From 245a054f82c10e84cce0b7d7f382e83f4228826b Mon Sep 17 00:00:00 2001 From: Ned Bingham Date: Sat, 3 Jun 2023 16:48:57 +0000 Subject: [PATCH] no need for full sudo access anymore --- Dockerfile | 10 +++++++++- bcli-develop.sh | 2 +- home/.bashrc | 16 ++++++++++++++++ home/.sudo_as_admin_successful | 0 4 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 home/.sudo_as_admin_successful diff --git a/Dockerfile b/Dockerfile index 1916376..bd1a01a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -180,11 +180,19 @@ ENV GROUP_ID "1000" ENV MEMBERS "" ENV XAUTH_TOKEN "" +RUN echo "version: 1" CMD exec /bin/bash -c "echo \"$MEMBERS\" | sed 's/ /\n/g' | xargs -n 2 /usr/sbin/groupadd -g; \ /usr/sbin/useradd -u $USER_ID -g $USER $USER; \ echo \"$MEMBERS\" | sed 's/ [0-9]\+ /,/g' | sed 's/[0-9]\+ //g' | xargs -I{} /usr/sbin/usermod -aG {} $USER; \ cp -r /template /home/$USER; \ xauth -f /home/$USER/.Xauthority add $XAUTH_TOKEN; \ chown -R $USER:$USER /home/$USER; \ - /usr/sbin/usermod -p \$(openssl passwd -1 'bcli') $USER; \ + echo \"$USER ALL=NOPASSWD: /usr/bin/apt-get install *\" > /etc/sudoers.d/apt-get; \ + echo \"$USER ALL=NOPASSWD: /usr/bin/apt install *\" > /etc/sudoers.d/apt; \ trap : TERM INT; sleep infinity & wait" + +# In case we need to add a password for sudo. +# However, its possible for someone to break out of the docker container and +# have root access on the host if they are given sudo access in the container. +# So, we really shouldn't give them sudo access +# /usr/sbin/usermod -p \$(openssl passwd -1 'bcli') $USER; \ diff --git a/bcli-develop.sh b/bcli-develop.sh index c7646ad..eb5bc37 100644 --- a/bcli-develop.sh +++ b/bcli-develop.sh 
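Review bot: The two sudoers rules added to the CMD in the Dockerfile hunk (`$USER ALL=NOPASSWD: /usr/bin/apt-get install *` and its `apt` twin) do not narrow sudo as far as the subject line suggests. The trailing `*` matches any further arguments, including apt's own options and paths to local package files, and package maintainer scripts run as root, so the account can still reach root inside the container. Given the new comment's own concern about container root reaching the host, and that bcli-develop.sh bind-mounts `$HOME` and uses `--net=host`, installing the needed packages at image build time and shipping no sudoers rule would be the safer design. If the rules stay, note that they are written with plain `echo >` from an unvalidated `$USER` environment value; adding `chmod 0440 /etc/sudoers.d/apt-get /etc/sudoers.d/apt; visudo -c; \` after the two echo lines would at least surface a malformed entry in the container log. The commented-out `usermod -p ... 'bcli'` line keeps a hard-coded password in the repository and would be better deleted than parked in a comment.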
@@ -1,6 +1,6 @@ bcli() { if [ "$1" = "up" ]; then - export MEMBERS="$(groups | sed 's/ /\n/g' | xargs -I{} getent group {} | sed 's/\([^:]*\):[^:]*:\([^:]*\):.*/\2 \1/g')" + MEMBERS="$(groups | sed 's/adm \?\|cdrom \?\|sudo \?\|dip \?\|plugdev \?\|lxd \?\|docker \?//g' | sed 's/ /\n/g' | xargs -I{} getent group {} | sed 's/\([^:]*\):[^:]*:\([^:]*\):.*/\2 \1/g')" docker run --rm -d --net=host -v $HOME:/host -v "/opt/tech:/opt/cad/conf" --name "bcli-$USER" -h "bcli-$USER" -e USER=$USER -e USER_ID=$(id -u) -e GROUP_ID=$(id -g) -e DISPLAY=$DISPLAY -e MEMBERS="$MEMBERS" -e XAUTH_TOKEN="$(xauth list | sed 's/^[^:]*/localhost/g')" -v "/tmp/.X11-unix:/tmp/.X11-unix:rw" public.ecr.aws/l5h5o6z4/broccoli-cli:latest > /dev/null #docker run --rm -d -v $HOME:/host -v "${BCLI_TECH:/opt/tech}:/opt/cad/conf" --name "bcli-$USER" -h "bcli-$USER" -e USER=$USER -e USER_ID=$(id -u) -e GROUP_ID=$(id -g) -e DISPLAY=$DISPLAY -v "/tmp/.X11-unix:/tmp/.X11-unix:rw" ${BCLI_IMAGE:-public.ecr.aws/l5h5o6z4/broccoli-cli:latest} > /dev/null echo "bcli-$USER started" diff --git a/home/.bashrc b/home/.bashrc index 9d7f1f8..ef0774b 100644 --- a/home/.bashrc +++ b/home/.bashrc @@ -126,3 +126,19 @@ if ! shopt -oq posix; then fi fi +echo "Welcome to Broccoli's Command Line Interface" +echo "" +echo "The following tools are available:" +echo "go - architectural and behavioral simulation" +echo "haystack - formal synthesis of self-timed circuits" +echo "act - circuit design and digital simulation" +echo "prspice - configure digital/analog circuit co-simulation" +echo "Xyce - analog circuit simulation" +echo "gaw - analog waveform viewer" +echo "magic - circuit layout" +echo "" +echo "Semiconductor PDKs are in /opt/cad/conf" +echo "Packages may be installed with 'sudo apt install '" +echo "Other usages of sudo are disabled" +echo "" +echo "" diff --git a/home/.sudo_as_admin_successful b/home/.sudo_as_admin_successful new file mode 100644 index 0000000..e69de29
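Review bot: The new group filter in `bcli up` removes substrings rather than whole group names. `sed 's/adm \?\|...//g'` runs on the space-separated `groups` output before it is split, so a name that merely contains `adm`, `sudo` or `dip` (for example `lpadmin`) is mangled into a name `getent` cannot resolve and is silently dropped. It is also a denylist, so any other privileged host group the user belongs to is still recreated in the container; an allowlist of the groups that the mounted `/opt/tech` and `$HOME` trees actually need would fail closed. A whole-line match after splitting keeps the present intent without the substring problem: `groups | tr ' ' '\n' | grep -vxE 'adm|cdrom|sudo|dip|plugdev|lxd|docker' | xargs -I{} getent group {} | ...`. The body of `bcli()` continues past the end of this hunk.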