| author | 2026-05-13 13:43:31 +0100 | |
|---|---|---|
| committer | 2026-05-13 13:43:31 +0100 | |
| commit | 51b8af587e46d4e03b059a51253d9671e27d08e3 (patch) | |
| tree | 4b1f41a520e1fffded965c3acd52be2078075df1 | |
| parent | f1442b9a9666b1c1fce34474e5bdb86585a98a0e (diff) | |
feat(doas): smarter sudo shim + paru SudoLoop

The packaged doas-sudo-shim is just 'exec doas "$@"', which means
'sudo -v' (used by paru --sudoloop to keep the auth timestamp fresh
during long AUR builds) hits doas, which doesn't implement -v, and
the loop dies. Then when the build finally finishes and tries the real
install, the cached timestamp has long expired, so we reprompt — and
opendoas only allows one attempt before bailing, so a single mistype
throws an hour of compilation away.

Replace it (per-user, via $HOME/.local/bin precedence) with a shim
that translates:

    -v               -> doas true   (refresh persist timestamp)
    -k / -K          -> doas -L     (clear)
    -E -H -i -S etc  -> dropped     (no doas equivalent)
    rest             -> doas "$@"

Then enable SudoLoop in paru.conf so the timestamp stays fresh.
| -rw-r--r-- | dot_config/paru/paru.conf | 2 | ||||
| -rw-r--r-- | dot_local/bin/executable_sudo | 59 |
2 files changed, 60 insertions, 1 deletions
diff --git a/dot_config/paru/paru.conf b/dot_config/paru/paru.conf index 57cb11b..6a3632c 100644 --- a/dot_config/paru/paru.conf +++ b/dot_config/paru/paru.conf @@ -14,7 +14,7 @@ Provides DevelSuffixes = -git -cvs -svn -bzr -darcs -always # BottomUp RemoveMake -#SudoLoop +SudoLoop #UseAsk CombinedUpgrade BatchInstall diff --git a/dot_local/bin/executable_sudo b/dot_local/bin/executable_sudo new file mode 100644 index 0000000..b643f34 --- /dev/null +++ b/dot_local/bin/executable_sudo @@ -0,0 +1,59 @@ +#!/bin/sh +# sudo → doas shim that takes precedence over /usr/bin/sudo +# (provided by doas-sudo-shim) by living in $HOME/.local/bin. +# +# Why a custom shim: opendoas does not implement `sudo -v` (extend the +# auth timestamp without running a command). paru --sudoloop relies on +# that to keep credentials fresh during long AUR builds; without it, +# building gcc-git for an hour then mistyping the password at the install +# step throws the whole build away. We translate the handful of sudo +# flags paru / common scripts use into doas equivalents and swallow the +# rest. +# +# Translations: +# -v / --validate → doas true (refresh persist timestamp) +# -k / -K → doas -L (clear persist timestamp) +# -n → doas -n +# -E -H -i -S → silently dropped +# anything else → doas "$@" + +set -eu + +forward= +for arg; do + case $arg in + -v|--validate) + exec doas true + ;; + -k|-K) + exec doas -L + ;; + -h|--help) + exec doas -h + ;; + -n) + forward="$forward -n" + ;; + -E|-H|-i|-S|--preserve-env|--set-home|--login|--stdin) + # meaningless under doas; drop + ;; + --) + shift + # shellcheck disable=SC2086 + exec doas $forward "$@" + ;; + -*) + # unknown flag — pass through and let doas complain + forward="$forward $arg" + ;; + *) + # first non-flag: rest of argv is the command + # shellcheck disable=SC2086 + exec doas $forward "$@" + ;; + esac + shift +done + +# Only flags, no command — treat as `sudo -v` semantics. +exec doas true |
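Review bot: In dot_config/paru/paru.conf, `SudoLoop` is switched on with no comment recording what it now depends on. Per the commit message the loop calls `sudo -v`, so it only works when the new `$HOME/.local/bin/sudo` is found on PATH before the packaged shim, and the shim's `doas true` only refreshes a timestamp when the matching doas.conf rule uses `persist`. If either is missing, the loop dies as before or asks for the password on every iteration. A one-line comment above `SudoLoop` naming both prerequisites would make that failure easy to diagnose later.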
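Review bot: In dot_local/bin/executable_sudo, the `-v|--validate`, `-k|-K` and final fall-through branches exec immediately and discard both `$forward` and the rest of argv. `sudo -n -v` therefore loses `-n` and can block on a password prompt instead of failing fast, `sudo -k cmd` runs `doas -L` and never runs `cmd` while returning doas's exit status, and a bare `sudo -i` is dropped to nothing and then treated as a timestamp refresh that reports success. Suggest `exec doas $forward true` in the `-v` and fall-through paths, and for `-k` clearing the timestamp without `exec` and continuing the loop so that a following command still runs. Two smaller points in the same loop: the pattern `--preserve-env` does not match the `--preserve-env=VAR` form, so that spelling falls through to `-*` and is forwarded to doas rather than dropped, and the unquoted `$forward` expansion is subject to pathname globbing as well as word splitting, so a `set -f` before the loop (or rebuilding the argument list with `set --`) would make the shellcheck suppressions unnecessary.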
