diff --git a/setup/arch-autoinstall.sh b/setup/arch-autoinstall.sh
index fe342f5..ef0540a 100755
--- a/setup/arch-autoinstall.sh
+++ b/setup/arch-autoinstall.sh
@@ -497,7 +497,17 @@ useradd -m -G wheel -s /bin/zsh "$USERNAME"
 # chpasswd reads "user:pass" from stdin to set the password non-interactively.
 echo "$USERNAME:$USERPASS" | chpasswd
 # Grant wheel group full sudo access (ALL:ALL covers any user/group runas context).
-echo "%wheel ALL=(ALL:ALL) ALL" >> /etc/sudoers
+# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
+# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
+# AFTER the drop-ins and — since the last matching rule wins — override the
+# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
+# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
+# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
+# auth resumes once it is removed.
+# Guard that drop-ins are actually read (the stock sudoers already includes this).
+grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
+echo '%wheel ALL=(ALL:ALL) ALL' > /etc/sudoers.d/10-wheel
+chmod 0440 /etc/sudoers.d/10-wheel
 ###################################################
 # INITRAMFS CONFIG
@@ -588,6 +598,7 @@ if [[ "${RUN_TUI^^}" == "YES" ]]; then
 # The file is removed immediately after the TUI exits.
 echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
 | arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
+ arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
 echo "Running tui-install.sh as ${USERNAME} inside chroot..."
 # `runuser -u` switches to the unprivileged user inside the chroot so that
diff --git a/setup/archbaseos-guided-install.sh b/setup/archbaseos-guided-install.sh
index e4c1d39..12f653c 100755
--- a/setup/archbaseos-guided-install.sh
+++ b/setup/archbaseos-guided-install.sh
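Review bot: The includedir guard on the `grep -q '^@includedir /etc/sudoers.d'` line only recognises the exact `@includedir` spelling with a single space, so a sudoers that still uses the older `#includedir /etc/sudoers.d` form (or extra whitespace) makes the fallback append a second directive for the same directory instead of being a no-op; `grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' /etc/sudoers` covers both forms. The same guard appears in the archbaseos-guided-install.sh hunk at -532. Since the drop-in is written with a bare `echo` and never validated, adding `visudo -cf /etc/sudoers.d/10-wheel` after the chmod would make the install fail here rather than leave a system whose sudo refuses every invocation if the rule is ever edited into something malformed. Documentation-wise, the comment block could also mention that sudo skips drop-ins whose names contain a dot or end in `~`, which is why `10-wheel` is a safe name.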
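Review bot: The added `arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd` fixes the mode, but the NOPASSWD grant is still only removed by a later explicit step that lies outside this hunk; if that removal is not also registered in an EXIT trap, an aborted or failing TUI run leaves a passwordless ALL grant for the user on the installed system. A one-line `trap 'rm -f -- /mnt/etc/sudoers.d/99-setup-nopasswd' EXIT` placed before the `tee` would cover that path (adjust if a trap already exists outside the hunk). The enclosing `if [[ "${RUN_TUI^^}" == "YES" ]]` block starts and ends outside the hunk, and the same point applies to the archbaseos-guided-install.sh hunk at -620.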
@@ -532,7 +532,17 @@ echo "$USERNAME:$USERPASS" | chpasswd
 chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"
 # Grant wheel group full sudo access (ALL covers any host/user/group runas context).
-echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
+# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
+# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
+# AFTER the drop-ins and — since the last matching rule wins — override the
+# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
+# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
+# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
+# auth resumes once it is removed.
+# Guard that drop-ins are actually read (the stock sudoers already includes this).
+grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
+echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/10-wheel
+chmod 0440 /etc/sudoers.d/10-wheel
 # Initramfs hook selection:
 # 1. FIDO2 root unlock: needs `systemd` + `sd-encrypt` for systemd-cryptsetup.
@@ -620,6 +630,7 @@ if [[ "${_DO_TUI^^}" == "YES" ]]; then
 # inside the chroot without a password. Removed immediately after the script exits.
 echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
 | arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
+ arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
 echo "Running tui-install.sh as ${USERNAME} inside chroot..."
 # `runuser -u` switches to the unprivileged user inside the chroot so that