| field | value |
|---|---|
| author | 2026-05-13 13:43:31 +0100 |
| committer | 2026-05-13 13:43:31 +0100 |
| commit | 3d263bdbb48e7616a12af26ef094e5a416f9a735 (patch) |
| tree | 34cf90cef24496ecfc271055255f8a7596f84627 /run_onchange_after_deploy-etc.sh.tmpl |
| parent | 51b8af587e46d4e03b059a51253d9671e27d08e3 (diff) |
| download | dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.tar.gz, dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.tar.bz2, dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.zip |
feat(privesc): migrate from opendoas to sudo-rs
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
Diffstat (limited to 'run_onchange_after_deploy-etc.sh.tmpl')
| mode | file | lines changed |
|---|---|---|
| -rwxr-xr-x | run_onchange_after_deploy-etc.sh.tmpl | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl index d82a1d6..9ba10d2 100755 --- a/run_onchange_after_deploy-etc.sh.tmpl +++ b/run_onchange_after_deploy-etc.sh.tmpl @@ -7,20 +7,30 @@ set -eu cd "$CHEZMOI_SOURCE_DIR" find etc -type f ! -name .ignore | while IFS= read -r src; do - case "$src" in - *.tmpl) - dest="/${src%.tmpl}" - tmp=$(mktemp) - chezmoi execute-template <"$src" >"$tmp" - doas install -D -m 0644 -o root -g root "$tmp" "$dest" - rm -f "$tmp" - ;; - *) - dest="/${src}" - doas install -D -m 0644 -o root -g root "$src" "$dest" - ;; - esac + case "$src" in + *.tmpl) + dest="/${src%.tmpl}" + tmp=$(mktemp) + chezmoi execute-template <"$src" >"$tmp" + sudo install -D -m 0644 -o root -g root "$tmp" "$dest" + rm -f "$tmp" + ;; + etc/sudoers-rs) + sudo install -D -m 0440 -o root -g root "$src" "/${src}" + ;; + *) + sudo install -D -m 0644 -o root -g root "$src" "/${src}" + ;; + esac done -# doas refuses to parse /etc/doas.conf unless it's 0400 root:root -doas chmod 0400 /etc/doas.conf +# sudo-rs: /etc/pam.d/sudo-i is a symlink to /etc/pam.d/sudo +sudo ln -sfT sudo /etc/pam.d/sudo-i + +# Make sudo-rs the system-wide sudo via /usr/local/bin precedence. +# Targets may not exist yet on first bootstrap (sudo-rs is installed by +# the subsequent pkg-apply step); the symlinks resolve once it lands. +sudo ln -sfT /usr/bin/sudo-rs /usr/local/bin/sudo +sudo ln -sfT /usr/bin/sudo-rs /usr/local/bin/sudoedit +sudo ln -sfT /usr/bin/su-rs /usr/local/bin/su +sudo ln -sfT /usr/bin/visudo-rs /usr/local/bin/visudo |
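Review bot: every `sudo` call in this hunk resolves through PATH before sudo-rs exists, and the comment above the `ln -sfT` block admits that on first bootstrap the targets are not installed yet (sudo-rs arrives in the later pkg-apply step). Under `set -eu` the first `sudo install` already aborts the run if no sudo is on PATH, and if one is, the four `ln -sfT /usr/bin/sudo-rs /usr/local/bin/sudo` style lines create dangling symlinks that, with /usr/local/bin ahead of /usr/bin, shadow that working sudo for everything that follows. Gate the symlink block on the binaries being present (`[ -x /usr/bin/sudo-rs ]` and likewise for su-rs and visudo-rs) or move it after pkg-apply. Separately, the `etc/sudoers-rs)` branch installs the policy file at 0440 straight from the repo with no syntax check; with doas removed in this commit, a malformed sudoers-rs leaves the host without any working privilege escalation, so validate the file before `install` replaces the live copy (upstream sudo's `visudo -c -f "$src"` does this; whether sudo-rs's visudo accepts the same check mode is an assumption to confirm).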
