From 75f7fa28dcb3e9794bff368f6a0c903a37b5aef5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Se=C3=A1n=20Healy?=
Date: Sat, 11 Apr 2026 20:46:12 +0100
Subject: [PATCH] Added security and functionality.

- Introduced a sudo-nopasswd script that allows users to edit and update in one shot.
- Use random suffix on temp files to avoid collisions and hacks.
---
 src/sudo-nopasswd | 14 ++++++++++++++
 src/sudo_no_passwd_constants.sh | 11 ++++++-----
 src/update-sudo-nopasswd | 12 +++++++++---
 src/watch-sudo-nopasswd | 8 +++++++-
 4 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100755 src/sudo-nopasswd

diff --git a/src/sudo-nopasswd b/src/sudo-nopasswd
new file mode 100755
index 0000000..752816a
--- /dev/null
+++ b/src/sudo-nopasswd
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
+SHARE_ROOTS=("$HOME/.local/share" "/usr/local/share" "/usr/share")
+for SHARE_ROOT in "${SHARE_ROOTS[@]}"; do
+ if [ -d "$SHARE_ROOT/sudo-nopasswd" ]; then
+ SHARE_DIR="$SHARE_ROOT/sudo-nopasswd"
+ break
+ fi
+done
+CONSTANTS="sudo_no_passwd_constants.sh"
+source "$SHARE_DIR/$CONSTANTS"
+"$EDITOR" "$ETC_FILE"
+"$UPDATE_COMMAND"
diff --git a/src/sudo_no_passwd_constants.sh b/src/sudo_no_passwd_constants.sh
index 95a095a..458e1e4 100644
--- a/src/sudo_no_passwd_constants.sh
+++ b/src/sudo_no_passwd_constants.sh
@@ -1,9 +1,12 @@
 #!/bin/bash
+if [ ! "$INSTANCE" ]; then
+ INSTANCE="$(head -c10 /dev/urandom | base32)"
+fi
 ETC_FILE="/etc/sudo-nopasswd"
 SUDOERS_FILE="/etc/sudoers"
-SUDOERS_BAK="/etc/sudoers.bak"
-BEFORE_COMMANDS="/tmp/sudo-nopasswd-before"
-AFTER_COMMANDS="/tmp/sudo-nopasswd-after"
+SUDOERS_BAK="/etc/sudoers.bak_$INSTANCE"
+BEFORE_COMMANDS="/tmp/sudo-nopasswd-before-$INSTANCE"
+AFTER_COMMANDS="/tmp/sudo-nopasswd-after-$INSTANCE"
 SCRIPT_NAME="update-sudo-nopasswd"

 # Installation paths
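Review bot: If none of the three candidate directories exists, `SHARE_DIR` is never assigned and the `source "$SHARE_DIR/$CONSTANTS"` line tries to read `/sudo_no_passwd_constants.sh`, which under `set -e` aborts with a misleading "no such file" rather than a clear message; add `[ -n "${SHARE_DIR:-}" ] || { echo "sudo-nopasswd: share directory not found" >&2; exit 1; }` after the loop. The lookup also runs after the script has re-executed itself under sudo, so the first root searched, `$HOME/.local/share`, is whatever HOME sudo passes through, and if that is the invoking user's home, root ends up sourcing a shell file from a user-writable directory. Prefer the system roots when `$EUID` is 0, or resolve the per-user root only on the non-root path before the sudo re-exec. `"$EDITOR"` is likewise read from the post-sudo environment and expands to an empty command if EDITOR is not preserved across the re-exec; `"${EDITOR:-vi}"` gives a usable default. The same search loop appears in the update-sudo-nopasswd and watch-sudo-nopasswd hunks below and needs the same guard.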
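Review bot: The `if [ ! "$INSTANCE" ]` guard accepts a pre-set `INSTANCE` from the environment verbatim, and it is then spliced unchecked into `SUDOERS_BAK`, `BEFORE_COMMANDS` and `AFTER_COMMANDS`, so a value containing `/` or `..` would redirect where the sudoers copy is written and which files the later `rm` deletes, in scripts that run as root. Generate the suffix unconditionally, or accept an inherited value only after a character check: `[[ "$INSTANCE" =~ ^[A-Z2-7]+$ ]] || INSTANCE="$(head -c10 /dev/urandom | base32)"`. A random suffix on a fixed `/tmp` prefix also does not give what `mktemp` does, namely atomic creation with owner-only permissions, so `BEFORE_COMMANDS="$(mktemp /tmp/sudo-nopasswd-before.XXXXXX)"` would be the stronger form if the scripts that source this file are the ones creating those files. Separately, every run now produces a distinct `/etc/sudoers.bak_<suffix>`, and nothing in this patch removes the old ones, so copies of sudoers will accumulate in /etc over time.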
@@ -15,5 +18,3 @@
 INITD_DIR="/etc/init.d"
 UPDATE_COMMAND="update-sudo-nopasswd"
 WATCH_COMMAND="watch-sudo-nopasswd"
-
-SHARE_DIR="/usr/share/sudo-nopasswd"
\ No newline at end of file
diff --git a/src/update-sudo-nopasswd b/src/update-sudo-nopasswd
index 6014c02..6622915 100755
--- a/src/update-sudo-nopasswd
+++ b/src/update-sudo-nopasswd
@@ -1,9 +1,15 @@
 #!/bin/bash
 set -e
-SHARE_DIR="/usr/share/sudo-nopasswd"
+[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
+SHARE_ROOTS=("$HOME/.local/share" "/usr/local/share" "/usr/share")
+for SHARE_ROOT in "${SHARE_ROOTS[@]}"; do
+ if [ -d "$SHARE_ROOT/sudo-nopasswd" ]; then
+ SHARE_DIR="$SHARE_ROOT/sudo-nopasswd"
+ break
+ fi
+done
 CONSTANTS="sudo_no_passwd_constants.sh"
 source "$SHARE_DIR/$CONSTANTS"
-[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
 cp "$SUDOERS_FILE" "$SUDOERS_BAK"
 if grep -q "^%sudo.*NOPASSWD" "$SUDOERS_FILE"; then
@@ -41,4 +47,4 @@ cat "$ETC_FILE" |
 diff -u "$BEFORE_COMMANDS" "$AFTER_COMMANDS" --color=always |
 grep $'^\x1b\\[[0-9;]*m[+-]' |
 grep -Ev $'^\x1b\\[[0-9;]*m([+][+][+]|[-][-][-])'
-rm "$BEFORE_COMMANDS" "$AFTER_COMMANDS"
\ No newline at end of file
+rm "$BEFORE_COMMANDS" "$AFTER_COMMANDS"
diff --git a/src/watch-sudo-nopasswd b/src/watch-sudo-nopasswd
index 1d4201a..7444a3f 100755
--- a/src/watch-sudo-nopasswd
+++ b/src/watch-sudo-nopasswd
@@ -1,7 +1,13 @@
 #!/bin/bash
 set -e
 [ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
-SHARE_DIR="/usr/share/sudo-nopasswd"
+SHARE_ROOTS=("$HOME/.local/share" "/usr/local/share" "/usr/share")
+for SHARE_ROOT in "${SHARE_ROOTS[@]}"; do
+ if [ -d "$SHARE_ROOT/sudo-nopasswd" ]; then
+ SHARE_DIR="$SHARE_ROOT/sudo-nopasswd"
+ break
+ fi
+done
 CONSTANTS="sudo_no_passwd_constants.sh"
 source "$SHARE_DIR/$CONSTANTS"
 while [ 1 ]; do