Sweep across the three script directories: features/scripts/utils,
core/system/scripts, themes/engine/scripts. 142 of 169 bash scripts
gained `set -e`; 27 already had it; the one Python helper
(nomarchy-haptic-touchpad) was skipped via shebang detection.

Why: bash's default behavior is to continue past a failed command,
which means a script that does "do A; do B; do C" leaves the system
in a half-applied state when B fails - and the user gets no signal.
Several recent fix commits (theme partial-apply, waybar reload race,
installer prewipe silent failures) all trace back to this. set -e
turns silent corruption into a loud abort the user can act on.

The 11 scripts with explicit `|| true` markers stay safe under set -e
because || true coerces the exit to zero; the markers continue to
mean "I deliberately tolerate this failure here."

Deliberate exception: nomarchy-menu runs WITHOUT set -e. It is an
interactive UX loop where action branches do `cmd; back_to <self>`
so a failed action would abort the script under set -e and the menu
would disappear without feedback. Soft-failure - menu re-displays,
user picks again - is the right semantic. Documented inline.

Validation: bash -n on every modified script (zero failures). The
new pre-commit hook (27f5663) was just updated to filter by shebang
so it doesn't try to bash-syntax-check the Python helper - that
filter was uncovered by this sweep.

Risk: set -e can surface latent bugs in scripts that previously
relied on silent continuation. If anything breaks, it's a real bug
that was already broken and is now visible. Easy per-script revert
if any UX glitches show up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

45 lines
1.9 KiB
Bash
Executable File
#!/bin/bash
set -e

# Toggle passwordless sudo for the current user.
# First run: enables passwordless sudo for 15 minutes (after confirmation).
# Second run: disables it early.

NOPASSWD_FILE="/etc/sudoers.d/99-nomarchy-nopasswd-${USER}"
TIMER_NAME="nomarchy-nopasswd-expire-${USER}"

# Safety: if the file exists but the timer doesn't (e.g. after reboot), clean up
if sudo test -f "$NOPASSWD_FILE" && ! systemctl is-active "${TIMER_NAME}.timer" &>/dev/null; then
  sudo rm "$NOPASSWD_FILE"
fi

# Check for the file directly — sudo -n can stay cached or be granted by other rules
if sudo test -f "$NOPASSWD_FILE"; then
  sudo rm "$NOPASSWD_FILE"
  sudo systemctl stop "${TIMER_NAME}.timer" 2>/dev/null
  echo "Passwordless sudo has been DISABLED. Sudo will require a password again."
else
  echo ""
  echo "⚠️ WARNING: This will allow ANY process running as your user to"
  echo "execute ANY command as root WITHOUT a password for 15 minutes."
  echo ""
  echo "This is useful for AI agents that need to run sudo commands,"
  echo "but it significantly weakens the security of your system."
  echo "Anyone or anything with access to your user account gets full root."
  echo ""
  echo "Passwordless sudo will automatically disable after 15 minutes."
  echo "Run this command again to disable it early."
  echo ""

  if gum confirm "Enable passwordless sudo for 15 minutes? This is a significant security risk!"; then
    echo "${USER} ALL=(ALL) NOPASSWD: ALL" | sudo tee "$NOPASSWD_FILE" > /dev/null
    sudo chmod 440 "$NOPASSWD_FILE"
    sudo systemd-run --on-active=15m --timer-property=AccuracySec=1s --unit="$TIMER_NAME" \
      rm "$NOPASSWD_FILE"
    echo "Passwordless sudo has been ENABLED. It will automatically disable in 15 minutes."
    echo "Note: if you restart before then, run nomarchy-sudo-passwordless-toggle again to disable it."
  else
    echo "Aborted. No changes made."
  fi
fi
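
Added example, not part of the nomarchy repository: the grant-then-arm-expiry sequence of the script above, replayed in a scratch directory to show what `set -e` does and does not guarantee when the middle step fails. `grant`, `schedule`, `announce` and `apply` are constructed stand-ins, and the failing `schedule` step is simulated.

```shell
#!/bin/bash
# Added example, not nomarchy code. Each case runs in a fresh bash process against
# a scratch directory. grant/schedule/announce are constructed stand-ins for the
# sudoers drop-in write, the systemd-run timer and the final message.
STEPS='
grant()    { touch "$DIR/grant"; }
schedule() { return 1; }   # constructed failure: the expiry is never armed
announce() { echo ENABLED; }
apply()    { grant; schedule; announce; }
'

# run_case BODY: prints "<stdout>|<exit status>|<grant left behind: yes/no>"
run_case() {
  dir=$(mktemp -d)
  out=$(DIR="$dir" bash -c "$STEPS$1" 2>/dev/null) && rc=0 || rc=$?
  [ -e "$dir/grant" ] && left=yes || left=no
  rm -rf "$dir"
  echo "$out|$rc|$left"
}

# Default bash: the failed step is skipped over and success is reported.
case_default()   { run_case 'apply'; }                        # ENABLED|0|yes
# set -e: loud abort, but the grant written before the failure stays in place.
case_errexit()   { run_case 'set -e; apply'; }                # |1|yes
# set -e plus an EXIT trap that removes the grant unless the expiry was armed.
case_rollback()  { run_case 'set -e; armed=0
trap "[ \$armed -eq 1 ] || rm -f \"\$DIR/grant\"" EXIT
grant; schedule; armed=1; announce'; }                        # |1|no
# set -e is ignored inside a function used as an if/&&/|| condition.
case_condition() { run_case 'set -e; if apply; then :; fi'; } # ENABLED|0|yes
# "|| true" tolerates one named failure; the steps after it still run.
case_tolerated() { run_case 'set -e; grant; schedule || true; announce'; } # ENABLED|0|yes

for c in case_default case_errexit case_rollback case_condition case_tolerated; do
  printf '%-15s %s\n' "$c" "$($c)"
done
```

`case_errexit` is the toggle script's situation if `systemd-run` fails after the drop-in is written: the abort is visible, but the file stays until the script's own safety check removes it on the next run.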