CryoByte33 is interested (since you have a YouTube channel)? I think that Valve should either ask for a password at setup or make it the same as the password of the first account that was logged in. Either way, I strongly believe that this is something that is up to Valve to fix.

I agree that it's definitely a concern that Valve needs to address. Even having a standard password OOTB is preferable to none. This isn't the correct forum to talk about how to bring attention to it, and I'm not sure my channel is a good fit, but I'd definitely be interested in talking about it on Discord @bugworm.