Added security and functionality.

- Introduced a sudo-nopasswd script that allows users to edit and update
  in one shot.
- Use a random suffix on temp file names to avoid collisions and tampering.
2026-04-11 20:46:12 +01:00
parent 89d049ba7a
commit 75f7fa28dc
4 changed files with 36 additions and 9 deletions

14
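--- a/src/sudo-nopasswd
+++ b/src/sudo-nopasswd
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
+SHARE_ROOTS=("$HOME/.local/share" "/usr/local/share" "/usr/share")
+for SHARE_ROOT in "${SHARE_ROOTS[@]}"; do
+if [ -d "$SHARE_ROOT/sudo-nopasswd" ]; then
+SHARE_DIR="$SHARE_ROOT/sudo-nopasswd"
+break
+fi
+done
+CONSTANTS="sudo_no_passwd_constants.sh"
+source "$SHARE_DIR/$CONSTANTS"
+"$EDITOR" "$ETC_FILE"
+"$UPDATE_COMMAND"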
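Review bot: After re-executing itself under sudo, the script sources `sudo_no_passwd_constants.sh` as root from the first share root that exists, and the first candidate is `$HOME/.local/share`, which an unprivileged user can write to. Whenever sudo keeps the caller's HOME (that depends on the sudoers policy, which is not visible here), a file under that user's control is executed with root privileges. The search should be limited to root-owned locations, `SHARE_ROOTS=("/usr/local/share" "/usr/share")`, followed by `: "${SHARE_DIR:?sudo-nopasswd share directory not found}"` so that an unset SHARE_DIR does not turn the source path into `/sudo_no_passwd_constants.sh`. The same loop is added in the two later sections (the one that continues with `cp "$SUDOERS_FILE" "$SUDOERS_BAK"` and the one that ends in `while [ 1 ]; do`). `"$EDITOR"` on the second-to-last line also comes from the environment and makes the script fail under `set -e` when sudo has cleared it, so a fallback such as `"${EDITOR:-vi}"` is worth adding.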


@@ -1,9 +1,12 @@
#!/bin/bash #!/bin/bash
if [ ! "$INSTANCE" ]; then
INSTANCE="$(head -c10 /dev/urandom | base32)"
fi
ETC_FILE="/etc/sudo-nopasswd" ETC_FILE="/etc/sudo-nopasswd"
SUDOERS_FILE="/etc/sudoers" SUDOERS_FILE="/etc/sudoers"
SUDOERS_BAK="/etc/sudoers.bak" SUDOERS_BAK="/etc/sudoers.bak_$INSTANCE"
BEFORE_COMMANDS="/tmp/sudo-nopasswd-before" BEFORE_COMMANDS="/tmp/sudo-nopasswd-before-$INSTANCE"
AFTER_COMMANDS="/tmp/sudo-nopasswd-after" AFTER_COMMANDS="/tmp/sudo-nopasswd-after-$INSTANCE"
SCRIPT_NAME="update-sudo-nopasswd" SCRIPT_NAME="update-sudo-nopasswd"
# Installation paths # Installation paths
@@ -15,5 +18,3 @@ INITD_DIR="/etc/init.d"
UPDATE_COMMAND="update-sudo-nopasswd" UPDATE_COMMAND="update-sudo-nopasswd"
WATCH_COMMAND="watch-sudo-nopasswd" WATCH_COMMAND="watch-sudo-nopasswd"
SHARE_DIR="/usr/share/sudo-nopasswd"
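Review bot: The random suffix makes the `/tmp` names hard to guess, but it does not make their creation safe. The files are still opened by name somewhere outside this section, and `INSTANCE` is generated only when the variable is empty, so a value inherited from the environment is used as-is in paths under `/tmp` and `/etc`. Unless callers are meant to pass one in, assign it unconditionally with `INSTANCE="$(head -c10 /dev/urandom | base32)"`, or reject an inherited value that does not match `^[A-Z2-7]+$`. The two scratch files are better created with `mktemp` in the script that writes them, so that they are created exclusively and with owner-only permissions. A comment such as `# INSTANCE: per-run suffix; must not be taken from an untrusted environment` above the `if` would document the intent.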


@@ -1,9 +1,15 @@
#!/bin/bash #!/bin/bash
set -e set -e
SHARE_DIR="/usr/share/sudo-nopasswd" [ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
SHARE_ROOTS=("$HOME/.local/share" "/usr/local/share" "/usr/share")
for SHARE_ROOT in "${SHARE_ROOTS[@]}"; do
if [ -d "$SHARE_ROOT/sudo-nopasswd" ]; then
SHARE_DIR="$SHARE_ROOT/sudo-nopasswd"
break
fi
done
CONSTANTS="sudo_no_passwd_constants.sh" CONSTANTS="sudo_no_passwd_constants.sh"
source "$SHARE_DIR/$CONSTANTS" source "$SHARE_DIR/$CONSTANTS"
[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
cp "$SUDOERS_FILE" "$SUDOERS_BAK" cp "$SUDOERS_FILE" "$SUDOERS_BAK"
if grep -q "^%sudo.*NOPASSWD" "$SUDOERS_FILE"; then if grep -q "^%sudo.*NOPASSWD" "$SUDOERS_FILE"; then
@@ -41,4 +47,4 @@ cat "$ETC_FILE" |
diff -u "$BEFORE_COMMANDS" "$AFTER_COMMANDS" --color=always | diff -u "$BEFORE_COMMANDS" "$AFTER_COMMANDS" --color=always |
grep $'^\x1b\\[[0-9;]*m[+-]' | grep $'^\x1b\\[[0-9;]*m[+-]' |
grep -Ev $'^\x1b\\[[0-9;]*m([+][+][+]|[-][-][-])' grep -Ev $'^\x1b\\[[0-9;]*m([+][+][+]|[-][-][-])'
rm "$BEFORE_COMMANDS" "$AFTER_COMMANDS" rm "$BEFORE_COMMANDS" "$AFTER_COMMANDS"
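Review bot: With per-run names the cleanup on the last line now matters, and as shown it is skipped whenever nothing changed. Under `set -e` and without `pipefail` the pipeline's status is that of the final `grep -Ev`, which returns 1 when it prints no lines, so the script exits before `rm` runs. Before this commit the fixed names were simply overwritten on the next run; now each such run leaves a new pair of files in `/tmp`, and nothing in the visible lines removes `/etc/sudoers.bak_$INSTANCE` either. A trap placed right after the `source` line would cover every exit path, `trap 'rm -f -- "$BEFORE_COMMANDS" "$AFTER_COMMANDS"' EXIT`, with `|| true` on the diff pipeline if an empty diff is not meant to be an error. The lines between the two hunks are not shown, so this assumes nothing there already handles it.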


@@ -1,7 +1,13 @@
#!/bin/bash #!/bin/bash
set -e set -e
[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; } [ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
SHARE_DIR="/usr/share/sudo-nopasswd" SHARE_ROOTS=("$HOME/.local/share" "/usr/local/share" "/usr/share")
for SHARE_ROOT in "${SHARE_ROOTS[@]}"; do
if [ -d "$SHARE_ROOT/sudo-nopasswd" ]; then
SHARE_DIR="$SHARE_ROOT/sudo-nopasswd"
break
fi
done
CONSTANTS="sudo_no_passwd_constants.sh" CONSTANTS="sudo_no_passwd_constants.sh"
source "$SHARE_DIR/$CONSTANTS" source "$SHARE_DIR/$CONSTANTS"
while [ 1 ]; do while [ 1 ]; do