| field | value |
|---|---|
| author | 2026-05-13 13:43:36 +0100 |
| committer | 2026-05-13 13:43:36 +0100 |
| commit | 767a54e48163ea0db701c926e6bf69f2237fce33 (patch) |
| tree | f2d9c79af4d2a1985c010d84cd1192728dc7d856 /dot_config/waybar |
| parent | 1238e4dfc33bc4347564350bbfadac50aa8da0cd (diff) |
| download | dotfiles-767a54e48163ea0db701c926e6bf69f2237fce33.tar.gz, dotfiles-767a54e48163ea0db701c926e6bf69f2237fce33.tar.bz2, dotfiles-767a54e48163ea0db701c926e6bf69f2237fce33.zip |
fix(sudoers-rs,waybar): pass DIFFPROG (and friends) through sudo-rs
The previous fix sidestepped sudo-rs's env scrubbing by setting
DIFFPROG inside a nested root shell. That works but it's the wrong
shape — every command that wants to honour a user UX env var would
have to do the same dance. Configure the policy once instead.
etc/sudoers-rs:

    Defaults env_keep += "DIFFPROG"
    Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
    Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
    Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"

env_keep is the unconditional pass-through list, so no '-E' is needed
on the call site — `DIFFPROG='nvim -d' sudo pacdiff` Just Works, same
as it does for `EDITOR=nvim sudo systemctl edit foo`,
`PAGER=less sudo journalctl …`, etc. None of these vars influence
privilege boundaries; they only configure user-facing program
behaviour, so widening env_keep to cover them carries no security
trade-off worth accounting for. The existing per-visudo env_keep
lines are kept for documentation value (they're now subsumed by the
global rule but make the intent explicit at the visudo call sites).
The waybar pacdiff click handler reverts to the canonical form
`DIFFPROG='nvim -d' sudo pacdiff`, matching the recipe pacman.git
ships in /usr/share/doc/pacman/.
Will take effect after the next `chezmoi apply` redeploys
/etc/sudoers-rs (the run_onchange_after_deploy-etc.sh.tmpl script
re-installs it with mode 0440 whenever its hash changes).
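The commit message reasons about what the `Defaults env_keep` lines in etc/sudoers-rs add up to. The script below is an added example, not code from the dotfiles repo or from sudo-rs: it parses a sudoers-style file, applies the `=`, `+=` and `-=` list operators in order to compute the effective env_keep list, and then reports which of the kept variables name a program that the privileged command will execute (the classification list `PROGRAM_SELECTING_VARS` is the example's own, assembled from the variables quoted in the commit message plus LESSOPEN). The policy fragment it runs against is constructed here for the example; point `effective_env_keep` at a real /etc/sudoers-rs to audit the deployed policy.

```shell
#!/bin/sh
# Added example, not part of the dotfiles repo or of sudo-rs: compute the
# effective `Defaults env_keep` list of a sudoers-style file and flag the kept
# variables that choose which program a sudo'd command will exec. The parser
# assumes the list-option syntax sudoers documents: `=` replaces the list,
# `+=` adds to it, `-=` removes from it. Aliases, per-user Defaults and
# `!env_keep` are deliberately not handled.

# Variables whose value is a program (or, for LESSOPEN, a command line) that
# the privileged command will run. This classification is the example's own.
PROGRAM_SELECTING_VARS="DIFFPROG EDITOR VISUAL SUDO_EDITOR GIT_EDITOR PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER LESSOPEN"

# effective_env_keep FILE: print the effective env_keep list, one name per
# line, in first-seen order and without duplicates.
effective_env_keep() {
    keep=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop trailing comments
        case "$line" in
            *Defaults*env_keep*) ;;          # only env_keep Defaults lines
            *) continue ;;
        esac
        rest=${line#*env_keep}               # e.g. ' += "A B"'
        rest=$(printf '%s' "$rest" | sed 's/^[[:space:]]*//')
        case "$rest" in
            +=*) op=add; val=${rest#+=} ;;
            -=*) op=del; val=${rest#-=} ;;
            =*)  op=set; val=${rest#=} ;;
            *)   continue ;;
        esac
        val=$(printf '%s' "$val" | tr -d '"')
        case "$op" in
            set) keep=$val ;;
            add) keep="$keep $val" ;;
            del)
                for v in $val; do
                    new=""
                    for k in $keep; do
                        [ "$k" = "$v" ] || new="$new $k"
                    done
                    keep=$new
                done ;;
        esac
    done < "$1"
    # Word splitting on $keep is intentional: names are whitespace separated.
    set -- $keep
    [ $# -gt 0 ] || return 0
    printf '%s\n' "$@" | awk '!seen[$0]++'
}

# flag_program_selectors FILE: print the kept variables that pick a program.
flag_program_selectors() {
    effective_env_keep "$1" | while IFS= read -r var; do
        for p in $PROGRAM_SELECTING_VARS; do
            if [ "$var" = "$p" ]; then
                printf '%s\n' "$var"
                break
            fi
        done
    done
}

# Constructed sample policy: the four lines quoted in the commit message,
# preceded by a base list and followed by a `-=` line to exercise removal.
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sudoers-rs fragment for this example
Defaults env_keep = "COLORS DISPLAY HOSTNAME LANG"
Defaults env_keep += "DIFFPROG"
Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
Defaults env_keep -= "HOSTNAME"
EOF

printf 'effective env_keep: %s\n' "$(effective_env_keep "$SAMPLE_SUDOERS" | tr '\n' ' ')"
printf 'program-selecting vars kept: %s\n' "$(flag_program_selectors "$SAMPLE_SUDOERS" | tr '\n' ' ')"
```

The second list is the one worth reading when reviewing a policy like this one: every name on it lets the invoking user decide which binary the privileged command launches, which is harmless when that user already holds an unrestricted sudoers rule and is not harmless otherwise. Running the check against the deployed file after each `chezmoi apply` catches the case where a later edit narrows the command rule but leaves env_keep wide.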
Diffstat (limited to 'dot_config/waybar')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | dot_config/waybar/config.jsonc | 2 |
| -rwxr-xr-x | dot_config/waybar/executable_pacdiff-status.sh | 7 |
2 files changed, 4 insertions, 5 deletions
diff --git a/dot_config/waybar/config.jsonc b/dot_config/waybar/config.jsonc index a68278f..a5bada7 100644 --- a/dot_config/waybar/config.jsonc +++ b/dot_config/waybar/config.jsonc @@ -227,7 +227,7 @@ "exec": "~/.config/waybar/pacdiff-status.sh", "return-type": "json", "interval": 300, - "on-click": "ghostty --class=floating -e sh -c 'sudo sh -c \"DIFFPROG=\\\"nvim -d\\\" pacdiff\"; printf \"\\n[done — press enter] \"; read _'", + "on-click": "ghostty --class=floating -e sh -c 'DIFFPROG=\"nvim -d\" sudo pacdiff; printf \"\\n[done — press enter] \"; read _'", "tooltip": true, }, diff --git a/dot_config/waybar/executable_pacdiff-status.sh b/dot_config/waybar/executable_pacdiff-status.sh index e1a2291..c9278d2 100755 --- a/dot_config/waybar/executable_pacdiff-status.sh +++ b/dot_config/waybar/executable_pacdiff-status.sh @@ -5,10 +5,9 @@ # from "no problems" to "non-zero" (i.e. on the post-`pacman -Syu` # settle), so you're nudged exactly once per upgrade wave. # -# Click handler hands off to a root shell that sets DIFFPROG before -# invoking pacdiff (sudo-rs scrubs the env by default, so passing -# `DIFFPROG=… sudo pacdiff` or `sudo DIFFPROG=… pacdiff` doesn't -# survive — but `sudo sh -c 'DIFFPROG=… pacdiff'` does). +# Click handler runs `DIFFPROG='nvim -d' sudo pacdiff` in a floating +# ghostty. DIFFPROG is propagated through sudo-rs by the env_keep policy +# in etc/sudoers-rs (no -E needed — env_keep is unconditional pass-through). set -eu |
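Review bot: the new `on-click` line in config.jsonc only preserves DIFFPROG once the `env_keep += "DIFFPROG"` line is actually installed in /etc/sudoers-rs, and the commit message says that happens on the next `chezmoi apply`; until the policy is redeployed sudo-rs still scrubs the variable and pacdiff runs with its built-in default differ, with nothing in the floating ghostty to say so. Suggest either deploying the sudoers-rs change in the same `chezmoi apply` as this file, or making the handler fail loudly when the variable was dropped, e.g. `sudo sh -c '[ -n "${DIFFPROG:-}" ] || { echo "DIFFPROG not kept by sudoers-rs"; exit 1; }'` before `sudo pacdiff`, so a stale policy shows up as an error rather than as the default differ. The quoting itself is fine: the JSON `\"` pairs collapse to plain double quotes inside the single-quoted `sh -c` string, so the nested triple escapes from the old line are gone.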
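Review bot: the new header comment in executable_pacdiff-status.sh says DIFFPROG is propagated by the env_keep policy but leaves out the precondition that makes that policy safe: DIFFPROG is the program pacdiff execs as root for each diff, so keeping it (and the EDITOR/PAGER family the commit message adds alongside it) in env_keep is privilege-neutral only while the invoking user's sudoers-rs rule already grants unrestricted commands; if that rule is ever narrowed to a pacdiff-only entry, the env_keep line becomes the thing that lets the user choose what root runs, and would have to go with it. Suggest one more comment line recording that assumption, e.g. `# NB: env_keep of DIFFPROG assumes this user's sudoers-rs rule is already unrestricted.`, so the coupling between this handler and etc/sudoers-rs is visible where the next reader looks. The dropped lines also described sudo-rs's default env scrubbing, which is still true and is the reason env_keep is needed at all; keeping one sentence of that would explain why the policy line exists.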
