# Keep $SUDO_EDITOR / $EDITOR / $VISUAL when running visudo.
# The global env_keep line further down keeps the same three variables for
# every command, so these per-command entries only matter if that global
# line is removed or narrowed.
Defaults!/usr/bin/visudo-rs env_keep += "SUDO_EDITOR EDITOR VISUAL"
Defaults!/usr/local/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
# Pass through interactive/UX env vars so commands run via sudo behave the
# way they do in a normal shell. Specifically:
#   DIFFPROG                    - pacdiff(8), etckeeper, etc.
#   EDITOR / VISUAL             - sudoedit, systemctl edit, git rebase -i under sudo, ...
#   SUDO_EDITOR                 - explicit override for sudoedit
#   PAGER / MANPAGER            - pacman, systemctl, man, less wrappers
#   LESS / LESSOPEN             - `less` behaviour and preprocessor
#   SYSTEMD_PAGER / SYSTEMD_LESS - systemctl's pager
#   GIT_EDITOR / GIT_PAGER      - git invocations under sudo
# These variables are not inert: the editor, pager and DIFFPROG values name
# programs that the elevated command will start, and LESSOPEN names a
# preprocessor that less runs, all with the target user's privileges.
# Keeping them does not widen access under the rules in this file, because
# root and %wheel are already allowed ALL.
# NOTE(review): if a rule limited to specific commands is ever added, scope
# these entries (Defaults!<command> / Defaults:<user>) or drop them for that
# rule; otherwise the restricted user chooses what those commands execute.
# NOTE(review): the NOPASSWD rule at the end of this file inherits these
# variables too; presumably poweroff and reboot ignore them - confirm.
Defaults env_keep += "DIFFPROG"
Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
# Sanitize PATH for elevated commands: the caller's PATH is replaced by this
# list. Every directory named here must be writable by root only;
# /usr/local/sbin and /usr/local/bin are searched before /usr/bin.
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
# Root and the wheel group can run anything (after a password prompt).
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
# Passwordless poweroff/reboot (parity with the previous doas.conf).
# sudoers applies the last matching entry, so this line has to stay below the
# general %wheel rule for NOPASSWD to take effect. Keep the list to these two
# absolute paths; anything added here runs as root without authentication.
%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot