From f0db333fa4f10c66cb6c6336385e9b354e5e923d Mon Sep 17 00:00:00 2001 From: The_miro Date: Fri, 26 Jun 2026 19:39:32 +0200 Subject: [PATCH] fix(installer): stop sudo re-prompting during in-chroot module install MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The base installers granted wheel sudo with `echo '%wheel ... ALL' >> /etc/sudoers`. Because the stock sudoers ends with `@includedir /etc/sudoers.d`, that appended rule is parsed AFTER the drop-ins, and since sudo applies the last matching rule, it overrode the temporary 99-setup-nopasswd NOPASSWD rule — so the user had to re-enter their password on every pacman/yay/flatpak call while the TUI installed modules. Grant wheel via /etc/sudoers.d/10-wheel instead, which sorts before 99-setup-nopasswd so NOPASSWD wins during the TUI run and password auth resumes once the temp file is removed. Also guard that @includedir is present (so the drop-ins are always read) and set both drop-ins to the canonical 0440 mode. Applied to both archbaseos-guided-install.sh and arch-autoinstall.sh. Co-Authored-By: Claude Opus 4.8 --- setup/arch-autoinstall.sh | 13 ++++++++++++- setup/archbaseos-guided-install.sh | 13 ++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/setup/arch-autoinstall.sh b/setup/arch-autoinstall.sh index fe342f5..ef0540a 100755 --- a/setup/arch-autoinstall.sh +++ b/setup/arch-autoinstall.sh 
@@ -497,7 +497,17 @@ useradd -m -G wheel -s /bin/zsh "$USERNAME"
 # chpasswd reads "user:pass" from stdin to set the password non-interactively.
 echo "$USERNAME:$USERPASS" | chpasswd
 # Grant wheel group full sudo access (ALL:ALL covers any user/group runas context).
-echo "%wheel ALL=(ALL:ALL) ALL" >> /etc/sudoers
+# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
+# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
+# AFTER the drop-ins and — since the last matching rule wins — override the
+# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
+# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
+# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
+# auth resumes once it is removed.
+# Guard that drop-ins are actually read (the stock sudoers already includes this).
+grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
+echo '%wheel ALL=(ALL:ALL) ALL' > /etc/sudoers.d/10-wheel
+chmod 0440 /etc/sudoers.d/10-wheel
 ###################################################
 # INITRAMFS CONFIG
@@ -588,6 +598,7 @@ if [[ "${RUN_TUI^^}" == "YES" ]]; then
 # The file is removed immediately after the TUI exits.
 echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
 | arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
+ arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
 echo "Running tui-install.sh as ${USERNAME} inside chroot..."
 # `runuser -u` switches to the unprivileged user inside the chroot so that
diff --git a/setup/archbaseos-guided-install.sh b/setup/archbaseos-guided-install.sh
index e4c1d39..12f653c 100755
--- a/setup/archbaseos-guided-install.sh
+++ b/setup/archbaseos-guided-install.sh
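Review bot: The `10-wheel` drop-in written at the end of the first hunk becomes the wheel user's only permanent sudo grant, but nothing checks that it (or the possibly appended `@includedir` line) parses before the chroot is torn down, so a malformed rule would leave the installed system with no working sudo and no visible failure at install time. Add `visudo -cf /etc/sudoers.d/10-wheel` after the `chmod 0440`, and `visudo -c` on the append path, so the script stops (under `set -e`, if it is in effect — the top of the file is outside this hunk) instead of shipping an unusable sudoers. The `grep -q '^@includedir /etc/sudoers.d'` guard also only recognises the `@includedir` spelling; a sudoers that still uses the older `#includedir` form would get a second include of the same directory appended, which I have not verified sudo accepts, so a comment such as `# Matches the '@includedir' spelling shipped by current sudo; the legacy '#includedir' form is not detected.` would make that assumption explicit. The identical hunk in setup/archbaseos-guided-install.sh has the same two points.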
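Review bot: The `chmod 0440` added in the second hunk tightens the mode of the temporary NOPASSWD rule, but the rule's removal (outside this hunk, after the TUI exits) appears to sit on the normal path only, so an early exit — the TUI failing, or any later command failing under `set -e` — would leave `/etc/sudoers.d/99-setup-nopasswd` on the installed system and the user with passwordless root permanently. Unless a trap already covers it elsewhere in the file, register the cleanup where the file is created, e.g. `trap 'rm -f -- /mnt/etc/sudoers.d/99-setup-nopasswd' EXIT`, chaining it with any existing EXIT handler since a second `trap … EXIT` replaces the first. The enclosing `if [[ "${RUN_TUI^^}" == "YES" ]]` block starts before this hunk and continues after it. The matching hunk in setup/archbaseos-guided-install.sh (`_DO_TUI`) needs the same treatment.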
@@ -532,7 +532,17 @@ echo "$USERNAME:$USERPASS" | chpasswd
 chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"
 # Grant wheel group full sudo access (ALL covers any host/user/group runas context).
-echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
+# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
+# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
+# AFTER the drop-ins and — since the last matching rule wins — override the
+# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
+# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
+# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
+# auth resumes once it is removed.
+# Guard that drop-ins are actually read (the stock sudoers already includes this).
+grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
+echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/10-wheel
+chmod 0440 /etc/sudoers.d/10-wheel
 # Initramfs hook selection:
 # 1. FIDO2 root unlock: needs `systemd` + `sd-encrypt` for systemd-cryptsetup.
@@ -620,6 +630,7 @@ if [[ "${_DO_TUI^^}" == "YES" ]]; then
 # inside the chroot without a password. Removed immediately after the script exits.
 echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
 | arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
+ arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
 echo "Running tui-install.sh as ${USERNAME} inside chroot..."
 # `runuser -u` switches to the unprivileged user inside the chroot so that