From 3d263bdbb48e7616a12af26ef094e5a416f9a735 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:31 +0100
Subject: feat(privesc): migrate from opendoas to sudo-rs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

doas's one-shot password and absent 'sudo -v' kept wasting hour-long paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships as default. We follow the Arch wiki 'Using sudo-rs without the sudo package' recipe verbatim — no custom shims.

- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit, su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/ pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention

No Defaults overrides: sudo's defaults (passwd_tries=3, timestamp_timeout=5) already fix the doas pain, and paru SudoLoop (kept) refreshes the 5-min window via real sudo -v.
---
 dot_config/zsh/dot_zshrc | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
(limited to 'dot_config/zsh/dot_zshrc')
diff --git a/dot_config/zsh/dot_zshrc b/dot_config/zsh/dot_zshrc
index e8fca42..3bce27c 100644
--- a/dot_config/zsh/dot_zshrc
+++ b/dot_config/zsh/dot_zshrc
@@ -53,7 +53,7 @@ zstyle ':completion:*:functions' ignored-patterns '_*' # hide internal c
 zstyle ':completion:*:*:kill:*' menu yes select # interactive menu for kill completion
 zstyle ':completion:*:kill:*' force-list always # always show process list for kill
 zstyle ':completion:*:cd:*' ignore-parents parent pwd # cd never completes . or ..
-zstyle ':completion::complete:*' gain-privileges 1 # use doas/sudo for privileged completions
+zstyle ':completion::complete:*' gain-privileges 1 # use sudo for privileged completions
 zstyle -e ':completion:*:approximate:*' \
 max-errors 'reply=($((($#PREFIX+$#SUFFIX)/3))numeric)' # allow 1 typo per 3 chars typed
 
@@ -200,13 +200,11 @@ alias ip="ip -color=auto"
 alias lsip="ip -human -color=auto --brief address show"
 alias ipa="ip -stats -details -human -color=auto address show"
 alias ipecho='curl ipecho.net/plain'
-alias ss='doas ss -tupnl'
+alias ss='sudo ss -tupnl'
 
 # Privilege escalation
-alias sudo='doas'
-alias sudoedit='doasedit'
-alias gimme='doas chown $USER:$(id -gn $USER)'
-alias pacdiff='doas pacdiff'
+alias gimme='sudo chown $USER:$(id -gn $USER)'
+alias pacdiff='sudo pacdiff'
 
 # Pacman
 alias pacopt='comm -13 <(pacman -Qqdt | sort) <(pacman -Qqdtt | sort)'
@@ -216,7 +216,7 @@ alias g='git'
 
 # Systemd
 alias sys='systemctl'
-alias ssys='doas systemctl'
+alias ssys='sudo systemctl'
 alias sysu='systemctl --user'
 
 # Navigation
-- 
cgit v1.3.1
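Review bot: `alias ss='sudo ss -tupnl'` keeps shadowing the real `ss` binary, so any `ss` typed from habit now escalates, and with the cached timestamp the commit message relies on (timestamp_timeout=5) it does so without a prompt for the rest of the window, unlike doas's per-invocation password; giving the privileged form its own name, e.g. `alias sss='sudo ss -tupnl'`, keeps unprivileged `ss` reachable and makes the escalation visible on the command line. Dropping `alias sudo='doas'` and `alias sudoedit='doasedit'` also leaves nothing in this file saying where `sudo` resolves now; per the commit description it is the sudo-rs symlinks in /usr/local/bin, so a comment under `# Privilege escalation` such as `# sudo/sudoedit are sudo-rs symlinks in /usr/local/bin (see run_onchange_after_deploy-etc.sh.tmpl)` would save the next reader a trip to the deploy script. The `ssys` rename in the following hunk is the same mechanical substitution and needs nothing further.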