sean/sudo-nopasswd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
sudo-nopasswd/README.md
Seán Healy 2d984bbdb3 Update README.md
2026-04-18 19:39:36 +01:00

4.6 KiB
Raw Permalink Blame History

sudo-nopasswd

Logo

Manage a curated list of commands that members of the sudo group can run without a password prompt.

This project keeps command policy in /etc/sudo-nopasswd, then automatically syncs it into /etc/sudoers as a single NOPASSWD rule.

What It Does

  • Edits command policy in /etc/sudo-nopasswd
  • Resolves command names to full paths using command -v
  • Escapes sudoers special characters for safety
  • Updates or removes the %sudo ... NOPASSWD: line in /etc/sudoers
  • Validates syntax with visudo -c
  • Reverts from backup if validation fails
  • Watches policy changes and reapplies updates automatically via service

Components

  • src/sudo-nopasswd: interactive editor helper for /etc/sudo-nopasswd
  • src/update-sudo-nopasswd: applies policy to /etc/sudoers
  • src/watch-sudo-nopasswd: watches for file changes and triggers updates
  • src/sudo-nopasswd.service: systemd unit
  • src/sudo-nopasswd.init: OpenRC init script
  • build/install.sh: installs binaries/service files and enables service
  • build/uninstall.sh: removes service, binaries, and shared files

Requirements

Runtime requirements:

  • bash
  • sudo
  • visudo (normally from the sudggo package)
  • inotifywait (from inotify-tools)
  • Init system:
    • systemd (systemctl), or
    • OpenRC (rc-update, rc-service)

Build/package helper requirements:

  • For Debian package helper scripts: docker
  • For Gentoo helper script: emerge

Quick Start

  1. Install from source:
cd /path/to/sudo-nopasswd
./build/install.sh
  1. Add commands:
sudo-nopasswd

  1. Save and exit your editor. The tool runs update-sudo-nopasswd immediately, and the background watcher keeps changes in sync.

  2. Verify:

sudo -k
sudo <command-you-added>

If configured correctly, the command should run without a password prompt.

Policy File Format

Policy file: /etc/sudo-nopasswd

  • One command per line (preferred)
  • First token is resolved with command -v
  • Extra arguments on the line are kept

Example:

systemctl restart nginx
apt update
/usr/bin/journalctl -xe

Notes:

  • If command resolution fails, the resulting entry may be empty or invalid for your intent. Use fully qualified paths for strict control.
  • Keep this file root-owned and writable only by trusted admins.

Service Behavior

On install, the project:

  • Creates /etc/sudo-nopasswd if missing
  • Installs binaries to /usr/bin
  • Installs shared constants in /usr/share/sudo-nopasswd
  • Installs and enables either:
    • sudo-nopasswd.service (systemd), or
    • sudo-nopasswd.init (OpenRC)

The watcher listens for close_write events on /etc/sudo-nopasswd and runs update-sudo-nopasswd after each save.

Manual Operations

Run update once:

sudo update-sudo-nopasswd

Start/enable service manually (systemd):

sudo systemctl daemon-reload
sudo systemctl enable --now sudo-nopasswd.service

Start/enable service manually (OpenRC):

sudo rc-update add sudo-nopasswd.init default
sudo rc-service sudo-nopasswd.init start

Uninstall

cd /path/to/sudo-nopasswd
./build/uninstall.sh

This stops/disables the service, removes installed files, and removes /etc/sudo-nopasswd if it is empty.

Packaging Helpers

Debian helper

./build/build-deb.sh

This script builds in a Debian Docker container and places .deb artifacts in dist/.

Gentoo helper

./build/build-gentoo.sh

This script configures a local overlay and emerges app-admin/sudo-nopasswd-1.0.

Security Considerations

  • NOPASSWD reduces friction but increases risk if command scope is too broad.
  • Prefer exact binary paths and minimal argument patterns.
  • Review /etc/sudo-nopasswd regularly and keep it under change control.
  • Test changes in a non-production environment first.

Troubleshooting

  • No editor found: set EDITOR (for example EDITOR=vim sudo-nopasswd).
  • Unsupported init system: install/run on a host with systemd or OpenRC.
  • Update fails with syntax issues: the tool restores /etc/sudoers from backup automatically.
  • Watcher does not react: ensure inotifywait is installed and the service is running.

Repository Layout

build/      install, uninstall, and packaging scripts
debian/     Debian packaging metadata/helpers
gentoo/     Gentoo ebuild and metadata
src/        core scripts and service definitions
docs/       project assets/icons

License

This project is licensed under the GNU General Public License, version 3. See LICENSE for the full text.

Reference in New Issue View Git Blame Copy Permalink