create a dedicated system user with sudo permissions

conf/sudoers.conf

@@ -0,0 +1,12 @@
+Cmnd_Alias HOTSPOT_YUNOHOST = /usr/bin/yunohost app info hotspot *,\
+                              /usr/bin/yunohost app setting hotspot *,\
+                              /usr/bin/yunohost app setting vpnclient *
+
+Cmnd_Alias HOTSPOT_SERVICE  = /bin/systemctl stop ynh-hotspot,\
+                              /bin/systemctl start ynh-hotspot
+
+Cmnd_Alias HOTSPOT_MISC     = /usr/local/bin/ynh-hotspot *,\
+                              /usr/local/bin/iw_devices *,\
+                              /usr/local/bin/iw_multissid *
+
+__HOTSPOT_SYSUSER__ ALL = NOPASSWD: /bin/grep, HOTSPOT_YUNOHOST, HOTSPOT_SERVICE, HOTSPOT_MISC

scripts/install

@@ -45,6 +45,7 @@ wifi_passphrase=$YNH_APP_ARG_WIFI_PASSPHRASE
 firmware_nonfree=$YNH_APP_ARG_FIRMWARE_NONFREE
 
 app=$YNH_APP_INSTANCE_NAME
+sysuser="${app}"
 
 # the service name must match the service template files
 service_name='ynh-hotspot'
@@ -197,6 +198,19 @@ ynh_app_setting_set $app ip4_nat_prefix 10.0.242
 ynh_app_setting_set $app vpnclient no
 ynh_app_setting_set $app service_name $service_name
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+
+# Ensure the app has its own system user
+if ! ynh_system_user_exists ${sysuser}
+then
+  ynh_system_user_create ${sysuser}
+fi
+
+# Ensure the system user has enough sudo permissions
+install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+ynh_replace_string "__HOTSPOT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
 
 #=================================================
 # INSTALL CUSTOM SCRIPTS
@@ -246,10 +260,10 @@ sed 's|<TPL:NGINX_REALPATH>|/var/www/wifiadmin/|g' -i "/etc/nginx/conf.d/${domai
 sed 's|<TPL:PHP_NAME>|wifiadmin|g' -i "/etc/nginx/conf.d/${domain}.d/wifiadmin.conf"
 
 ## php-fpm
-sed 's|<TPL:PHP_NAME>|wifiadmin|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:PHP_NAME>|wifiadmin|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's|<TPL:PHP_USER>|admin|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:PHP_USER>|${sysuser}|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's|<TPL:PHP_GROUP>|admins|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:PHP_GROUP>|${sysuser}|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's|<TPL:NGINX_REALPATH>|/var/www/wifiadmin/|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s|<TPL:NGINX_REALPATH>|/var/www/wifiadmin/|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
 
 # Fix sources
 sed "s|<TPL:NGINX_LOCATION>|${path_url}|g" -i /var/www/wifiadmin/config.php

scripts/remove

@@ -58,6 +58,7 @@ for FILE in $(ls /etc/hostapd/hostapd.conf{.tpl?,})
 do
     ynh_secure_remove "$FILE"
 done
+ynh_secure_remove /etc/sudoers.d/hotspot_ynh
 
 # Remove packages
 if [[ $firmware_nonfree == yes ]]; then
@@ -79,3 +80,6 @@ systemctl reload nginx
 
 # Remove sources
 ynh_secure_remove /var/www/wifiadmin/
+
+# Remove user
+ynh_system_user_delete ${app}

sources/controller.php

@@ -47,7 +47,7 @@ function service_status() {
 }
 
 function service_faststatus() {
-  exec('sudo systemctl is-active hostapd', $output, $retcode);
+  exec('systemctl is-active hostapd', $output, $retcode);
 
   return $retcode;
 }