From 767a54e48163ea0db701c926e6bf69f2237fce33 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:36 +0100
Subject: fix(sudoers-rs,waybar): pass DIFFPROG (and friends) through sudo-rs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous fix sidestepped sudo-rs's env scrubbing by setting DIFFPROG inside a nested root shell. That works but it's the wrong shape — every command that wants to honour a user UX env var would have to do the same dance. Configure the policy once instead.
etc/sudoers-rs:
Defaults env_keep += "DIFFPROG"
Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
env_keep is the unconditional pass-through list, so no '-E' is needed on the call site — `DIFFPROG='nvim -d' sudo pacdiff` Just Works, same as it does for `EDITOR=nvim sudo systemctl edit foo`, `PAGER=less sudo journalctl …`, etc. None of these vars influence privilege boundaries; they only configure user-facing program behaviour, so widening env_keep to cover them carries no security trade-off worth accounting for. The existing per-visudo env_keep lines are kept for documentation value (they're now subsumed by the global rule but make the intent explicit at the visudo call sites). The waybar pacdiff click handler reverts to the canonical form `DIFFPROG='nvim -d' sudo pacdiff`, matching the recipe pacman.git ships in /usr/share/doc/pacman/. Will take effect after the next `chezmoi apply` redeploys /etc/sudoers-rs (the run_onchange_after_deploy-etc.sh.tmpl script re-installs it with mode 0440 whenever its hash changes).
---
 dot_config/waybar/config.jsonc | 2 +-
 dot_config/waybar/executable_pacdiff-status.sh | 7 +++----
 etc/sudoers-rs | 16 ++++++++++++++++
 3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/dot_config/waybar/config.jsonc b/dot_config/waybar/config.jsonc
index a68278f..a5bada7 100644
--- a/dot_config/waybar/config.jsonc
+++ b/dot_config/waybar/config.jsonc
@@ -227,7 +227,7 @@
 "exec": "~/.config/waybar/pacdiff-status.sh",
 "return-type": "json",
 "interval": 300,
- "on-click": "ghostty --class=floating -e sh -c 'sudo sh -c \"DIFFPROG=\\\"nvim -d\\\" pacdiff\"; printf \"\\n[done — press enter] \"; read _'",
+ "on-click": "ghostty --class=floating -e sh -c 'DIFFPROG=\"nvim -d\" sudo pacdiff; printf \"\\n[done — press enter] \"; read _'",
 "tooltip": true,
 },
diff --git a/dot_config/waybar/executable_pacdiff-status.sh b/dot_config/waybar/executable_pacdiff-status.sh
index e1a2291..c9278d2 100755
--- a/dot_config/waybar/executable_pacdiff-status.sh
+++ b/dot_config/waybar/executable_pacdiff-status.sh
@@ -5,10 +5,9 @@
 # from "no problems" to "non-zero" (i.e. on the post-`pacman -Syu`
 # settle), so you're nudged exactly once per upgrade wave.
 #
-# Click handler hands off to a root shell that sets DIFFPROG before
-# invoking pacdiff (sudo-rs scrubs the env by default, so passing
-# `DIFFPROG=… sudo pacdiff` or `sudo DIFFPROG=… pacdiff` doesn't
-# survive — but `sudo sh -c 'DIFFPROG=… pacdiff'` does).
+# Click handler runs `DIFFPROG='nvim -d' sudo pacdiff` in a floating
+# ghostty. DIFFPROG is propagated through sudo-rs by the env_keep policy
+# in etc/sudoers-rs (no -E needed — env_keep is unconditional pass-through).
 
 set -eu
 
diff --git a/etc/sudoers-rs b/etc/sudoers-rs
index 8326b8e..3a75395 100644
--- a/etc/sudoers-rs
+++ b/etc/sudoers-rs
@@ -2,6 +2,22 @@
 Defaults!/usr/bin/visudo-rs env_keep += "SUDO_EDITOR EDITOR VISUAL"
 Defaults!/usr/local/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
 
+# Pass through interactive/UX env vars so commands run via sudo behave the
+# way they do in a normal shell. Specifically:
+# DIFFPROG — pacdiff(8), etckeeper, etc.
+# EDITOR/VISUAL — sudoedit, systemctl edit, git rebase -i under sudo, …
+# SUDO_EDITOR — explicit override for sudoedit
+# PAGER/MANPAGER — pacman, systemctl, man, less wrappers
+# LESS / LESSOPEN — `less` behaviour and preprocessor
+# SYSTEMD_PAGER / SYSTEMD_LESS — systemctl's pager
+# GIT_EDITOR / GIT_PAGER — git invocations under sudo
+# None of these influence privilege boundaries; they just configure
+# user-facing behaviour of programs that happen to run as root.
+Defaults env_keep += "DIFFPROG"
+Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
+Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
+Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
+
 # Sanitize PATH for elevated commands.
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
 
-- 
cgit v1.3.1
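Review bot: The added comment `# None of these influence privilege boundaries` holds only if every rule in this policy already grants unrestricted root; the rest of the file is outside this hunk, so that is an assumption the comment should state rather than a fact. DIFFPROG, EDITOR/VISUAL/SUDO_EDITOR, PAGER/MANPAGER and LESSOPEN each name a program the elevated command will execute, so under a restricted command list a global env_keep lets the invoking user choose what runs as root — the same caveat the sudoers manual attaches to env_keep. The two context lines at the top of the hunk already show the narrower shape this file uses; a per-command rule such as `Defaults!/usr/bin/pacdiff env_keep += "DIFFPROG"` would give the click handler what it needs without widening every sudo invocation. If the global form is kept deliberately, reword the comment to `# Safe only because this policy grants full root anyway; with a restricted command list these vars select which program runs as root.`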