sean/sudo-nopasswd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6 Commits 1 Branch 0 Tags
main
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Seán Healy 2d984bbdb3 Update README.md
2026-04-18 19:39:36 +01:00
build
Print logs while installing. Add editor support.
2026-04-11 21:02:15 +01:00
debian
Initial commit
2026-01-10 22:22:36 +00:00
docs
Add readme, license and logo
2026-04-18 19:36:29 +01:00
gentoo
Initial commit
2026-01-10 22:22:36 +00:00
src
Add readme, license and logo
2026-04-18 19:36:29 +01:00
LICENSE
Add readme, license and logo
2026-04-18 19:36:29 +01:00
README.md
Update README.md
2026-04-18 19:39:36 +01:00

README.md

sudo-nopasswd

Logo

Manage a curated list of commands that members of the sudo group can run without a password prompt.

This project keeps command policy in /etc/sudo-nopasswd, then automatically syncs it into /etc/sudoers as a single NOPASSWD rule.

What It Does

  • Edits command policy in /etc/sudo-nopasswd
  • Resolves command names to full paths using command -v
  • Escapes sudoers special characters for safety
  • Updates or removes the %sudo ... NOPASSWD: line in /etc/sudoers
  • Validates syntax with visudo -c
  • Reverts from backup if validation fails
  • Watches policy changes and reapplies updates automatically via service

Components

  • src/sudo-nopasswd: interactive editor helper for /etc/sudo-nopasswd
  • src/update-sudo-nopasswd: applies policy to /etc/sudoers
  • src/watch-sudo-nopasswd: watches for file changes and triggers updates
  • src/sudo-nopasswd.service: systemd unit
  • src/sudo-nopasswd.init: OpenRC init script
  • build/install.sh: installs binaries/service files and enables service
  • build/uninstall.sh: removes service, binaries, and shared files

Requirements

Runtime requirements:

  • bash
  • sudo
  • visudo (normally from the sudggo package)
  • inotifywait (from inotify-tools)
  • Init system:
    • systemd (systemctl), or
    • OpenRC (rc-update, rc-service)

Build/package helper requirements:

  • For Debian package helper scripts: docker
  • For Gentoo helper script: emerge

Quick Start

  1. Install from source:
cd /path/to/sudo-nopasswd
./build/install.sh
  1. Add commands:
sudo-nopasswd

  1. Save and exit your editor. The tool runs update-sudo-nopasswd immediately, and the background watcher keeps changes in sync.

  2. Verify:

sudo -k
sudo <command-you-added>

If configured correctly, the command should run without a password prompt.

Policy File Format

Policy file: /etc/sudo-nopasswd

  • One command per line (preferred)
  • First token is resolved with command -v
  • Extra arguments on the line are kept

Example:

systemctl restart nginx
apt update
/usr/bin/journalctl -xe

Notes:

  • If command resolution fails, the resulting entry may be empty or invalid for your intent. Use fully qualified paths for strict control.
  • Keep this file root-owned and writable only by trusted admins.

Service Behavior

On install, the project:

  • Creates /etc/sudo-nopasswd if missing
  • Installs binaries to /usr/bin
  • Installs shared constants in /usr/share/sudo-nopasswd
  • Installs and enables either:
    • sudo-nopasswd.service (systemd), or
    • sudo-nopasswd.init (OpenRC)

The watcher listens for close_write events on /etc/sudo-nopasswd and runs update-sudo-nopasswd after each save.

Manual Operations

Run update once:

sudo update-sudo-nopasswd

Start/enable service manually (systemd):

sudo systemctl daemon-reload
sudo systemctl enable --now sudo-nopasswd.service

Start/enable service manually (OpenRC):

sudo rc-update add sudo-nopasswd.init default
sudo rc-service sudo-nopasswd.init start

Uninstall

cd /path/to/sudo-nopasswd
./build/uninstall.sh

This stops/disables the service, removes installed files, and removes /etc/sudo-nopasswd if it is empty.

Packaging Helpers

Debian helper

./build/build-deb.sh

This script builds in a Debian Docker container and places .deb artifacts in dist/.

Gentoo helper

./build/build-gentoo.sh

This script configures a local overlay and emerges app-admin/sudo-nopasswd-1.0.

Security Considerations

  • NOPASSWD reduces friction but increases risk if command scope is too broad.
  • Prefer exact binary paths and minimal argument patterns.
  • Review /etc/sudo-nopasswd regularly and keep it under change control.
  • Test changes in a non-production environment first.

Troubleshooting

  • No editor found: set EDITOR (for example EDITOR=vim sudo-nopasswd).
  • Unsupported init system: install/run on a host with systemd or OpenRC.
  • Update fails with syntax issues: the tool restores /etc/sudoers from backup automatically.
  • Watcher does not react: ensure inotifywait is installed and the service is running.

Repository Layout

build/      install, uninstall, and packaging scripts
debian/     Debian packaging metadata/helpers
gentoo/     Gentoo ebuild and metadata
src/        core scripts and service definitions
docs/       project assets/icons

License

This project is licensed under the GNU General Public License, version 3. See LICENSE for the full text.

Reference in New Issue View Git Blame Copy Permalink
Description
Takes the fuss out of maintaining a list of commands that sudo can run without a password.
Readme 1 MiB
Languages
Shell 100%