From 3d263bdbb48e7616a12af26ef094e5a416f9a735 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:31 +0100 Subject: feat(privesc): migrate from opendoas to sudo-rs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit doas's one-shot password and absent 'sudo -v' kept wasting hour-long paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships as default. We follow the Arch wiki 'Using sudo-rs without the sudo package' recipe verbatim — no custom shims. - meta/base.txt: -doas-sudo-shim +sudo-rs - etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff - etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file - run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit, su,visudo} → sudo-rs symlinks idempotently - delete etc/doas.conf, dot_local/bin/{doasedit,sudo} - zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/ pacdiff/ssys to call sudo - justfile: s/doas/sudo/g (status/diff/restore helpers) - nvim: rename :DoasWrite → :SudoWrite (uses sudo -S) - sway config: reboot/poweroff buttons call sudo - bootstrap.sh: update step-5 comment - README/KEYBINDS/copilot-instructions: flip the privesc convention No Defaults overrides: sudo's defaults (passwd_tries=3, timestamp_timeout=5) already fix the doas pain, and paru SudoLoop (kept) refreshes the 5-min window via real sudo -v. --- etc/doas.conf | 3 --- etc/pam.d/sudo | 4 ++++ etc/sudoers-rs | 13 +++++++++++++ 3 files changed, 17 insertions(+), 3 deletions(-) delete mode 100644 etc/doas.conf create mode 100644 etc/pam.d/sudo create mode 100644 etc/sudoers-rs (limited to 'etc') diff --git a/etc/doas.conf b/etc/doas.conf deleted file mode 100644 index fad7c3c..0000000 --- a/etc/doas.conf +++ /dev/null 
@@ -1,3 +0,0 @@ -permit persist setenv { PATH TERM LANG LC_ALL EDITOR DIFFPROG PAGER } :wheel -permit nopass :wheel as root cmd /usr/bin/poweroff -permit nopass :wheel as root cmd /usr/bin/reboot diff --git a/etc/pam.d/sudo b/etc/pam.d/sudo new file mode 100644 index 0000000..ab053c5 --- /dev/null +++ b/etc/pam.d/sudo @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +session include system-auth diff --git a/etc/sudoers-rs b/etc/sudoers-rs new file mode 100644 index 0000000..8326b8e --- /dev/null +++ b/etc/sudoers-rs @@ -0,0 +1,13 @@ +# Keep $EDITOR / $VISUAL when running visudo. +Defaults!/usr/bin/visudo-rs env_keep += "SUDO_EDITOR EDITOR VISUAL" +Defaults!/usr/local/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL" + +# Sanitize PATH for elevated commands. +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" + +# Root and the wheel group can run anything (after a password prompt). +root ALL=(ALL:ALL) ALL +%wheel ALL=(ALL:ALL) ALL + +# Passwordless poweroff/reboot (parity with the previous doas.conf). +%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot -- cgit v1.3.1
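Review bot: The deleted doas.conf line `permit persist setenv { PATH TERM LANG LC_ALL EDITOR DIFFPROG PAGER } :wheel` passed DIFFPROG and PAGER through to every elevated command, but the replacement sudoers-rs only keeps SUDO_EDITOR/EDITOR/VISUAL, and only for visudo; under sudo's default env_reset, DIFFPROG and PAGER will be stripped (TERM and LANG survive via sudo's built-in env_check list). Since the commit message says the zsh pacdiff helper now calls sudo, either add a scoped rule such as `Defaults!/usr/bin/pacdiff env_keep += "DIFFPROG PAGER"` to the new sudoers-rs, or note in the message that this passthrough was intentionally dropped.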
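Review bot: etc/pam.d/sudo matches the upstream four-line file, but the companion `/etc/pam.d/sudo-i` that the commit message says the deploy script creates is not tracked alongside it in etc/, so the PAM surface for `sudo -i` cannot be reviewed from this diff. Consider committing etc/pam.d/sudo-i next to etc/pam.d/sudo (same three `include system-auth` lines) and having the deploy script install both, rather than generating one of them out of band.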
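Review bot: The NOPASSWD entry `%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot` is broader than the doas rule it replaces, which was limited to `as root`; with `(ALL)` any wheel member can also run those binaries as an arbitrary target user without a password. For real parity write it as `%wheel ALL=(root) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot`. The placement is correct as-is: it must stay after the general `%wheel ALL=(ALL:ALL) ALL` line, because in sudoers the last matching entry wins, and moving it above would silently reintroduce the password prompt.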