sdk_lib: move rewrite-sudoers.d logic out of chroot_version_hooks.d/

We want to delete these older hooks, so move the script out of the
version hooks dir and by itself.  It was always kind of a hack that
we did it this way too ;).

BUG=None
TEST=CQ passes

Change-Id: I3859d172ff68cd6d26f92a005ee8d0a493ad47bb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosutils/+/2028988
Reviewed-by: Chris McDonald <cjmcdonald@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
diff --git a/sdk_lib/make_chroot.sh b/sdk_lib/make_chroot.sh
index 4eef727..a0bbcc8 100755
--- a/sdk_lib/make_chroot.sh
+++ b/sdk_lib/make_chroot.sh
@@ -226,7 +226,7 @@
 
    # Use the standardized upgrade script to setup proxied vars.
    load_environment_whitelist
-   bash "${SCRIPT_ROOT}/chroot_version_hooks.d/153_rewrite_sudoers.d" \
+   "${SCRIPT_ROOT}/sdk_lib/rewrite-sudoers.d.sh" \
      "${FLAGS_chroot}" "${SUDO_USER}" "${ENVIRONMENT_WHITELIST[@]}"
 
    find "${FLAGS_chroot}/etc/"sudoers* -type f -exec chmod 0440 {} +
diff --git a/sdk_lib/rewrite-sudoers.d.sh b/sdk_lib/rewrite-sudoers.d.sh
new file mode 100755
index 0000000..0219b91
--- /dev/null
+++ b/sdk_lib/rewrite-sudoers.d.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -e
+
+if [[ "${UID:-$(id -u)}" != 0 ]]; then
+  # Note that since we're screwing w/ sudo variables, this script
+  # explicitly bounces up to root for everything it does- that way
+  # if anyone introduces a temp depriving in the sudo setup, it can't break
+  # mid upgrade.
+
+  # shellcheck source=../common.sh
+  . "$(dirname "$(dirname "$0")")/common.sh" || exit 1
+
+  load_environment_whitelist
+  echo "Rewriting with env list ${ENVIRONMENT_WHITELIST[*]}"
+  exec sudo bash "$0" / "${USER}" "${ENVIRONMENT_WHITELIST[@]}"
+  exit 1
+fi
+
+# Reaching here means we're root.
+
+if [[ $# -lt 2 ]]; then
+  echo "Invoked with wrong number of args; expected root USER [variables]*" >&2
+  exit 1
+fi
+
+root=$1
+username=$2
+shift 2
+set -- "$@" CROS_WORKON_SRCROOT PORTAGE_USERNAME
+
+cat > "${root}/etc/sudoers.d/90_cros" <<EOF
+Defaults env_keep += "$*"
+
+# We need adm currently to let sudo work inside ebuilds.
+%adm ALL=(ALL) ALL
+root ALL=(ALL) ALL
+${username} ALL=NOPASSWD: ALL
+
+# Simplify the -v option checks due to overlap of the adm group and the user's
+# supplementary groups.  We don't set any passwords, so disable asking.
+# https://crbug.com/762445
+Defaults verifypw = any
+EOF
+
+chmod 0440 "${root}/etc/sudoers.d/90_cros"
+chown root:root "${root}/etc/sudoers.d/90_cros"