sudo-buddy

Secure, scoped passwordless sudo automation for Linux developers using least-privilege sudoers rules.

sudo-buddy lets you run specific administrative commands — system updates, service restarts, log cleanup — without entering your sudo password repeatedly. It does this safely by granting access to only an explicit, minimal set of commands, not blanket root access.

Example

update.sh
cleanup.sh
service-restart docker
dev-reset.sh

Why This Exists

Typing sudo passwords repeatedly during development is friction. The usual workarounds — NOPASSWD: ALL in sudoers, or just staying root — are poor security choices.

sudo-buddy takes a third path: define exactly which commands are allowed, nothing more.


Use Cases

  • Daily system updates
  • Docker restart during development
  • Cleanup before builds
  • CI-like local automation
  • Cron-based maintenance
  • Development environment reset
  • Laptop boot-time maintenance

What It Does

| Script | What It Runs |
|---|---|
| update.sh | apt update, apt upgrade, apt autoremove |
| cleanup.sh | apt clean, journalctl vacuum (time + size) |
| service-restart.sh | systemctl restart for docker / NetworkManager |
| dev-reset.sh | update → restart docker → cleanup logs |

All operations are logged to ~/.local/logs/.


Quick Install

git clone https://github.com/abdustartus/sudo-buddy
cd sudo-buddy
./scripts/install-all.sh

The installer automatically substitutes your username into the sudoers config. See INSTALL.md for manual steps and PATH setup.


Requirements

  • Linux (Debian/Ubuntu — requires apt)
  • sudo
  • systemd
  • Bash

Security Model

sudo-buddy follows the principle of least privilege.

The sudoers configuration allows only exact, full-path commands with no wildcards. Specifically blocked:

  • Shell access (sudo bash, sudo su, etc.)
  • Editors (sudo vim, sudo nano, etc.)
  • Generic systemctl (only docker and NetworkManager are whitelisted)
  • File system commands (sudo cp, sudo rm, etc.)

Even if a script is modified maliciously, it still runs as your ordinary user: sudo elevates only the exact commands listed in the sudoers file, so anything else the script tries to run as root is refused.

See SECURITY.md for the full threat model and allowed command list.
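Two checks in the spirit of this model, as an added example that is not sudo-buddy's own code: an exact-match allow-list of the kind service-restart.sh needs, and a linter for a single sudoers rule line that rejects wildcards, ALL and relative command names. The whitelist (docker, NetworkManager) comes from the README above; the function names and the sample rule lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of sudo-buddy. Whitelist taken from the README.
SERVICE_WHITELIST="docker NetworkManager"

# Return 0 only if $1 is exactly one whitelisted name.
# String comparison, so "dock*" or "docker;id" can never match.
check_service() {
  for s in $SERVICE_WHITELIST; do
    [ "$1" = "$s" ] && return 0
  done
  return 1
}

# Return 0 if a sudoers rule line ($1) grants only exact, full-path commands:
# no wildcards, no ALL, no relative names or aliases in the Cmnd_Spec.
lint_sudoers_rule() {
  # Everything after the first "=" is "(Runas) [TAG:] command, command".
  spec=${1#*=}
  # Drop the (runas) list and any tags such as NOPASSWD: or SETENV:.
  spec=$(printf '%s' "$spec" | sed -e 's/^[[:space:]]*([^)]*)//' \
                                    -e 's/^[[:space:]]*\([A-Z]*:[[:space:]]*\)*//')
  case $spec in
    *'*'*|*'?'*|*'['*) return 1 ;;   # a glob would widen the grant
  esac
  # Each comma-separated command must be an absolute path.
  old_ifs=$IFS; IFS=,
  for cmd in $spec; do
    cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case $cmd in
      ALL) IFS=$old_ifs; return 1 ;;   # blanket root, the NOPASSWD: ALL anti-pattern
      /*)  ;;                          # full path: acceptable
      *)   IFS=$old_ifs; return 1 ;;   # relative name, alias or negation
    esac
  done
  IFS=$old_ifs
  return 0
}
```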


Directory Structure

sudo-buddy
├── scripts
│   ├── install-all.sh          # One-command installer
│   ├── update.sh               # System package update
│   ├── cleanup.sh              # Package + log cleanup
│   ├── service-restart.sh      # Whitelisted service restarts
│   └── dev-reset.sh            # Combined dev environment reset
├── sudoers
│   └── apt-nopasswd.template   # Restricted sudoers config (template)
├── README.md
├── INSTALL.md
├── USAGE.md
└── SECURITY.md

Usage

# Update system packages
update.sh

# Clean packages and logs
cleanup.sh

# Restart a service (docker or NetworkManager only)
service-restart docker
service-restart NetworkManager

# Full dev environment reset
dev-reset.sh

See USAGE.md for cron setup, aliases, and chaining commands.


Logs

~/.local/logs/update.log
~/.local/logs/cleanup.log

All script executions append timestamped output to these files.


Uninstall

sudo rm /etc/sudoers.d/apt-nopasswd
rm ~/.local/bin/update.sh ~/.local/bin/cleanup.sh
rm ~/.local/bin/dev-reset.sh ~/.local/bin/service-restart.sh
rm -r ~/.local/logs   # optional

License

MIT

About

sudo-buddy: the wingman that handles the admin work without handing over the keys or becoming the admin
