| -rw-r--r-- | dot_config/waybar/config.jsonc | 2 | ||||
| -rwxr-xr-x | dot_config/waybar/executable_pacdiff-status.sh | 7 | ||||
| -rw-r--r-- | etc/sudoers-rs | 16 |
3 files changed, 20 insertions, 5 deletions
diff --git a/dot_config/waybar/config.jsonc b/dot_config/waybar/config.jsonc
index a68278f..a5bada7 100644
--- a/dot_config/waybar/config.jsonc
+++ b/dot_config/waybar/config.jsonc
@@ -227,7 +227,7 @@
 "exec": "~/.config/waybar/pacdiff-status.sh",
 "return-type": "json",
 "interval": 300,
- "on-click": "ghostty --class=floating -e sh -c 'sudo sh -c \"DIFFPROG=\\\"nvim -d\\\" pacdiff\"; printf \"\\n[done — press enter] \"; read _'",
+ "on-click": "ghostty --class=floating -e sh -c 'DIFFPROG=\"nvim -d\" sudo pacdiff; printf \"\\n[done — press enter] \"; read _'",
 "tooltip": true,
 },
diff --git a/dot_config/waybar/executable_pacdiff-status.sh b/dot_config/waybar/executable_pacdiff-status.sh
index e1a2291..c9278d2 100755
--- a/dot_config/waybar/executable_pacdiff-status.sh
+++ b/dot_config/waybar/executable_pacdiff-status.sh
@@ -5,10 +5,9 @@
 # from "no problems" to "non-zero" (i.e. on the post-`pacman -Syu`
 # settle), so you're nudged exactly once per upgrade wave.
 #
-# Click handler hands off to a root shell that sets DIFFPROG before
-# invoking pacdiff (sudo-rs scrubs the env by default, so passing
-# `DIFFPROG=… sudo pacdiff` or `sudo DIFFPROG=… pacdiff` doesn't
-# survive — but `sudo sh -c 'DIFFPROG=… pacdiff'` does).
+# Click handler runs `DIFFPROG='nvim -d' sudo pacdiff` in a floating
+# ghostty. DIFFPROG is propagated through sudo-rs by the env_keep policy
+# in etc/sudoers-rs (no -E needed — env_keep is unconditional pass-through).
 set -eu
diff --git a/etc/sudoers-rs b/etc/sudoers-rs
index 8326b8e..3a75395 100644
--- a/etc/sudoers-rs
+++ b/etc/sudoers-rs
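Review bot: The new on-click string degrades silently in both of its failure modes: if the env_keep policy from etc/sudoers-rs is not installed on the host, sudo-rs scrubs DIFFPROG (as the removed comment in the script hunk describes) and pacdiff simply runs with whatever diff program it defaults to, and if `sudo pacdiff` is refused or exits non-zero the handler still prints `[done — press enter]` with no indication that anything went wrong. Presumably this is a single-user box where both are rare, but a click handler in a floating terminal is exactly the place where a quiet failure is never noticed. Consider at least surfacing the exit status inline, e.g. `DIFFPROG=\"nvim -d\" sudo pacdiff || printf \"\\npacdiff exited %s\" \"$?\"` (escaped like the rest of the JSON string), so a policy or privilege problem shows up in the terminal before the `read _` prompt.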
@@ -2,6 +2,22 @@
 Defaults!/usr/bin/visudo-rs env_keep += "SUDO_EDITOR EDITOR VISUAL"
 Defaults!/usr/local/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
+# Pass through interactive/UX env vars so commands run via sudo behave the
+# way they do in a normal shell. Specifically:
+# DIFFPROG — pacdiff(8), etckeeper, etc.
+# EDITOR/VISUAL — sudoedit, systemctl edit, git rebase -i under sudo, …
+# SUDO_EDITOR — explicit override for sudoedit
+# PAGER/MANPAGER — pacman, systemctl, man, less wrappers
+# LESS / LESSOPEN — `less` behaviour and preprocessor
+# SYSTEMD_PAGER / SYSTEMD_LESS — systemctl's pager
+# GIT_EDITOR / GIT_PAGER — git invocations under sudo
+# None of these influence privilege boundaries; they just configure
+# user-facing behaviour of programs that happen to run as root.
+Defaults env_keep += "DIFFPROG"
+Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
+Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
+Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
+
 # Sanitize PATH for elevated commands.
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" |
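Review bot: The added comment `None of these influence privilege boundaries` is not true of the variables being kept: EDITOR/VISUAL/SUDO_EDITOR/GIT_EDITOR, PAGER/MANPAGER/GIT_PAGER/SYSTEMD_PAGER and LESSOPEN each name a program that the privileged command will execute (`PAGER=/bin/sh`, `LESSOPEN='|cmd %s'`). A global `Defaults env_keep` for them therefore turns any command-restricted rule in this file (a user allowed only `systemctl status` or `pacman -Syu`, say) into an arbitrary-code-as-root path, which is why sudo's default env_keep list leaves them out and why the two existing `Defaults!/usr/bin/visudo-rs` / `Defaults!/usr/local/bin/visudo` lines scope the editor variables to a single command. This is harmless only if every rule in the file grants unrestricted root, and the hunk does not show that. Either keep the per-command form the file already uses (`Defaults!/usr/bin/pacdiff env_keep += "DIFFPROG"`, and likewise for the pager variables on the commands that need them) or replace the two `None of these…` lines with an explicit precondition such as `# NOTE: each of these names a program that runs as root (PAGER=/bin/sh, LESSOPEN='|cmd %s'); acceptable only while every rule here is ALL=(ALL) ALL — scope with Defaults!/path if that ever changes.` With the global lines in place the two visudo-specific env_keep lines above also become redundant and could be dropped.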
