Initial commit

src/sudo-nopasswd.init

@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+description="Watch for changes to sudo-nopasswd and update sudoers"
+command="/usr/bin/watch-sudo-nopasswd"
+command_background=yes
+pidfile="/run/watch-sudo-nopasswd.pid"
+start_stop_daemon_args="--quiet"
+stop() {
+    ebegin "Stopping watch-sudo-nopasswd"
+    start-stop-daemon --stop --pidfile /run/watch-sudo-nopasswd.pid
+    eend $?
+}

src/sudo-nopasswd.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Watch for changes to /etc/sudo-nopasswd and update sudoers NOPASSWD
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/watch-sudo-nopasswd
+Restart=always
+User=root
+Type=simple
+
+[Install]
+WantedBy=multi-user.target

src/sudo_no_passwd_constants.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+ETC_FILE="/etc/sudo-nopasswd"
+SUDOERS_FILE="/etc/sudoers"
+SUDOERS_BAK="/etc/sudoers.bak"
+BEFORE_COMMANDS="/tmp/sudo-nopasswd-before"
+AFTER_COMMANDS="/tmp/sudo-nopasswd-after"
+SCRIPT_NAME="update-sudo-nopasswd"
+
+# Installation paths
+BIN_DIR="/usr/bin"
+SERVICE_FILE="sudo-nopasswd.service"
+INIT_FILE="sudo-nopasswd.init"
+SYSTEMD_DIR="/etc/systemd/system"
+INITD_DIR="/etc/init.d"
+
+UPDATE_COMMAND="update-sudo-nopasswd"
+WATCH_COMMAND="watch-sudo-nopasswd"
+
+SHARE_DIR="/usr/share/sudo-nopasswd"

src/update-sudo-nopasswd

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+SHARE_DIR="/usr/share/sudo-nopasswd"
+CONSTANTS="sudo_no_passwd_constants.sh"
+source "$SHARE_DIR/$CONSTANTS"
+[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
+cp "$SUDOERS_FILE" "$SUDOERS_BAK"
+
+if grep -q "^%sudo.*NOPASSWD" "$SUDOERS_FILE"; then
+    grep "%sudo.*NOPASSWD" "$SUDOERS_FILE" |
+        sed -E 's/.*NOPASSWD: //;s/([^\\]),/\1\n/g;s/\\\\//g' > "$BEFORE_COMMANDS"
+else
+    touch "$BEFORE_COMMANDS"
+fi
+output="$(
+    cat "$ETC_FILE" |
+        awk -F' ' '{"command -v "$1 | getline program; $1=program; print}' |
+        sed -E 's/([:,#])/\\\\\1/g' |
+        paste -sd,
+)"
+sep=$(printf '\001')
+if [ "$output" ]; then
+    if grep -q "^%sudo.*NOPASSWD" "$SUDOERS_FILE"; then
+        sed -i "s${sep}^%sudo.*NOPASSWD: .*${sep}%sudo ALL=(ALL:ALL) NOPASSWD: $output${sep}" "$SUDOERS_FILE"
+    else
+        sed -i "/^%sudo/a %sudo ALL=(ALL:ALL) NOPASSWD: $output" "$SUDOERS_FILE"
+    fi
+else
+    sed -i "/^%sudo.*NOPASSWD/d" "$SUDOERS_FILE"
+fi
+if ! visudo -c "$SUDOERS_FILE" >/dev/null 2>&1; then
+    cat "$SUDOERS_BAK" | grep "%sudo.*NOPASSWD"
+    cp "$SUDOERS_BAK" "$SUDOERS_FILE"
+    echo "Syntax error detected in $SUDOERS_FILE. Reverted to backup."
+    exit 1
+else
+    rm "$SUDOERS_BAK"
+fi
+cat "$ETC_FILE" |
+    awk -F' ' '{"command -v "$1 | getline program; $1=program; print}' > "$AFTER_COMMANDS"
+diff -u "$BEFORE_COMMANDS" "$AFTER_COMMANDS" --color=always |
+    grep $'^\x1b\\[[0-9;]*m[+-]' |
+    grep -Ev $'^\x1b\\[[0-9;]*m([+][+][+]|[-][-][-])'
+rm "$BEFORE_COMMANDS" "$AFTER_COMMANDS"

src/watch-sudo-nopasswd

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+[ "$EUID" -eq 0 ] || { sudo "$0" "$@"; exit $?; }
+SHARE_DIR="/usr/share/sudo-nopasswd"
+CONSTANTS="sudo_no_passwd_constants.sh"
+source "$SHARE_DIR/$CONSTANTS"
+while [ 1 ]; do
+	while ! inotifywait -e close_write "$ETC_FILE"; do
+		"$UPDATE_COMMAND"
+	done
+done