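#!/bin/bash
# Bootstrap script to configure sudo for ClaudeTools operations
# Run this ONCE with: bash temp/setup-sudo-for-claudetools.sh
#
# What it does:
#   1. Writes a sudoers drop-in to a private temp file.
#   2. Validates it with visudo BEFORE installing it to /etc/sudoers.d.
#   3. Installs it as /etc/sudoers.d/claudetools (mode 0440).
#   4. Adds pam_tid.so (Touch ID) to /etc/pam.d/sudo if not already present.
#
# NOTE(review): the rules below are broader than they look and should be
# reviewed before this is run on a machine that matters:
#   - The two /bin/cp rules copy from paths under /Users/azcomputerguru, which
#     that account can modify. Together with the chown and launchctl rules,
#     whatever is at those source paths ends up root-owned and run by launchd.
#     Consider installing from a root-owned staging directory, or granting a
#     single root-owned installer script instead of individual cp/chown rules.
#   - The /usr/bin/tee rule lets the account write the LaunchDaemon plist
#     contents without a password; same concern as above.
#   - sudoers(5) matches command arguments as one concatenated string, so the
#     '*' in the cat/tail rules can match across '/' and word boundaries and
#     is not limited to files directly inside /Library/Logs/GuruRMM.
#   - ALL=(ALL) permits any run-as user; (root) would be sufficient for these
#     commands.

set -euo pipefail

echo "[INFO] Setting up passwordless sudo for ClaudeTools operations..."

# Use an unpredictable, private temp file rather than a fixed name in /tmp,
# and always remove it, including when a later step fails under set -e.
sudoers_tmp=$(mktemp "${TMPDIR:-/tmp}/claudetools-sudoers.XXXXXX")
cleanup() { rm -f -- "$sudoers_tmp"; }
trap cleanup EXIT

# Create sudoers rule for ClaudeTools/GuruRMM operations.
# The delimiter is quoted, so the text is written literally (no expansion).
# ':' inside command arguments must be escaped as '\:' per sudoers(5);
# an unescaped ':' ends the command specification.
cat > "$sudoers_tmp" << 'EOF'
# ClaudeTools passwordless sudo rules
# Allows specific operations without password prompt

# GuruRMM agent installation and management
azcomputerguru ALL=(ALL) NOPASSWD: /bin/mkdir -p /Library/Application Support/GuruRMM
azcomputerguru ALL=(ALL) NOPASSWD: /bin/mkdir -p /Library/Logs/GuruRMM
azcomputerguru ALL=(ALL) NOPASSWD: /bin/cp /Users/azcomputerguru/ClaudeTools/projects/msp-tools/guru-rmm/agent/target/release/gururmm-agent /usr/local/bin/gururmm-agent
azcomputerguru ALL=(ALL) NOPASSWD: /bin/cp /Users/azcomputerguru/ClaudeTools/projects/msp-tools/guru-rmm/agent/agent.toml /Library/Application Support/GuruRMM/agent.toml
azcomputerguru ALL=(ALL) NOPASSWD: /bin/chmod +x /usr/local/bin/gururmm-agent
azcomputerguru ALL=(ALL) NOPASSWD: /bin/chmod 644 /Library/LaunchDaemons/com.azcomputerguru.gururmm.plist
azcomputerguru ALL=(ALL) NOPASSWD: /usr/sbin/chown root\:wheel /usr/local/bin/gururmm-agent
azcomputerguru ALL=(ALL) NOPASSWD: /usr/sbin/chown root\:wheel /Library/LaunchDaemons/com.azcomputerguru.gururmm.plist
azcomputerguru ALL=(ALL) NOPASSWD: /usr/sbin/chown -R root\:wheel /Library/Application Support/GuruRMM
azcomputerguru ALL=(ALL) NOPASSWD: /usr/bin/tee /Library/LaunchDaemons/com.azcomputerguru.gururmm.plist
azcomputerguru ALL=(ALL) NOPASSWD: /bin/launchctl load /Library/LaunchDaemons/com.azcomputerguru.gururmm.plist
azcomputerguru ALL=(ALL) NOPASSWD: /bin/launchctl unload /Library/LaunchDaemons/com.azcomputerguru.gururmm.plist
azcomputerguru ALL=(ALL) NOPASSWD: /bin/launchctl start com.azcomputerguru.gururmm
azcomputerguru ALL=(ALL) NOPASSWD: /bin/launchctl stop com.azcomputerguru.gururmm
azcomputerguru ALL=(ALL) NOPASSWD: /bin/launchctl list

# General file operations for ClaudeTools
azcomputerguru ALL=(ALL) NOPASSWD: /bin/cat /Library/Logs/GuruRMM/*
azcomputerguru ALL=(ALL) NOPASSWD: /usr/bin/tail -f /Library/Logs/GuruRMM/*
EOF

# Validate sudoers syntax on the temp copy first: a drop-in with a syntax
# error must never reach /etc/sudoers.d, where it can interfere with sudo.
sudo visudo -c -f "$sudoers_tmp"
echo "[OK] Sudoers syntax validated"

# Install sudoers rule (only reached when validation succeeded)
sudo install -m 0440 "$sudoers_tmp" /etc/sudoers.d/claudetools
echo "[OK] Passwordless sudo rules installed to /etc/sudoers.d/claudetools"

# Enable Touch ID for sudo (fallback for other operations)
# NOTE(review): this edits /etc/pam.d/sudo in place with no backup, and OS
# updates may overwrite that file. Where the OS provides
# /etc/pam.d/sudo_local, that is the more durable place for this line;
# confirm for the target macOS version.
if ! grep -q "pam_tid.so" /etc/pam.d/sudo 2>/dev/null; then
  echo "[INFO] Enabling Touch ID for sudo..."
  # BSD sed: -i '' edits in place without a backup; insert before line 2.
  sudo sed -i '' '2i\
auth       sufficient     pam_tid.so
' /etc/pam.d/sudo
  echo "[OK] Touch ID enabled for sudo"
else
  echo "[OK] Touch ID already enabled for sudo"
fi

# Clean up (the EXIT trap also covers the failure paths)
rm -f -- "$sudoers_tmp"

echo ""
echo "[SUCCESS] Sudo configuration complete!"
echo ""
echo "What was configured:"
echo " - Passwordless sudo for GuruRMM agent installation/management"
echo " - Passwordless sudo for reading GuruRMM logs"
echo " - Touch ID authentication for other sudo operations"
echo ""
echo "ClaudeTools can now install the GuruRMM agent without password prompts."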