juliyvchirkov/macos-sudo-nopasswd.sh

## readme.rst

      
    Raw
  

              readme.rst
            
          
    Purpose

Enable nopasswd mode for sudo on macOS from the userspace in fast and totally non-interactive way
Type your sudo password one last time to enable nopasswd mode and forget it for any console task for ages


Warning

Althrough NOPASSWD doesn't have a major impact on security, it needs to be clarified and clearly stated that you are acting as a person aware of the possible consequences. Enabling NOPASSWD for sudo, no matter with or without this script, you realize the risks and on your own take the whole responsibility for any claims, damages or other liability, arising from, in connection with or out of access from your userspace to the sudo command without password protection on your macOS


Features


Enables nopasswd mode in 0.14769983291626 sec
Provides the rollback. Disables nopasswd mode in 0.097800025939941 sec
Implements silent autofixes for missing settings and environment
Includes various checks to avoid conflicts with existing configuration

Environment

Designed and tested with GNU bash 3.2.57(1)-release on macOS Big Sur 11.2.0 (Darwin Kernel Version 20.3.0 Thu Jan 21 00:07:06 PST 2021)
macOS SIP is disabled (since OS X El Capitan 10.11)
Depends on coreutils sudo, visudo, mkdir, rm, chmod, grep, cat, grep, wc, basename and hostname.
Setup routine also requires wget utility to retrieve the script from Github Gist


Warning

Most likely you will need to disable macOS System Integrity Protection before using this script (or applying any other changes to system files), otherwise active SIP won't let you to modify system files under /private/etc/ folder owned by root:wheel


Steps to disable SIP


If your hard drive is encrypted, you have to decrypt it first and disable FileVault
Boot into recovery mode, holding down ⌘ and R keys while starting up your computer
Launch Utilities > Terminal from the menu bar
Run command csrutil authenticated-root disable; csrutil disable; reboot

To check current status of SIP, open Terminal.app and run csrutil authenticated-root status; csrutil status. When nopasswd mode for sudo will be enabled, you can turn SIP back on
Steps to enable SIP


Boot into recovery mode, holding down ⌘ and R keys while starting up your computer
Launch Utilities > Terminal from the menu bar
Run command csrutil authenticated-root enable; csrutil enable; reboot

Usage

To enable nopasswd mode


Open Terminal.app
Copy the following command, paste it to command line and launch
Type your sudo password one last time to let the script to process
Enjoy!

cd ${HOME}; \
wget https://gist.githubusercontent.com/juliyvchirkov/3ca76582ed6b6a8366c9e7d60644960d/raw/macos-sudo-nopasswd.sh -O macos-sudo-nopasswd.sh; \
chmod 755 macos-sudo-nopasswd.sh; \
./macos-sudo-nopasswd.sh
Since the goal is now achieved, you can safely remove downloaded script. Delete it with rm macos-sudo-nopasswd.sh command in Terminal.app or drop to Trash from the Finder.app
To disable nopasswd mode


Open Terminal.app
Copy the following command, paste it to command line and launch
That's all! Due to nopasswd mode the rollback is completely non-interactive, and from now on your sudo will require the password again

cd ${HOME}; \
wget https://gist.githubusercontent.com/juliyvchirkov/3ca76582ed6b6a8366c9e7d60644960d/raw/macos-sudo-nopasswd.sh -O macos-sudo-nopasswd.sh; \
chmod 755 macos-sudo-nopasswd.sh; \
./macos-sudo-nopasswd.sh --undo
Since the goal is now achieved, you can safely remove downloaded script. Delete it with rm macos-sudo-nopasswd.sh command in Terminal.app or drop to Trash from the Finder.app
To re-enable and re-disable nopasswd mode at any moment repeat the steps from the appropriative above block
Troubleshooting


Warning

Improper use of sudo command can lead to data loss or the deletion of important system files. Always double-check your typing when using sudo. Type man sudo in Terminal.app for more information


System sudoers config is stored in /private/etc/sudoers, custom sudoers profiles can be found under /private/etc/sudoers.d folder
Sudoers directives are declared as plain text. Use Terminal.app to inspect sudoers configuration in case of some emergency with sudo settings

Investigate the routine in details

man sudo
man sudoers
man visudo

Check sudoers config files for syntax errors and invalid permissions

sudo visudo -c

Review the list of custom sudoers profiles

sudo ls -lAh /private/etc/sudoers.d

Try to force correct permissions for custom sudoers profiles

sudo chmod 440 /private/etc/sudoers.d/*

Inspect directives in all custom sudoers profiles at once in sequence

sudo bash -c \
"for conf in /private/etc/sudoers.d/*; \
do echo -e \"> \${conf} \n\"; cat \${conf}; done | 
less -F"

Inspect directives in system sudoers config the same way

sudo less /private/etc/sudoers -F

This script on the first run just in case backups system sudoers config at /private/etc/sudoers.default. Try to compare that saved edition with the current one

sudo diff /private/etc/sudoers /private/etc/sudoers.default

Temporary remove all custom sudoers profiles and see if it helps

sudo bash -c \
"mkdir /private/tmp/sudoers.d; \
mv /private/etc/sudoers.d/* /private/tmp/sudoers.d/; \
visudo -c"
#. If the move solves the problem, try to return custom sudoers profiles back one by one with dedicated step on each one. Check for the problem again after each step
sudo bash -c \
"find /private/tmp/sudoers.d -type f -print0 -quit |
xargs -0 -I{} mv -v {} /private/etc/sudoers.d/; \
chmod 440 /private/etc/sudoers.d/*; \
visudo -c"
Credits

Implemented by @juliyvchirkov under the MIT license

  
## macos-sudo-nopasswd.sh
#!/bin/bash
#
# Enable nopasswd mode for sudo on macOS from the userspace in fast and totally non-interactive way
#
# Type the password last time to apply the new mode and forget it for any console task for ages
# Use the rollback to restore password protection
#
# Developed and tested by https://juliyvchirkov.github.io/ under the MIT license on macOS Big Sur 11.2.0
#
# Get latest version at https://gist.github.com/juliyvchirkov/3ca76582ed6b6a8366c9e7d60644960d
#
# See https://gist.github.com/juliyvchirkov/3ca76582ed6b6a8366c9e7d60644960d#file-readme-rst for details

if [[ ${USER} != root ]]
then
    /usr/bin/sudo /bin/bash ${0} ${1}
else
    sudoers=/private/etc/sudoers
    sudoersd=${sudoers}.d
    sudoersinc="#includedir ${sudoersd}"
    whoami=${SUDO_USER}
    usersudoersd=${sudoersd}/${whoami}-nopasswd
    hostname=$(/bin/hostname -s)

    if [[ "${1}" = "--undo" ]]
    then
        if [ -f ${usersudoersd} ]
        then
            /bin/rm -f ${usersudoersd}
            /usr/sbin/visudo -cq
            echo -e "sudo in nopasswd mode has been disabled for ${whoami}@${hostname}"
        else
            echo -e "Sorry, seems this script hasn't been used to enable nopasswd mode for ${whoami}@${hostname}, or it has been already disabled.\nTry to inspect the content of ${sudoersd} folder manually"
        fi
    else
        [ -d ${sudoersd} ] || /bin/mkdir -m755 ${sudoersd}

        if [ -f ${usersudoersd} ]
        then
            echo -e "Sorry, seems this script has already been used to enable nopasswd mode for ${whoami}@${hostname}\nTo rollback changes run this script once again with --undo option\n\n\t$(/usr/bin/basename ${0}) --undo\n"
        else
            echo "${whoami} ALL=(ALL:ALL) NOPASSWD: ALL" >${usersudoersd}
            /bin/chmod 440 ${usersudoersd}
            [ -f ${sudoers}.default ] || cp -a ${sudoers} ${sudoers}.default
            /usr/bin/grep "${sudoersinc}" ${sudoers} >/dev/null || echo -e "\n${sudoersinc}" >>${sudoers}
            /usr/sbin/visudo -cq
            echo -e "Congrats, ${whoami}@${hostname}! nopasswd mode for sudo has been enabled\nTo rollback changes run this script once again with --undo option\n\n\t$(/usr/bin/basename ${0}) --undo\n"
        fi

        [ $(cat ${sudoers} ${sudoersd}/* | /usr/bin/grep ${whoami} | /usr/bin/wc -l) -ne 1 ] && echo -e "\n*WARNING* Another mention of ${whoami}@${hostname} has been found at sudoers config files!\nTry to inspect the content of sudoers system config and custom profiles to alter settings manually and avoid possible conflicts\nSystem config: ${sudoers}\nCustom profiles: ${sudoersd}/"
    fi
fi
	#!/bin/bash
	#
	# Enable nopasswd mode for sudo on macOS from the userspace in fast and totally non-interactive way
	#
	# Type the password last time to apply the new mode and forget it for any console task for ages
	# Use the rollback to restore password protection
	#
	# Developed and tested by https://juliyvchirkov.github.io/ under the MIT license on macOS Big Sur 11.2.0
	#
	# Get latest version at https://gist.github.com/juliyvchirkov/3ca76582ed6b6a8366c9e7d60644960d
	#
	# See https://gist.github.com/juliyvchirkov/3ca76582ed6b6a8366c9e7d60644960d#file-readme-rst for details

	if [[ ${USER} != root ]]
	then
	/usr/bin/sudo /bin/bash ${0} ${1}
	else
	sudoers=/private/etc/sudoers
	sudoersd=${sudoers}.d
	sudoersinc="#includedir ${sudoersd}"
	whoami=${SUDO_USER}
	usersudoersd=${sudoersd}/${whoami}-nopasswd
	hostname=$(/bin/hostname -s)

	if [[ "${1}" = "--undo" ]]
	then
	if [ -f ${usersudoersd} ]
	then
	/bin/rm -f ${usersudoersd}
	/usr/sbin/visudo -cq
	echo -e "sudo in nopasswd mode has been disabled for ${whoami}@${hostname}"
	else
	echo -e "Sorry, seems this script hasn't been used to enable nopasswd mode for ${whoami}@${hostname}, or it has been already disabled.\nTry to inspect the content of ${sudoersd} folder manually"
	fi
	else
	[ -d ${sudoersd} ] \|\| /bin/mkdir -m755 ${sudoersd}

	if [ -f ${usersudoersd} ]
	then
	echo -e "Sorry, seems this script has already been used to enable nopasswd mode for ${whoami}@${hostname}\nTo rollback changes run this script once again with --undo option\n\n\t$(/usr/bin/basename ${0}) --undo\n"
	else
	echo "${whoami} ALL=(ALL:ALL) NOPASSWD: ALL" >${usersudoersd}
	/bin/chmod 440 ${usersudoersd}
	[ -f ${sudoers}.default ] \|\| cp -a ${sudoers} ${sudoers}.default
	/usr/bin/grep "${sudoersinc}" ${sudoers} >/dev/null \|\| echo -e "\n${sudoersinc}" >>${sudoers}
	/usr/sbin/visudo -cq
	echo -e "Congrats, ${whoami}@${hostname}! nopasswd mode for sudo has been enabled\nTo rollback changes run this script once again with --undo option\n\n\t$(/usr/bin/basename ${0}) --undo\n"
	fi

	[ $(cat ${sudoers} ${sudoersd}/* \| /usr/bin/grep ${whoami} \| /usr/bin/wc -l) -ne 1 ] && echo -e "\nWARNING Another mention of ${whoami}@${hostname} has been found at sudoers config files!\nTry to inspect the content of sudoers system config and custom profiles to alter settings manually and avoid possible conflicts\nSystem config: ${sudoers}\nCustom profiles: ${sudoersd}/"
	fi
	fi