fix(installer): make sudo -v passwordless during in-chroot TUI install

The temporary setup drop-in granted `NOPASSWD: ALL`, which covers `sudo <cmd>`
but NOT `sudo -v`. Installers run by the TUI (starship, rustup, …) call `sudo -v`
to pre-authorise, and that check still demands a password whenever the user has
any password-required sudoers entry — which they do, via the wheel rule in
10-wheel. The result was a hidden `[sudo] password for <user>:` prompt that
stalled the otherwise-unattended module install.

Add `Defaults:<user> !authenticate` to the 99-setup-nopasswd drop-in (in both
the auto and guided installers) so the auth check is skipped entirely for the
setup user; `sudo -v` and `sudo <cmd>` are now both passwordless during setup.
Verified live in a VM: `sudo -nv` for the user went from "a password is required"
to rc=0 after adding the line.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01R5kHioUMK3mtf2eiLEozCM
main
Amir Alexander Abdelbaki 2026-06-27 01:50:17 +02:00
parent e7f251dde3
commit 2774a00554
2 changed files with 13 additions and 2 deletions


@ -626,7 +626,15 @@ if [[ "${RUN_TUI^^}" == "YES" ]]; then
# Grant passwordless sudo temporarily so the TUI installer can call pacman/yay
# without needing a password inside the chroot (the real sudoers is already set).
# The file is removed immediately after the TUI exits.
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
#
# Two lines are needed, not just a NOPASSWD command rule:
# * `<user> ALL=(ALL:ALL) NOPASSWD: ALL` makes `sudo <cmd>` passwordless.
# * `Defaults:<user> !authenticate` makes `sudo -v` passwordless too. Several
# installers (starship, rustup, …) call `sudo -v` to pre-authorise, and that
# check demands a password whenever the user has ANY password-required
# sudoers entry — which tester does, via the wheel rule in 10-wheel. Without
# !authenticate the TUI stalls on a hidden `[sudo] password` prompt.
printf 'Defaults:%s !authenticate\n%s ALL=(ALL:ALL) NOPASSWD: ALL\n' "$USERNAME" "$USERNAME" \
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
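
Review bot: The comment above the new `Defaults:<user> !authenticate` line says the drop-in is removed immediately after the TUI exits, but that removal is not part of this hunk, and with authentication now disabled outright for the setup user a leftover 99-setup-nopasswd matters more than it did before. Please confirm the removal also runs when the TUI or the installer aborts, for example through an EXIT trap registered before the file is written. The added comment also names a specific account ("which tester does"); use `<user>` there, as the surrounding lines do. If the only goal is to quiet `sudo -v`, `Defaults:<user> verifypw=any` states that intent more narrowly than `!authenticate`.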


@ -628,7 +628,10 @@ _DO_TUI="${RUN_TUI}"
if [[ "${_DO_TUI^^}" == "YES" ]]; then
# Grant temporary passwordless sudo so the TUI installer can call pacman/yay
# inside the chroot without a password. Removed immediately after the script exits.
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
# `Defaults:<user> !authenticate` is required alongside the NOPASSWD command
# rule: installers like starship/rustup call `sudo -v`, which still demands a
# password whenever the user has any password-required entry (the wheel rule).
printf 'Defaults:%s !authenticate\n%s ALL=(ALL:ALL) NOPASSWD: ALL\n' "$USERNAME" "$USERNAME" \
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
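
Review bot: The replacement rule on the `printf` line changes the Runas spec from `(ALL)` to `(ALL:ALL)`, which neither the commit message nor the new comment mentions; document it in the comment, or keep `(ALL)` if running as arbitrary groups is not needed. The same `printf` is now duplicated in both installers, and the two comments already disagree on when the file is removed ("after the TUI exits" versus "after the script exits"), so a shared helper would keep this drop-in from drifting between them. Since the contents are built from `$USERNAME`, consider running `visudo -cf /etc/sudoers.d/99-setup-nopasswd` inside the chroot after the write and failing the install if it does not pass.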