authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:31 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:31 +0100
commite00ad35dd4adcc21dd83ca063a2e306f8ae8b512 (patch)
tree9ac41a27867cee04141e28b51fdebc9358616879
parenteeb3752074edcb110cd3709689e818b57fd2d2fd (diff)
fix(privesc): revert bogus AssumeInstalled directive
AssumeInstalled is only a CLI flag (--assume-installed), not a pacman.conf directive. The line I added was emitting a warning at every pacman run and didn't actually keep base-devel from pulling sudo. Live with sudo installed: /usr/local/bin/sudo (-> sudo-rs) shadows it via PATH precedence, so the /usr/bin/sudo binary is dead code on disk. The alternative — maintaining a dummy 'provides=sudo' package — is more cost than the ~1.5 MB it would save. Update bootstrap.sh comment to reflect that sudo stays installed.
-rwxr-xr-xbootstrap.sh15
-rw-r--r--etc/pacman.conf4
2 files changed, 5 insertions, 14 deletions
diff --git a/bootstrap.sh b/bootstrap.sh
index 17f7af4..2e5721d 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -68,20 +68,15 @@ fi
# 5. run just init — this deploys chezmoi, installs the 'base' meta list
# (which pulls in sudo-rs), deploys /etc/sudoers-rs, /etc/pam.d/sudo,
-# and the AssumeInstalled = sudo line in /etc/pacman.conf, creates
-# /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at
-# sudo-rs, and installs git hooks.
+# creates /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing
+# at sudo-rs (PATH precedence shadows /usr/bin/sudo), and installs
+# git hooks. The classic 'sudo' package stays installed because
+# base-devel hard-depends on it; that's harmless — the binary is
+# never invoked once /usr/local/bin/sudo is in place.
cd "$DOTFILES_DIR"
log 'running just init'
just init
-# 5b. remove the classic sudo package — base-devel's dependency is
-# satisfied by the AssumeInstalled = sudo line written above.
-if pacman -Qq sudo >/dev/null 2>&1 && pacman -Qq sudo-rs >/dev/null 2>&1; then
- log 'removing classic sudo (sudo-rs takes over)'
- sudo pacman -Rns --noconfirm sudo || warn 'failed to remove sudo; remove it manually later'
-fi
-
# 6. refresh pacman mirrorlist once via reflector (config deployed by chezmoi)
log 'refreshing pacman mirrorlist via reflector'
sudo reflector @/etc/xdg/reflector/reflector.conf \
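Review bot: The rewritten step-5 comment calls the leftover classic binary "harmless" and "never invoked", but the shadowing only covers callers that resolve `sudo` through a PATH listing /usr/local/bin first. /usr/bin/sudo stays on disk, presumably still setuid root, and can still be run by absolute path or from environments with a reduced or reset PATH (cron jobs, systemd units, scripts that set their own PATH). It would also read its own /etc/sudoers rather than the /etc/sudoers-rs deployed by `just init`, so the two policies can drift unnoticed. I would reword the comment along the lines of `# NOTE: /usr/bin/sudo stays installed and is only shadowed for PATH lookups; keep /etc/sudoers minimal and audit it alongside /etc/sudoers-rs`. Consider a pacman hook that clears the setuid bit on /usr/bin/sudo after each upgrade of the sudo package. The `sudo reflector` command on the hunk's last line continues outside the hunk; whether it resolves to sudo-rs depends on the PATH the script runs with, which is not visible here.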
diff --git a/etc/pacman.conf b/etc/pacman.conf
index 53b684a..f6e7e64 100644
--- a/etc/pacman.conf
+++ b/etc/pacman.conf
@@ -16,10 +16,6 @@
#GPGDir = /etc/pacman.d/gnupg/
#HookDir = /etc/pacman.d/hooks/
HoldPkg = pacman glibc
-# sudo-rs replaces sudo (memory-safe Rust rewrite). base-devel still
-# lists sudo as a member, so pretend it's installed to keep pacman
-# from pulling it in. See https://wiki.archlinux.org/title/Pacman#Skip_package_from_being_installed_to_system
-AssumeInstalled = sudo=99.0
#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
#CleanMethod = KeepInstalled