
Add temporary passwordless sudo #148

Closed
wants to merge 1 commit into from

Conversation

tuxpeople (Author)

This should fix #147

Once #79 is ready, this can be removed again.

@geerlingguy (Owner)

The major issue I have with this approach is that if the playbook stops for some reason after it enables the permission, but before it disables it, the system would have passwordless sudo enabled until someone either manually deletes the config or successfully completes the playbook again.

@tuxpeople (Author)

tuxpeople commented Apr 1, 2022

Understood. But an attacker would need your password anyway to log in prior to being able to passwordless sudo.

There would also be an option to use the SUDO_ASKPASS together with the keychain, which would only work to retrieve the password when the keychain is unlocked.

How about this:

- name: Run the .osx dotfiles passwordless.
  block:
    - name: Add temporary passwordless sudo permissions
      ansible.builtin.copy:
        # Trailing newline so the fragment is a complete sudoers line.
        content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL\n"
        dest: "/private/etc/sudoers.d/99_tmp_ansible"
        # Reject the fragment if visudo cannot parse it, instead of breaking sudo.
        validate: /usr/sbin/visudo -csf %s
        # Quoted so YAML passes the octal mode through as a string.
        mode: "0644"
      become: true

    - name: Run .osx dotfiles.
      command: "{{ osx_script }}"
      changed_when: false
      become: false

  # The always section runs whether or not the block above succeeded.
  always:
    - name: Remove temporary passwordless sudo permissions
      ansible.builtin.file:
        path: "/private/etc/sudoers.d/99_tmp_ansible"
        state: absent
      become: true

In this case it would be cleaned up even if the .osx run fails. That block would also be possible around the necessary parts of the playbook.

@stale

stale bot commented Jul 10, 2022

This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark pull requests as stale.

@stale stale bot added the stale label Jul 10, 2022
@stale

stale bot commented Aug 12, 2022

This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.

@stale stale bot closed this Aug 12, 2022

Successfully merging this pull request may close these issues.

Propose change for the .osx todo