diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:31 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:31 +0100 |
| commit | 3d263bdbb48e7616a12af26ef094e5a416f9a735 (patch) | |
| tree | 34cf90cef24496ecfc271055255f8a7596f84627 /bootstrap.sh | |
| parent | 51b8af587e46d4e03b059a51253d9671e27d08e3 (diff) | |
| download | dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.tar.gz dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.tar.bz2 dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.zip | |
feat(privesc): migrate from opendoas to sudo-rs
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
Diffstat (limited to 'bootstrap.sh')
| -rwxr-xr-x | bootstrap.sh | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/bootstrap.sh b/bootstrap.sh index 65a9343..ead79e6 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -67,8 +67,12 @@ else fi # 5. run just init — this deploys chezmoi, installs the 'base' meta list -# (swapping sudo for doas-sudo-shim via paru -S --ask=4), deploys -# /etc/doas.conf, and installs git hooks. +# (which pulls in sudo-rs), deploys /etc/sudoers-rs and /etc/pam.d/sudo, +# creates /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at +# sudo-rs, and installs git hooks. +# The classic 'sudo' package installed in step 2 stays alongside +# sudo-rs as a safety net; remove it manually with `sudo pacman -Rns +# sudo` once you've verified `sudo --version` reports sudo-rs. cd "$DOTFILES_DIR" log 'running just init' just init |