[sudo-users] '%wheel ALL=(ALL) NOPASSWD: ALL' prompt

Kai Hendry hendry at webconverger.com
Sun Jan 15 07:02:29 MST 2017


Hi all,

I use:

%wheel ALL=(ALL) NOPASSWD: ALL

in my /etc/sudoers since I am not prepared to type in a password when
I need sudo. In my system I use a password for:

1) Decrypting my cryptroot
2) Unlocking my ssh key and setting up ssh-agent
3) Nope... really don't want to enter more passwords at this point


I do have a user password since I use a screen locker
http://tools.suckless.org/slock/ when I walk away from my running
(decrypted) computer.
Nonetheless I don't ask for a user password on boot since I feel
entering the initial decrypt password was sufficient. I don't care for
a root password, but it has been set. So four passwords to get a
typical system going... PITA. My only respite is trying not to type
them!

So here's my issue with my setup. If a script has `sudo
something-dangerous` from say Arch Linux's AUR, I wouldn't know it ran.

I realise I could:
journalctl /bin/sudo -f

And somehow ignore the noise of session {opened, closed}, but I
don't. I want an *opt-in experience*.

My ideal experience would be something like a red border around the
Xorg screen when a sudo operation on my local system is asked to be
run, and I would click some key basically to accept or deny the
prompt. Has anyone done something like that? I don't want some other
form of identification like fingerprint reader btw. I just want a
prompt without a password. Bonus points if the prompt tells me what
command and process is trying to get sudo running.

I hope this is not too crazy/stupid/impractical an idea.

Thanks!
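
Added example (not part of the original post): a filter for the `journalctl /bin/sudo -f` output mentioned above that drops the PAM session opened/closed lines and keeps only sudo's command records. It assumes sudo's default syslog record layout; the function names, hostname and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed record layout (sudo's default syslog format):
#   sudo[PID]:   USER : TTY=... ; PWD=... ; USER=... ; COMMAND=...
# Live use: journalctl /bin/sudo -f | sudo_commands

sudo_commands() {
    awk '
    # PAM session lines carry no " ; COMMAND=" field, so they never match.
    /sudo(\[[0-9]+\])?: / && / ; COMMAND=/ {
        match($0, /sudo(\[[0-9]+\])?: +/)        # leftmost syslog tag
        rec = substr($0, RSTART + RLENGTH)
        # Split at the FIRST " ; COMMAND=": everything after it is the
        # logged command line, which may itself contain " ; ".
        i = index(rec, " ; COMMAND=")
        cmd = substr(rec, i + 11)
        head = substr(rec, 1, i - 1)
        j = index(head, " : ")
        if (j == 0) next                         # not a command record
        who = substr(head, 1, j - 1)
        pwd = "?"; runas = "?"
        n = split(substr(head, j + 3), f, " ; ")
        for (k = 1; k <= n; k++) {
            if (index(f[k], "PWD=") == 1)  pwd = substr(f[k], 5)
            if (index(f[k], "USER=") == 1) runas = substr(f[k], 6)
        }
        printf "%s as %s in %s: %s\n", who, runas, pwd, cmd
    }'
}

# Constructed sample of journal output (not captured from a real system).
sample_journal() {
    cat <<'EOF'
Jan 15 07:02:29 x220 sudo[2101]:   hendry : TTY=pts/1 ; PWD=/home/hendry/aur/foo ; USER=root ; COMMAND=/usr/bin/pacman -U foo-1.0-1-x86_64.pkg.tar.xz
Jan 15 07:02:29 x220 sudo[2101]: pam_unix(sudo:session): session opened for user root by hendry(uid=0)
Jan 15 07:02:31 x220 sudo[2101]: pam_unix(sudo:session): session closed for user root
Jan 15 07:03:02 x220 sudo[2110]:   hendry : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo a ; COMMAND=b
EOF
}

sample_journal | sudo_commands
```

This only reports commands after sudo has already run them; it is an audit view, not the accept/deny prompt asked for above.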

